container/init: use /proc/self as intermediate

Setting up via /tmp works, but /proc/self/fd makes a lot more sense for the reasons described in the comment.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-07-06 02:14:35 +09:00
parent d9b6d48e7c
commit 356b42a406
Signed by: cat
SSH Key Fingerprint: SHA256:wr6yH7sDDbUFi81k/GsIGwpM3O2QrwqYlLF26CcJa4w


@ -20,8 +20,21 @@ const (
// time to wait for linger processes after death of initial process // time to wait for linger processes after death of initial process
residualProcessTimeout = 5 * time.Second residualProcessTimeout = 5 * time.Second
// intermediate tmpfs mount point /* intermediate tmpfs mount point
basePath = "/tmp"
this path might seem like a weird choice, however there are many good reasons to use it:
- the contents of this path is never exposed to the container:
the tmpfs root established here effectively becomes anonymous after pivot_root
- it is safe to assume this path exists and is a directory:
this program will not work correctly without a proper /proc and neither will most others
- this path belongs to the container init:
the container init is not any more privileged or trusted than the rest of the container
- this path is only accessible by init and root:
the container init sets SUID_DUMP_DISABLE and terminates if that fails;
it should be noted that none of this should become relevant at any point since the resulting
intermediate root tmpfs should be effectively anonymous */
intermediateHostPath = "/proc/self/fd"
// setup params file descriptor // setup params file descriptor
setupEnv = "HAKUREI_SETUP" setupEnv = "HAKUREI_SETUP"
@ -124,10 +137,10 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
} }
} }
if err := Mount("rootfs", basePath, "tmpfs", MS_NODEV|MS_NOSUID, ""); err != nil { if err := Mount("rootfs", intermediateHostPath, "tmpfs", MS_NODEV|MS_NOSUID, ""); err != nil {
log.Fatalf("cannot mount intermediate root: %v", err) log.Fatalf("cannot mount intermediate root: %v", err)
} }
if err := os.Chdir(basePath); err != nil { if err := os.Chdir(intermediateHostPath); err != nil {
log.Fatalf("cannot enter base path: %v", err) log.Fatalf("cannot enter base path: %v", err)
} }
@ -141,8 +154,8 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
if err := os.Mkdir(hostDir, 0755); err != nil { if err := os.Mkdir(hostDir, 0755); err != nil {
log.Fatalf("%v", err) log.Fatalf("%v", err)
} }
// pivot_root uncovers basePath in hostDir // pivot_root uncovers intermediateHostPath in hostDir
if err := PivotRoot(basePath, hostDir); err != nil { if err := PivotRoot(intermediateHostPath, hostDir); err != nil {
log.Fatalf("cannot pivot into intermediate root: %v", err) log.Fatalf("cannot pivot into intermediate root: %v", err)
} }
if err := os.Chdir("/"); err != nil { if err := os.Chdir("/"); err != nil {
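Review bot: Between the `Mount("rootfs", intermediateHostPath, "tmpfs", ...)` call in the second hunk and the `PivotRoot` in the third, init's own `/proc/self/fd` is covered by an empty tmpfs, so anything in that window that reopens a descriptor through `/proc/self/fd/N` (or through `/dev/fd` and `/dev/std*`, which on most systems are symlinks into it) will hit the new mount and fail with ENOENT instead of reaching the fd table; the lines between the two hunks are not visible here, so I cannot confirm nothing does. I would pin this down at the mount call with `// from here until pivot_root, /proc/self/fd is shadowed by the tmpfs: do not reopen fds via /proc/self/fd/N (or /dev/fd) in this window`. The new block comment also states the path is only reachable by init and root because SUID_DUMP_DISABLE is set earlier, which is outside this hunk and worth cross-referencing from the check that enforces it, and it might mention that the mount keeps MS_NODEV|MS_NOSUID but not MS_NOEXEC, so files created directly in the intermediate root stay executable (presumably intended since it becomes the container root). The enclosing Init function starts before and continues after these hunks.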