diff --git a/hst/config.go b/hst/config.go index 08a23f0..bc542cc 100644 --- a/hst/config.go +++ b/hst/config.go @@ -3,122 +3,40 @@ package hst import ( "errors" "strconv" - "time" "hakurei.app/container/check" ) -// PrivateTmp is a private writable path in a hakurei container. -const PrivateTmp = "/.hakurei" +// Config configures an application container, implemented in internal/app. +type Config struct { + // Reverse-DNS style configured arbitrary identifier string. + // Passed to wayland security-context-v1 and used as part of defaults in dbus session proxy. + ID string `json:"id"` -// AbsPrivateTmp is a [check.Absolute] representation of [PrivateTmp]. -var AbsPrivateTmp = check.MustAbs(PrivateTmp) + // System services to make available in the container. + Enablements *Enablements `json:"enablements,omitempty"` -const ( - // WaitDelayDefault is used when WaitDelay has its zero value. - WaitDelayDefault = 5 * time.Second - // WaitDelayMax is used if WaitDelay exceeds its value. - WaitDelayMax = 30 * time.Second + // Session D-Bus proxy configuration. + // If set to nil, session bus proxy assume built-in defaults. + SessionBus *BusConfig `json:"session_bus,omitempty"` + // System D-Bus proxy configuration. + // If set to nil, system bus proxy is disabled. + SystemBus *BusConfig `json:"system_bus,omitempty"` + // Direct access to wayland socket, no attempt is made to attach security-context-v1 + // and the bare socket is made available to the container. + DirectWayland bool `json:"direct_wayland,omitempty"` - // IdentityMin is the minimum value of [Config.Identity]. This is enforced by cmd/hsu. - IdentityMin = 0 - // IdentityMax is the maximum value of [Config.Identity]. This is enforced by cmd/hsu. - IdentityMax = 9999 + // Extra acl update ops to perform before setuid. + ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"` - // ShimExitRequest is returned when the priv side process requests shim exit. - ShimExitRequest = 254 - // ShimExitOrphan is returned when the shim is orphaned before priv side delivers a signal. - ShimExitOrphan = 3 -) + // Numerical application id, passed to hsu, used to derive init user namespace credentials. + Identity int `json:"identity"` + // Init user namespace supplementary groups inherited by all container processes. + Groups []string `json:"groups"` -type ( - // Config configures an application container, implemented in internal/app. - Config struct { - // Reverse-DNS style configured arbitrary identifier string. - // Passed to wayland security-context-v1 and used as part of defaults in dbus session proxy. - ID string `json:"id"` - - // System services to make available in the container. - Enablements *Enablements `json:"enablements,omitempty"` - - // Session D-Bus proxy configuration. - // If set to nil, session bus proxy assume built-in defaults. - SessionBus *BusConfig `json:"session_bus,omitempty"` - // System D-Bus proxy configuration. - // If set to nil, system bus proxy is disabled. - SystemBus *BusConfig `json:"system_bus,omitempty"` - // Direct access to wayland socket, no attempt is made to attach security-context-v1 - // and the bare socket is made available to the container. - DirectWayland bool `json:"direct_wayland,omitempty"` - - // Extra acl update ops to perform before setuid. - ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"` - - // Numerical application id, passed to hsu, used to derive init user namespace credentials. - Identity int `json:"identity"` - // Init user namespace supplementary groups inherited by all container processes. - Groups []string `json:"groups"` - - // High level configuration applied to the underlying [container]. - Container *ContainerConfig `json:"container"` - } - - // ContainerConfig describes the container configuration to be applied to an underlying [container]. - ContainerConfig struct { - // Container UTS namespace hostname. - Hostname string `json:"hostname,omitempty"` - - // Duration in nanoseconds to wait for after interrupting the initial process. - // Defaults to [WaitDelayDefault] if zero, or [WaitDelayMax] if greater than [WaitDelayMax]. - // Values lesser than zero is equivalent to zero, bypassing [WaitDelayDefault]. - WaitDelay time.Duration `json:"wait_delay,omitempty"` - - // Emit Flatpak-compatible seccomp filter programs. - SeccompCompat bool `json:"seccomp_compat,omitempty"` - // Allow ptrace and friends. - Devel bool `json:"devel,omitempty"` - // Allow userns creation and container setup syscalls. - Userns bool `json:"userns,omitempty"` - // Share host net namespace. - HostNet bool `json:"host_net,omitempty"` - // Share abstract unix socket scope. - HostAbstract bool `json:"host_abstract,omitempty"` - // Allow dangerous terminal I/O (faking input). - Tty bool `json:"tty,omitempty"` - // Allow multiarch. - Multiarch bool `json:"multiarch,omitempty"` - - // Initial process environment variables. - Env map[string]string `json:"env"` - - /* Map target user uid to privileged user uid in the container user namespace. - - Some programs fail to connect to dbus session running as a different uid, - this option works around it by mapping priv-side caller uid in container. */ - MapRealUID bool `json:"map_real_uid"` - - // Mount /dev/ from the init mount namespace as-is in the container mount namespace. - Device bool `json:"device,omitempty"` - - /* Container mount points. - - If the first element targets /, it is inserted early and excluded from path hiding. */ - Filesystem []FilesystemConfigJSON `json:"filesystem"` - - // String used as the username of the emulated user, validated against the default NAME_REGEX from adduser. - // Defaults to passwd name of target uid or chronos. - Username string `json:"username,omitempty"` - // Pathname of shell in the container filesystem to use for the emulated user. - Shell *check.Absolute `json:"shell"` - // Directory in the container filesystem to enter and use as the home directory of the emulated user. - Home *check.Absolute `json:"home"` - - // Pathname to executable file in the container filesystem. - Path *check.Absolute `json:"path,omitempty"` - // Final args passed to the initial program. - Args []string `json:"args"` - } -) + // High level configuration applied to the underlying [container]. + Container *ContainerConfig `json:"container"` +} var ( // ErrConfigNull is returned by [Config.Validate] for an invalid configuration that contains a null value for any diff --git a/hst/container.go b/hst/container.go new file mode 100644 index 0000000..ca75c17 --- /dev/null +++ b/hst/container.go @@ -0,0 +1,86 @@ +package hst + +import ( + "time" + + "hakurei.app/container/check" +) + +// PrivateTmp is a private writable path in a hakurei container. +const PrivateTmp = "/.hakurei" + +// AbsPrivateTmp is a [check.Absolute] representation of [PrivateTmp]. +var AbsPrivateTmp = check.MustAbs(PrivateTmp) + +const ( + // WaitDelayDefault is used when WaitDelay has its zero value. + WaitDelayDefault = 5 * time.Second + // WaitDelayMax is used if WaitDelay exceeds its value. + WaitDelayMax = 30 * time.Second + + // IdentityMin is the minimum value of [Config.Identity]. This is enforced by cmd/hsu. + IdentityMin = 0 + // IdentityMax is the maximum value of [Config.Identity]. This is enforced by cmd/hsu. + IdentityMax = 9999 + + // ShimExitRequest is returned when the priv side process requests shim exit. + ShimExitRequest = 254 + // ShimExitOrphan is returned when the shim is orphaned before priv side delivers a signal. + ShimExitOrphan = 3 +) + +// ContainerConfig describes the container configuration to be applied to an underlying [container]. +type ContainerConfig struct { + // Container UTS namespace hostname. + Hostname string `json:"hostname,omitempty"` + + // Duration in nanoseconds to wait for after interrupting the initial process. + // Defaults to [WaitDelayDefault] if zero, or [WaitDelayMax] if greater than [WaitDelayMax]. + // Values lesser than zero is equivalent to zero, bypassing [WaitDelayDefault]. + WaitDelay time.Duration `json:"wait_delay,omitempty"` + + // Emit Flatpak-compatible seccomp filter programs. + SeccompCompat bool `json:"seccomp_compat,omitempty"` + // Allow ptrace and friends. + Devel bool `json:"devel,omitempty"` + // Allow userns creation and container setup syscalls. + Userns bool `json:"userns,omitempty"` + // Share host net namespace. + HostNet bool `json:"host_net,omitempty"` + // Share abstract unix socket scope. + HostAbstract bool `json:"host_abstract,omitempty"` + // Allow dangerous terminal I/O (faking input). + Tty bool `json:"tty,omitempty"` + // Allow multiarch. + Multiarch bool `json:"multiarch,omitempty"` + + // Initial process environment variables. + Env map[string]string `json:"env"` + + /* Map target user uid to privileged user uid in the container user namespace. + + Some programs fail to connect to dbus session running as a different uid, + this option works around it by mapping priv-side caller uid in container. */ + MapRealUID bool `json:"map_real_uid"` + + // Mount /dev/ from the init mount namespace as-is in the container mount namespace. + Device bool `json:"device,omitempty"` + + /* Container mount points. + + If the first element targets /, it is inserted early and excluded from path hiding. */ + Filesystem []FilesystemConfigJSON `json:"filesystem"` + + // String used as the username of the emulated user, validated against the default NAME_REGEX from adduser. + // Defaults to passwd name of target uid or chronos. + Username string `json:"username,omitempty"` + // Pathname of shell in the container filesystem to use for the emulated user. + Shell *check.Absolute `json:"shell"` + // Directory in the container filesystem to enter and use as the home directory of the emulated user. + Home *check.Absolute `json:"home"` + + // Pathname to executable file in the container filesystem. + Path *check.Absolute `json:"path,omitempty"` + // Final args passed to the initial program. + Args []string `json:"args"` +}