security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

internal/app: apply pd behaviour to outcomeState
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 2m6s
Details
Test / Hakurei (push) Successful in 3m8s
Details
Test / Hpkg (push) Successful in 4m1s
Details
Test / Sandbox (race detector) (push) Successful in 4m29s
Details
Test / Hakurei (race detector) (push) Successful in 2m56s
Details
Test / Flake checks (push) Successful in 1m34s
Details

Browse Source 
This avoids needlessly clobbering hst.Config.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-10-05 03:31:43 +09:00
parent 8ace214832
commit 92b83bd599
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
2 changed files with 17 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
internal/app/finalise.go
View File

@ -102,14 +102,22 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID,
} }
} }
s := outcomeState{
ID: id,
Identity: config.Identity,
UserID: (&Hsu{k: k}).MustIDMsg(msg),
EnvPaths: copyPaths(k.syscallDispatcher),
Container: config.Container,
}
// permissive defaults // permissive defaults
if config.Container == nil { if s.Container == nil {
msg.Verbose("container configuration not supplied, PROCEED WITH CAUTION") msg.Verbose("container configuration not supplied, PROCEED WITH CAUTION")
if config.Shell == nil { if config.Shell == nil {
config.Shell = container.AbsFHSRoot.Append("bin", "sh") config.Shell = container.AbsFHSRoot.Append("bin", "sh")
s, _ := k.lookupEnv("SHELL") shell, _ := k.lookupEnv("SHELL")
if a, err := container.NewAbs(s); err == nil { if a, err := container.NewAbs(shell); err == nil {
config.Shell = a config.Shell = a
} }
} }
@ -166,7 +174,7 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID,
}}, }},
) )
config.Container = conf s.Container = conf
} }
// late nil checks for pd behaviour // late nil checks for pd behaviour
@ -179,23 +187,14 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID,
// enforce bounds and default early // enforce bounds and default early
kp.waitDelay = shimWaitTimeout kp.waitDelay = shimWaitTimeout
if config.Container.WaitDelay <= 0 { if s.Container.WaitDelay <= 0 {
kp.waitDelay += DefaultShimWaitDelay kp.waitDelay += DefaultShimWaitDelay
} else if config.Container.WaitDelay > MaxShimWaitDelay { } else if s.Container.WaitDelay > MaxShimWaitDelay {
kp.waitDelay += MaxShimWaitDelay kp.waitDelay += MaxShimWaitDelay
} else { } else {
kp.waitDelay += config.Container.WaitDelay kp.waitDelay += s.Container.WaitDelay
} }
s := outcomeState{
ID: id,
Identity: config.Identity,
UserID: (&Hsu{k: k}).MustIDMsg(msg),
EnvPaths: copyPaths(k.syscallDispatcher),
// TODO(ophestra): apply pd behaviour here instead of clobbering hst.Config
Container: config.Container,
}
if s.Container.MapRealUID { if s.Container.MapRealUID {
s.Mapuid, s.Mapgid = k.getuid(), k.getgid() s.Mapuid, s.Mapgid = k.getuid(), k.getgid()
} else { } else {

4
internal/app/spx11.go
View File

@ -20,7 +20,7 @@ type spX11Op struct {
Display string Display string
} }
func (s *spX11Op) toSystem(state *outcomeStateSys, config *hst.Config) error { func (s *spX11Op) toSystem(state *outcomeStateSys, _ *hst.Config) error {
if d, ok := state.k.lookupEnv("DISPLAY"); !ok { if d, ok := state.k.lookupEnv("DISPLAY"); !ok {
return newWithMessage("DISPLAY is not set") return newWithMessage("DISPLAY is not set")
} else { } else {
@ -46,7 +46,7 @@ func (s *spX11Op) toSystem(state *outcomeStateSys, config *hst.Config) error {
} }
} else { } else {
state.sys.UpdatePermType(hst.EX11, socketPath, acl.Read, acl.Write, acl.Execute) state.sys.UpdatePermType(hst.EX11, socketPath, acl.Read, acl.Write, acl.Execute)
if !config.Container.HostAbstract { if !state.Container.HostAbstract {
s.Display = "unix:" + socketPath.String() s.Display = "unix:" + socketPath.String()
} }
} }