security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

sandbox: expose seccomp interface
All checks were successful
Test / Create distribution (push) Successful in 31s
Details
Test / Sandbox (push) Successful in 1m59s
Details
Test / Hakurei (push) Successful in 2m47s
Details
Test / Sandbox (race detector) (push) Successful in 3m11s
Details
Test / Planterette (push) Successful in 3m34s
Details
Test / Hakurei (race detector) (push) Successful in 4m22s
Details
Test / Flake checks (push) Successful in 1m8s
Details

Browse Source 
There's no point in artificially limiting and abstracting away these options. The higher level hakurei package is responsible for providing a secure baseline and sane defaults. The sandbox package should present everything to the caller.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-07-02 04:38:28 +09:00
parent a6887f7253
commit 31aef905fa
12 changed files with 117 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
internal/app/instance/common/container.go
View File

@@ -30,6 +30,8 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
Hostname: s.Hostname,
SeccompFlags: s.SeccompFlags,
SeccompPresets: s.SeccompPresets,
RetainSession: s.Tty,
HostNet: s.Net,
}
{
@@ -41,17 +43,17 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
container.SeccompFlags |= seccomp.AllowMultiarch
}
if s.Devel {
container.Flags |= sandbox.FAllowDevel
if !s.SeccompCompat {
container.SeccompPresets |= seccomp.PresetExt
}
if s.Userns {
container.Flags |= sandbox.FAllowUserns
if !s.Devel {
container.SeccompPresets |= seccomp.PresetDenyDevel
}
if s.Net {
container.Flags |= sandbox.FAllowNet
if !s.Userns {
container.SeccompPresets |= seccomp.PresetDenyNS
}
if s.Tty {
container.Flags |= sandbox.FAllowTTY
if !s.Tty {
container.SeccompPresets |= seccomp.PresetDenyTTY
}
if s.MapRealUID {