diff --git a/cmd/hakurei/internal/app/instance/common/container.go b/cmd/hakurei/internal/app/instance/common/container.go
index d634238..e423e1c 100644
--- a/cmd/hakurei/internal/app/instance/common/container.go
+++ b/cmd/hakurei/internal/app/instance/common/container.go
@@ -8,10 +8,10 @@ import (
 	"path"
 	"syscall"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/dbus"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )
 
@@ -21,12 +21,12 @@ const preallocateOpsCount = 1 << 5
 
 // NewContainer initialises [sandbox.Params] via [hst.ContainerConfig].
 // Note that remaining container setup must be queued by the caller.
-func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox.Params, map[string]string, error) {
+func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*hakurei.Params, map[string]string, error) {
 	if s == nil {
 		return nil, nil, syscall.EBADE
 	}
 
-	container := &sandbox.Params{
+	container := &hakurei.Params{
 		Hostname: s.Hostname,
 		SeccompFlags: s.SeccompFlags,
 		SeccompPresets: s.SeccompPresets,
@@ -35,7 +35,7 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 	}
 
 	{
-		ops := make(sandbox.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
+		ops := make(hakurei.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
 		container.Ops = &ops
 	}
 
@@ -64,8 +64,8 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 		container.Gid = os.Getgid()
 		*gid = container.Gid
 	} else {
-		*uid = sandbox.OverflowUid()
-		*gid = sandbox.OverflowGid()
+		*uid = hakurei.OverflowUid()
+		*gid = hakurei.OverflowGid()
 	}
 
 	container.
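Review bot: The doc comment kept as context two lines above the changed signature still links `[sandbox.Params]`, while the return type it describes is now `*hakurei.Params`, so the doc link goes stale with this rename; change it to `// NewContainer initialises [hakurei.Params] via [hst.ContainerConfig].`. The moved package's own doc comments may carry the same stale reference, which this diff does not show. NewContainer's body continues past the hunks shown here.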
@@ -75,7 +75,7 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 	if !s.Device {
 		container.Dev("/dev").Mqueue("/dev/mqueue")
 	} else {
-		container.Bind("/dev", "/dev", sandbox.BindWritable|sandbox.BindDevice)
+		container.Bind("/dev", "/dev", hakurei.BindWritable|hakurei.BindDevice)
 	}
 
 	/* retrieve paths and hide them if they're made available in the sandbox;
@@ -154,13 +154,13 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 
 			var flags int
 			if c.Write {
-				flags |= sandbox.BindWritable
+				flags |= hakurei.BindWritable
 			}
 			if c.Device {
-				flags |= sandbox.BindDevice | sandbox.BindWritable
+				flags |= hakurei.BindDevice | hakurei.BindWritable
 			}
 			if !c.Must {
-				flags |= sandbox.BindOptional
+				flags |= hakurei.BindOptional
 			}
 			container.Bind(c.Src, dest, flags)
 		}
diff --git a/cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go b/cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go
index 6dd01e9..0b7243e 100644
--- a/cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go
+++ b/cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go
@@ -1,11 +1,11 @@
 package setuid_test
 
 import (
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/acl"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/dbus"
 	"git.gensokyo.uk/security/hakurei/hst"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 	"git.gensokyo.uk/security/hakurei/system"
 )
@@ -94,7 +94,7 @@ var testCasesNixos = []sealTestCase{
 				}).
 				UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
 				UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
-			&sandbox.Params{
+			&hakurei.Params{
 				Uid: 1971,
 				Gid: 100,
 				Dir: "/var/lib/persist/module/hakurei/0/1",
@@ -114,7 +114,7 @@ var testCasesNixos = []sealTestCase{
 					"XDG_SESSION_CLASS=user",
 					"XDG_SESSION_TYPE=tty",
 				},
-				Ops: new(sandbox.Ops).
+				Ops: new(hakurei.Ops).
 					Proc("/proc").
 					Tmpfs(hst.Tmp, 4096, 0755).
 					Dev("/dev").Mqueue("/dev/mqueue").
@@ -122,18 +122,18 @@ var testCasesNixos = []sealTestCase{
 					Bind("/usr/bin", "/usr/bin", 0).
 					Bind("/nix/store", "/nix/store", 0).
 					Bind("/run/current-system", "/run/current-system", 0).
-					Bind("/sys/block", "/sys/block", sandbox.BindOptional).
-					Bind("/sys/bus", "/sys/bus", sandbox.BindOptional).
-					Bind("/sys/class", "/sys/class", sandbox.BindOptional).
-					Bind("/sys/dev", "/sys/dev", sandbox.BindOptional).
-					Bind("/sys/devices", "/sys/devices", sandbox.BindOptional).
+					Bind("/sys/block", "/sys/block", hakurei.BindOptional).
+					Bind("/sys/bus", "/sys/bus", hakurei.BindOptional).
+					Bind("/sys/class", "/sys/class", hakurei.BindOptional).
+					Bind("/sys/dev", "/sys/dev", hakurei.BindOptional).
+					Bind("/sys/devices", "/sys/devices", hakurei.BindOptional).
 					Bind("/run/opengl-driver", "/run/opengl-driver", 0).
-					Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
+					Bind("/dev/dri", "/dev/dri", hakurei.BindDevice|hakurei.BindWritable|hakurei.BindOptional).
 					Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
 					Tmpfs("/run/user", 4096, 0755).
-					Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", sandbox.BindWritable).
-					Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", sandbox.BindWritable).
-					Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", sandbox.BindWritable).
+					Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", hakurei.BindWritable).
+					Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", hakurei.BindWritable).
+					Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", hakurei.BindWritable).
 					Place("/etc/passwd", []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
 					Place("/etc/group", []byte("hakurei:x:100:\n")).
 					Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0).
diff --git a/cmd/hakurei/internal/app/internal/setuid/app_pd_test.go b/cmd/hakurei/internal/app/internal/setuid/app_pd_test.go
index 49759aa..15fd3e5 100644
--- a/cmd/hakurei/internal/app/internal/setuid/app_pd_test.go
+++ b/cmd/hakurei/internal/app/internal/setuid/app_pd_test.go
@@ -3,11 +3,11 @@ package setuid_test
 import (
 	"os"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/acl"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/dbus"
 	"git.gensokyo.uk/security/hakurei/hst"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 	"git.gensokyo.uk/security/hakurei/system"
 )
@@ -28,7 +28,7 @@ var testCasesPd = []sealTestCase{
 				Ensure("/tmp/hakurei.1971/runtime/0", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/0", acl.Read, acl.Write, acl.Execute).
 				Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
 				Ensure("/tmp/hakurei.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
-			&sandbox.Params{
+			&hakurei.Params{
 				Dir: "/home/chronos",
 				Path: "/run/current-system/sw/bin/zsh",
 				Args: []string{"/run/current-system/sw/bin/zsh"},
@@ -41,30 +41,30 @@ var testCasesPd = []sealTestCase{
 					"XDG_SESSION_CLASS=user",
 					"XDG_SESSION_TYPE=tty",
 				},
-				Ops: new(sandbox.Ops).
+				Ops: new(hakurei.Ops).
 					Proc("/proc").
 					Tmpfs(hst.Tmp, 4096, 0755).
 					Dev("/dev").Mqueue("/dev/mqueue").
-					Bind("/bin", "/bin", sandbox.BindWritable).
-					Bind("/boot", "/boot", sandbox.BindWritable).
-					Bind("/home", "/home", sandbox.BindWritable).
-					Bind("/lib", "/lib", sandbox.BindWritable).
-					Bind("/lib64", "/lib64", sandbox.BindWritable).
-					Bind("/nix", "/nix", sandbox.BindWritable).
-					Bind("/root", "/root", sandbox.BindWritable).
-					Bind("/run", "/run", sandbox.BindWritable).
-					Bind("/srv", "/srv", sandbox.BindWritable).
-					Bind("/sys", "/sys", sandbox.BindWritable).
-					Bind("/usr", "/usr", sandbox.BindWritable).
-					Bind("/var", "/var", sandbox.BindWritable).
-					Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+					Bind("/bin", "/bin", hakurei.BindWritable).
+					Bind("/boot", "/boot", hakurei.BindWritable).
+					Bind("/home", "/home", hakurei.BindWritable).
+					Bind("/lib", "/lib", hakurei.BindWritable).
+					Bind("/lib64", "/lib64", hakurei.BindWritable).
+					Bind("/nix", "/nix", hakurei.BindWritable).
+					Bind("/root", "/root", hakurei.BindWritable).
+					Bind("/run", "/run", hakurei.BindWritable).
+					Bind("/srv", "/srv", hakurei.BindWritable).
+					Bind("/sys", "/sys", hakurei.BindWritable).
+					Bind("/usr", "/usr", hakurei.BindWritable).
+					Bind("/var", "/var", hakurei.BindWritable).
+					Bind("/dev/kvm", "/dev/kvm", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional).
 					Tmpfs("/run/user/1971", 8192, 0755).
 					Tmpfs("/run/dbus", 8192, 0755).
 					Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
 					Tmpfs("/run/user", 4096, 0755).
-					Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", sandbox.BindWritable).
-					Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
-					Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
+					Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", hakurei.BindWritable).
+					Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", hakurei.BindWritable).
+					Bind("/home/chronos", "/home/chronos", hakurei.BindWritable).
 					Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 					Place("/etc/group", []byte("hakurei:x:65534:\n")).
 					Tmpfs("/var/run/nscd", 8192, 0755),
@@ -166,7 +166,7 @@ var testCasesPd = []sealTestCase{
 				}).
 				UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
 				UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
-			&sandbox.Params{
+			&hakurei.Params{
 				Dir: "/home/chronos",
 				Path: "/run/current-system/sw/bin/zsh",
 				Args: []string{"zsh", "-c", "exec chromium "},
@@ -184,31 +184,31 @@ var testCasesPd = []sealTestCase{
 					"XDG_SESSION_CLASS=user",
 					"XDG_SESSION_TYPE=tty",
 				},
-				Ops: new(sandbox.Ops).
+				Ops: new(hakurei.Ops).
 					Proc("/proc").
 					Tmpfs(hst.Tmp, 4096, 0755).
 					Dev("/dev").Mqueue("/dev/mqueue").
-					Bind("/bin", "/bin", sandbox.BindWritable).
-					Bind("/boot", "/boot", sandbox.BindWritable).
-					Bind("/home", "/home", sandbox.BindWritable).
-					Bind("/lib", "/lib", sandbox.BindWritable).
-					Bind("/lib64", "/lib64", sandbox.BindWritable).
-					Bind("/nix", "/nix", sandbox.BindWritable).
-					Bind("/root", "/root", sandbox.BindWritable).
-					Bind("/run", "/run", sandbox.BindWritable).
-					Bind("/srv", "/srv", sandbox.BindWritable).
-					Bind("/sys", "/sys", sandbox.BindWritable).
-					Bind("/usr", "/usr", sandbox.BindWritable).
-					Bind("/var", "/var", sandbox.BindWritable).
-					Bind("/dev/dri", "/dev/dri", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
-					Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+					Bind("/bin", "/bin", hakurei.BindWritable).
+					Bind("/boot", "/boot", hakurei.BindWritable).
+					Bind("/home", "/home", hakurei.BindWritable).
+					Bind("/lib", "/lib", hakurei.BindWritable).
+					Bind("/lib64", "/lib64", hakurei.BindWritable).
+					Bind("/nix", "/nix", hakurei.BindWritable).
+					Bind("/root", "/root", hakurei.BindWritable).
+					Bind("/run", "/run", hakurei.BindWritable).
+					Bind("/srv", "/srv", hakurei.BindWritable).
+					Bind("/sys", "/sys", hakurei.BindWritable).
+					Bind("/usr", "/usr", hakurei.BindWritable).
+					Bind("/var", "/var", hakurei.BindWritable).
+					Bind("/dev/dri", "/dev/dri", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional).
+					Bind("/dev/kvm", "/dev/kvm", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional).
 					Tmpfs("/run/user/1971", 8192, 0755).
 					Tmpfs("/run/dbus", 8192, 0755).
 					Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
 					Tmpfs("/run/user", 4096, 0755).
-					Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", sandbox.BindWritable).
-					Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", sandbox.BindWritable).
-					Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
+					Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", hakurei.BindWritable).
+					Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", hakurei.BindWritable).
+					Bind("/home/chronos", "/home/chronos", hakurei.BindWritable).
 					Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 					Place("/etc/group", []byte("hakurei:x:65534:\n")).
 					Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0).
diff --git a/cmd/hakurei/internal/app/internal/setuid/app_test.go b/cmd/hakurei/internal/app/internal/setuid/app_test.go
index 072f4c1..18f5ec3 100644
--- a/cmd/hakurei/internal/app/internal/setuid/app_test.go
+++ b/cmd/hakurei/internal/app/internal/setuid/app_test.go
@@ -7,11 +7,11 @@ import (
 	"testing"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app/internal/setuid"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
@@ -21,7 +21,7 @@ type sealTestCase struct {
 	config *hst.Config
 	id app.ID
 	wantSys *system.I
-	wantContainer *sandbox.Params
+	wantContainer *hakurei.Params
 }
 
 func TestApp(t *testing.T) {
@@ -32,7 +32,7 @@ func TestApp(t *testing.T) {
 		a := setuid.NewWithID(tc.id, tc.os)
 		var (
 			gotSys *system.I
-			gotContainer *sandbox.Params
+			gotContainer *hakurei.Params
 		)
 		if !t.Run("seal", func(t *testing.T) {
 			if sa, err := a.Seal(tc.config); err != nil {
diff --git a/cmd/hakurei/internal/app/internal/setuid/export_test.go b/cmd/hakurei/internal/app/internal/setuid/export_test.go
index 2606fc7..66d16a1 100644
--- a/cmd/hakurei/internal/app/internal/setuid/export_test.go
+++ b/cmd/hakurei/internal/app/internal/setuid/export_test.go
@@ -1,9 +1,9 @@
 package setuid
 
 import (
+	"git.gensokyo.uk/security/hakurei"
 	. "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
@@ -14,7 +14,7 @@ func NewWithID(id ID, os sys.State) App {
 	return a
 }
 
-func AppIParams(a App, sa SealedApp) (*system.I, *sandbox.Params) {
+func AppIParams(a App, sa SealedApp) (*system.I, *hakurei.Params) {
 	v := a.(*app)
 	seal := sa.(*outcome)
 	if v.outcome != seal || v.id != seal.id {
diff --git a/cmd/hakurei/internal/app/internal/setuid/process.go b/cmd/hakurei/internal/app/internal/setuid/process.go
index c5597d1..50d1723 100644
--- a/cmd/hakurei/internal/app/internal/setuid/process.go
+++ b/cmd/hakurei/internal/app/internal/setuid/process.go
@@ -12,11 +12,11 @@ import (
 	"syscall"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	. "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/state"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
@@ -94,7 +94,7 @@ func (seal *outcome) Run(rs *RunState) error {
 	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGCONT) }
 
 	var e *gob.Encoder
-	if fd, encoder, err := sandbox.Setup(&cmd.ExtraFiles); err != nil {
+	if fd, encoder, err := hakurei.Setup(&cmd.ExtraFiles); err != nil {
 		return hlog.WrapErrSuffix(err,
 			"cannot create shim setup pipe:")
 	} else {
diff --git a/cmd/hakurei/internal/app/internal/setuid/seal.go b/cmd/hakurei/internal/app/internal/setuid/seal.go
index 2ec2610..3c50d58 100644
--- a/cmd/hakurei/internal/app/internal/setuid/seal.go
+++ b/cmd/hakurei/internal/app/internal/setuid/seal.go
@@ -16,6 +16,7 @@ import (
 	"sync/atomic"
 	"syscall"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/acl"
 	. "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app/instance/common"
@@ -24,7 +25,6 @@ import (
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/wl"
 	"git.gensokyo.uk/security/hakurei/system"
 )
@@ -80,7 +80,7 @@ type outcome struct {
 	sys *system.I
 	ctx context.Context
 
-	container *sandbox.Params
+	container *hakurei.Params
 	env map[string]string
 	sync *os.File
 
@@ -334,7 +334,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		seal.sys.Ensure(runtimeDirInst, 0700)
 		seal.sys.UpdatePermType(system.User, runtimeDirInst, acl.Read, acl.Write, acl.Execute)
 		seal.container.Tmpfs("/run/user", 1<<12, 0755)
-		seal.container.Bind(runtimeDirInst, innerRuntimeDir, sandbox.BindWritable)
+		seal.container.Bind(runtimeDirInst, innerRuntimeDir, hakurei.BindWritable)
 	}
 
 	{
@@ -345,7 +345,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		seal.sys.Ensure(tmpdirInst, 01700)
 		seal.sys.UpdatePermType(system.User, tmpdirInst, acl.Read, acl.Write, acl.Execute)
 		// mount inner /tmp from share so it shares persistence and storage behaviour of host /tmp
-		seal.container.Bind(tmpdirInst, "/tmp", sandbox.BindWritable)
+		seal.container.Bind(tmpdirInst, "/tmp", hakurei.BindWritable)
 	}
 
 	{
@@ -357,7 +357,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		if seal.user.username != "" {
 			username = seal.user.username
 		}
-		seal.container.Bind(seal.user.data, homeDir, sandbox.BindWritable)
+		seal.container.Bind(seal.user.data, homeDir, hakurei.BindWritable)
 		seal.container.Dir = homeDir
 		seal.env["HOME"] = homeDir
 		seal.env["USER"] = username
diff --git a/cmd/hakurei/internal/app/internal/setuid/shim.go b/cmd/hakurei/internal/app/internal/setuid/shim.go
index 1646cd5..19566be 100644
--- a/cmd/hakurei/internal/app/internal/setuid/shim.go
+++ b/cmd/hakurei/internal/app/internal/setuid/shim.go
@@ -10,9 +10,9 @@ import (
 	"syscall"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )
 
@@ -74,7 +74,7 @@ type shimParams struct {
 	Monitor int
 
 	// finalised container params
-	Container *sandbox.Params
+	Container *hakurei.Params
 	// path to outer home directory
 	Home string
 
@@ -86,7 +86,7 @@ type shimParams struct {
 func ShimMain() {
 	hlog.Prepare("shim")
 
-	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
+	if err := hakurei.SetDumpable(hakurei.SUID_DUMP_DISABLE); err != nil {
 		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
 	}
 
@@ -94,11 +94,11 @@ func ShimMain() {
 		params shimParams
 		closeSetup func() error
 	)
-	if f, err := sandbox.Receive(shimEnv, ¶ms, nil); err != nil {
-		if errors.Is(err, sandbox.ErrInvalid) {
+	if f, err := hakurei.Receive(shimEnv, ¶ms, nil); err != nil {
+		if errors.Is(err, hakurei.ErrInvalid) {
 			log.Fatal("invalid config descriptor")
 		}
-		if errors.Is(err, sandbox.ErrNotSet) {
+		if errors.Is(err, hakurei.ErrNotSet) {
 			log.Fatal("HAKUREI_SHIM not set")
 		}
 
@@ -149,7 +149,7 @@ func ShimMain() {
 	}
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	defer stop() // unreachable
-	container := sandbox.New(ctx, name)
+	container := hakurei.New(ctx, name)
 	container.Params = *params.Container
 	container.Stdin, container.Stdout, container.Stderr = os.Stdin, os.Stdout, os.Stderr
 	container.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) }
diff --git a/cmd/hakurei/main.go b/cmd/hakurei/main.go
index 4cfe7eb..ef6b3e5 100644
--- a/cmd/hakurei/main.go
+++ b/cmd/hakurei/main.go
@@ -9,10 +9,10 @@ import (
 	"log"
 	"os"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 
 var (
@@ -28,9 +28,9 @@ var std sys.State = new(sys.Std)
 
 func main() {
 	// early init path, skips root check and duplicate PR_SET_DUMPABLE
-	sandbox.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
+	hakurei.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
 
-	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
+	if err := hakurei.SetDumpable(hakurei.SUID_DUMP_DISABLE); err != nil {
 		log.Printf("cannot set SUID_DUMP_DISABLE: %s", err) // not fatal: this program runs as the privileged user
 	}
 
diff --git a/sandbox/container.go b/container.go
similarity index 97%
rename from sandbox/container.go
rename to container.go
index 88b0358..57e3c6f 100644
--- a/sandbox/container.go
+++ b/container.go
@@ -1,5 +1,5 @@
-// Package sandbox implements unprivileged Linux container with hardening options useful for creating application sandboxes.
-package sandbox
+// Package hakurei implements unprivileged Linux containers with built-in support for syscall filtering.
+package hakurei
 
 import (
 	"context"
diff --git a/sandbox/container_test.go b/container_test.go
similarity index 93%
rename from sandbox/container_test.go
rename to container_test.go
index 72c5069..aa1ed0a 100644
--- a/sandbox/container_test.go
+++ b/container_test.go
@@ -1,4 +1,4 @@
-package sandbox_test
+package hakurei_test
 
 import (
 	"bytes"
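Review bot: The new package comment on container.go describes the root package, but the rest of the diff keeps importing `sandbox/seccomp`, `sandbox/vfs` and `sandbox/wl` from a `sandbox/` directory that no longer holds a `sandbox` package (see the import hunks of common/container.go, seal.go and container_test.go), so the directory name now reads as a leftover. Either move those subpackages alongside the renamed package, or extend the comment with a sentence such as `// Supporting packages (seccomp, vfs, wl) live under sandbox/.` so the layout is documented. The removed comment's phrase about hardening options for application sandboxes is dropped; if that is still the package's purpose, keeping it in the new comment preserves discoverability for readers searching for it.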
@@ -12,11 +12,11 @@ import (
 	"testing"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 	"git.gensokyo.uk/security/hakurei/ldd"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 	"git.gensokyo.uk/security/hakurei/sandbox/vfs"
 )
@@ -29,10 +29,10 @@ const (
 func TestContainer(t *testing.T) {
 	{
 		oldVerbose := hlog.Load()
-		oldOutput := sandbox.GetOutput()
+		oldOutput := hakurei.GetOutput()
 		internal.InstallOutput(true)
 		t.Cleanup(func() { hlog.Store(oldVerbose) })
-		t.Cleanup(func() { sandbox.SetOutput(oldOutput) })
+		t.Cleanup(func() { hakurei.SetOutput(oldOutput) })
 	}
 
 	testCases := []struct {
@@ -40,7 +40,7 @@ func TestContainer(t *testing.T) {
 		filter bool
 		session bool
 		net bool
-		ops *sandbox.Ops
+		ops *hakurei.Ops
 		mnt []*vfs.MountInfoEntry
 		host string
 		rules []seccomp.NativeRule
@@ -48,28 +48,28 @@ func TestContainer(t *testing.T) {
 		presets seccomp.FilterPreset
 	}{
 		{"minimal", true, false, false,
-			new(sandbox.Ops), nil, "test-minimal",
+			new(hakurei.Ops), nil, "test-minimal",
 			nil, 0, seccomp.PresetStrict},
 		{"allow", true, true, true,
-			new(sandbox.Ops), nil, "test-minimal",
+			new(hakurei.Ops), nil, "test-minimal",
 			nil, 0, seccomp.PresetExt | seccomp.PresetDenyDevel},
 		{"no filter", false, true, true,
-			new(sandbox.Ops), nil, "test-no-filter",
+			new(hakurei.Ops), nil, "test-no-filter",
 			nil, 0, seccomp.PresetExt},
 		{"custom rules", true, true, true,
-			new(sandbox.Ops), nil, "test-no-filter",
+			new(hakurei.Ops), nil, "test-no-filter",
 			[]seccomp.NativeRule{
 				{seccomp.ScmpSyscall(syscall.SYS_SETUID), seccomp.ScmpErrno(syscall.EPERM), nil},
 			}, 0, seccomp.PresetExt},
 		{"tmpfs", true, false, false,
-			new(sandbox.Ops).
+			new(hakurei.Ops).
 				Tmpfs(hst.Tmp, 0, 0755),
 			[]*vfs.MountInfoEntry{
 				e("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 			}, "test-tmpfs",
 			nil, 0, seccomp.PresetStrict},
 		{"dev", true, true /* go test output is not a tty */, false,
-			new(sandbox.Ops).
+			new(hakurei.Ops).
 				Dev("/dev").
 				Mqueue("/dev/mqueue"),
 			[]*vfs.MountInfoEntry{
@@ -91,7 +91,7 @@ func TestContainer(t *testing.T) {
 		ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
 		defer cancel()
 
-		container := sandbox.New(ctx, "/usr/bin/sandbox.test", "-test.v",
+		container := hakurei.New(ctx, "/usr/bin/sandbox.test", "-test.v",
 			"-test.run=TestHelperCheckContainer", "--", "check", tc.host)
 		container.Uid = 1000
 		container.Gid = 100
@@ -185,7 +185,7 @@ func e(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoE
 }
 
 func TestContainerString(t *testing.T) {
-	container := sandbox.New(t.Context(), "ldd", "/usr/bin/env")
+	container := hakurei.New(t.Context(), "ldd", "/usr/bin/env")
 	container.SeccompFlags |= seccomp.AllowMultiarch
 	container.SeccompRules = seccomp.Preset(
 		seccomp.PresetExt|seccomp.PresetDenyNS|seccomp.PresetDenyTTY,
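Review bot: In the @@ -91 hunk, `hakurei.New(ctx, "/usr/bin/sandbox.test", "-test.v", ...)` still launches the test binary under the old package name; `go test` names the compiled binary after the package directory, so after the move to the module root it presumably builds as `hakurei.test` unless the harness that installs it into `/usr/bin` renames it. Either update the path to match the new package or put a comment next to the call, e.g. `// test binary is installed under this name by the check harness`, so the mismatch with the package name is visibly deliberate. The enclosing TestContainer body runs past the hunk.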
@@ -201,8 +201,8 @@ func TestHelperInit(t *testing.T) {
 	if len(os.Args) != 5 || os.Args[4] != "init" {
 		return
 	}
-	sandbox.SetOutput(hlog.Output{})
-	sandbox.Init(hlog.Prepare, internal.InstallOutput)
+	hakurei.SetOutput(hlog.Output{})
+	hakurei.Init(hlog.Prepare, internal.InstallOutput)
 }
 
 func TestHelperCheckContainer(t *testing.T) {
diff --git a/dbus/dbus_test.go b/dbus/dbus_test.go
index 8965e0f..caf7098 100644
--- a/dbus/dbus_test.go
+++ b/dbus/dbus_test.go
@@ -13,11 +13,11 @@ import (
 	"testing"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/dbus"
 	"git.gensokyo.uk/security/hakurei/helper"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 
 func TestFinalise(t *testing.T) {
@@ -134,7 +134,7 @@ func testProxyFinaliseStartWaitCloseString(t *testing.T, useSandbox bool) {
 	}
 	p.CmdF = func(v any) {
 		if useSandbox {
-			container := v.(*sandbox.Container)
+			container := v.(*hakurei.Container)
 			if container.Args[0] != dbus.ProxyName {
 				panic(fmt.Sprintf("unexpected argv0 %q", os.Args[0]))
 			}
@@ -208,6 +208,6 @@ func TestHelperInit(t *testing.T) {
 	if len(os.Args) != 5 || os.Args[4] != "init" {
 		return
 	}
-	sandbox.SetOutput(hlog.Output{})
-	sandbox.Init(hlog.Prepare, internal.InstallOutput)
+	hakurei.SetOutput(hlog.Output{})
+	hakurei.Init(hlog.Prepare, internal.InstallOutput)
 }
diff --git a/dbus/proc.go b/dbus/proc.go
index 283f31c..bbb72f9 100644
--- a/dbus/proc.go
+++ b/dbus/proc.go
@@ -11,9 +11,9 @@ import (
 	"strconv"
 	"syscall"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/helper"
 	"git.gensokyo.uk/security/hakurei/ldd"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )
 
@@ -65,7 +65,7 @@ func (p *Proxy) Start() error {
 	p.helper = helper.New(
 		ctx, toolPath,
 		p.final, true,
-		argF, func(container *sandbox.Container) {
+		argF, func(container *hakurei.Container) {
 			container.SeccompFlags |= seccomp.AllowMultiarch
 			container.SeccompPresets |= seccomp.PresetStrict
 			container.Hostname = "hakurei-dbus"
@@ -115,7 +115,7 @@ func (p *Proxy) Start() error {
 			slices.Sort(sockDirPaths)
 			sockDirPaths = slices.Compact(sockDirPaths)
 			for _, name := range sockDirPaths {
-				container.Bind(name, name, sandbox.BindWritable)
+				container.Bind(name, name, hakurei.BindWritable)
 			}
 
 			// xdg-dbus-proxy bin path
diff --git a/dist/release.sh b/dist/release.sh
index 004b686..3330e6f 100755
--- a/dist/release.sh
+++ b/dist/release.sh
@@ -11,7 +11,7 @@ cp -rv "dist/comp" "${out}"
 go generate ./...
 go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
  -X git.gensokyo.uk/security/hakurei/internal.version=${VERSION}
- -X git.gensokyo.uk/security/hakurei/internal.hakurei=/usr/bin/hakurei
+ -X git.gensokyo.uk/security/hakurei/internal.hmain=/usr/bin/hakurei
  -X git.gensokyo.uk/security/hakurei/internal.hsu=/usr/bin/hsu
  -X main.hmain=/usr/bin/hakurei" ./...
 
diff --git a/sandbox/executable.go b/executable.go
similarity index 95%
rename from sandbox/executable.go
rename to executable.go
index 5f73d23..2214156 100644
--- a/sandbox/executable.go
+++ b/executable.go
@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 
 import (
 	"log"
diff --git a/sandbox/executable_test.go b/executable_test.go
similarity index 57%
rename from sandbox/executable_test.go
rename to executable_test.go
index 8a11864..27b6223 100644
--- a/sandbox/executable_test.go
+++ b/executable_test.go
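Review bot: Renaming the linker symbol from `internal.hakurei` to `internal.hmain` in the release.sh hunk silently breaks any build invocation that still passes the old `-X` flag: the Go linker ignores `-X` for a symbol it cannot find, so `hmain` keeps its `compPoison` value and the failure only surfaces at runtime, where `MustHakureiPath` (internal/path.go hunk further down) falls through to `hlog.BeforeExit()` instead of the build failing. A comment above the flags, e.g. `# internal.hmain and main.hmain must match the variable names in internal/path.go and cmd/hakurei; both point at the installed hakurei binary`, makes the coupling visible, and package.nix carries the same rename and is the other place to keep in sync. The `-X main.hmain` line now shares a bare name with `internal.hmain`; the comment should say they are set to the same path on purpose.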
@@ -1,15 +1,15 @@
-package sandbox_test
+package hakurei_test
 
 import (
 	"os"
 	"testing"
 
-	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei"
 )
 
 func TestExecutable(t *testing.T) {
 	for i := 0; i < 16; i++ {
-		if got := sandbox.MustExecutable(); got != os.Args[0] {
+		if got := hakurei.MustExecutable(); got != os.Args[0] {
 			t.Errorf("MustExecutable: %q, want %q",
 				got, os.Args[0])
 		}
diff --git a/helper/container.go b/helper/container.go
index e0c6fc8..861ae4a 100644
--- a/helper/container.go
+++ b/helper/container.go
@@ -9,8 +9,8 @@ import (
 	"slices"
 	"sync"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/helper/proc"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 
 // New initialises a Helper instance with wt as the null-terminated argument writer.
@@ -20,13 +20,13 @@ func New(
 	wt io.WriterTo,
 	stat bool,
 	argF func(argsFd, statFd int) []string,
-	cmdF func(container *sandbox.Container),
+	cmdF func(container *hakurei.Container),
 	extraFiles []*os.File,
 ) Helper {
 	var args []string
 	h := new(helperContainer)
 	h.helperFiles, args = newHelperFiles(ctx, wt, stat, argF, extraFiles)
-	h.Container = sandbox.New(ctx, name, args...)
+	h.Container = hakurei.New(ctx, name, args...)
 	h.WaitDelay = WaitDelay
 	if cmdF != nil {
 		cmdF(h.Container)
@@ -40,7 +40,7 @@ type helperContainer struct {
 	mu sync.Mutex
 
 	*helperFiles
-	*sandbox.Container
+	*hakurei.Container
 }
 
 func (h *helperContainer) Start() error {
diff --git a/helper/container_test.go b/helper/container_test.go
index e8ee7f3..e6e5a21 100644
--- a/helper/container_test.go
+++ b/helper/container_test.go
@@ -7,10 +7,10 @@ import (
 	"os/exec"
 	"testing"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/helper"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 
 func TestContainer(t *testing.T) {
@@ -34,7 +34,7 @@ func TestContainer(t *testing.T) {
 
 	t.Run("implementation compliance", func(t *testing.T) {
 		testHelper(t, func(ctx context.Context, setOutput func(stdoutP, stderrP *io.Writer), stat bool) helper.Helper {
-			return helper.New(ctx, os.Args[0], argsWt, stat, argF, func(container *sandbox.Container) {
+			return helper.New(ctx, os.Args[0], argsWt, stat, argF, func(container *hakurei.Container) {
 				setOutput(&container.Stdout, &container.Stderr)
 				container.CommandContext = func(ctx context.Context) (cmd *exec.Cmd) {
 					return exec.CommandContext(ctx, os.Args[0], "-test.v",
@@ -52,6 +52,6 @@ func TestHelperInit(t *testing.T) {
 	if len(os.Args) != 5 || os.Args[4] != "init" {
 		return
 	}
-	sandbox.SetOutput(hlog.Output{})
-	sandbox.Init(hlog.Prepare, func(bool) { internal.InstallOutput(false) })
+	hakurei.SetOutput(hlog.Output{})
+	hakurei.Init(hlog.Prepare, func(bool) { internal.InstallOutput(false) })
 }
diff --git a/sandbox/init.go b/init.go
similarity index 99%
rename from sandbox/init.go
rename to init.go
index 2cd7f6c..74ff929 100644
--- a/sandbox/init.go
+++ b/init.go
@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 
 import (
 	"errors"
diff --git a/internal/output.go b/internal/output.go
index 36eb810..a15be77 100644
--- a/internal/output.go
+++ b/internal/output.go
@@ -1,13 +1,13 @@
 package internal
 
 import (
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
 func InstallOutput(verbose bool) {
 	hlog.Store(verbose)
-	sandbox.SetOutput(hlog.Output{})
+	hakurei.SetOutput(hlog.Output{})
 	system.SetOutput(hlog.Output{})
 }
diff --git a/internal/path.go b/internal/path.go
index 6b7b220..e910287 100644
--- a/internal/path.go
+++ b/internal/path.go
@@ -8,12 +8,12 @@ import (
 )
 
 var (
-	hakurei = compPoison
-	hsu = compPoison
+	hmain = compPoison
+	hsu = compPoison
 )
 
 func MustHakureiPath() string {
-	if name, ok := checkPath(hakurei); ok {
+	if name, ok := checkPath(hmain); ok {
 		return name
 	}
 	hlog.BeforeExit()
diff --git a/internal/sys/std.go b/internal/sys/std.go
index c3913a7..098eb3c 100644
--- a/internal/sys/std.go
+++ b/internal/sys/std.go
@@ -12,10 +12,10 @@ import (
 	"sync"
 	"syscall"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 
 // Std implements System using the standard library.
@@ -36,7 +36,7 @@ func (s *Std) Getgid() int { return os.Getgid()
 func (s *Std) LookupEnv(key string) (string, bool) { return os.LookupEnv(key) }
 func (s *Std) TempDir() string { return os.TempDir() }
 func (s *Std) LookPath(file string) (string, error) { return exec.LookPath(file) }
-func (s *Std) MustExecutable() string { return sandbox.MustExecutable() }
+func (s *Std) MustExecutable() string { return hakurei.MustExecutable() }
 func (s *Std) LookupGroup(name string) (*user.Group, error) { return user.LookupGroup(name) }
 func (s *Std) ReadDir(name string) ([]os.DirEntry, error) { return os.ReadDir(name) }
 func (s *Std) Stat(name string) (fs.FileInfo, error) { return os.Stat(name) }
diff --git a/ldd/exec.go b/ldd/exec.go
index dbbe205..ec38f68 100644
--- a/ldd/exec.go
+++ b/ldd/exec.go
@@ -8,7 +8,7 @@ import (
 	"os/exec"
 	"time"
 
-	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )
 
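Review bot: The `var` block in the internal/path.go hunk now declares `hmain` and `hsu` without any comment saying they are populated at link time, so a reader cannot tell from the file that `compPoison` is the value a build that forgot the `-X` flag would leave behind. Suggest `// hmain and hsu are set at link time via -ldflags "-X ...internal.hmain=..." and "-X ...internal.hsu=..."; compPoison appears to mark a value the build did not provide.` above the block, which also records why a rename of either variable must be mirrored in dist/release.sh and package.nix. MustHakureiPath continues past the hunk.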
@@ -27,7 +27,7 @@ func ExecFilter(ctx context.Context, p string) ([]*Entry, error) {
 c, cancel := context.WithTimeout(ctx, lddTimeout)
 defer cancel()
- container := sandbox.New(c, "ldd", p)
+ container := hakurei.New(c, "ldd", p)
 container.CommandContext = commandContext
 container.Hostname = "hakurei-ldd"
 container.SeccompFlags |= seccomp.AllowMultiarch
diff --git a/sandbox/mount.go b/mount.go
similarity index 99%
rename from sandbox/mount.go
rename to mount.go
index 4dc7c0e..68d689f 100644
--- a/sandbox/mount.go
+++ b/mount.go
@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 import (
 "errors"
diff --git a/sandbox/msg.go b/msg.go
similarity index 98%
rename from sandbox/msg.go
rename to msg.go
index 5ee1850..aa7a272 100644
--- a/sandbox/msg.go
+++ b/msg.go
@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 import (
 "log"
diff --git a/sandbox/ops.go b/ops.go
similarity index 99%
rename from sandbox/ops.go
rename to ops.go
index 016b265..8d5a9e3 100644
--- a/sandbox/ops.go
+++ b/ops.go
@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 import (
 "encoding/gob"
diff --git a/sandbox/output.go b/output.go
similarity index 96%
rename from sandbox/output.go
rename to output.go
index 5d74395..d64d471 100644
--- a/sandbox/output.go
+++ b/output.go
@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 var msg Msg = new(DefaultMsg)
diff --git a/package.nix b/package.nix
index bb64517..129921c 100644
--- a/package.nix
+++ b/package.nix
@@ -76,7 +76,7 @@ buildGoModule rec {
 ) {
 version = "v${version}";
- hakurei = "${placeholder "out"}/libexec/hakurei";
+ hmain = "${placeholder "out"}/libexec/hakurei";
 hsu = "/run/wrappers/bin/hsu";
 };
diff --git a/sandbox/params.go b/params.go
similarity index 98%
rename from sandbox/params.go
rename to params.go
index 5b69874..4744123 100644
--- a/sandbox/params.go
+++ b/params.go
@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 import (
 "encoding/gob"
diff --git a/sandbox/path.go b/path.go
similarity index 99%
rename from sandbox/path.go
rename to path.go
index 84dfbc3..bc4cccb 100644
--- a/sandbox/path.go
+++ b/path.go
@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 import (
 "errors"
diff --git a/sandbox/syscall.go b/syscall.go
similarity index 99%
rename from sandbox/syscall.go
rename to syscall.go
index 9e46baf..4b22c23 100644
--- a/sandbox/syscall.go
+++ b/syscall.go
@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 import (
 "syscall"
diff --git a/sandbox/sysctl.go b/sysctl.go
similarity index 98%
rename from sandbox/sysctl.go
rename to sysctl.go
index 22046b6..aa74da4 100644
--- a/sandbox/sysctl.go
+++ b/sysctl.go
@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 import (
 "bytes"
diff --git a/system/output.go b/system/output.go
index a1d677a..ad0559b 100644
--- a/system/output.go
+++ b/system/output.go
@@ -1,12 +1,14 @@
 package system
-import "git.gensokyo.uk/security/hakurei/sandbox"
+import (
+ "git.gensokyo.uk/security/hakurei"
+)
-var msg sandbox.Msg = new(sandbox.DefaultMsg)
+var msg hakurei.Msg = new(hakurei.DefaultMsg)
-func SetOutput(v sandbox.Msg) {
+func SetOutput(v hakurei.Msg) {
 if v == nil {
- msg = new(sandbox.DefaultMsg)
+ msg = new(hakurei.DefaultMsg)
 } else {
 msg = v
 }
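Review bot: The new import block in system/output.go wraps a single path in a parenthesised `import ( ... )`, which gofmt accepts but which replaces the one-line form the file used before for no gain; a lone import reads better as `import "git.gensokyo.uk/security/hakurei"`. The rest of the hunk is a mechanical rename and needs no change. SetOutput's closing brace appears to lie past the end of the hunk.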
