diff --git a/hst/config.go b/hst/config.go
index 44d3638..c694606 100644
--- a/hst/config.go
+++ b/hst/config.go
@@ -2,7 +2,10 @@ package hst import ( + "time" + "hakurei.app/container" + "hakurei.app/container/seccomp" "hakurei.app/system/dbus" )
@@ -11,49 +14,109 @@ const Tmp = "/.hakurei"
 var AbsTmp = container.MustAbs(Tmp)
 
 // Config is used to seal an app implementation.
-type Config struct {
-	// reverse-DNS style arbitrary identifier string from config;
-	// passed to wayland security-context-v1 as application ID
-	// and used as part of defaults in dbus session proxy
-	ID string `json:"id"`
+type (
+	Config struct {
+		// reverse-DNS style arbitrary identifier string from config;
+		// passed to wayland security-context-v1 as application ID
+		// and used as part of defaults in dbus session proxy
+		ID string `json:"id"`
 
-	// absolute path to executable file
-	Path *container.Absolute `json:"path,omitempty"`
-	// final args passed to container init
-	Args []string `json:"args"`
+		// absolute path to executable file
+		Path *container.Absolute `json:"path,omitempty"`
+		// final args passed to container init
+		Args []string `json:"args"`
 
-	// system services to make available in the container
-	Enablements *Enablements `json:"enablements,omitempty"`
+		// system services to make available in the container
+		Enablements *Enablements `json:"enablements,omitempty"`
 
-	// session D-Bus proxy configuration;
-	// nil makes session bus proxy assume built-in defaults
-	SessionBus *dbus.Config `json:"session_bus,omitempty"`
-	// system D-Bus proxy configuration;
-	// nil disables system bus proxy
-	SystemBus *dbus.Config `json:"system_bus,omitempty"`
-	// direct access to wayland socket; when this gets set no attempt is made to attach security-context-v1
-	// and the bare socket is mounted to the sandbox
-	DirectWayland bool `json:"direct_wayland,omitempty"`
+		// session D-Bus proxy configuration;
+		// nil makes session bus proxy assume built-in defaults
+		SessionBus *dbus.Config `json:"session_bus,omitempty"`
+		// system D-Bus proxy configuration;
+		// nil disables system bus proxy
+		SystemBus *dbus.Config `json:"system_bus,omitempty"`
+		// direct access to wayland socket; when this gets set no attempt is made to attach security-context-v1
+		// and the bare socket is mounted to the sandbox
+		DirectWayland bool `json:"direct_wayland,omitempty"`
 
-	// passwd username in container, defaults to passwd name of target uid or chronos
-	Username string `json:"username,omitempty"`
-	// absolute path to shell
-	Shell *container.Absolute `json:"shell"`
-	// absolute path to home directory in the init mount namespace
-	Data *container.Absolute `json:"data"`
-	// directory to enter and use as home in the container mount namespace, nil for Data
-	Dir *container.Absolute `json:"dir,omitempty"`
-	// extra acl ops, dispatches before container init
-	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
+		// passwd username in container, defaults to passwd name of target uid or chronos
+		Username string `json:"username,omitempty"`
+		// absolute path to shell
+		Shell *container.Absolute `json:"shell"`
+		// absolute path to home directory in the init mount namespace
+		Data *container.Absolute `json:"data"`
+		// directory to enter and use as home in the container mount namespace, nil for Data
+		Dir *container.Absolute `json:"dir,omitempty"`
+		// extra acl ops, dispatches before container init
+		ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
 
-	// numerical application id, used for init user namespace credentials
-	Identity int `json:"identity"`
-	// list of supplementary groups inherited by container processes
-	Groups []string `json:"groups"`
+		// numerical application id, used for init user namespace credentials
+		Identity int `json:"identity"`
+		// list of supplementary groups inherited by container processes
+		Groups []string `json:"groups"`
 
-	// abstract container configuration baseline
-	Container *ContainerConfig `json:"container"`
-}
+		// abstract container configuration baseline
+		Container *ContainerConfig `json:"container"`
+	}
+
+	// ContainerConfig describes the container configuration baseline to which the app implementation adds upon.
+	ContainerConfig struct {
+		// container hostname
+		Hostname string `json:"hostname,omitempty"`
+
+		// duration to wait for after interrupting a container's initial process in nanoseconds;
+		// a negative value causes the container to be terminated immediately on cancellation
+		WaitDelay time.Duration `json:"wait_delay,omitempty"`
+
+		// extra seccomp flags
+		SeccompFlags seccomp.ExportFlag `json:"seccomp_flags"`
+		// extra seccomp presets
+		SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
+		// disable project-specific filter extensions
+		SeccompCompat bool `json:"seccomp_compat,omitempty"`
+		// allow ptrace and friends
+		Devel bool `json:"devel,omitempty"`
+		// allow userns creation in container
+		Userns bool `json:"userns,omitempty"`
+		// share host net namespace
+		Net bool `json:"net,omitempty"`
+		// allow dangerous terminal I/O
+		Tty bool `json:"tty,omitempty"`
+		// allow multiarch
+		Multiarch bool `json:"multiarch,omitempty"`
+
+		// initial process environment variables
+		Env map[string]string `json:"env"`
+		// map target user uid to privileged user uid in the user namespace
+		MapRealUID bool `json:"map_real_uid"`
+
+		// pass through all devices
+		Device bool `json:"device,omitempty"`
+		// container mount points
+		Filesystem []FilesystemConfigJSON `json:"filesystem"`
+		// create symlinks inside container filesystem
+		Link []LinkConfig `json:"symlink"`
+
+		// automatically bind mount top-level directories to container root;
+		// the zero value disables this behaviour
+		AutoRoot *container.Absolute `json:"auto_root,omitempty"`
+		// extra flags for AutoRoot
+		RootFlags int `json:"root_flags,omitempty"`
+
+		// read-only /etc directory
+		Etc *container.Absolute `json:"etc,omitempty"`
+		// automatically set up /etc symlinks
+		AutoEtc bool `json:"auto_etc"`
+	}
+
+	LinkConfig struct {
+		// symlink target in container
+		Target *container.Absolute `json:"target"`
+		// linkname the symlink points to;
+		// prepend '*' to dereference an absolute pathname on host
+		Linkname string `json:"linkname"`
+	}
+)
 
 // ExtraPermConfig describes an acl update op.
 type ExtraPermConfig struct {
diff --git a/hst/container.go b/hst/container.go
deleted file mode 100644
index d42c72d..0000000
--- a/hst/container.go
+++ /dev/null
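Review bot: The constants `TmpfsPerm` and `TmpfsSize` that the deleted hst/container.go declared are not re-declared in this hunk alongside the moved ContainerConfig and LinkConfig types; unless a hunk outside this excerpt re-homes them, anything in the package that still references them (their own doc comments point at [FilesystemConfig]) will no longer compile. Wrapping Config in a `type (...)` group also detaches its doc comment: `// Config is used to seal an app implementation.` now sits above `type (` and documents the group rather than the type, so the sentence should move inside the group directly above `Config struct {`. ContainerConfig kept its comment through the move, but the exported LinkConfig still has none; `// LinkConfig describes a symlink to create inside the container filesystem.` above `LinkConfig struct {` would complete the group's documentation.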
@@ -1,78 +0,0 @@
-package hst
-
-import (
-	"time"
-
-	"hakurei.app/container"
-	"hakurei.app/container/seccomp"
-)
-
-const (
-	// TmpfsPerm is the permission bits for tmpfs mount points
-	// configured through [FilesystemConfig].
-	TmpfsPerm = 0755
-
-	// TmpfsSize is the size for tmpfs mount points
-	// configured through [FilesystemConfig].
-	TmpfsSize = 0
-)
-
-type (
-	// ContainerConfig describes the container configuration baseline to which the app implementation adds upon.
-	ContainerConfig struct {
-		// container hostname
-		Hostname string `json:"hostname,omitempty"`
-
-		// duration to wait for after interrupting a container's initial process in nanoseconds;
-		// a negative value causes the container to be terminated immediately on cancellation
-		WaitDelay time.Duration `json:"wait_delay,omitempty"`
-
-		// extra seccomp flags
-		SeccompFlags seccomp.ExportFlag `json:"seccomp_flags"`
-		// extra seccomp presets
-		SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
-		// disable project-specific filter extensions
-		SeccompCompat bool `json:"seccomp_compat,omitempty"`
-		// allow ptrace and friends
-		Devel bool `json:"devel,omitempty"`
-		// allow userns creation in container
-		Userns bool `json:"userns,omitempty"`
-		// share host net namespace
-		Net bool `json:"net,omitempty"`
-		// allow dangerous terminal I/O
-		Tty bool `json:"tty,omitempty"`
-		// allow multiarch
-		Multiarch bool `json:"multiarch,omitempty"`
-
-		// initial process environment variables
-		Env map[string]string `json:"env"`
-		// map target user uid to privileged user uid in the user namespace
-		MapRealUID bool `json:"map_real_uid"`
-
-		// pass through all devices
-		Device bool `json:"device,omitempty"`
-		// container mount points
-		Filesystem []FilesystemConfigJSON `json:"filesystem"`
-		// create symlinks inside container filesystem
-		Link []LinkConfig `json:"symlink"`
-
-		// automatically bind mount top-level directories to container root;
-		// the zero value disables this behaviour
-		AutoRoot *container.Absolute `json:"auto_root,omitempty"`
-		// extra flags for AutoRoot
-		RootFlags int `json:"root_flags,omitempty"`
-
-		// read-only /etc directory
-		Etc *container.Absolute `json:"etc,omitempty"`
-		// automatically set up /etc symlinks
-		AutoEtc bool `json:"auto_etc"`
-	}
-
-	LinkConfig struct {
-		// symlink target in container
-		Target *container.Absolute `json:"target"`
-		// linkname the symlink points to;
-		// prepend '*' to dereference an absolute pathname on host
-		Linkname string `json:"linkname"`
-	}
-)
diff --git a/internal/app/seal_linux.go b/internal/app/seal_linux.go
index 536bb6a..49ef78f 100644
--- a/internal/app/seal_linux.go
+++ b/internal/app/seal_linux.go
@@ -479,7 +479,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 	// append ExtraPerms last
 	for _, p := range config.ExtraPerms {
-		if p == nil {
+		if p == nil || p.Path == nil {
 			continue
 		}