security/hakurei
6
3
Fork 1
Code Issues 11 Pull Requests 2 Actions 2 Packages Projects Releases 14 Wiki Activity

hst: expose scheduling priority
All checks were successful
Test / ShareFS (push) Successful in 43s
Details
Test / Hakurei (push) Successful in 53s
Details
Test / Sandbox (push) Successful in 49s
Details
Test / Sandbox (race detector) (push) Successful in 48s
Details
Test / Hakurei (race detector) (push) Successful in 53s
Details
Test / Create distribution (push) Successful in 35s
Details
Test / Flake checks (push) Successful in 1m18s
Details

Browse Source 
This is useful when limits are configured to allow it.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2026-03-12 01:20:08 +09:00
parent 196b200d0f
commit 620062cca9
8 changed files with 39 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
cmd/hakurei/command.go
View File

@@ -16,6 +16,7 @@ import (
"hakurei.app/command" "hakurei.app/command"
"hakurei.app/container/check" "hakurei.app/container/check"
"hakurei.app/container/fhs" "hakurei.app/container/fhs"
"hakurei.app/container/std"
"hakurei.app/hst" "hakurei.app/hst"
"hakurei.app/internal/dbus" "hakurei.app/internal/dbus"
"hakurei.app/internal/env" "hakurei.app/internal/env"
@@ -88,7 +89,9 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
flagGroups command.RepeatableFlag flagGroups command.RepeatableFlag
flagHomeDir string flagHomeDir string
flagUserName string flagUserName string
flagSched string
flagSchedPolicy string
flagSchedPriority int
flagPrivateRuntime, flagPrivateTmpdir bool flagPrivateRuntime, flagPrivateTmpdir bool
@@ -178,9 +181,12 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
}, },
} }
if err := config.SchedPolicy.UnmarshalText([]byte(flagSched)); err != nil { if err := config.SchedPolicy.UnmarshalText(
[]byte(flagSchedPolicy),
); err != nil {
log.Fatal(err) log.Fatal(err)
} }
config.SchedPriority = std.Int(flagSchedPriority)
// bind GPU stuff // bind GPU stuff
if et&(hst.EX11|hst.EWayland) != 0 { if et&(hst.EX11|hst.EWayland) != 0 {
@@ -292,8 +298,10 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
"Container home directory"). "Container home directory").
Flag(&flagUserName, "u", command.StringFlag("chronos"), Flag(&flagUserName, "u", command.StringFlag("chronos"),
"Passwd user name within sandbox"). "Passwd user name within sandbox").
Flag(&flagSched, "sched", command.StringFlag(""), Flag(&flagSchedPolicy, "policy", command.StringFlag(""),
"Scheduling policy to set for the container"). "Scheduling policy to set for the container").
Flag(&flagSchedPriority, "priority", command.IntFlag(0),
"Scheduling priority to set for the container").
Flag(&flagPrivateRuntime, "private-runtime", command.BoolFlag(false), Flag(&flagPrivateRuntime, "private-runtime", command.BoolFlag(false),
"Do not share XDG_RUNTIME_DIR between containers under the same identity"). "Do not share XDG_RUNTIME_DIR between containers under the same identity").
Flag(&flagPrivateTmpdir, "private-tmpdir", command.BoolFlag(false), Flag(&flagPrivateTmpdir, "private-tmpdir", command.BoolFlag(false),

8
cmd/hakurei/command_test.go
View File

@@ -36,7 +36,7 @@ Commands:
}, },
{ {
"run", []string{"run", "-h"}, ` "run", []string{"run", "-h"}, `
Usage: hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--sched <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS] Usage: hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--policy <value>] [--priority <int>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
Flags: Flags:
-X Enable direct connection to X11 -X Enable direct connection to X11
@@ -60,14 +60,16 @@ Flags:
Allow owning MPRIS D-Bus path, has no effect if custom config is available Allow owning MPRIS D-Bus path, has no effect if custom config is available
-pipewire -pipewire
Enable connection to PipeWire via SecurityContext Enable connection to PipeWire via SecurityContext
-policy string
Scheduling policy to set for the container
-priority int
Scheduling priority to set for the container
-private-runtime -private-runtime
Do not share XDG_RUNTIME_DIR between containers under the same identity Do not share XDG_RUNTIME_DIR between containers under the same identity
-private-tmpdir -private-tmpdir
Do not share TMPDIR between containers under the same identity Do not share TMPDIR between containers under the same identity
-pulse -pulse
Enable PulseAudio compatibility daemon Enable PulseAudio compatibility daemon
-sched string
Scheduling policy to set for the container
-u string -u string
Passwd user name within sandbox (default "chronos") Passwd user name within sandbox (default "chronos")
-wayland -wayland

10
hst/config.go
View File

@@ -104,9 +104,15 @@ type Config struct {
// Init user namespace supplementary groups inherited by all container processes. // Init user namespace supplementary groups inherited by all container processes.
Groups []string `json:"groups"` Groups []string `json:"groups"`
// Scheduling policy to set for the container. The zero value retains the // Scheduling policy to set for the container.
// current scheduling policy. //
// The zero value retains the current scheduling policy.
SchedPolicy std.SchedPolicy `json:"sched_policy,omitempty"` SchedPolicy std.SchedPolicy `json:"sched_policy,omitempty"`
// Scheduling priority to set for the container.
//
// The zero value implies the minimum priority of the current SchedPolicy.
// Has no effect if SchedPolicy is zero.
SchedPriority std.Int `json:"sched_priority,omitempty"`
// High level configuration applied to the underlying [container]. // High level configuration applied to the underlying [container].
Container *ContainerConfig `json:"container"` Container *ContainerConfig `json:"container"`

3
internal/outcome/outcome.go
View File

@@ -100,7 +100,8 @@ func newOutcomeState(k syscallDispatcher, msg message.Msg, id *hst.ID, config *h
PrivPID: k.getpid(), PrivPID: k.getpid(),
Verbose: msg.IsVerbose(), Verbose: msg.IsVerbose(),
SchedPolicy: config.SchedPolicy, SchedPolicy: config.SchedPolicy,
SchedPriority: config.SchedPriority,
}, },
ID: id, ID: id,

3
internal/outcome/shim.go
View File

@@ -75,6 +75,8 @@ type shimParams struct {
// Copied from [hst.Config]. // Copied from [hst.Config].
SchedPolicy std.SchedPolicy SchedPolicy std.SchedPolicy
// Copied from [hst.Config].
SchedPriority std.Int
// Outcome setup ops, contains setup state. Populated by outcome.finalise. // Outcome setup ops, contains setup state. Populated by outcome.finalise.
Ops []outcomeOp Ops []outcomeOp
@@ -276,6 +278,7 @@ func shimEntrypoint(k syscallDispatcher) {
z := container.New(ctx, msg) z := container.New(ctx, msg)
z.SetScheduler = state.Shim.SchedPolicy > 0 z.SetScheduler = state.Shim.SchedPolicy > 0
z.SchedPolicy = state.Shim.SchedPolicy z.SchedPolicy = state.Shim.SchedPolicy
z.SchedPriority = state.Shim.SchedPriority
z.Params = *stateParams.params z.Params = *stateParams.params
z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr

1
nixos.nix
View File

@@ -140,6 +140,7 @@ in
inherit (dbusConfig) session_bus system_bus; inherit (dbusConfig) session_bus system_bus;
direct_wayland = app.insecureWayland; direct_wayland = app.insecureWayland;
sched_policy = app.schedPolicy; sched_policy = app.schedPolicy;
sched_priority = app.schedPriority;
container = { container = {
inherit (app) inherit (app)

7
options.nix
View File

@@ -253,6 +253,13 @@ in
The zero value retains the current scheduling policy. The zero value retains the current scheduling policy.
''; '';
}; };
schedPriority = mkOption {
type = nullOr (ints.between 1 99);
default = null;
description = ''
Scheduling priority to set for the container.
'';
};
nix = mkEnableOption "nix daemon access"; nix = mkEnableOption "nix daemon access";
mapRealUid = mkEnableOption "mapping to priv-user uid"; mapRealUid = mkEnableOption "mapping to priv-user uid";

4
test/test.py
View File

@@ -210,10 +210,10 @@ print(machine.succeed('grep "shim: got SIGCONT from unexpected process$" /tmp/sh
sched_unset = int(machine.succeed("sudo -u alice -i hakurei -v run cat /proc/self/sched | grep '^policy' | tr -d ' ' | cut -d ':' -f 2")) sched_unset = int(machine.succeed("sudo -u alice -i hakurei -v run cat /proc/self/sched | grep '^policy' | tr -d ' ' | cut -d ':' -f 2"))
if sched_unset != 0: if sched_unset != 0:
raise Exception(f"unexpected unset policy: {sched_unset}") raise Exception(f"unexpected unset policy: {sched_unset}")
sched_idle = int(machine.succeed("sudo -u alice -i hakurei -v run --sched=idle cat /proc/self/sched | grep '^policy' | tr -d ' ' | cut -d ':' -f 2")) sched_idle = int(machine.succeed("sudo -u alice -i hakurei -v run --policy=idle cat /proc/self/sched | grep '^policy' | tr -d ' ' | cut -d ':' -f 2"))
if sched_idle != 5: if sched_idle != 5:
raise Exception(f"unexpected idle policy: {sched_idle}") raise Exception(f"unexpected idle policy: {sched_idle}")
sched_rr = int(machine.succeed("sudo -u alice -i hakurei -v run --sched=rr cat /proc/self/sched | grep '^policy' | tr -d ' ' | cut -d ':' -f 2")) sched_rr = int(machine.succeed("sudo -u alice -i hakurei -v run --policy=rr cat /proc/self/sched | grep '^policy' | tr -d ' ' | cut -d ':' -f 2"))
if sched_rr != 2: if sched_rr != 2:
raise Exception(f"unexpected round-robin policy: {sched_idle}") raise Exception(f"unexpected round-robin policy: {sched_idle}")