container/bits: move bind bits

This allows referring to the bits without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
2025-10-07 21:38:31 +09:00
parent 5d18af0007
commit 584ce3da68
12 changed files with 116 additions and 110 deletions


@@ -5,6 +5,7 @@ import (
"os"
"testing"
"hakurei.app/container/bits"
"hakurei.app/container/check"
"hakurei.app/container/stub"
)
@@ -20,14 +21,14 @@ func TestAutoRootOp(t *testing.T) {
checkOpBehaviour(t, []opBehaviourTestCase{
{"readdir", &Params{ParentPerm: 0750}, &AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable,
Flags: bits.BindWritable,
}, []stub.Call{
call("readdir", stub.ExpectArgs{"/"}, stubDir(), stub.UniqueError(2)),
}, stub.UniqueError(2), nil, nil},
{"early", &Params{ParentPerm: 0750}, &AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable,
Flags: bits.BindWritable,
}, []stub.Call{
call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
@@ -36,7 +37,7 @@ func TestAutoRootOp(t *testing.T) {
{"apply", &Params{ParentPerm: 0750}, &AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable,
Flags: bits.BindWritable,
}, []stub.Call{
call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
@@ -57,7 +58,7 @@ func TestAutoRootOp(t *testing.T) {
{"success pd", &Params{ParentPerm: 0750}, &AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable,
Flags: bits.BindWritable,
}, []stub.Call{
call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64",
"lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil),
@@ -124,10 +125,10 @@ func TestAutoRootOp(t *testing.T) {
})
checkOpsBuilder(t, []opsBuilderTestCase{
{"pd", new(Ops).Root(check.MustAbs("/"), BindWritable), Ops{
{"pd", new(Ops).Root(check.MustAbs("/"), bits.BindWritable), Ops{
&AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable,
Flags: bits.BindWritable,
},
}},
})
@@ -137,42 +138,42 @@ func TestAutoRootOp(t *testing.T) {
{"internal ne", &AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable,
Flags: bits.BindWritable,
}, &AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable,
Flags: bits.BindWritable,
resolved: []*BindMountOp{new(BindMountOp)},
}, true},
{"flags differs", &AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable | BindDevice,
Flags: bits.BindWritable | bits.BindDevice,
}, &AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable,
Flags: bits.BindWritable,
}, false},
{"host differs", &AutoRootOp{
Host: check.MustAbs("/tmp/"),
Flags: BindWritable,
Flags: bits.BindWritable,
}, &AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable,
Flags: bits.BindWritable,
}, false},
{"equals", &AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable,
Flags: bits.BindWritable,
}, &AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable,
Flags: bits.BindWritable,
}, true},
})
checkOpMeta(t, []opMetaTestCase{
{"root", &AutoRootOp{
Host: check.MustAbs("/"),
Flags: BindWritable,
Flags: bits.BindWritable,
}, "setting up", `auto root "/" flags 0x2`},
})
}

13
container/bits/bits.go Normal file

@@ -0,0 +1,13 @@
// Package bits contains constants for configuring the container.
package bits
const (
// BindOptional skips nonexistent host paths.
BindOptional = 1 << iota
// BindWritable mounts filesystem read-write.
BindWritable
// BindDevice allows access to devices (special files) on this filesystem.
BindDevice
// BindEnsure attempts to create the host path if it does not exist.
BindEnsure
)
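Review bot: The four Bind constants are untyped ints, and the same package is already used for the seccomp preset bits (`bits.PresetStrict` appears next to `bits.BindDevice` in init_test.go), so nothing in the type system stops a caller from putting one family into the other's field once these are referable without importing container. Assuming PresetStrict is likewise an untyped constant, a named type would close that gap, e.g. `type BindFlag int` with `BindOptional BindFlag = 1 << iota`, together with `Flags BindFlag` on BindMountOp and the call sites shown in this commit. Independently of that, the doc comments only describe the positive case; bind.go shows the default-deny semantics, so `BindWritable` could read "mounts filesystem read-write; without it the mount is MS_RDONLY" and `BindDevice` "allows access to devices (special files); without it the mount is MS_NODEV".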


@@ -350,7 +350,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(nil, nil, BindDevice),
Ops: new(Ops).Bind(nil, nil, bits.BindDevice),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -388,7 +388,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -427,7 +427,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -466,7 +466,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -506,7 +506,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -547,7 +547,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -589,7 +589,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -632,7 +632,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -676,7 +676,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -721,7 +721,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -767,7 +767,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -822,7 +822,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -877,7 +877,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -933,7 +933,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -990,7 +990,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -1049,7 +1049,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -1109,7 +1109,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -1170,7 +1170,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -1232,7 +1232,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -1295,7 +1295,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -1359,7 +1359,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -1424,7 +1424,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -1490,7 +1490,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -1564,7 +1564,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -1671,7 +1671,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -1779,7 +1779,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,
@@ -1889,7 +1889,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 24,
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
@@ -2003,7 +2003,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 24,
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
@@ -2103,7 +2103,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 24,
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
@@ -2194,7 +2194,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 24,
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
@@ -2287,7 +2287,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 24,
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
@@ -2387,7 +2387,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 24,
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
@@ -2523,7 +2523,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), BindDevice).Proc(check.MustAbs("/proc/")),
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompPresets: bits.PresetStrict,
RetainSession: true,


@@ -6,6 +6,7 @@ import (
"os"
"syscall"
"hakurei.app/container/bits"
"hakurei.app/container/check"
)
@@ -25,32 +26,21 @@ type BindMountOp struct {
Flags int
}
const (
// BindOptional skips nonexistent host paths.
BindOptional = 1 << iota
// BindWritable mounts filesystem read-write.
BindWritable
// BindDevice allows access to devices (special files) on this filesystem.
BindDevice
// BindEnsure attempts to create the host path if it does not exist.
BindEnsure
)
func (b *BindMountOp) Valid() bool {
return b != nil &&
b.Source != nil && b.Target != nil &&
b.Flags&(BindOptional|BindEnsure) != (BindOptional|BindEnsure)
b.Flags&(bits.BindOptional|bits.BindEnsure) != (bits.BindOptional|bits.BindEnsure)
}
func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {
if b.Flags&BindEnsure != 0 {
if b.Flags&bits.BindEnsure != 0 {
if err := k.mkdirAll(b.Source.String(), 0700); err != nil {
return err
}
}
if pathname, err := k.evalSymlinks(b.Source.String()); err != nil {
if os.IsNotExist(err) && b.Flags&BindOptional != 0 {
if os.IsNotExist(err) && b.Flags&bits.BindOptional != 0 {
// leave sourceFinal as nil
return nil
}
@@ -63,7 +53,7 @@ func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error {
func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
if b.sourceFinal == nil {
if b.Flags&BindOptional == 0 {
if b.Flags&bits.BindOptional == 0 {
// unreachable
return OpStateError("bind")
}
@@ -86,10 +76,10 @@ func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
}
var flags uintptr = syscall.MS_REC
if b.Flags&BindWritable == 0 {
if b.Flags&bits.BindWritable == 0 {
flags |= syscall.MS_RDONLY
}
if b.Flags&BindDevice == 0 {
if b.Flags&bits.BindDevice == 0 {
flags |= syscall.MS_NODEV
}
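Review bot: Valid still accepts any unknown bit in Flags; it only rejects the BindOptional|BindEnsure combination, so a value built from the wrong constant family in the shared bits package is not caught here, and apply then silently honours only the bits it tests for (BindWritable, BindDevice) while ignoring the rest. Since the commit's goal is to let callers construct these flags without importing container, this is the place to reject stray bits, e.g. extend the conjunction with `b.Flags&^(bits.BindOptional|bits.BindWritable|bits.BindDevice|bits.BindEnsure) == 0`, or expose a mask constant in bits so the check tracks future flags. The BindMountOp struct declaration starts before this hunk, so only its Flags field is visible.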


@@ -6,6 +6,7 @@ import (
"syscall"
"testing"
"hakurei.app/container/bits"
"hakurei.app/container/check"
"hakurei.app/container/stub"
)
@@ -22,7 +23,7 @@ func TestBindMountOp(t *testing.T) {
{"skip optional", new(Params), &BindMountOp{
Source: check.MustAbs("/bin/"),
Target: check.MustAbs("/bin/"),
Flags: BindOptional,
Flags: bits.BindOptional,
}, []stub.Call{
call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "", syscall.ENOENT),
}, nil, nil, nil},
@@ -30,7 +31,7 @@ func TestBindMountOp(t *testing.T) {
{"success optional", new(Params), &BindMountOp{
Source: check.MustAbs("/bin/"),
Target: check.MustAbs("/bin/"),
Flags: BindOptional,
Flags: bits.BindOptional,
}, []stub.Call{
call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
}, nil, []stub.Call{
@@ -43,7 +44,7 @@ func TestBindMountOp(t *testing.T) {
{"ensureFile device", new(Params), &BindMountOp{
Source: check.MustAbs("/dev/null"),
Target: check.MustAbs("/dev/null"),
Flags: BindWritable | BindDevice,
Flags: bits.BindWritable | bits.BindDevice,
}, []stub.Call{
call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
}, nil, []stub.Call{
@@ -54,7 +55,7 @@ func TestBindMountOp(t *testing.T) {
{"mkdirAll ensure", new(Params), &BindMountOp{
Source: check.MustAbs("/bin/"),
Target: check.MustAbs("/bin/"),
Flags: BindEnsure,
Flags: bits.BindEnsure,
}, []stub.Call{
call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, stub.UniqueError(4)),
}, stub.UniqueError(4), nil, nil},
@@ -62,7 +63,7 @@ func TestBindMountOp(t *testing.T) {
{"success ensure", new(Params), &BindMountOp{
Source: check.MustAbs("/bin/"),
Target: check.MustAbs("/usr/bin/"),
Flags: BindEnsure,
Flags: bits.BindEnsure,
}, []stub.Call{
call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, nil),
call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil),
@@ -76,7 +77,7 @@ func TestBindMountOp(t *testing.T) {
{"success device ro", new(Params), &BindMountOp{
Source: check.MustAbs("/dev/null"),
Target: check.MustAbs("/dev/null"),
Flags: BindDevice,
Flags: bits.BindDevice,
}, []stub.Call{
call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
}, nil, []stub.Call{
@@ -89,7 +90,7 @@ func TestBindMountOp(t *testing.T) {
{"success device", new(Params), &BindMountOp{
Source: check.MustAbs("/dev/null"),
Target: check.MustAbs("/dev/null"),
Flags: BindWritable | BindDevice,
Flags: bits.BindWritable | bits.BindDevice,
}, []stub.Call{
call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil),
}, nil, []stub.Call{
@@ -176,7 +177,7 @@ func TestBindMountOp(t *testing.T) {
{"zero", new(BindMountOp), false},
{"nil source", &BindMountOp{Target: check.MustAbs("/")}, false},
{"nil target", &BindMountOp{Source: check.MustAbs("/")}, false},
{"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: BindOptional | BindEnsure}, false},
{"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: bits.BindOptional | bits.BindEnsure}, false},
{"valid", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/")}, true},
})
@@ -211,7 +212,7 @@ func TestBindMountOp(t *testing.T) {
}, &BindMountOp{
Source: check.MustAbs("/etc/"),
Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"),
Flags: BindOptional,
Flags: bits.BindOptional,
}, false},
{"source differs", &BindMountOp{
@@ -250,7 +251,7 @@ func TestBindMountOp(t *testing.T) {
{"hostdev", &BindMountOp{
Source: check.MustAbs("/dev/"),
Target: check.MustAbs("/dev/"),
Flags: BindWritable | BindDevice,
Flags: bits.BindWritable | bits.BindDevice,
}, "mounting", `"/dev/" flags 0x6`},
})
}