treewide: rename to hakurei

Fortify makes little sense for a container tool.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-06-25 03:59:52 +09:00
parent 3992073212
commit 87e008d56d
137 changed files with 1044 additions and 1098 deletions


@@ -14,7 +14,7 @@ import (
"syscall"
"time"
"git.gensokyo.uk/security/fortify/sandbox/seccomp"
"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
)
type HardeningFlags uintptr


@@ -12,13 +12,13 @@ import (
"testing"
"time"
"git.gensokyo.uk/security/fortify/fst"
"git.gensokyo.uk/security/fortify/internal"
"git.gensokyo.uk/security/fortify/internal/fmsg"
"git.gensokyo.uk/security/fortify/ldd"
"git.gensokyo.uk/security/fortify/sandbox"
"git.gensokyo.uk/security/fortify/sandbox/seccomp"
"git.gensokyo.uk/security/fortify/sandbox/vfs"
"git.gensokyo.uk/security/hakurei/hst"
"git.gensokyo.uk/security/hakurei/internal"
"git.gensokyo.uk/security/hakurei/internal/hlog"
"git.gensokyo.uk/security/hakurei/ldd"
"git.gensokyo.uk/security/hakurei/sandbox"
"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
"git.gensokyo.uk/security/hakurei/sandbox/vfs"
)
const (
@@ -28,10 +28,10 @@ const (
func TestContainer(t *testing.T) {
{
oldVerbose := fmsg.Load()
oldVerbose := hlog.Load()
oldOutput := sandbox.GetOutput()
internal.InstallFmsg(true)
t.Cleanup(func() { fmsg.Store(oldVerbose) })
t.Cleanup(func() { hlog.Store(oldVerbose) })
t.Cleanup(func() { sandbox.SetOutput(oldOutput) })
}
@@ -47,9 +47,9 @@ func TestContainer(t *testing.T) {
new(sandbox.Ops), nil, "test-minimal"},
{"tmpfs", 0,
new(sandbox.Ops).
Tmpfs(fst.Tmp, 0, 0755),
Tmpfs(hst.Tmp, 0, 0755),
[]*vfs.MountInfoEntry{
e("/", fst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
e("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
}, "test-tmpfs"},
{"dev", sandbox.FAllowTTY, // go test output is not a tty
new(sandbox.Ops).
@@ -132,14 +132,14 @@ func TestContainer(t *testing.T) {
container.Stdin = want
if err := container.Start(); err != nil {
fmsg.PrintBaseError(err, "start:")
hlog.PrintBaseError(err, "start:")
t.Fatalf("cannot start container: %v", err)
} else if err = container.Serve(); err != nil {
fmsg.PrintBaseError(err, "serve:")
hlog.PrintBaseError(err, "serve:")
t.Errorf("cannot serve setup params: %v", err)
}
if err := container.Wait(); err != nil {
fmsg.PrintBaseError(err, "wait:")
hlog.PrintBaseError(err, "wait:")
t.Fatalf("wait: %v", err)
}
})
@@ -175,8 +175,8 @@ func TestHelperInit(t *testing.T) {
if len(os.Args) != 5 || os.Args[4] != "init" {
return
}
sandbox.SetOutput(fmsg.Output{})
sandbox.Init(fmsg.Prepare, internal.InstallFmsg)
sandbox.SetOutput(hlog.Output{})
sandbox.Init(hlog.Prepare, internal.InstallFmsg)
}
func TestHelperCheckContainer(t *testing.T) {
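Review bot: The rename is incomplete in this file: `internal.InstallFmsg(true)` in the setup block of TestContainer and `sandbox.Init(hlog.Prepare, internal.InstallFmsg)` in TestHelperInit keep the old fmsg name while every other fmsg reference in these hunks became hlog. If the helper was deliberately left as-is elsewhere in the commit, that is consistent, but a short comment at the first call, `// InstallFmsg predates the hlog rename; it installs the hlog verbose flag`, would stop the next reader from hunting for a package that no longer exists; otherwise it should be renamed together with the package. TestContainer starts inside the hunk and continues past it, and TestHelperInit's header is outside the hunk.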


@@ -4,7 +4,7 @@ import (
"os"
"testing"
"git.gensokyo.uk/security/fortify/sandbox"
"git.gensokyo.uk/security/hakurei/sandbox"
)
func TestExecutable(t *testing.T) {


@@ -13,7 +13,7 @@ import (
"syscall"
"time"
"git.gensokyo.uk/security/fortify/sandbox/seccomp"
"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
)
const (
@@ -24,7 +24,7 @@ const (
basePath = "/tmp"
// setup params file descriptor
setupEnv = "FORTIFY_SETUP"
setupEnv = "HAKUREI_SETUP"
)
type initParams struct {
@@ -56,7 +56,7 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
log.Fatal("invalid setup descriptor")
}
if errors.Is(err, ErrNotSet) {
log.Fatal("FORTIFY_SETUP not set")
log.Fatal("HAKUREI_SETUP not set")
}
log.Fatalf("cannot decode init setup payload: %v", err)


@@ -7,7 +7,7 @@ import (
"path/filepath"
"syscall"
"git.gensokyo.uk/security/fortify/sandbox/vfs"
"git.gensokyo.uk/security/hakurei/sandbox/vfs"
)
func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) error {


@@ -10,7 +10,7 @@ import (
"strings"
"syscall"
"git.gensokyo.uk/security/fortify/sandbox/vfs"
"git.gensokyo.uk/security/hakurei/sandbox/vfs"
)
const (


@@ -5,7 +5,7 @@ import (
"errors"
"syscall"
"git.gensokyo.uk/security/fortify/helper/proc"
"git.gensokyo.uk/security/hakurei/helper/proc"
)
const (


@@ -8,7 +8,7 @@ import (
"syscall"
"testing"
"git.gensokyo.uk/security/fortify/sandbox/seccomp"
"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
)
func TestExport(t *testing.T) {
@@ -72,7 +72,7 @@ func TestExport(t *testing.T) {
0x80, 0x8b, 0x1a, 0x6f, 0x84, 0xf3, 0x2b, 0xbd,
0xe1, 0xaa, 0x02, 0xae, 0x30, 0xee, 0xdc, 0xfa,
}, false},
{"fortify default", seccomp.FilterExt | seccomp.FilterDenyDevel, []byte{
{"hakurei default", seccomp.FilterExt | seccomp.FilterDenyDevel, []byte{
0xc6, 0x98, 0xb0, 0x81, 0xff, 0x95, 0x7a, 0xfe,
0x17, 0xa6, 0xd9, 0x43, 0x74, 0x53, 0x7d, 0x37,
0xf2, 0xa6, 0x3f, 0x6f, 0x9d, 0xd7, 0x5d, 0xa7,


@@ -22,8 +22,8 @@ func GetOutput() func(v ...any) {
}
}
//export f_println
func f_println(v *C.char) {
//export hakurei_println
func hakurei_println(v *C.char) {
if fp := printlnP.Load(); fp != nil {
(*fp)(C.GoString(v))
}


@@ -18,7 +18,7 @@
#error This package requires libseccomp >= v2.5.1
#endif
struct f_syscall_act {
struct hakurei_syscall_act {
int syscall;
int m_errno;
struct scmp_arg_cmp *arg;
@@ -28,8 +28,8 @@ struct f_syscall_act {
#define SECCOMP_RULESET_ADD(ruleset) \
do { \
if (opts & F_VERBOSE) \
f_println("adding seccomp ruleset \"" #ruleset "\""); \
if (opts & HAKUREI_VERBOSE) \
hakurei_println("adding seccomp ruleset \"" #ruleset "\""); \
for (int i = 0; i < LEN(ruleset); i++) { \
assert(ruleset[i].m_errno == EPERM || ruleset[i].m_errno == ENOSYS); \
\
@@ -50,18 +50,18 @@ struct f_syscall_act {
} \
} while (0)
int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
f_filter_opts opts) {
int32_t hakurei_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
hakurei_filter_opts opts) {
int32_t res = 0; /* refer to resPrefix for message */
int allow_multiarch = opts & F_MULTIARCH;
int allow_multiarch = opts & HAKUREI_MULTIARCH;
int allowed_personality = PER_LINUX;
if (opts & F_LINUX32)
if (opts & HAKUREI_LINUX32)
allowed_personality = PER_LINUX32;
/* flatpak commit 4c3bf179e2e4a2a298cd1db1d045adaf3f564532 */
struct f_syscall_act deny_common[] = {
struct hakurei_syscall_act deny_common[] = {
/* Block dmesg */
{SCMP_SYS(syslog), EPERM},
/* Useless old syscall */
@@ -84,8 +84,8 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
{SCMP_SYS(migrate_pages), EPERM},
};
/* fortify: project-specific extensions */
struct f_syscall_act deny_common_ext[] = {
/* hakurei: project-specific extensions */
struct hakurei_syscall_act deny_common_ext[] = {
/* system calls for changing the system clock */
{SCMP_SYS(adjtimex), EPERM},
{SCMP_SYS(clock_adjtime), EPERM},
@@ -109,7 +109,7 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
{SCMP_SYS(swapon), EPERM},
};
struct f_syscall_act deny_ns[] = {
struct hakurei_syscall_act deny_ns[] = {
/* Don't allow subnamespace setups: */
{SCMP_SYS(unshare), EPERM},
{SCMP_SYS(setns), EPERM},
@@ -149,8 +149,8 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
{SCMP_SYS(mount_setattr), ENOSYS},
};
/* fortify: project-specific extensions */
struct f_syscall_act deny_ns_ext[] = {
/* hakurei: project-specific extensions */
struct hakurei_syscall_act deny_ns_ext[] = {
/* changing file ownership */
{SCMP_SYS(chown), EPERM},
{SCMP_SYS(chown32), EPERM},
@@ -177,7 +177,7 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
{SCMP_SYS(setuid32), EPERM},
};
struct f_syscall_act deny_tty[] = {
struct hakurei_syscall_act deny_tty[] = {
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
{SCMP_SYS(ioctl), EPERM,
&SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)},
@@ -188,7 +188,7 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
&SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCLINUX)},
};
struct f_syscall_act deny_devel[] = {
struct hakurei_syscall_act deny_devel[] = {
/* Profiling operations; we expect these to be done by tools from outside
* the sandbox. In particular perf has been the source of many CVEs. */
{SCMP_SYS(perf_event_open), EPERM},
@@ -198,7 +198,7 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
{SCMP_SYS(ptrace), EPERM}};
struct f_syscall_act deny_emu[] = {
struct hakurei_syscall_act deny_emu[] = {
/* modify_ldt is a historic source of interesting information leaks,
* so it's disabled as a hardening measure.
* However, it is required to run old 16-bit applications
@@ -206,8 +206,8 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
{SCMP_SYS(modify_ldt), EPERM},
};
/* fortify: project-specific extensions */
struct f_syscall_act deny_emu_ext[] = {
/* hakurei: project-specific extensions */
struct hakurei_syscall_act deny_emu_ext[] = {
{SCMP_SYS(subpage_prot), ENOSYS},
{SCMP_SYS(switch_endian), ENOSYS},
{SCMP_SYS(vm86), ENOSYS},
@@ -217,7 +217,7 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
/* Blocklist all but unix, inet, inet6 and netlink */
struct {
int family;
f_filter_opts flags_mask;
hakurei_filter_opts flags_mask;
} socket_family_allowlist[] = {
/* NOTE: Keep in numerical order */
{AF_UNSPEC, 0},
@@ -225,8 +225,8 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
{AF_INET, 0},
{AF_INET6, 0},
{AF_NETLINK, 0},
{AF_CAN, F_CAN},
{AF_BLUETOOTH, F_BLUETOOTH},
{AF_CAN, HAKUREI_CAN},
{AF_BLUETOOTH, HAKUREI_BLUETOOTH},
};
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
@@ -260,17 +260,17 @@ int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
}
SECCOMP_RULESET_ADD(deny_common);
if (opts & F_DENY_NS)
if (opts & HAKUREI_DENY_NS)
SECCOMP_RULESET_ADD(deny_ns);
if (opts & F_DENY_TTY)
if (opts & HAKUREI_DENY_TTY)
SECCOMP_RULESET_ADD(deny_tty);
if (opts & F_DENY_DEVEL)
if (opts & HAKUREI_DENY_DEVEL)
SECCOMP_RULESET_ADD(deny_devel);
if (!allow_multiarch)
SECCOMP_RULESET_ADD(deny_emu);
if (opts & F_EXT) {
if (opts & HAKUREI_EXT) {
SECCOMP_RULESET_ADD(deny_common_ext);
if (opts & F_DENY_NS)
if (opts & HAKUREI_DENY_NS)
SECCOMP_RULESET_ADD(deny_ns_ext);
if (!allow_multiarch)
SECCOMP_RULESET_ADD(deny_emu_ext);


@@ -7,17 +7,17 @@
#endif
typedef enum {
F_VERBOSE = 1 << 0,
F_EXT = 1 << 1,
F_DENY_NS = 1 << 2,
F_DENY_TTY = 1 << 3,
F_DENY_DEVEL = 1 << 4,
F_MULTIARCH = 1 << 5,
F_LINUX32 = 1 << 6,
F_CAN = 1 << 7,
F_BLUETOOTH = 1 << 8,
} f_filter_opts;
HAKUREI_VERBOSE = 1 << 0,
HAKUREI_EXT = 1 << 1,
HAKUREI_DENY_NS = 1 << 2,
HAKUREI_DENY_TTY = 1 << 3,
HAKUREI_DENY_DEVEL = 1 << 4,
HAKUREI_MULTIARCH = 1 << 5,
HAKUREI_LINUX32 = 1 << 6,
HAKUREI_CAN = 1 << 7,
HAKUREI_BLUETOOTH = 1 << 8,
} hakurei_filter_opts;
extern void f_println(char *v);
int32_t f_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
f_filter_opts opts);
extern void hakurei_println(char *v);
int32_t hakurei_build_filter(int *ret_p, int fd, uint32_t arch, uint32_t multiarch,
hakurei_filter_opts opts);


@@ -57,26 +57,26 @@ var resPrefix = [...]string{
7: "seccomp_load failed",
}
type FilterOpts = C.f_filter_opts
type FilterOpts = C.hakurei_filter_opts
const (
filterVerbose FilterOpts = C.F_VERBOSE
filterVerbose FilterOpts = C.HAKUREI_VERBOSE
// FilterExt are project-specific extensions.
FilterExt FilterOpts = C.F_EXT
FilterExt FilterOpts = C.HAKUREI_EXT
// FilterDenyNS denies namespace setup syscalls.
FilterDenyNS FilterOpts = C.F_DENY_NS
FilterDenyNS FilterOpts = C.HAKUREI_DENY_NS
// FilterDenyTTY denies faking input.
FilterDenyTTY FilterOpts = C.F_DENY_TTY
FilterDenyTTY FilterOpts = C.HAKUREI_DENY_TTY
// FilterDenyDevel denies development-related syscalls.
FilterDenyDevel FilterOpts = C.F_DENY_DEVEL
FilterDenyDevel FilterOpts = C.HAKUREI_DENY_DEVEL
// FilterMultiarch allows multiarch/emulation.
FilterMultiarch FilterOpts = C.F_MULTIARCH
FilterMultiarch FilterOpts = C.HAKUREI_MULTIARCH
// FilterLinux32 sets PER_LINUX32.
FilterLinux32 FilterOpts = C.F_LINUX32
FilterLinux32 FilterOpts = C.HAKUREI_LINUX32
// FilterCan allows AF_CAN.
FilterCan FilterOpts = C.F_CAN
FilterCan FilterOpts = C.HAKUREI_CAN
// FilterBluetooth allows AF_BLUETOOTH.
FilterBluetooth FilterOpts = C.F_BLUETOOTH
FilterBluetooth FilterOpts = C.HAKUREI_BLUETOOTH
)
func buildFilter(fd int, opts FilterOpts) error {
@@ -98,13 +98,13 @@ func buildFilter(fd int, opts FilterOpts) error {
}
// this removes repeated transitions between C and Go execution
// when producing log output via F_println and CPrintln is nil
// when producing log output via hakurei_println and CPrintln is nil
if fp := printlnP.Load(); fp != nil {
opts |= filterVerbose
}
var ret C.int
res, err := C.f_build_filter(&ret, C.int(fd), arch, multiarch, opts)
res, err := C.hakurei_build_filter(&ret, C.int(fd), arch, multiarch, opts)
if prefix := resPrefix[res]; prefix != "" {
return &LibraryError{
prefix,


@@ -6,7 +6,7 @@ import (
"syscall"
"testing"
"git.gensokyo.uk/security/fortify/sandbox/seccomp"
"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
)
func TestLibraryError(t *testing.T) {


@@ -3,7 +3,7 @@ package vfs_test
import (
"testing"
"git.gensokyo.uk/security/fortify/sandbox/vfs"
"git.gensokyo.uk/security/hakurei/sandbox/vfs"
)
func TestUnmangle(t *testing.T) {


@@ -12,7 +12,7 @@ import (
"syscall"
"testing"
"git.gensokyo.uk/security/fortify/sandbox/vfs"
"git.gensokyo.uk/security/hakurei/sandbox/vfs"
)
func TestMountInfo(t *testing.T) {


@@ -8,7 +8,7 @@ import (
"syscall"
"testing"
"git.gensokyo.uk/security/fortify/sandbox/vfs"
"git.gensokyo.uk/security/hakurei/sandbox/vfs"
)
func TestUnfold(t *testing.T) {


@@ -28,7 +28,7 @@ static const struct wl_registry_listener registry_listener = {
.global_remove = registry_handle_global_remove,
};
int32_t f_bind_wayland_fd(char *socket_path, int fd, const char *app_id,
int32_t hakurei_bind_wayland_fd(char *socket_path, int fd, const char *app_id,
const char *instance_id, int sync_fd) {
int32_t res = 0; /* refer to resErr for corresponding Go error */
@@ -74,7 +74,7 @@ int32_t f_bind_wayland_fd(char *socket_path, int fd, const char *app_id,
security_context = wp_security_context_manager_v1_create_listener(
security_context_manager, listen_fd, sync_fd);
wp_security_context_v1_set_sandbox_engine(security_context,
"uk.gensokyo.fortify");
"uk.gensokyo.hakurei");
wp_security_context_v1_set_app_id(security_context, app_id);
wp_security_context_v1_set_instance_id(security_context, instance_id);
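Review bot: The argument to `wp_security_context_v1_set_sandbox_engine` changing from `"uk.gensokyo.fortify"` to `"uk.gensokyo.hakurei"` is not a pure identifier rename: the engine string is what the compositor receives and may use to select security-context policy, so any compositor-side rule or allowlist written against the old value will silently stop matching after this commit. That is worth stating in the commit message or a changelog entry rather than leaving it buried in a treewide rename, and a comment on the call, `/* engine ID visible to the compositor; changing it breaks rules keyed on the old value */`, would keep the next rename from repeating the surprise. hakurei_bind_wayland_fd begins in an earlier hunk and continues past this one.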


@@ -1,4 +1,4 @@
#include <stdint.h>
int32_t f_bind_wayland_fd(char *socket_path, int fd, const char *app_id,
int32_t hakurei_bind_wayland_fd(char *socket_path, int fd, const char *app_id,
const char *instance_id, int sync_fd);


@@ -29,7 +29,7 @@ func bindWaylandFd(socketPath string, fd uintptr, appID, instanceID string, sync
if hasNull(appID) || hasNull(instanceID) {
return ErrContainsNull
}
res := C.f_bind_wayland_fd(C.CString(socketPath), C.int(fd), C.CString(appID), C.CString(instanceID), C.int(syncFd))
res := C.hakurei_bind_wayland_fd(C.CString(socketPath), C.int(fd), C.CString(appID), C.CString(instanceID), C.int(syncFd))
return resErr[int32(res)]
}