security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

hst: reword and move constants
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Hakurei (push) Successful in 3m8s
Details
Test / Hpkg (push) Successful in 4m0s
Details
Test / Sandbox (race detector) (push) Successful in 4m25s
Details
Test / Hakurei (race detector) (push) Successful in 5m14s
Details
Test / Sandbox (push) Successful in 1m26s
Details
Test / Flake checks (push) Successful in 1m32s
Details

Browse Source 
These values are considered part of the stable, exported API, so move them to hst.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-10-05 17:40:32 +09:00
parent a63a372fe0
commit ae7b343cde
7 changed files with 43 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
internal/app/finalise.go
View File

@@ -83,8 +83,8 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID,
k.ct = ct
}
// allowed identity range 0 to 9999, this is checked again in hsu
if config.Identity < 0 || config.Identity > 9999 {
// this is checked again in hsu
if config.Identity < hst.IdentityMin || config.Identity > hst.IdentityMax {
return newWithMessage(fmt.Sprintf("identity %d out of range", config.Identity))
}
@@ -187,9 +187,9 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID,
// enforce bounds and default early
if s.Container.WaitDelay <= 0 {
kp.waitDelay = hst.DefaultWaitDelay
} else if s.Container.WaitDelay > hst.MaxWaitDelay {
kp.waitDelay = hst.MaxWaitDelay
kp.waitDelay = hst.WaitDelayDefault
} else if s.Container.WaitDelay > hst.WaitDelayMax {
kp.waitDelay = hst.WaitDelayMax
} else {
kp.waitDelay = s.Container.WaitDelay
}

23
internal/app/shim.go
View File

@@ -15,6 +15,7 @@ import (
"hakurei.app/container"
"hakurei.app/container/seccomp"
"hakurei.app/hst"
)
//#include "shim-signal.h"
@@ -23,27 +24,21 @@ import "C"
const shimEnv = "HAKUREI_SHIM"
type shimParams struct {
// monitor pid, checked against ppid in signal handler
// Priv side pid, checked against ppid in signal handler for the syscall.SIGCONT hack.
Monitor int
// duration to wait for after interrupting a container's initial process before the container is killed;
// zero value defaults to [DefaultShimWaitDelay], values exceeding [MaxShimWaitDelay] becomes [MaxShimWaitDelay]
// Duration to wait for after interrupting a container's initial process before the container is killed.
// Limits are enforced on the priv side.
WaitDelay time.Duration
// finalised container params
// Finalised container params.
// TODO(ophestra): transmit outcomeState instead (params to shim)
Container *container.Params
// verbosity pass through
// Verbosity pass through.
Verbose bool
}
const (
// ShimExitRequest is returned when the monitor process requests shim exit.
ShimExitRequest = 254
// ShimExitOrphan is returned when the shim is orphaned before monitor delivers a signal.
ShimExitOrphan = 3
)
// ShimMain is the main function of the shim process and runs as the unconstrained target user.
func ShimMain() {
log.SetPrefix("shim: ")
@@ -107,12 +102,12 @@ func ShimMain() {
// setup has not completed, terminate immediately
msg.Resume()
os.Exit(ShimExitRequest)
os.Exit(hst.ShimExitRequest)
return
case 1: // got SIGCONT after adoption: monitor died before delivering signal
msg.BeforeExit()
os.Exit(ShimExitOrphan)
os.Exit(hst.ShimExitOrphan)
return
case 2: // unreachable