security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

hst/container: optional runtime and tmpdir sharing
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Sandbox (push) Successful in 39s
Details
Test / Sandbox (race detector) (push) Successful in 39s
Details
Test / Hakurei (push) Successful in 42s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Hakurei (race detector) (push) Successful in 44s
Details
Test / Flake checks (push) Successful in 1m23s
Details

Browse Source 
Sharing and persisting these directories do not always make sense. Make it optional here.

Closes #16.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-10-19 03:53:20 +09:00
parent b5b30aea2e
commit 699c19e972
19 changed files with 106 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
cmd/hakurei/command.go
View File

@@ -81,6 +81,8 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
flagHomeDir string
flagUserName string
flagPrivateRuntime, flagPrivateTmpdir bool
flagWayland, flagX11, flagDBus, flagPulse bool
)
@@ -211,6 +213,13 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
}
}
if !flagPrivateRuntime {
config.Container.Flags |= hst.FShareRuntime
}
if !flagPrivateTmpdir {
config.Container.Flags |= hst.FShareTmpdir
}
// parse D-Bus config file from flags if applicable
if flagDBus {
if flagDBusConfigSession == "builtin" {
@@ -264,6 +273,10 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
"Container home directory").
Flag(&flagUserName, "u", command.StringFlag("chronos"),
"Passwd user name within sandbox").
Flag(&flagPrivateRuntime, "private-runtime", command.BoolFlag(false),
"Do not share XDG_RUNTIME_DIR between containers under the same identity").
Flag(&flagPrivateTmpdir, "private-tmpdir", command.BoolFlag(false),
"Do not share TMPDIR between containers under the same identity").
Flag(&flagWayland, "wayland", command.BoolFlag(false),
"Enable connection to Wayland via security-context-v1").
Flag(&flagX11, "X", command.BoolFlag(false),

6
cmd/hakurei/command_test.go
View File

@@ -36,7 +36,7 @@ Commands:
},
{
"run", []string{"run", "-h"}, `
Usage: hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--wayland] [-X] [--dbus] [--pulse] COMMAND [OPTIONS]
Usage: hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pulse] COMMAND [OPTIONS]
Flags:
-X Enable direct connection to X11
@@ -58,6 +58,10 @@ Flags:
Reverse-DNS style Application identifier, leave empty to inherit instance identifier
-mpris
Allow owning MPRIS D-Bus path, has no effect if custom config is available
-private-runtime
Do not share XDG_RUNTIME_DIR between containers under the same identity
-private-tmpdir
Do not share TMPDIR between containers under the same identity
-pulse
Enable direct connection to PulseAudio
-u string

12
cmd/hakurei/print_test.go
View File

@@ -332,7 +332,9 @@ App
"tty": true,
"multiarch": true,
"map_real_uid": true,
"device": true
"device": true,
"share_runtime": true,
"share_tmpdir": true
}
},
"time": "1970-01-01T00:00:00.000000009Z"
@@ -482,7 +484,9 @@ App
"tty": true,
"multiarch": true,
"map_real_uid": true,
"device": true
"device": true,
"share_runtime": true,
"share_tmpdir": true
}
}
`, true},
@@ -692,7 +696,9 @@ func TestPrintPs(t *testing.T) {
"tty": true,
"multiarch": true,
"map_real_uid": true,
"device": true
"device": true,
"share_runtime": true,
"share_tmpdir": true
}
},
"time": "1970-01-01T00:00:00.000000009Z"