hakurei: move container toplevel

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/hakurei/internal/app/instance/common/container.go

@@ -8,10 +8,10 @@ import (
 	"path"
 	"syscall"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/dbus"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )
 
@@ -21,12 +21,12 @@ const preallocateOpsCount = 1 << 5
 
 // NewContainer initialises [sandbox.Params] via [hst.ContainerConfig].
 // Note that remaining container setup must be queued by the caller.
-func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox.Params, map[string]string, error) {
+func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*hakurei.Params, map[string]string, error) {
 	if s == nil {
 		return nil, nil, syscall.EBADE
 	}
 
-	container := &sandbox.Params{
+	container := &hakurei.Params{
 		Hostname:       s.Hostname,
 		SeccompFlags:   s.SeccompFlags,
 		SeccompPresets: s.SeccompPresets,
@@ -35,7 +35,7 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 	}
 
 	{
-		ops := make(sandbox.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
+		ops := make(hakurei.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
 		container.Ops = &ops
 	}
 
@@ -64,8 +64,8 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 		container.Gid = os.Getgid()
 		*gid = container.Gid
 	} else {
-		*uid = sandbox.OverflowUid()
-		*gid = sandbox.OverflowGid()
+		*uid = hakurei.OverflowUid()
+		*gid = hakurei.OverflowGid()
 	}
 
 	container.
@@ -75,7 +75,7 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 	if !s.Device {
 		container.Dev("/dev").Mqueue("/dev/mqueue")
 	} else {
-		container.Bind("/dev", "/dev", sandbox.BindWritable|sandbox.BindDevice)
+		container.Bind("/dev", "/dev", hakurei.BindWritable|hakurei.BindDevice)
 	}
 
 	/* retrieve paths and hide them if they're made available in the sandbox;
@@ -154,13 +154,13 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 
 		var flags int
 		if c.Write {
-			flags |= sandbox.BindWritable
+			flags |= hakurei.BindWritable
 		}
 		if c.Device {
-			flags |= sandbox.BindDevice | sandbox.BindWritable
+			flags |= hakurei.BindDevice | hakurei.BindWritable
 		}
 		if !c.Must {
-			flags |= sandbox.BindOptional
+			flags |= hakurei.BindOptional
 		}
 		container.Bind(c.Src, dest, flags)
 	}

cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go

@@ -1,11 +1,11 @@
 package setuid_test
 
 import (
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/acl"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/dbus"
 	"git.gensokyo.uk/security/hakurei/hst"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 	"git.gensokyo.uk/security/hakurei/system"
 )
@@ -94,7 +94,7 @@ var testCasesNixos = []sealTestCase{
 			}).
 			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
-		&sandbox.Params{
+		&hakurei.Params{
 			Uid:  1971,
 			Gid:  100,
 			Dir:  "/var/lib/persist/module/hakurei/0/1",
@@ -114,7 +114,7 @@ var testCasesNixos = []sealTestCase{
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
-			Ops: new(sandbox.Ops).
+			Ops: new(hakurei.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
 				Dev("/dev").Mqueue("/dev/mqueue").
@@ -122,18 +122,18 @@ var testCasesNixos = []sealTestCase{
 				Bind("/usr/bin", "/usr/bin", 0).
 				Bind("/nix/store", "/nix/store", 0).
 				Bind("/run/current-system", "/run/current-system", 0).
-				Bind("/sys/block", "/sys/block", sandbox.BindOptional).
-				Bind("/sys/bus", "/sys/bus", sandbox.BindOptional).
-				Bind("/sys/class", "/sys/class", sandbox.BindOptional).
-				Bind("/sys/dev", "/sys/dev", sandbox.BindOptional).
-				Bind("/sys/devices", "/sys/devices", sandbox.BindOptional).
+				Bind("/sys/block", "/sys/block", hakurei.BindOptional).
+				Bind("/sys/bus", "/sys/bus", hakurei.BindOptional).
+				Bind("/sys/class", "/sys/class", hakurei.BindOptional).
+				Bind("/sys/dev", "/sys/dev", hakurei.BindOptional).
+				Bind("/sys/devices", "/sys/devices", hakurei.BindOptional).
 				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
-				Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
+				Bind("/dev/dri", "/dev/dri", hakurei.BindDevice|hakurei.BindWritable|hakurei.BindOptional).
 				Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
 				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", sandbox.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", sandbox.BindWritable).
-				Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", sandbox.BindWritable).
+				Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", hakurei.BindWritable).
+				Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", hakurei.BindWritable).
+				Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", hakurei.BindWritable).
 				Place("/etc/passwd", []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:100:\n")).
 				Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0).

cmd/hakurei/internal/app/internal/setuid/app_pd_test.go

@@ -3,11 +3,11 @@ package setuid_test
 import (
 	"os"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/acl"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/dbus"
 	"git.gensokyo.uk/security/hakurei/hst"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 	"git.gensokyo.uk/security/hakurei/system"
 )
@@ -28,7 +28,7 @@ var testCasesPd = []sealTestCase{
 			Ensure("/tmp/hakurei.1971/runtime/0", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/0", acl.Read, acl.Write, acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
-		&sandbox.Params{
+		&hakurei.Params{
 			Dir:  "/home/chronos",
 			Path: "/run/current-system/sw/bin/zsh",
 			Args: []string{"/run/current-system/sw/bin/zsh"},
@@ -41,30 +41,30 @@ var testCasesPd = []sealTestCase{
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
-			Ops: new(sandbox.Ops).
+			Ops: new(hakurei.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
 				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", sandbox.BindWritable).
-				Bind("/boot", "/boot", sandbox.BindWritable).
-				Bind("/home", "/home", sandbox.BindWritable).
-				Bind("/lib", "/lib", sandbox.BindWritable).
-				Bind("/lib64", "/lib64", sandbox.BindWritable).
-				Bind("/nix", "/nix", sandbox.BindWritable).
-				Bind("/root", "/root", sandbox.BindWritable).
-				Bind("/run", "/run", sandbox.BindWritable).
-				Bind("/srv", "/srv", sandbox.BindWritable).
-				Bind("/sys", "/sys", sandbox.BindWritable).
-				Bind("/usr", "/usr", sandbox.BindWritable).
-				Bind("/var", "/var", sandbox.BindWritable).
-				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+				Bind("/bin", "/bin", hakurei.BindWritable).
+				Bind("/boot", "/boot", hakurei.BindWritable).
+				Bind("/home", "/home", hakurei.BindWritable).
+				Bind("/lib", "/lib", hakurei.BindWritable).
+				Bind("/lib64", "/lib64", hakurei.BindWritable).
+				Bind("/nix", "/nix", hakurei.BindWritable).
+				Bind("/root", "/root", hakurei.BindWritable).
+				Bind("/run", "/run", hakurei.BindWritable).
+				Bind("/srv", "/srv", hakurei.BindWritable).
+				Bind("/sys", "/sys", hakurei.BindWritable).
+				Bind("/usr", "/usr", hakurei.BindWritable).
+				Bind("/var", "/var", hakurei.BindWritable).
+				Bind("/dev/kvm", "/dev/kvm", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional).
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
 				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", sandbox.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
-				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
+				Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", hakurei.BindWritable).
+				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", hakurei.BindWritable).
+				Bind("/home/chronos", "/home/chronos", hakurei.BindWritable).
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:65534:\n")).
 				Tmpfs("/var/run/nscd", 8192, 0755),
@@ -166,7 +166,7 @@ var testCasesPd = []sealTestCase{
 			}).
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
-		&sandbox.Params{
+		&hakurei.Params{
 			Dir:  "/home/chronos",
 			Path: "/run/current-system/sw/bin/zsh",
 			Args: []string{"zsh", "-c", "exec chromium "},
@@ -184,31 +184,31 @@ var testCasesPd = []sealTestCase{
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
-			Ops: new(sandbox.Ops).
+			Ops: new(hakurei.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
 				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", sandbox.BindWritable).
-				Bind("/boot", "/boot", sandbox.BindWritable).
-				Bind("/home", "/home", sandbox.BindWritable).
-				Bind("/lib", "/lib", sandbox.BindWritable).
-				Bind("/lib64", "/lib64", sandbox.BindWritable).
-				Bind("/nix", "/nix", sandbox.BindWritable).
-				Bind("/root", "/root", sandbox.BindWritable).
-				Bind("/run", "/run", sandbox.BindWritable).
-				Bind("/srv", "/srv", sandbox.BindWritable).
-				Bind("/sys", "/sys", sandbox.BindWritable).
-				Bind("/usr", "/usr", sandbox.BindWritable).
-				Bind("/var", "/var", sandbox.BindWritable).
-				Bind("/dev/dri", "/dev/dri", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
-				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+				Bind("/bin", "/bin", hakurei.BindWritable).
+				Bind("/boot", "/boot", hakurei.BindWritable).
+				Bind("/home", "/home", hakurei.BindWritable).
+				Bind("/lib", "/lib", hakurei.BindWritable).
+				Bind("/lib64", "/lib64", hakurei.BindWritable).
+				Bind("/nix", "/nix", hakurei.BindWritable).
+				Bind("/root", "/root", hakurei.BindWritable).
+				Bind("/run", "/run", hakurei.BindWritable).
+				Bind("/srv", "/srv", hakurei.BindWritable).
+				Bind("/sys", "/sys", hakurei.BindWritable).
+				Bind("/usr", "/usr", hakurei.BindWritable).
+				Bind("/var", "/var", hakurei.BindWritable).
+				Bind("/dev/dri", "/dev/dri", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional).
+				Bind("/dev/kvm", "/dev/kvm", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional).
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
 				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", sandbox.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", sandbox.BindWritable).
-				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
+				Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", hakurei.BindWritable).
+				Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", hakurei.BindWritable).
+				Bind("/home/chronos", "/home/chronos", hakurei.BindWritable).
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:65534:\n")).
 				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0).

cmd/hakurei/internal/app/internal/setuid/app_test.go

@@ -7,11 +7,11 @@ import (
 	"testing"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app/internal/setuid"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
@@ -21,7 +21,7 @@ type sealTestCase struct {
 	config        *hst.Config
 	id            app.ID
 	wantSys       *system.I
-	wantContainer *sandbox.Params
+	wantContainer *hakurei.Params
 }
 
 func TestApp(t *testing.T) {
@@ -32,7 +32,7 @@ func TestApp(t *testing.T) {
 			a := setuid.NewWithID(tc.id, tc.os)
 			var (
 				gotSys       *system.I
-				gotContainer *sandbox.Params
+				gotContainer *hakurei.Params
 			)
 			if !t.Run("seal", func(t *testing.T) {
 				if sa, err := a.Seal(tc.config); err != nil {

cmd/hakurei/internal/app/internal/setuid/export_test.go

@@ -1,9 +1,9 @@
 package setuid
 
 import (
+	"git.gensokyo.uk/security/hakurei"
 	. "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
@@ -14,7 +14,7 @@ func NewWithID(id ID, os sys.State) App {
 	return a
 }
 
-func AppIParams(a App, sa SealedApp) (*system.I, *sandbox.Params) {
+func AppIParams(a App, sa SealedApp) (*system.I, *hakurei.Params) {
 	v := a.(*app)
 	seal := sa.(*outcome)
 	if v.outcome != seal || v.id != seal.id {

cmd/hakurei/internal/app/internal/setuid/process.go

@@ -12,11 +12,11 @@ import (
 	"syscall"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	. "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/state"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
@@ -94,7 +94,7 @@ func (seal *outcome) Run(rs *RunState) error {
 	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGCONT) }
 
 	var e *gob.Encoder
-	if fd, encoder, err := sandbox.Setup(&cmd.ExtraFiles); err != nil {
+	if fd, encoder, err := hakurei.Setup(&cmd.ExtraFiles); err != nil {
 		return hlog.WrapErrSuffix(err,
 			"cannot create shim setup pipe:")
 	} else {

cmd/hakurei/internal/app/internal/setuid/seal.go

@@ -16,6 +16,7 @@ import (
 	"sync/atomic"
 	"syscall"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/acl"
 	. "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app/instance/common"
@@ -24,7 +25,6 @@ import (
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/wl"
 	"git.gensokyo.uk/security/hakurei/system"
 )
@@ -80,7 +80,7 @@ type outcome struct {
 	sys  *system.I
 	ctx  context.Context
 
-	container *sandbox.Params
+	container *hakurei.Params
 	env       map[string]string
 	sync      *os.File
 
@@ -334,7 +334,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		seal.sys.Ensure(runtimeDirInst, 0700)
 		seal.sys.UpdatePermType(system.User, runtimeDirInst, acl.Read, acl.Write, acl.Execute)
 		seal.container.Tmpfs("/run/user", 1<<12, 0755)
-		seal.container.Bind(runtimeDirInst, innerRuntimeDir, sandbox.BindWritable)
+		seal.container.Bind(runtimeDirInst, innerRuntimeDir, hakurei.BindWritable)
 	}
 
 	{
@@ -345,7 +345,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		seal.sys.Ensure(tmpdirInst, 01700)
 		seal.sys.UpdatePermType(system.User, tmpdirInst, acl.Read, acl.Write, acl.Execute)
 		// mount inner /tmp from share so it shares persistence and storage behaviour of host /tmp
-		seal.container.Bind(tmpdirInst, "/tmp", sandbox.BindWritable)
+		seal.container.Bind(tmpdirInst, "/tmp", hakurei.BindWritable)
 	}
 
 	{
@@ -357,7 +357,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		if seal.user.username != "" {
 			username = seal.user.username
 		}
-		seal.container.Bind(seal.user.data, homeDir, sandbox.BindWritable)
+		seal.container.Bind(seal.user.data, homeDir, hakurei.BindWritable)
 		seal.container.Dir = homeDir
 		seal.env["HOME"] = homeDir
 		seal.env["USER"] = username

cmd/hakurei/internal/app/internal/setuid/shim.go

@@ -10,9 +10,9 @@ import (
 	"syscall"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )
 
@@ -74,7 +74,7 @@ type shimParams struct {
 	Monitor int
 
 	// finalised container params
-	Container *sandbox.Params
+	Container *hakurei.Params
 	// path to outer home directory
 	Home string
 
@@ -86,7 +86,7 @@ type shimParams struct {
 func ShimMain() {
 	hlog.Prepare("shim")
 
-	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
+	if err := hakurei.SetDumpable(hakurei.SUID_DUMP_DISABLE); err != nil {
 		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
 	}
 
@@ -94,11 +94,11 @@ func ShimMain() {
 		params     shimParams
 		closeSetup func() error
 	)
-	if f, err := sandbox.Receive(shimEnv, &params, nil); err != nil {
-		if errors.Is(err, sandbox.ErrInvalid) {
+	if f, err := hakurei.Receive(shimEnv, &params, nil); err != nil {
+		if errors.Is(err, hakurei.ErrInvalid) {
 			log.Fatal("invalid config descriptor")
 		}
-		if errors.Is(err, sandbox.ErrNotSet) {
+		if errors.Is(err, hakurei.ErrNotSet) {
 			log.Fatal("HAKUREI_SHIM not set")
 		}
 
@@ -149,7 +149,7 @@ func ShimMain() {
 	}
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	defer stop() // unreachable
-	container := sandbox.New(ctx, name)
+	container := hakurei.New(ctx, name)
 	container.Params = *params.Container
 	container.Stdin, container.Stdout, container.Stderr = os.Stdin, os.Stdout, os.Stderr
 	container.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) }

cmd/hakurei/main.go

@@ -9,10 +9,10 @@ import (
 	"log"
 	"os"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 
 var (
@@ -28,9 +28,9 @@ var std sys.State = new(sys.Std)
 
 func main() {
 	// early init path, skips root check and duplicate PR_SET_DUMPABLE
-	sandbox.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
+	hakurei.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
 
-	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
+	if err := hakurei.SetDumpable(hakurei.SUID_DUMP_DISABLE); err != nil {
 		log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
 		// not fatal: this program runs as the privileged user
 	}