hakurei: move container toplevel

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/hakurei/internal/app/instance/common/container.go

@@ -8,10 +8,10 @@ import (
 	"path"
 	"syscall"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/dbus"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )
 
@@ -21,12 +21,12 @@ const preallocateOpsCount = 1 << 5
 
 // NewContainer initialises [sandbox.Params] via [hst.ContainerConfig].
 // Note that remaining container setup must be queued by the caller.
-func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox.Params, map[string]string, error) {
+func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*hakurei.Params, map[string]string, error) {
 	if s == nil {
 		return nil, nil, syscall.EBADE
 	}
 
-	container := &sandbox.Params{
+	container := &hakurei.Params{
 		Hostname:       s.Hostname,
 		SeccompFlags:   s.SeccompFlags,
 		SeccompPresets: s.SeccompPresets,
@@ -35,7 +35,7 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 	}
 
 	{
-		ops := make(sandbox.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
+		ops := make(hakurei.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
 		container.Ops = &ops
 	}
 
@@ -64,8 +64,8 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 		container.Gid = os.Getgid()
 		*gid = container.Gid
 	} else {
-		*uid = sandbox.OverflowUid()
+		*uid = hakurei.OverflowUid()
-		*gid = sandbox.OverflowGid()
+		*gid = hakurei.OverflowGid()
 	}
 
 	container.
@@ -75,7 +75,7 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 	if !s.Device {
 		container.Dev("/dev").Mqueue("/dev/mqueue")
 	} else {
-		container.Bind("/dev", "/dev", sandbox.BindWritable|sandbox.BindDevice)
+		container.Bind("/dev", "/dev", hakurei.BindWritable|hakurei.BindDevice)
 	}
 
 	/* retrieve paths and hide them if they're made available in the sandbox;
@@ -154,13 +154,13 @@ func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 
 		var flags int
 		if c.Write {
-			flags |= sandbox.BindWritable
+			flags |= hakurei.BindWritable
 		}
 		if c.Device {
-			flags |= sandbox.BindDevice | sandbox.BindWritable
+			flags |= hakurei.BindDevice | hakurei.BindWritable
 		}
 		if !c.Must {
-			flags |= sandbox.BindOptional
+			flags |= hakurei.BindOptional
 		}
 		container.Bind(c.Src, dest, flags)
 	}

cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go

@@ -1,11 +1,11 @@
 package setuid_test
 
 import (
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/acl"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/dbus"
 	"git.gensokyo.uk/security/hakurei/hst"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 	"git.gensokyo.uk/security/hakurei/system"
 )
@@ -94,7 +94,7 @@ var testCasesNixos = []sealTestCase{
 			}).
 			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
-		&sandbox.Params{
+		&hakurei.Params{
 			Uid:  1971,
 			Gid:  100,
 			Dir:  "/var/lib/persist/module/hakurei/0/1",
@@ -114,7 +114,7 @@ var testCasesNixos = []sealTestCase{
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
-			Ops: new(sandbox.Ops).
+			Ops: new(hakurei.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
 				Dev("/dev").Mqueue("/dev/mqueue").
@@ -122,18 +122,18 @@ var testCasesNixos = []sealTestCase{
 				Bind("/usr/bin", "/usr/bin", 0).
 				Bind("/nix/store", "/nix/store", 0).
 				Bind("/run/current-system", "/run/current-system", 0).
-				Bind("/sys/block", "/sys/block", sandbox.BindOptional).
+				Bind("/sys/block", "/sys/block", hakurei.BindOptional).
-				Bind("/sys/bus", "/sys/bus", sandbox.BindOptional).
+				Bind("/sys/bus", "/sys/bus", hakurei.BindOptional).
-				Bind("/sys/class", "/sys/class", sandbox.BindOptional).
+				Bind("/sys/class", "/sys/class", hakurei.BindOptional).
-				Bind("/sys/dev", "/sys/dev", sandbox.BindOptional).
+				Bind("/sys/dev", "/sys/dev", hakurei.BindOptional).
-				Bind("/sys/devices", "/sys/devices", sandbox.BindOptional).
+				Bind("/sys/devices", "/sys/devices", hakurei.BindOptional).
 				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
-				Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
+				Bind("/dev/dri", "/dev/dri", hakurei.BindDevice|hakurei.BindWritable|hakurei.BindOptional).
 				Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
 				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", sandbox.BindWritable).
+				Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", hakurei.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", sandbox.BindWritable).
+				Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", hakurei.BindWritable).
-				Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", sandbox.BindWritable).
+				Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", hakurei.BindWritable).
 				Place("/etc/passwd", []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:100:\n")).
 				Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0).

cmd/hakurei/internal/app/internal/setuid/app_pd_test.go

@@ -3,11 +3,11 @@ package setuid_test
 import (
 	"os"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/acl"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/dbus"
 	"git.gensokyo.uk/security/hakurei/hst"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 	"git.gensokyo.uk/security/hakurei/system"
 )
@@ -28,7 +28,7 @@ var testCasesPd = []sealTestCase{
 			Ensure("/tmp/hakurei.1971/runtime/0", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/0", acl.Read, acl.Write, acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
 			Ensure("/tmp/hakurei.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
-		&sandbox.Params{
+		&hakurei.Params{
 			Dir:  "/home/chronos",
 			Path: "/run/current-system/sw/bin/zsh",
 			Args: []string{"/run/current-system/sw/bin/zsh"},
@@ -41,30 +41,30 @@ var testCasesPd = []sealTestCase{
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
-			Ops: new(sandbox.Ops).
+			Ops: new(hakurei.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
 				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", sandbox.BindWritable).
+				Bind("/bin", "/bin", hakurei.BindWritable).
-				Bind("/boot", "/boot", sandbox.BindWritable).
+				Bind("/boot", "/boot", hakurei.BindWritable).
-				Bind("/home", "/home", sandbox.BindWritable).
+				Bind("/home", "/home", hakurei.BindWritable).
-				Bind("/lib", "/lib", sandbox.BindWritable).
+				Bind("/lib", "/lib", hakurei.BindWritable).
-				Bind("/lib64", "/lib64", sandbox.BindWritable).
+				Bind("/lib64", "/lib64", hakurei.BindWritable).
-				Bind("/nix", "/nix", sandbox.BindWritable).
+				Bind("/nix", "/nix", hakurei.BindWritable).
-				Bind("/root", "/root", sandbox.BindWritable).
+				Bind("/root", "/root", hakurei.BindWritable).
-				Bind("/run", "/run", sandbox.BindWritable).
+				Bind("/run", "/run", hakurei.BindWritable).
-				Bind("/srv", "/srv", sandbox.BindWritable).
+				Bind("/srv", "/srv", hakurei.BindWritable).
-				Bind("/sys", "/sys", sandbox.BindWritable).
+				Bind("/sys", "/sys", hakurei.BindWritable).
-				Bind("/usr", "/usr", sandbox.BindWritable).
+				Bind("/usr", "/usr", hakurei.BindWritable).
-				Bind("/var", "/var", sandbox.BindWritable).
+				Bind("/var", "/var", hakurei.BindWritable).
-				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+				Bind("/dev/kvm", "/dev/kvm", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional).
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
 				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", sandbox.BindWritable).
+				Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", hakurei.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
+				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", hakurei.BindWritable).
-				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
+				Bind("/home/chronos", "/home/chronos", hakurei.BindWritable).
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:65534:\n")).
 				Tmpfs("/var/run/nscd", 8192, 0755),
@@ -166,7 +166,7 @@ var testCasesPd = []sealTestCase{
 			}).
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
 			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
-		&sandbox.Params{
+		&hakurei.Params{
 			Dir:  "/home/chronos",
 			Path: "/run/current-system/sw/bin/zsh",
 			Args: []string{"zsh", "-c", "exec chromium "},
@@ -184,31 +184,31 @@ var testCasesPd = []sealTestCase{
 				"XDG_SESSION_CLASS=user",
 				"XDG_SESSION_TYPE=tty",
 			},
-			Ops: new(sandbox.Ops).
+			Ops: new(hakurei.Ops).
 				Proc("/proc").
 				Tmpfs(hst.Tmp, 4096, 0755).
 				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", sandbox.BindWritable).
+				Bind("/bin", "/bin", hakurei.BindWritable).
-				Bind("/boot", "/boot", sandbox.BindWritable).
+				Bind("/boot", "/boot", hakurei.BindWritable).
-				Bind("/home", "/home", sandbox.BindWritable).
+				Bind("/home", "/home", hakurei.BindWritable).
-				Bind("/lib", "/lib", sandbox.BindWritable).
+				Bind("/lib", "/lib", hakurei.BindWritable).
-				Bind("/lib64", "/lib64", sandbox.BindWritable).
+				Bind("/lib64", "/lib64", hakurei.BindWritable).
-				Bind("/nix", "/nix", sandbox.BindWritable).
+				Bind("/nix", "/nix", hakurei.BindWritable).
-				Bind("/root", "/root", sandbox.BindWritable).
+				Bind("/root", "/root", hakurei.BindWritable).
-				Bind("/run", "/run", sandbox.BindWritable).
+				Bind("/run", "/run", hakurei.BindWritable).
-				Bind("/srv", "/srv", sandbox.BindWritable).
+				Bind("/srv", "/srv", hakurei.BindWritable).
-				Bind("/sys", "/sys", sandbox.BindWritable).
+				Bind("/sys", "/sys", hakurei.BindWritable).
-				Bind("/usr", "/usr", sandbox.BindWritable).
+				Bind("/usr", "/usr", hakurei.BindWritable).
-				Bind("/var", "/var", sandbox.BindWritable).
+				Bind("/var", "/var", hakurei.BindWritable).
-				Bind("/dev/dri", "/dev/dri", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+				Bind("/dev/dri", "/dev/dri", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional).
-				Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
+				Bind("/dev/kvm", "/dev/kvm", hakurei.BindWritable|hakurei.BindDevice|hakurei.BindOptional).
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
 				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", sandbox.BindWritable).
+				Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", hakurei.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", sandbox.BindWritable).
+				Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", hakurei.BindWritable).
-				Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
+				Bind("/home/chronos", "/home/chronos", hakurei.BindWritable).
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place("/etc/group", []byte("hakurei:x:65534:\n")).
 				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0).

cmd/hakurei/internal/app/internal/setuid/app_test.go

@@ -7,11 +7,11 @@ import (
 	"testing"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app/internal/setuid"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
@@ -21,7 +21,7 @@ type sealTestCase struct {
 	config        *hst.Config
 	id            app.ID
 	wantSys       *system.I
-	wantContainer *sandbox.Params
+	wantContainer *hakurei.Params
 }
 
 func TestApp(t *testing.T) {
@@ -32,7 +32,7 @@ func TestApp(t *testing.T) {
 			a := setuid.NewWithID(tc.id, tc.os)
 			var (
 				gotSys       *system.I
-				gotContainer *sandbox.Params
+				gotContainer *hakurei.Params
 			)
 			if !t.Run("seal", func(t *testing.T) {
 				if sa, err := a.Seal(tc.config); err != nil {

cmd/hakurei/internal/app/internal/setuid/export_test.go

@@ -1,9 +1,9 @@
 package setuid
 
 import (
+	"git.gensokyo.uk/security/hakurei"
 	. "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
@@ -14,7 +14,7 @@ func NewWithID(id ID, os sys.State) App {
 	return a
 }
 
-func AppIParams(a App, sa SealedApp) (*system.I, *sandbox.Params) {
+func AppIParams(a App, sa SealedApp) (*system.I, *hakurei.Params) {
 	v := a.(*app)
 	seal := sa.(*outcome)
 	if v.outcome != seal || v.id != seal.id {

cmd/hakurei/internal/app/internal/setuid/process.go

@@ -12,11 +12,11 @@ import (
 	"syscall"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	. "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/state"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
@@ -94,7 +94,7 @@ func (seal *outcome) Run(rs *RunState) error {
 	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGCONT) }
 
 	var e *gob.Encoder
-	if fd, encoder, err := sandbox.Setup(&cmd.ExtraFiles); err != nil {
+	if fd, encoder, err := hakurei.Setup(&cmd.ExtraFiles); err != nil {
 		return hlog.WrapErrSuffix(err,
 			"cannot create shim setup pipe:")
 	} else {

cmd/hakurei/internal/app/internal/setuid/seal.go

@@ -16,6 +16,7 @@ import (
 	"sync/atomic"
 	"syscall"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/acl"
 	. "git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/cmd/hakurei/internal/app/instance/common"
@@ -24,7 +25,6 @@ import (
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/wl"
 	"git.gensokyo.uk/security/hakurei/system"
 )
@@ -80,7 +80,7 @@ type outcome struct {
 	sys  *system.I
 	ctx  context.Context
 
-	container *sandbox.Params
+	container *hakurei.Params
 	env       map[string]string
 	sync      *os.File
 
@@ -334,7 +334,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		seal.sys.Ensure(runtimeDirInst, 0700)
 		seal.sys.UpdatePermType(system.User, runtimeDirInst, acl.Read, acl.Write, acl.Execute)
 		seal.container.Tmpfs("/run/user", 1<<12, 0755)
-		seal.container.Bind(runtimeDirInst, innerRuntimeDir, sandbox.BindWritable)
+		seal.container.Bind(runtimeDirInst, innerRuntimeDir, hakurei.BindWritable)
 	}
 
 	{
@@ -345,7 +345,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		seal.sys.Ensure(tmpdirInst, 01700)
 		seal.sys.UpdatePermType(system.User, tmpdirInst, acl.Read, acl.Write, acl.Execute)
 		// mount inner /tmp from share so it shares persistence and storage behaviour of host /tmp
-		seal.container.Bind(tmpdirInst, "/tmp", sandbox.BindWritable)
+		seal.container.Bind(tmpdirInst, "/tmp", hakurei.BindWritable)
 	}
 
 	{
@@ -357,7 +357,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 		if seal.user.username != "" {
 			username = seal.user.username
 		}
-		seal.container.Bind(seal.user.data, homeDir, sandbox.BindWritable)
+		seal.container.Bind(seal.user.data, homeDir, hakurei.BindWritable)
 		seal.container.Dir = homeDir
 		seal.env["HOME"] = homeDir
 		seal.env["USER"] = username

cmd/hakurei/internal/app/internal/setuid/shim.go

@@ -10,9 +10,9 @@ import (
 	"syscall"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )
 
@@ -74,7 +74,7 @@ type shimParams struct {
 	Monitor int
 
 	// finalised container params
-	Container *sandbox.Params
+	Container *hakurei.Params
 	// path to outer home directory
 	Home string
 
@@ -86,7 +86,7 @@ type shimParams struct {
 func ShimMain() {
 	hlog.Prepare("shim")
 
-	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
+	if err := hakurei.SetDumpable(hakurei.SUID_DUMP_DISABLE); err != nil {
 		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
 	}
 
@@ -94,11 +94,11 @@ func ShimMain() {
 		params     shimParams
 		closeSetup func() error
 	)
-	if f, err := sandbox.Receive(shimEnv, &params, nil); err != nil {
+	if f, err := hakurei.Receive(shimEnv, &params, nil); err != nil {
-		if errors.Is(err, sandbox.ErrInvalid) {
+		if errors.Is(err, hakurei.ErrInvalid) {
 			log.Fatal("invalid config descriptor")
 		}
-		if errors.Is(err, sandbox.ErrNotSet) {
+		if errors.Is(err, hakurei.ErrNotSet) {
 			log.Fatal("HAKUREI_SHIM not set")
 		}
 
@@ -149,7 +149,7 @@ func ShimMain() {
 	}
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	defer stop() // unreachable
-	container := sandbox.New(ctx, name)
+	container := hakurei.New(ctx, name)
 	container.Params = *params.Container
 	container.Stdin, container.Stdout, container.Stderr = os.Stdin, os.Stdout, os.Stderr
 	container.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) }

cmd/hakurei/main.go

@@ -9,10 +9,10 @@ import (
 	"log"
 	"os"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 
 var (
@@ -28,9 +28,9 @@ var std sys.State = new(sys.Std)
 
 func main() {
 	// early init path, skips root check and duplicate PR_SET_DUMPABLE
-	sandbox.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
+	hakurei.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
 
-	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
+	if err := hakurei.SetDumpable(hakurei.SUID_DUMP_DISABLE); err != nil {
 		log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
 		// not fatal: this program runs as the privileged user
 	}

container.go

@@ -1,5 +1,5 @@
-// Package sandbox implements unprivileged Linux container with hardening options useful for creating application sandboxes.
+// Package hakurei implements unprivileged Linux containers with built-in support for syscall filtering.
-package sandbox
+package hakurei
 
 import (
 	"context"

container_test.go

@@ -1,4 +1,4 @@
-package sandbox_test
+package hakurei_test
 
 import (
 	"bytes"
@@ -12,11 +12,11 @@ import (
 	"testing"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 	"git.gensokyo.uk/security/hakurei/ldd"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 	"git.gensokyo.uk/security/hakurei/sandbox/vfs"
 )
@@ -29,10 +29,10 @@ const (
 func TestContainer(t *testing.T) {
 	{
 		oldVerbose := hlog.Load()
-		oldOutput := sandbox.GetOutput()
+		oldOutput := hakurei.GetOutput()
 		internal.InstallOutput(true)
 		t.Cleanup(func() { hlog.Store(oldVerbose) })
-		t.Cleanup(func() { sandbox.SetOutput(oldOutput) })
+		t.Cleanup(func() { hakurei.SetOutput(oldOutput) })
 	}
 
 	testCases := []struct {
@@ -40,7 +40,7 @@ func TestContainer(t *testing.T) {
 		filter  bool
 		session bool
 		net     bool
-		ops     *sandbox.Ops
+		ops     *hakurei.Ops
 		mnt     []*vfs.MountInfoEntry
 		host    string
 		rules   []seccomp.NativeRule
@@ -48,28 +48,28 @@ func TestContainer(t *testing.T) {
 		presets seccomp.FilterPreset
 	}{
 		{"minimal", true, false, false,
-			new(sandbox.Ops), nil, "test-minimal",
+			new(hakurei.Ops), nil, "test-minimal",
 			nil, 0, seccomp.PresetStrict},
 		{"allow", true, true, true,
-			new(sandbox.Ops), nil, "test-minimal",
+			new(hakurei.Ops), nil, "test-minimal",
 			nil, 0, seccomp.PresetExt | seccomp.PresetDenyDevel},
 		{"no filter", false, true, true,
-			new(sandbox.Ops), nil, "test-no-filter",
+			new(hakurei.Ops), nil, "test-no-filter",
 			nil, 0, seccomp.PresetExt},
 		{"custom rules", true, true, true,
-			new(sandbox.Ops), nil, "test-no-filter",
+			new(hakurei.Ops), nil, "test-no-filter",
 			[]seccomp.NativeRule{
 				{seccomp.ScmpSyscall(syscall.SYS_SETUID), seccomp.ScmpErrno(syscall.EPERM), nil},
 			}, 0, seccomp.PresetExt},
 		{"tmpfs", true, false, false,
-			new(sandbox.Ops).
+			new(hakurei.Ops).
 				Tmpfs(hst.Tmp, 0, 0755),
 			[]*vfs.MountInfoEntry{
 				e("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 			}, "test-tmpfs",
 			nil, 0, seccomp.PresetStrict},
 		{"dev", true, true /* go test output is not a tty */, false,
-			new(sandbox.Ops).
+			new(hakurei.Ops).
 				Dev("/dev").
 				Mqueue("/dev/mqueue"),
 			[]*vfs.MountInfoEntry{
@@ -91,7 +91,7 @@ func TestContainer(t *testing.T) {
 			ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
 			defer cancel()
 
-			container := sandbox.New(ctx, "/usr/bin/sandbox.test", "-test.v",
+			container := hakurei.New(ctx, "/usr/bin/sandbox.test", "-test.v",
 				"-test.run=TestHelperCheckContainer", "--", "check", tc.host)
 			container.Uid = 1000
 			container.Gid = 100
@@ -185,7 +185,7 @@ func e(root, target, vfsOptstr, fsType, source, fsOptstr string) *vfs.MountInfoE
 }
 
 func TestContainerString(t *testing.T) {
-	container := sandbox.New(t.Context(), "ldd", "/usr/bin/env")
+	container := hakurei.New(t.Context(), "ldd", "/usr/bin/env")
 	container.SeccompFlags |= seccomp.AllowMultiarch
 	container.SeccompRules = seccomp.Preset(
 		seccomp.PresetExt|seccomp.PresetDenyNS|seccomp.PresetDenyTTY,
@@ -201,8 +201,8 @@ func TestHelperInit(t *testing.T) {
 	if len(os.Args) != 5 || os.Args[4] != "init" {
 		return
 	}
-	sandbox.SetOutput(hlog.Output{})
+	hakurei.SetOutput(hlog.Output{})
-	sandbox.Init(hlog.Prepare, internal.InstallOutput)
+	hakurei.Init(hlog.Prepare, internal.InstallOutput)
 }
 
 func TestHelperCheckContainer(t *testing.T) {

dbus/dbus_test.go

@@ -13,11 +13,11 @@ import (
 	"testing"
 	"time"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/dbus"
 	"git.gensokyo.uk/security/hakurei/helper"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 
 func TestFinalise(t *testing.T) {
@@ -134,7 +134,7 @@ func testProxyFinaliseStartWaitCloseString(t *testing.T, useSandbox bool) {
 			}
 			p.CmdF = func(v any) {
 				if useSandbox {
-					container := v.(*sandbox.Container)
+					container := v.(*hakurei.Container)
 					if container.Args[0] != dbus.ProxyName {
 						panic(fmt.Sprintf("unexpected argv0 %q", os.Args[0]))
 					}
@@ -208,6 +208,6 @@ func TestHelperInit(t *testing.T) {
 	if len(os.Args) != 5 || os.Args[4] != "init" {
 		return
 	}
-	sandbox.SetOutput(hlog.Output{})
+	hakurei.SetOutput(hlog.Output{})
-	sandbox.Init(hlog.Prepare, internal.InstallOutput)
+	hakurei.Init(hlog.Prepare, internal.InstallOutput)
 }

dbus/proc.go

@@ -11,9 +11,9 @@ import (
 	"strconv"
 	"syscall"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/helper"
 	"git.gensokyo.uk/security/hakurei/ldd"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )
 
@@ -65,7 +65,7 @@ func (p *Proxy) Start() error {
 		p.helper = helper.New(
 			ctx, toolPath,
 			p.final, true,
-			argF, func(container *sandbox.Container) {
+			argF, func(container *hakurei.Container) {
 				container.SeccompFlags |= seccomp.AllowMultiarch
 				container.SeccompPresets |= seccomp.PresetStrict
 				container.Hostname = "hakurei-dbus"
@@ -115,7 +115,7 @@ func (p *Proxy) Start() error {
 				slices.Sort(sockDirPaths)
 				sockDirPaths = slices.Compact(sockDirPaths)
 				for _, name := range sockDirPaths {
-					container.Bind(name, name, sandbox.BindWritable)
+					container.Bind(name, name, hakurei.BindWritable)
 				}
 
 				// xdg-dbus-proxy bin path

dist/release.sh

@@ -11,7 +11,7 @@ cp -rv "dist/comp" "${out}"
 go generate ./...
 go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
   -X git.gensokyo.uk/security/hakurei/internal.version=${VERSION}
-  -X git.gensokyo.uk/security/hakurei/internal.hakurei=/usr/bin/hakurei
+  -X git.gensokyo.uk/security/hakurei/internal.hmain=/usr/bin/hakurei
   -X git.gensokyo.uk/security/hakurei/internal.hsu=/usr/bin/hsu
   -X main.hmain=/usr/bin/hakurei" ./...
 

executable.go

@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 
 import (
 	"log"

executable_test.go

@@ -1,15 +1,15 @@
-package sandbox_test
+package hakurei_test
 
 import (
 	"os"
 	"testing"
 
-	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei"
 )
 
 func TestExecutable(t *testing.T) {
 	for i := 0; i < 16; i++ {
-		if got := sandbox.MustExecutable(); got != os.Args[0] {
+		if got := hakurei.MustExecutable(); got != os.Args[0] {
 			t.Errorf("MustExecutable: %q, want %q",
 				got, os.Args[0])
 		}

helper/container.go

@@ -9,8 +9,8 @@ import (
 	"slices"
 	"sync"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/helper/proc"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 
 // New initialises a Helper instance with wt as the null-terminated argument writer.
@@ -20,13 +20,13 @@ func New(
 	wt io.WriterTo,
 	stat bool,
 	argF func(argsFd, statFd int) []string,
-	cmdF func(container *sandbox.Container),
+	cmdF func(container *hakurei.Container),
 	extraFiles []*os.File,
 ) Helper {
 	var args []string
 	h := new(helperContainer)
 	h.helperFiles, args = newHelperFiles(ctx, wt, stat, argF, extraFiles)
-	h.Container = sandbox.New(ctx, name, args...)
+	h.Container = hakurei.New(ctx, name, args...)
 	h.WaitDelay = WaitDelay
 	if cmdF != nil {
 		cmdF(h.Container)
@@ -40,7 +40,7 @@ type helperContainer struct {
 
 	mu sync.Mutex
 	*helperFiles
-	*sandbox.Container
+	*hakurei.Container
 }
 
 func (h *helperContainer) Start() error {

helper/container_test.go

@@ -7,10 +7,10 @@ import (
 	"os/exec"
 	"testing"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/helper"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 
 func TestContainer(t *testing.T) {
@@ -34,7 +34,7 @@ func TestContainer(t *testing.T) {
 
 	t.Run("implementation compliance", func(t *testing.T) {
 		testHelper(t, func(ctx context.Context, setOutput func(stdoutP, stderrP *io.Writer), stat bool) helper.Helper {
-			return helper.New(ctx, os.Args[0], argsWt, stat, argF, func(container *sandbox.Container) {
+			return helper.New(ctx, os.Args[0], argsWt, stat, argF, func(container *hakurei.Container) {
 				setOutput(&container.Stdout, &container.Stderr)
 				container.CommandContext = func(ctx context.Context) (cmd *exec.Cmd) {
 					return exec.CommandContext(ctx, os.Args[0], "-test.v",
@@ -52,6 +52,6 @@ func TestHelperInit(t *testing.T) {
 	if len(os.Args) != 5 || os.Args[4] != "init" {
 		return
 	}
-	sandbox.SetOutput(hlog.Output{})
+	hakurei.SetOutput(hlog.Output{})
-	sandbox.Init(hlog.Prepare, func(bool) { internal.InstallOutput(false) })
+	hakurei.Init(hlog.Prepare, func(bool) { internal.InstallOutput(false) })
 }

init.go

@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 
 import (
 	"errors"

internal/output.go

@@ -1,13 +1,13 @@
 package internal
 
 import (
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 	"git.gensokyo.uk/security/hakurei/system"
 )
 
 func InstallOutput(verbose bool) {
 	hlog.Store(verbose)
-	sandbox.SetOutput(hlog.Output{})
+	hakurei.SetOutput(hlog.Output{})
 	system.SetOutput(hlog.Output{})
 }

internal/path.go

@@ -8,12 +8,12 @@ import (
 )
 
 var (
-	hakurei = compPoison
+	hmain = compPoison
-	hsu     = compPoison
+	hsu   = compPoison
 )
 
 func MustHakureiPath() string {
-	if name, ok := checkPath(hakurei); ok {
+	if name, ok := checkPath(hmain); ok {
 		return name
 	}
 	hlog.BeforeExit()

internal/sys/std.go

@@ -12,10 +12,10 @@ import (
 	"sync"
 	"syscall"
 
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
-	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 
 // Std implements System using the standard library.
@@ -36,7 +36,7 @@ func (s *Std) Getgid() int                                  { return os.Getgid()
 func (s *Std) LookupEnv(key string) (string, bool)          { return os.LookupEnv(key) }
 func (s *Std) TempDir() string                              { return os.TempDir() }
 func (s *Std) LookPath(file string) (string, error)         { return exec.LookPath(file) }
-func (s *Std) MustExecutable() string                       { return sandbox.MustExecutable() }
+func (s *Std) MustExecutable() string                       { return hakurei.MustExecutable() }
 func (s *Std) LookupGroup(name string) (*user.Group, error) { return user.LookupGroup(name) }
 func (s *Std) ReadDir(name string) ([]os.DirEntry, error)   { return os.ReadDir(name) }
 func (s *Std) Stat(name string) (fs.FileInfo, error)        { return os.Stat(name) }

ldd/exec.go

@@ -8,7 +8,7 @@ import (
 	"os/exec"
 	"time"
 
-	"git.gensokyo.uk/security/hakurei/sandbox"
+	"git.gensokyo.uk/security/hakurei"
 	"git.gensokyo.uk/security/hakurei/sandbox/seccomp"
 )
 
@@ -27,7 +27,7 @@ func ExecFilter(ctx context.Context,
 	p string) ([]*Entry, error) {
 	c, cancel := context.WithTimeout(ctx, lddTimeout)
 	defer cancel()
-	container := sandbox.New(c, "ldd", p)
+	container := hakurei.New(c, "ldd", p)
 	container.CommandContext = commandContext
 	container.Hostname = "hakurei-ldd"
 	container.SeccompFlags |= seccomp.AllowMultiarch

mount.go

@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 
 import (
 	"errors"

msg.go

@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 
 import (
 	"log"

ops.go

@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 
 import (
 	"encoding/gob"

output.go

@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 
 var msg Msg = new(DefaultMsg)
 

package.nix

@@ -76,7 +76,7 @@ buildGoModule rec {
       )
       {
         version = "v${version}";
-        hakurei = "${placeholder "out"}/libexec/hakurei";
+        hmain = "${placeholder "out"}/libexec/hakurei";
         hsu = "/run/wrappers/bin/hsu";
       };
 

params.go

@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 
 import (
 	"encoding/gob"

path.go

@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 
 import (
 	"errors"

syscall.go

@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 
 import (
 	"syscall"

sysctl.go

@@ -1,4 +1,4 @@
-package sandbox
+package hakurei
 
 import (
 	"bytes"

system/output.go

@@ -1,12 +1,14 @@
 package system
 
-import "git.gensokyo.uk/security/hakurei/sandbox"
+import (
+	"git.gensokyo.uk/security/hakurei"
+)
 
-var msg sandbox.Msg = new(sandbox.DefaultMsg)
+var msg hakurei.Msg = new(hakurei.DefaultMsg)
 
-func SetOutput(v sandbox.Msg) {
+func SetOutput(v hakurei.Msg) {
 	if v == nil {
-		msg = new(sandbox.DefaultMsg)
+		msg = new(hakurei.DefaultMsg)
 	} else {
 		msg = v
 	}