security/hakurei
security/hakurei
6
3
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 9 Wiki Activity

cmd/hakurei: expose current instance identifier
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m25s
Details
Test / Hakurei (push) Successful in 4m36s
Details
Test / Sandbox (race detector) (push) Successful in 4m31s
Details
Test / Hpkg (push) Successful in 4m52s
Details
Test / Hakurei (race detector) (push) Successful in 6m4s
Details
Test / Flake checks (push) Successful in 1m24s
Details

Browse Source 
This writes the 16-byte instance identifier to file descriptor specified by --identifier-fd if set, and closes the file.

This enables safely obtaining the new instance's identifier.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-11-10 07:51:00 +09:00
parent fad419c2a2
commit bb92e3ada9
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
4 changed files with 44 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
cmd/hakurei/command.go
View File

@ -52,20 +52,26 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
c.Command("app", "Load and start container from configuration file", func(args []string) error {
{
var (
flagIdentifierFile int
)
c.NewCommand("app", "Load and start container from configuration file", func(args []string) error {
if len(args) < 1 {
log.Fatal("app requires at least 1 argument")
}
// config extraArgs...
config := tryPath(msg, args[0])
if config != nil && config.Container != nil {
config.Container.Args = append(config.Container.Args, args[1:]...)
}
outcome.Main(ctx, msg, config)
outcome.Main(ctx, msg, config, flagIdentifierFile)
panic("unreachable")
})
}).
Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
"Write identifier of current instance to fd after successful startup")
}
{
var (
@ -257,7 +263,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
}
}
outcome.Main(ctx, msg, config)
outcome.Main(ctx, msg, config, -1)
panic("unreachable")
}).
Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),

8
internal/outcome/main.go
View File

@ -10,21 +10,21 @@ import (
)
// Main runs an app according to [hst.Config] and terminates. Main does not return.
func Main(ctx context.Context, msg message.Msg, config *hst.Config) {
func Main(ctx context.Context, msg message.Msg, config *hst.Config, fd int) {
var id hst.ID
if err := hst.NewInstanceID(&id); err != nil {
log.Fatal(err.Error())
}
seal := outcome{syscallDispatcher: direct{msg}}
k := outcome{syscallDispatcher: direct{msg}}
finaliseTime := time.Now()
if err := seal.finalise(ctx, msg, &id, config); err != nil {
if err := k.finalise(ctx, msg, &id, config); err != nil {
printMessageError(msg.GetLogger().Fatalln, "cannot seal app:", err)
panic("unreachable")
}
msg.Verbosef("finalise took %.2f ms", float64(time.Since(finaliseTime).Nanoseconds())/1e6)
seal.main(msg)
k.main(msg, fd)
panic("unreachable")
}

17
internal/outcome/process.go
View File

@ -33,7 +33,7 @@ const (
func NewStore(sc *hst.Paths) *store.Store { return store.New(sc.SharePath.Append("state")) }
// main carries out outcome and terminates. main does not return.
func (k *outcome) main(msg message.Msg) {
func (k *outcome) main(msg message.Msg, identifierFd int) {
if k.ctx == nil || k.sys == nil || k.state == nil {
panic("outcome: did not finalise")
}
@ -163,6 +163,21 @@ func (k *outcome) main(msg message.Msg) {
continue
}
if f := os.NewFile(uintptr(identifierFd), "identifier"); f != nil {
_, err = f.Write(k.state.id.v[:])
if err != nil {
unlock()
// transition here to avoid the commit/revert cycle on the doomed instance
perrorFatal(&hst.AppError{Step: "write instance identifier", Err: err},
"write instance identifier", processLifecycle)
continue
}
msg.Verbosef("wrote identifier to %d", identifierFd)
if err = f.Close(); err != nil {
msg.Verbose(err.Error())
}
}
err = k.sys.Commit()
unlock()
if err != nil {

5
test/test.py
View File

@ -172,6 +172,11 @@ machine.send_chars("exit\n")
machine.wait_for_file("/tmp/p0-exit-ok", timeout=15)
machine.fail("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10000")
# Check invalid identifier fd behaviour:
machine.fail('echo \'{"container":{"shell":"/proc/nonexistent","home":"/proc/nonexistent","path":"/proc/nonexistent"}}\' | sudo -u alice -i hakurei -v app --identifier-fd 32767 - 2>&1 | tee > /tmp/invalid-identifier-fd')
machine.wait_for_file("/tmp/invalid-identifier-fd")
print(machine.succeed('grep "^hakurei: cannot write identifier: bad file descriptor$" /tmp/invalid-identifier-fd'))
# Check interrupt shim behaviour:
swaymsg("exec sh -c 'ne-foot; echo -n $? > /tmp/monitor-exit-code'")
wait_for_window(f"u0_a{hakurei_identity(0)}@machine")