From 3b8a3d3b004695d79745c34821b33cfbe41048a9 Mon Sep 17 00:00:00 2001 From: Ophestra Date: Fri, 1 Aug 2025 23:54:33 +0900 Subject: [PATCH] app: remount root readonly This does nothing for security, but should help avoid hiding bugs of programs developed in a hakurei container. Signed-off-by: Ophestra --- internal/app/app_nixos_linux_test.go | 5 ++++- internal/app/app_pd_linux_test.go | 7 +++++-- internal/app/seal_linux.go | 3 +++ test/sandbox/case/device.nix | 2 +- test/sandbox/case/mapuid.nix | 2 +- test/sandbox/case/pd.nix | 2 +- test/sandbox/case/pdlike.nix | 2 +- test/sandbox/case/preset.nix | 2 +- test/sandbox/case/tty.nix | 2 +- 9 files changed, 18 insertions(+), 9 deletions(-) diff --git a/internal/app/app_nixos_linux_test.go b/internal/app/app_nixos_linux_test.go index c1bda92..303d535 100644 --- a/internal/app/app_nixos_linux_test.go +++ b/internal/app/app_nixos_linux_test.go @@ -1,6 +1,8 @@ package app_test import ( + "syscall" + "hakurei.app/container" "hakurei.app/container/seccomp" "hakurei.app/hst" @@ -141,7 +143,8 @@ var testCasesNixos = []sealTestCase{ Place(hst.Tmp+"/pulse-cookie", nil). Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus", 0). Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket", 0). - Tmpfs("/var/run/nscd", 8192, 0755), + Tmpfs("/var/run/nscd", 8192, 0755). + Remount("/", syscall.MS_RDONLY), SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyTTY | seccomp.PresetDenyDevel, HostNet: true, ForwardCancel: true, diff --git a/internal/app/app_pd_linux_test.go b/internal/app/app_pd_linux_test.go index 7f0049b..66cebe4 100644 --- a/internal/app/app_pd_linux_test.go +++ b/internal/app/app_pd_linux_test.go @@ -2,6 +2,7 @@ package app_test import ( "os" + "syscall" "hakurei.app/container" "hakurei.app/container/seccomp" 
@@ -56,7 +57,8 @@ var testCasesPd = []sealTestCase{ Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", container.BindWritable). Bind("/home/chronos", "/home/chronos", container.BindWritable). Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")). - Place("/etc/group", []byte("hakurei:x:65534:\n")), + Place("/etc/group", []byte("hakurei:x:65534:\n")). + Remount("/", syscall.MS_RDONLY), SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel, HostNet: true, RetainSession: true, @@ -195,7 +197,8 @@ var testCasesPd = []sealTestCase{ Bind("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native", 0). Place(hst.Tmp+"/pulse-cookie", nil). Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0). - Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0), + Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0). + Remount("/", syscall.MS_RDONLY), SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel, HostNet: true, RetainSession: true, diff --git a/internal/app/seal_linux.go b/internal/app/seal_linux.go index cc92db2..b25b5c4 100644 --- a/internal/app/seal_linux.go +++ b/internal/app/seal_linux.go @@ -478,6 +478,9 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co seal.container.Tmpfs(dest, 1<<13, 0755) } + // mount root read-only as the final setup Op + seal.container.Remount("/", syscall.MS_RDONLY) + // append ExtraPerms last for _, p := range config.ExtraPerms { if p == nil { diff --git a/test/sandbox/case/device.nix b/test/sandbox/case/device.nix index f5bdaa7..ded60aa 100644 --- a/test/sandbox/case/device.nix +++ b/test/sandbox/case/device.nix 
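Review bot: The new comment `// mount root read-only as the final setup Op` in the seal_linux.go hunk is contradicted by the `// append ExtraPerms last` loop that follows it; if that loop appends any further container Op the remount is not last, and if it only touches host-side permissions the comment should say so instead of "final". The fixtures in this same patch show only `/` flipping to `ro` while `/bin`, `/home` and `/.hakurei` stay `rw`, so presumably Remount is a non-recursive MS_REMOUNT and every bind mount keeps its own flags, which is the property worth recording given the commit message already states this is not a security boundary. Suggested wording: `// remount the rootfs read-only after the last container mount Op; bind mounts keep their own flags`. The body of finalise begins and ends outside the hunk.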
@@ -200,7 +200,7 @@ in } null; mount = [ - (ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004") + (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004") (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw") (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000004,gid=1000004") (ent "/" "/dev" "rw,nosuid" "devtmpfs" "devtmpfs" ignore) diff --git a/test/sandbox/case/mapuid.nix b/test/sandbox/case/mapuid.nix index 8c6fcdf..945cfb4 100644 --- a/test/sandbox/case/mapuid.nix +++ b/test/sandbox/case/mapuid.nix @@ -226,7 +226,7 @@ in } null; mount = [ - (ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003") + (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003") (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw") (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000003,gid=1000003") (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000003,gid=1000003") diff --git a/test/sandbox/case/pd.nix b/test/sandbox/case/pd.nix index 950afdf..2b87290 100644 --- a/test/sandbox/case/pd.nix +++ b/test/sandbox/case/pd.nix @@ -138,7 +138,7 @@ } null; mount = [ - (ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000000,gid=1000000") + (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000000,gid=1000000") (ent "/bin" "/bin" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/home" "/home" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/lib64" "/lib64" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") diff --git a/test/sandbox/case/pdlike.nix b/test/sandbox/case/pdlike.nix index 9986eed..febf1d3 100644 --- a/test/sandbox/case/pdlike.nix +++ b/test/sandbox/case/pdlike.nix 
@@ -226,7 +226,7 @@ in } null; mount = [ - (ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000005,gid=1000005") + (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000005,gid=1000005") (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw") (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000005,gid=1000005") (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000005,gid=1000005") diff --git a/test/sandbox/case/preset.nix b/test/sandbox/case/preset.nix index ce7677c..ecab2da 100644 --- a/test/sandbox/case/preset.nix +++ b/test/sandbox/case/preset.nix @@ -225,7 +225,7 @@ in } null; mount = [ - (ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001") + (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001") (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw") (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000001,gid=1000001") (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000001,gid=1000001") diff --git a/test/sandbox/case/tty.nix b/test/sandbox/case/tty.nix index f696d8c..689101f 100644 --- a/test/sandbox/case/tty.nix +++ b/test/sandbox/case/tty.nix @@ -227,7 +227,7 @@ in } null; mount = [ - (ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002") + (ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002") (ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw") (ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000002,gid=1000002") (ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000002,gid=1000002")