security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

internal/app: build container state in shim
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Sandbox (push) Successful in 39s
Details
Test / Sandbox (race detector) (push) Successful in 40s
Details
Test / Hakurei (race detector) (push) Successful in 44s
Details
Test / Hakurei (push) Successful in 44s
Details
Test / Hpkg (push) Successful in 41s
Details
Test / Flake checks (push) Successful in 1m21s
Details

Browse Source 
This significantly decreases ipc overhead.

Closes #3.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-10-08 22:30:14 +09:00
parent e5baaf416f
commit a40d182706
6 changed files with 160 additions and 198 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
internal/app/finalise.go
View File

@@ -7,7 +7,6 @@ import (
"errors"
"fmt"
"io"
"maps"
"os"
"os/user"
"sync/atomic"
@@ -29,29 +28,26 @@ type outcome struct {
// this is prepared ahead of time as config is clobbered during seal creation
ct io.WriterTo
// Supplementary group ids. Populated during finalise.
supp []string
// Resolved priv side operating system interactions. Populated during finalise.
sys *system.I
ctx context.Context
container container.Params
// Populated during outcome.finalise.
proc *finaliseProcess
// Transmitted to shim. Populated during finalise.
state *outcomeState
// Whether the current process is in outcome.main.
active atomic.Bool
ctx context.Context
syscallDispatcher
}
func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID, config *hst.Config) error {
// only used for a nil configured env map
const envAllocSize = 1 << 6
if ctx == nil || id == nil {
// unreachable
panic("invalid call to finalise")
}
if k.ctx != nil || k.sys != nil || k.proc != nil {
if k.ctx != nil || k.sys != nil || k.state != nil {
// unreachable
panic("attempting to finalise twice")
}
@@ -71,10 +67,8 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID,
k.ct = ct
}
var kp finaliseProcess
// hsu expects numerical group ids
kp.supp = make([]string, len(config.Groups))
supp := make([]string, len(config.Groups))
for i, name := range config.Groups {
if gid, err := k.lookupGroupId(name); err != nil {
var unknownGroupError user.UnknownGroupError
@@ -84,7 +78,7 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID,
return &hst.AppError{Step: "look up group by name", Err: err}
}
} else {
kp.supp[i] = gid
supp[i] = gid
}
}
@@ -96,38 +90,21 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID,
EnvPaths: copyPaths(k.syscallDispatcher),
Container: config.Container,
}
kp.waitDelay = s.populateEarly(k.syscallDispatcher, msg)
// TODO(ophestra): duplicate in shim (params to shim)
s.populateEarly(k.syscallDispatcher, msg, config)
if err := s.populateLocal(k.syscallDispatcher, msg); err != nil {
return err
}
kp.runDirPath, kp.identity, kp.id = s.sc.RunDirPath, s.identity, s.id
sys := system.New(k.ctx, msg, s.uid.unwrap())
ops := fromConfig(config)
stateSys := outcomeStateSys{sys: sys, outcomeState: &s}
for _, op := range ops {
for _, op := range s.Shim.Ops {
if err := op.toSystem(&stateSys, config); err != nil {
return err
}
}
// TODO(ophestra): move to shim
stateParams := outcomeStateParams{params: &k.container, outcomeState: &s}
if s.Container.Env == nil {
stateParams.env = make(map[string]string, envAllocSize)
} else {
stateParams.env = maps.Clone(s.Container.Env)
}
for _, op := range ops {
if err := op.toContainer(&stateParams); err != nil {
return err
}
}
k.sys = sys
k.proc = &kp
k.supp = supp
k.state = &s
return nil
}