security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

hst/container: additional shim exit codes
All checks were successful
Test / Create distribution (push) Successful in 57s
Details
Test / Sandbox (push) Successful in 4m26s
Details
Test / Sandbox (race detector) (push) Successful in 6m36s
Details
Test / Hakurei (push) Successful in 6m58s
Details
Test / Hakurei (race detector) (push) Successful in 8m54s
Details
Test / Hpkg (push) Successful in 9m13s
Details
Test / Flake checks (push) Successful in 3m13s
Details

Browse Source 
These are now considered stable, defined behaviour and can be used by external programs to determine shim outcome.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-10-15 22:09:33 +09:00
parent ae65491223
commit 5e0f15d76b
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
3 changed files with 19 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
hst/container.go
View File

@ -24,11 +24,18 @@ const (
IdentityMin = 0
// IdentityMax is the maximum value of [Config.Identity]. This is enforced by cmd/hsu.
IdentityMax = 9999
)
const (
// ShimExitFailure is returned if the container fails to start.
ShimExitFailure = iota + 1
// ShimExitCancel is returned if the container is terminated by a shim-directed signal which cancels its context.
ShimExitCancel
// ShimExitOrphan is returned when the shim is orphaned before priv side delivers a signal.
ShimExitOrphan
// ShimExitRequest is returned when the priv side process requests shim exit.
ShimExitRequest = 254
// ShimExitOrphan is returned when the shim is orphaned before priv side delivers a signal.
ShimExitOrphan = 3
)
const (

4
internal/app/outcome.go
View File

@ -14,6 +14,10 @@ import (
"hakurei.app/system/acl"
)
// envAllocSize is the initial size of the env map pre-allocated when the configured env map is nil.
// It should be large enough to fit all insertions by outcomeOp.toContainer.
const envAllocSize = 1 << 6
func newInt(v int) *stringPair[int] { return &stringPair[int]{v, strconv.Itoa(v)} }
// stringPair stores a value and its string representation.

15
internal/app/shim.go
View File

@ -23,14 +23,11 @@ import (
//#include "shim-signal.h"
import "C"
const (
// setup pipe fd for [container.Receive]
shimEnv = "HAKUREI_SHIM"
// only used for a nil configured env map
envAllocSize = 1 << 6
)
// shimEnv is the name of the environment variable storing decimal representation of
// setup pipe fd for [container.Receive].
const shimEnv = "HAKUREI_SHIM"
// shimParams is embedded in outcomeState and transmitted from priv side to shim.
type shimParams struct {
// Priv side pid, checked against ppid in signal handler for the syscall.SIGCONT hack.
PrivPID int
@ -172,7 +169,7 @@ func ShimMain() {
if err := z.Start(); err != nil {
printMessageError("cannot start container:", err)
os.Exit(1)
os.Exit(hst.ShimExitFailure)
}
if err := z.Serve(); err != nil {
printMessageError("cannot configure container:", err)
@ -189,7 +186,7 @@ func ShimMain() {
var exitError *exec.ExitError
if !errors.As(err, &exitError) {
if errors.Is(err, context.Canceled) {
os.Exit(2)
os.Exit(hst.ShimExitCancel)
}
log.Printf("wait: %v", err)
os.Exit(127)