security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

hst/container: pack boolean options
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m12s
Details
Test / Hakurei (push) Successful in 3m8s
Details
Test / Hpkg (push) Successful in 4m2s
Details
Test / Hakurei (race detector) (push) Successful in 4m46s
Details
Test / Sandbox (race detector) (push) Successful in 2m11s
Details
Test / Flake checks (push) Successful in 1m37s
Details

Browse Source 
The memory saving is relatively insignificant, however this increases serialisation efficiency.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-10-14 06:37:24 +09:00
parent a341466942
commit 4c647add0d
14 changed files with 362 additions and 144 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
internal/app/app_test.go
View File

@@ -44,8 +44,6 @@ func TestApp(t *testing.T) {
{
"nixos permissive defaults no enablements", new(stubNixOS),
&hst.Config{Container: &hst.ContainerConfig{
Userns: true, HostNet: true, HostAbstract: true, Tty: true,
Filesystem: []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{
Target: fhs.AbsRoot,
@@ -71,6 +69,8 @@ func TestApp(t *testing.T) {
Path: m("/run/current-system/sw/bin/zsh"),
Args: []string{"/run/current-system/sw/bin/zsh"},
Flags: hst.FUserns | hst.FHostNet | hst.FHostAbstract | hst.FTty,
}},
state.ID{
0x4a, 0x45, 0x0b, 0x65,
@@ -162,8 +162,6 @@ func TestApp(t *testing.T) {
Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPulse),
Container: &hst.ContainerConfig{
Userns: true, HostNet: true, HostAbstract: true, Tty: true,
Filesystem: []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{
Target: fhs.AbsRoot,
@@ -194,6 +192,8 @@ func TestApp(t *testing.T) {
Path: m("/run/current-system/sw/bin/zsh"),
Args: []string{"zsh", "-c", "exec chromium "},
Flags: hst.FUserns | hst.FHostNet | hst.FHostAbstract | hst.FTty,
},
},
state.ID{
@@ -308,7 +308,7 @@ func TestApp(t *testing.T) {
ID: "org.chromium.Chromium",
Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPulse),
Container: &hst.ContainerConfig{
Userns: true, HostNet: true, MapRealUID: true, Env: nil,
Env: nil,
Filesystem: []hst.FilesystemConfigJSON{
f(&hst.FSBind{Source: m("/bin")}),
f(&hst.FSBind{Source: m("/usr/bin/")}),
@@ -330,6 +330,8 @@ func TestApp(t *testing.T) {
Home: m("/var/lib/persist/module/hakurei/0/1"),
Path: m("/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"),
Flags: hst.FUserns | hst.FHostNet | hst.FMapRealUID,
},
SystemBus: &hst.BusConfig{
Talk: []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},

2
internal/app/outcome.go
View File

@@ -94,7 +94,7 @@ func newOutcomeState(k syscallDispatcher, msg message.Msg, id *state.ID, config
s.Shim.WaitDelay = s.Container.WaitDelay
}
if s.Container.MapRealUID {
if s.Container.Flags&hst.FMapRealUID != 0 {
s.Mapuid, s.Mapgid = k.getuid(), k.getgid()
} else {
s.Mapuid, s.Mapgid = k.overflowUid(msg), k.overflowGid(msg)

22
internal/app/spcontainer.go
View File

@@ -48,9 +48,9 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
const preallocateOpsCount = 1 << 5
state.params.Hostname = state.Container.Hostname
state.params.RetainSession = state.Container.Tty
state.params.HostNet = state.Container.HostNet
state.params.HostAbstract = state.Container.HostAbstract
state.params.RetainSession = state.Container.Flags&hst.FTty != 0
state.params.HostNet = state.Container.Flags&hst.FHostNet != 0
state.params.HostAbstract = state.Container.Flags&hst.FHostAbstract != 0
if state.Container.Path == nil {
return newWithMessage("invalid program path")
@@ -67,24 +67,24 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
// this behaviour is implemented in the shim
state.params.ForwardCancel = state.Shim.WaitDelay > 0
if state.Container.Multiarch {
if state.Container.Flags&hst.FMultiarch != 0 {
state.params.SeccompFlags |= seccomp.AllowMultiarch
}
if !state.Container.SeccompCompat {
if state.Container.Flags&hst.FSeccompCompat == 0 {
state.params.SeccompPresets |= bits.PresetExt
}
if !state.Container.Devel {
if state.Container.Flags&hst.FDevel == 0 {
state.params.SeccompPresets |= bits.PresetDenyDevel
}
if !state.Container.Userns {
if state.Container.Flags&hst.FUserns == 0 {
state.params.SeccompPresets |= bits.PresetDenyNS
}
if !state.Container.Tty {
if state.Container.Flags&hst.FTty == 0 {
state.params.SeccompPresets |= bits.PresetDenyTTY
}
if state.Container.MapRealUID {
if state.Container.Flags&hst.FMapRealUID != 0 {
state.params.Uid = state.Mapuid
state.params.Gid = state.Mapgid
}
@@ -106,7 +106,7 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
state.params.
Proc(fhs.AbsProc).
Tmpfs(hst.AbsPrivateTmp, 1<<12, 0755)
if !state.Container.Device {
if state.Container.Flags&hst.FDevice == 0 {
state.params.DevWritable(fhs.AbsDev, true)
} else {
state.params.Bind(fhs.AbsDev, fhs.AbsDev, bits.BindWritable|bits.BindDevice)
@@ -275,7 +275,7 @@ func (s *spFilesystemOp) toContainer(state *outcomeStateParams) error {
}
// no more configured paths beyond this point
if !state.Container.Device {
if state.Container.Flags&hst.FDevice == 0 {
state.params.Remount(fhs.AbsDev, syscall.MS_RDONLY)
}
return nil

19
internal/app/spcontainer_test.go
View File

@@ -51,12 +51,7 @@ func TestSpParamsOp(t *testing.T) {
}, func() *hst.Config {
c := hst.Template()
c.Container.Args = nil
c.Container.Multiarch = false
c.Container.SeccompCompat = false
c.Container.Devel = false
c.Container.Userns = false
c.Container.Tty = false
c.Container.Device = false
c.Container.Flags = hst.FHostNet | hst.FHostAbstract | hst.FMapRealUID
return c
}, nil, []stub.Call{
call("lookupEnv", stub.ExpectArgs{"TERM"}, "xterm", nil),
@@ -65,8 +60,8 @@ func TestSpParamsOp(t *testing.T) {
// this op configures the container state and does not make calls during toContainer
}, &container.Params{
Hostname: config.Container.Hostname,
HostNet: config.Container.HostNet,
HostAbstract: config.Container.HostAbstract,
HostNet: true,
HostAbstract: true,
Path: config.Container.Path,
Args: []string{config.Container.Path.String()},
SeccompPresets: bits.PresetExt | bits.PresetDenyDevel | bits.PresetDenyNS | bits.PresetDenyTTY,
@@ -109,9 +104,9 @@ func TestSpParamsOp(t *testing.T) {
// this op configures the container state and does not make calls during toContainer
}, &container.Params{
Hostname: config.Container.Hostname,
RetainSession: config.Container.Tty,
HostNet: config.Container.HostNet,
HostAbstract: config.Container.HostAbstract,
RetainSession: true,
HostNet: true,
HostAbstract: true,
Path: config.Container.Path,
Args: config.Container.Args,
SeccompFlags: seccomp.AllowMultiarch,
@@ -159,7 +154,7 @@ func TestSpFilesystemOp(t *testing.T) {
}}},
{FilesystemConfig: &hst.FSEphemeral{Target: hst.AbsPrivateTmp}},
}
c.Container.Device = false
c.Container.Flags &= ^hst.FDevice
return c
}
configSmall := newConfigSmall()

2
internal/app/spx11.go
View File

@@ -54,7 +54,7 @@ func (s *spX11Op) toSystem(state *outcomeStateSys) error {
}
} else {
state.sys.UpdatePermType(hst.EX11, socketPath, acl.Read, acl.Write, acl.Execute)
if !state.Container.HostAbstract {
if state.Container.Flags&hst.FHostAbstract == 0 {
s.Display = "unix:" + socketPath.String()
}
}