security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases 6 Wiki Activity

hst/fsbind: optional autoetc behaviour
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 2m18s
Details
Test / Hpkg (push) Successful in 4m9s
Details
Test / Sandbox (race detector) (push) Successful in 4m31s
Details
Test / Hakurei (race detector) (push) Successful in 5m6s
Details
Test / Hakurei (push) Successful in 2m24s
Details
Test / Flake checks (push) Successful in 1m29s
Details

Browse Source 
This generalises the special field allowing any special behaviour to be matched from target.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-08-25 18:30:40 +09:00
parent 1438096339
commit 6d202d73b4
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
10 changed files with 107 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
cmd/hakurei/print_test.go
View File

@ -284,7 +284,7 @@ App
"dst": "/", "dst": "/",
"src": "/var/lib/hakurei/base/org.debian", "src": "/var/lib/hakurei/base/org.debian",
"write": true, "write": true,
"autoroot": true "special": true
}, },
{ {
"type": "ephemeral", "type": "ephemeral",
@ -438,7 +438,7 @@ App
"dst": "/", "dst": "/",
"src": "/var/lib/hakurei/base/org.debian", "src": "/var/lib/hakurei/base/org.debian",
"write": true, "write": true,
"autoroot": true "special": true
}, },
{ {
"type": "ephemeral", "type": "ephemeral",
@ -646,7 +646,7 @@ func Test_printPs(t *testing.T) {
"dst": "/", "dst": "/",
"src": "/var/lib/hakurei/base/org.debian", "src": "/var/lib/hakurei/base/org.debian",
"write": true, "write": true,
"autoroot": true "special": true
}, },
{ {
"type": "ephemeral", "type": "ephemeral",

10
hst/fs.go
View File

@ -18,11 +18,19 @@ type FilesystemConfig interface {
// Host returns a slice of all host paths used by this operation. // Host returns a slice of all host paths used by this operation.
Host() []*container.Absolute Host() []*container.Absolute
// Apply appends the [container.Op] implementing this operation. // Apply appends the [container.Op] implementing this operation.
Apply(ops *container.Ops) Apply(z *ApplyState)
fmt.Stringer fmt.Stringer
} }
// ApplyState holds the address of [container.Ops] and any relevant application state.
type ApplyState struct {
// AutoEtcPrefix is the prefix for [container.AutoEtcOp].
AutoEtcPrefix string
*container.Ops
}
var ( var (
ErrFSNull = errors.New("unexpected null in mount point") ErrFSNull = errors.New("unexpected null in mount point")
) )

4
hst/fs_test.go
View File

@ -209,7 +209,7 @@ type stubFS struct {
func (s stubFS) Valid() bool { return false } func (s stubFS) Valid() bool { return false }
func (s stubFS) Path() *container.Absolute { panic("unreachable") } func (s stubFS) Path() *container.Absolute { panic("unreachable") }
func (s stubFS) Host() []*container.Absolute { panic("unreachable") } func (s stubFS) Host() []*container.Absolute { panic("unreachable") }
func (s stubFS) Apply(*container.Ops) { panic("unreachable") } func (s stubFS) Apply(*hst.ApplyState) { panic("unreachable") }
func (s stubFS) String() string { return "<invalid " + s.typeName + ">" } func (s stubFS) String() string { return "<invalid " + s.typeName + ">" }
type sCheck struct { type sCheck struct {
@ -238,7 +238,7 @@ func checkFs(t *testing.T, testCases []fsTestCase) {
t.Run("ops", func(t *testing.T) { t.Run("ops", func(t *testing.T) {
ops := new(container.Ops) ops := new(container.Ops)
tc.fs.Apply(ops) tc.fs.Apply(&hst.ApplyState{AutoEtcPrefix: ":3", Ops: ops})
if !reflect.DeepEqual(ops, &tc.ops) { if !reflect.DeepEqual(ops, &tc.ops) {
gotString := new(strings.Builder) gotString := new(strings.Builder)
for _, op := range *ops { for _, op := range *ops {

68
hst/fsbind.go
View File

@ -25,17 +25,38 @@ type FSBind struct {
// skip this mount point if the host path does not exist // skip this mount point if the host path does not exist
Optional bool `json:"optional,omitempty"` Optional bool `json:"optional,omitempty"`
// enable autoroot behaviour; // enable special behaviour:
// this requires Target to be [container.AbsFHSRoot]. // for autoroot, Target must be set to [container.AbsFHSRoot];
AutoRoot bool `json:"autoroot,omitempty"` // for autoetc, Target must be set to [container.AbsFHSEtc]
Special bool `json:"special,omitempty"`
}
// IsAutoRoot returns whether this FSBind has autoroot behaviour enabled.
func (b *FSBind) IsAutoRoot() bool {
return b.Valid() && b.Special && b.Target.String() == container.FHSRoot
}
// IsAutoEtc returns whether this FSBind has autoetc behaviour enabled.
func (b *FSBind) IsAutoEtc() bool {
return b.Valid() && b.Special && b.Target.String() == container.FHSEtc
} }
func (b *FSBind) Valid() bool { func (b *FSBind) Valid() bool {
if b == nil || b.Source == nil { if b == nil || b.Source == nil {
return false return false
} }
if b.AutoRoot && (b.Target == nil || b.Target.String() != container.FHSRoot) { if b.Special {
return false if b.Target == nil {
return false
} else {
switch b.Target.String() {
case container.FHSRoot, container.FHSEtc:
break
default:
return false
}
}
} }
return true return true
} }
@ -57,7 +78,7 @@ func (b *FSBind) Host() []*container.Absolute {
return []*container.Absolute{b.Source} return []*container.Absolute{b.Source}
} }
func (b *FSBind) Apply(ops *container.Ops) { func (b *FSBind) Apply(z *ApplyState) {
if !b.Valid() { if !b.Valid() {
return return
} }
@ -77,10 +98,15 @@ func (b *FSBind) Apply(ops *container.Ops) {
flags |= container.BindOptional flags |= container.BindOptional
} }
if !b.AutoRoot { switch {
ops.Bind(b.Source, target, flags) case b.IsAutoRoot():
} else { z.Root(b.Source, flags)
ops.Root(b.Source, flags)
case b.IsAutoEtc():
z.Etc(b.Source, z.AutoEtcPrefix)
default:
z.Bind(b.Source, target, flags)
} }
} }
@ -96,15 +122,21 @@ func (b *FSBind) String() string {
flagSym = "w" flagSym = "w"
} }
if b.AutoRoot { if b.Special {
prefix := "autoroot" switch {
if flagSym != "" { case b.IsAutoRoot():
prefix += ":" + flagSym prefix := "autoroot"
if flagSym != "" {
prefix += ":" + flagSym
}
if b.Source.String() != container.FHSRoot {
return prefix + ":" + b.Source.String()
}
return prefix
case b.IsAutoEtc():
return "autoetc:" + b.Source.String()
} }
if b.Source.String() != container.FHSRoot {
return prefix + ":" + b.Source.String()
}
return prefix
} }
g := 4 + len(b.Source.String()) g := 4 + len(b.Source.String())

40
hst/fsbind_test.go
View File

@ -63,35 +63,45 @@ func TestFSBind(t *testing.T) {
}}, m("/"), ms("/"), }}, m("/"), ms("/"),
"*/"}, "*/"},
{"autoroot nil target", &hst.FSBind{ {"special nil target", &hst.FSBind{
Source: m("/"), Source: m("/"),
AutoRoot: true, Special: true,
}, false, nil, nil, nil, "<invalid>"}, }, false, nil, nil, nil, "<invalid>"},
{"autoroot bad target", &hst.FSBind{ {"special bad target", &hst.FSBind{
Source: m("/"), Source: m("/"),
Target: m("/etc/"), Target: m("/var/"),
AutoRoot: true, Special: true,
}, false, nil, nil, nil, "<invalid>"}, }, false, nil, nil, nil, "<invalid>"},
{"autoroot pd", &hst.FSBind{ {"autoroot pd", &hst.FSBind{
Target: m("/"), Target: m("/"),
Source: m("/"), Source: m("/"),
Write: true, Write: true,
AutoRoot: true, Special: true,
}, true, container.Ops{&container.AutoRootOp{ }, true, container.Ops{&container.AutoRootOp{
Host: m("/"), Host: m("/"),
Flags: container.BindWritable, Flags: container.BindWritable,
}}, m("/"), ms("/"), "autoroot:w"}, }}, m("/"), ms("/"), "autoroot:w"},
{"autoroot silly", &hst.FSBind{ {"autoroot silly", &hst.FSBind{
Target: m("/"), Target: m("/"),
Source: m("/etc"), Source: m("/etc"),
Write: true, Write: true,
AutoRoot: true, Special: true,
}, true, container.Ops{&container.AutoRootOp{ }, true, container.Ops{&container.AutoRootOp{
Host: m("/etc"), Host: m("/etc"),
Flags: container.BindWritable, Flags: container.BindWritable,
}}, m("/"), ms("/etc"), "autoroot:w:/etc"}, }}, m("/"), ms("/etc"), "autoroot:w:/etc"},
{"autoetc", &hst.FSBind{
Target: m("/etc/"),
Source: m("/etc/"),
Special: true,
}, true, container.Ops{
&container.MkdirOp{Path: m("/etc/"), Perm: 0755},
&container.BindMountOp{Source: m("/etc/"), Target: m("/etc/.host/:3")},
&container.AutoEtcOp{Prefix: ":3"},
}, m("/etc/"), ms("/etc/"), "autoetc:/etc/"},
}) })
} }

6
hst/fsephemeral.go
View File

@ -38,7 +38,7 @@ func (e *FSEphemeral) Host() []*container.Absolute { return nil }
const fsEphemeralDefaultPerm = os.FileMode(0755) const fsEphemeralDefaultPerm = os.FileMode(0755)
func (e *FSEphemeral) Apply(ops *container.Ops) { func (e *FSEphemeral) Apply(z *ApplyState) {
if !e.Valid() { if !e.Valid() {
return return
} }
@ -54,9 +54,9 @@ func (e *FSEphemeral) Apply(ops *container.Ops) {
} }
if e.Write { if e.Write {
ops.Tmpfs(e.Target, size, perm) z.Tmpfs(e.Target, size, perm)
} else { } else {
ops.Readonly(e.Target, perm) z.Readonly(e.Target, perm)
} }
} }

6
hst/fsoverlay.go
View File

@ -62,15 +62,15 @@ func (o *FSOverlay) Host() []*container.Absolute {
return p return p
} }
func (o *FSOverlay) Apply(op *container.Ops) { func (o *FSOverlay) Apply(z *ApplyState) {
if !o.Valid() { if !o.Valid() {
return return
} }
if o.Upper != nil && o.Work != nil { // rw if o.Upper != nil && o.Work != nil { // rw
op.Overlay(o.Target, o.Upper, o.Work, o.Lower...) z.Overlay(o.Target, o.Upper, o.Work, o.Lower...)
} else { // ro } else { // ro
op.OverlayReadonly(o.Target, o.Lower...) z.OverlayReadonly(o.Target, o.Lower...)
} }
} }

2
hst/hst_test.go
View File

@ -107,7 +107,7 @@ func TestTemplate(t *testing.T) {
"dst": "/", "dst": "/",
"src": "/var/lib/hakurei/base/org.debian", "src": "/var/lib/hakurei/base/org.debian",
"write": true, "write": true,
"autoroot": true "special": true
}, },
{ {
"type": "ephemeral", "type": "ephemeral",

10
internal/app/container_linux.go
View File

@ -40,9 +40,13 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
ForwardCancel: s.WaitDelay >= 0, ForwardCancel: s.WaitDelay >= 0,
} }
as := &hst.ApplyState{
AutoEtcPrefix: prefix,
}
{ {
ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)) ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link))
params.Ops = &ops params.Ops = &ops
as.Ops = &ops
} }
if s.Multiarch { if s.Multiarch {
@ -81,10 +85,10 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
// if the first element targets /, it is inserted early and excluded from path hiding // if the first element targets /, it is inserted early and excluded from path hiding
rootfs := filesystem[0].FilesystemConfig rootfs := filesystem[0].FilesystemConfig
filesystem = filesystem[1:] filesystem = filesystem[1:]
rootfs.Apply(params.Ops) rootfs.Apply(as)
// autoroot requires special handling during path hiding // autoroot requires special handling during path hiding
if b, ok := rootfs.(*hst.FSBind); ok && b.Valid() && b.AutoRoot { if b, ok := rootfs.(*hst.FSBind); ok && b.IsAutoRoot() {
autoroot = b autoroot = b
} }
} }
@ -143,7 +147,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
if !c.Valid() { if !c.Valid() {
return nil, nil, fmt.Errorf("invalid filesystem at index %d", i) return nil, nil, fmt.Errorf("invalid filesystem at index %d", i)
} }
c.Apply(params.Ops) c.Apply(as)
// fs counter // fs counter
hidePathSourceCount += len(c.Host()) hidePathSourceCount += len(c.Host())

8
internal/app/seal_linux.go
View File

@ -246,10 +246,10 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
Filesystem: []hst.FilesystemConfigJSON{ Filesystem: []hst.FilesystemConfigJSON{
{&hst.FSBind{ {&hst.FSBind{
Target: container.AbsFHSRoot, Target: container.AbsFHSRoot,
Source: container.AbsFHSRoot, Source: container.AbsFHSRoot,
Write: true, Write: true,
AutoRoot: true, Special: true,
}}, }},
}, },
} }