security/hakurei
security/hakurei
6
3
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases 9 Wiki Activity

.clang-format: do not limit line length
All checks were successful
Test / Create distribution (push) Successful in 38s
Details
Test / Sandbox (push) Successful in 2m18s
Details
Test / Hakurei (push) Successful in 3m15s
Details
Test / Hpkg (push) Successful in 4m5s
Details
Test / Sandbox (race detector) (push) Successful in 4m26s
Details
Test / Hakurei (race detector) (push) Successful in 5m10s
Details
Test / Flake checks (push) Successful in 1m27s
Details

Browse Source 
This hard limit destroys readability in some places.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-11-15 16:53:10 +09:00
parent c761e1de4d
commit 41b49137a8
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
5 changed files with 43 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.clang-format Normal file
View File

@ -0,0 +1 @@
ColumnLimit: 0

22
container/seccomp/libseccomp-helper.c
View File

@ -9,7 +9,8 @@
#define LEN(arr) (sizeof(arr) / sizeof((arr)[0])) #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p, int32_t hakurei_scmp_make_filter(
int *ret_p, uintptr_t allocate_p,
uint32_t arch, uint32_t multiarch, uint32_t arch, uint32_t multiarch,
struct hakurei_syscall_rule *rules, struct hakurei_syscall_rule *rules,
size_t rules_sz, hakurei_export_flag flags) { size_t rules_sz, hakurei_export_flag flags) {
@ -72,11 +73,9 @@ int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
assert(rule->m_errno == EPERM || rule->m_errno == ENOSYS); assert(rule->m_errno == EPERM || rule->m_errno == ENOSYS);
if (rule->arg) if (rule->arg)
*ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), rule->syscall, 1, *rule->arg);
rule->syscall, 1, *rule->arg);
else else
*ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), rule->syscall, 0);
rule->syscall, 0);
if (*ret_p == -EFAULT) { if (*ret_p == -EFAULT) {
res = 4; res = 4;
@ -93,22 +92,17 @@ int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
last_allowed_family = -1; last_allowed_family = -1;
for (i = 0; i < LEN(socket_family_allowlist); i++) { for (i = 0; i < LEN(socket_family_allowlist); i++) {
if (socket_family_allowlist[i].flags_mask != 0 && if (socket_family_allowlist[i].flags_mask != 0 &&
(socket_family_allowlist[i].flags_mask & flags) != (socket_family_allowlist[i].flags_mask & flags) != socket_family_allowlist[i].flags_mask)
socket_family_allowlist[i].flags_mask)
continue; continue;
for (disallowed = last_allowed_family + 1; for (disallowed = last_allowed_family + 1; disallowed < socket_family_allowlist[i].family; disallowed++) {
disallowed < socket_family_allowlist[i].family; disallowed++) {
/* Blocklist the in-between valid families */ /* Blocklist the in-between valid families */
seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, disallowed));
SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, disallowed));
} }
last_allowed_family = socket_family_allowlist[i].family; last_allowed_family = socket_family_allowlist[i].family;
} }
/* Blocklist the rest */ /* Blocklist the rest */
seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
if (allocate_p == 0) { if (allocate_p == 0) {
*ret_p = seccomp_load(ctx); *ret_p = seccomp_load(ctx);

3
container/seccomp/libseccomp-helper.h
View File

@ -19,7 +19,8 @@ struct hakurei_syscall_rule {
}; };
extern void *hakurei_scmp_allocate(uintptr_t f, size_t len); extern void *hakurei_scmp_allocate(uintptr_t f, size_t len);
int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p, int32_t hakurei_scmp_make_filter(
int *ret_p, uintptr_t allocate_p,
uint32_t arch, uint32_t multiarch, uint32_t arch, uint32_t multiarch,
struct hakurei_syscall_rule *rules, struct hakurei_syscall_rule *rules,
size_t rules_sz, hakurei_export_flag flags); size_t rules_sz, hakurei_export_flag flags);

27
internal/wayland/wayland-client-helper.c
View File

@ -9,17 +9,20 @@
#include "security-context-v1-protocol.h" #include "security-context-v1-protocol.h"
#include <wayland-client.h> #include <wayland-client.h>
static void registry_handle_global(void *data, struct wl_registry *registry, static void registry_handle_global(
uint32_t name, const char *interface, void *data,
struct wl_registry *registry,
uint32_t name,
const char *interface,
uint32_t version) { uint32_t version) {
struct wp_security_context_manager_v1 **out = data; struct wp_security_context_manager_v1 **out = data;
if (strcmp(interface, wp_security_context_manager_v1_interface.name) == 0) if (strcmp(interface, wp_security_context_manager_v1_interface.name) == 0)
*out = wl_registry_bind(registry, name, *out = wl_registry_bind(registry, name, &wp_security_context_manager_v1_interface, 1);
&wp_security_context_manager_v1_interface, 1);
} }
static void registry_handle_global_remove(void *data, static void registry_handle_global_remove(
void *data,
struct wl_registry *registry, struct wl_registry *registry,
uint32_t name) {} /* no-op */ uint32_t name) {} /* no-op */
@ -28,8 +31,12 @@ static const struct wl_registry_listener registry_listener = {
.global_remove = registry_handle_global_remove, .global_remove = registry_handle_global_remove,
}; };
int32_t hakurei_bind_wayland_fd(char *socket_path, int fd, const char *app_id, int32_t hakurei_bind_wayland_fd(
const char *instance_id, int sync_fd) { char *socket_path,
int fd,
const char *app_id,
const char *instance_id,
int sync_fd) {
int32_t res = 0; /* refer to resErr for corresponding Go error */ int32_t res = 0; /* refer to resErr for corresponding Go error */
struct wl_display *display; struct wl_display *display;
@ -43,8 +50,7 @@ int32_t hakurei_bind_wayland_fd(char *socket_path, int fd, const char *app_id,
registry = wl_display_get_registry(display); registry = wl_display_get_registry(display);
struct wp_security_context_manager_v1 *security_context_manager = NULL; struct wp_security_context_manager_v1 *security_context_manager = NULL;
wl_registry_add_listener(registry, &registry_listener, wl_registry_add_listener(registry, &registry_listener, &security_context_manager);
&security_context_manager);
int ret; int ret;
ret = wl_display_roundtrip(display); ret = wl_display_roundtrip(display);
wl_registry_destroy(registry); wl_registry_destroy(registry);
@ -71,8 +77,7 @@ int32_t hakurei_bind_wayland_fd(char *socket_path, int fd, const char *app_id,
goto out; goto out;
struct wp_security_context_v1 *security_context; struct wp_security_context_v1 *security_context;
security_context = wp_security_context_manager_v1_create_listener( security_context = wp_security_context_manager_v1_create_listener(security_context_manager, listen_fd, sync_fd);
security_context_manager, listen_fd, sync_fd);
wp_security_context_v1_set_sandbox_engine(security_context, "app.hakurei"); wp_security_context_v1_set_sandbox_engine(security_context, "app.hakurei");
wp_security_context_v1_set_app_id(security_context, app_id); wp_security_context_v1_set_app_id(security_context, app_id);
wp_security_context_v1_set_instance_id(security_context, instance_id); wp_security_context_v1_set_instance_id(security_context, instance_id);

8
internal/wayland/wayland-client-helper.h
View File

@ -1,4 +1,8 @@
#include <stdint.h> #include <stdint.h>
int32_t hakurei_bind_wayland_fd(char *socket_path, int fd, const char *app_id, int32_t hakurei_bind_wayland_fd(
const char *instance_id, int sync_fd); char *socket_path,
int fd,
const char *app_id,
const char *instance_id,
int sync_fd);