security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

internal/app: do not encode config early
All checks were successful
Test / Create distribution (push) Successful in 36s
Details
Test / Sandbox (push) Successful in 2m11s
Details
Test / Hpkg (push) Successful in 4m10s
Details
Test / Sandbox (race detector) (push) Successful in 4m40s
Details
Test / Hakurei (race detector) (push) Successful in 5m21s
Details
Test / Hakurei (push) Successful in 2m18s
Details
Test / Flake checks (push) Successful in 1m32s
Details

Browse Source 
Finalise no longer clobbers hst.Config.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-10-09 04:38:54 +09:00
parent a40d182706
commit df9b77b077
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
5 changed files with 79 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
internal/app/finalise.go
View File

@ -1,12 +1,9 @@
package app package app
import ( import (
"bytes"
"context" "context"
"encoding/gob"
"errors" "errors"
"fmt" "fmt"
"io"
"os" "os"
"os/user" "os/user"
"sync/atomic" "sync/atomic"
@ -24,16 +21,14 @@ func newWithMessageError(msg string, err error) error {
// An outcome is the runnable state of a hakurei container via [hst.Config]. // An outcome is the runnable state of a hakurei container via [hst.Config].
type outcome struct { type outcome struct {
// initial [hst.Config] gob stream for state data;
// this is prepared ahead of time as config is clobbered during seal creation
ct io.WriterTo
// Supplementary group ids. Populated during finalise. // Supplementary group ids. Populated during finalise.
supp []string supp []string
// Resolved priv side operating system interactions. Populated during finalise. // Resolved priv side operating system interactions. Populated during finalise.
sys *system.I sys *system.I
// Transmitted to shim. Populated during finalise. // Transmitted to shim. Populated during finalise.
state *outcomeState state *outcomeState
// Kept for saving to [state].
config *hst.Config
// Whether the current process is in outcome.main. // Whether the current process is in outcome.main.
active atomic.Bool active atomic.Bool
@ -57,16 +52,6 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID,
return err return err
} }
// TODO(ophestra): do not clobber during finalise
{
// encode initial configuration for state tracking
ct := new(bytes.Buffer)
if err := gob.NewEncoder(ct).Encode(config); err != nil {
return &hst.AppError{Step: "encode initial config", Err: err}
}
k.ct = ct
}
// hsu expects numerical group ids // hsu expects numerical group ids
supp := make([]string, len(config.Groups)) supp := make([]string, len(config.Groups))
for i, name := range config.Groups { for i, name := range config.Groups {
@ -106,5 +91,6 @@ func (k *outcome) finalise(ctx context.Context, msg container.Msg, id *state.ID,
k.sys = sys k.sys = sys
k.supp = supp k.supp = supp
k.state = &s k.state = &s
k.config = config
return nil return nil
} }

9
internal/app/process.go
View File

@ -289,10 +289,11 @@ func (k *outcome) main(msg container.Msg) {
// shim accepted setup payload, create process state // shim accepted setup payload, create process state
if ok, err := ms.store.Do(k.state.identity.unwrap(), func(c state.Cursor) { if ok, err := ms.store.Do(k.state.identity.unwrap(), func(c state.Cursor) {
if err := c.Save(&state.State{ if err := c.Save(&state.State{
ID: k.state.id.unwrap(), ID: k.state.id.unwrap(),
PID: ms.cmd.Process.Pid, PID: ms.cmd.Process.Pid,
Time: *ms.Time, Config: k.config,
}, k.ct); err != nil { Time: *ms.Time,
}); err != nil {
ms.fatal("cannot save state entry:", err) ms.fatal("cannot save state entry:", err)
} }
}); err != nil { }); err != nil {

185
internal/app/state/multi.go
View File

@ -1,11 +1,9 @@
package state package state
import ( import (
"encoding/binary"
"encoding/gob" "encoding/gob"
"errors" "errors"
"fmt" "fmt"
"io"
"io/fs" "io/fs"
"os" "os"
"path" "path"
@ -43,13 +41,13 @@ func (s *multiStore) Do(identity int, f func(c Cursor)) (bool, error) {
// ensure directory // ensure directory
if err := os.MkdirAll(b.path, 0700); err != nil && !errors.Is(err, fs.ErrExist) { if err := os.MkdirAll(b.path, 0700); err != nil && !errors.Is(err, fs.ErrExist) {
s.backends.CompareAndDelete(identity, b) s.backends.CompareAndDelete(identity, b)
return false, err return false, &hst.AppError{Step: "create store segment directory", Err: err}
} }
// open locker file // open locker file
if l, err := os.OpenFile(b.path+".lock", os.O_RDWR|os.O_CREATE, 0600); err != nil { if l, err := os.OpenFile(b.path+".lock", os.O_RDWR|os.O_CREATE, 0600); err != nil {
s.backends.CompareAndDelete(identity, b) s.backends.CompareAndDelete(identity, b)
return false, err return false, &hst.AppError{Step: "open store segment lock file", Err: err}
} else { } else {
b.lockfile = l b.lockfile = l
} }
@ -58,7 +56,7 @@ func (s *multiStore) Do(identity int, f func(c Cursor)) (bool, error) {
// lock backend // lock backend
if err := b.lockFile(); err != nil { if err := b.lockFile(); err != nil {
return false, err return false, &hst.AppError{Step: "lock store segment", Err: err}
} }
// expose backend methods without exporting the pointer // expose backend methods without exporting the pointer
@ -69,15 +67,18 @@ func (s *multiStore) Do(identity int, f func(c Cursor)) (bool, error) {
c.multiBackend = nil c.multiBackend = nil
// unlock backend // unlock backend
return true, b.unlockFile() if err := b.unlockFile(); err != nil {
return true, &hst.AppError{Step: "unlock store segment", Err: err}
}
return true, nil
} }
func (s *multiStore) List() ([]int, error) { func (s *multiStore) List() ([]int, error) {
var entries []os.DirEntry var entries []os.DirEntry
// read base directory to get all aids // read base directory to get all identities
if v, err := os.ReadDir(s.base); err != nil && !errors.Is(err, os.ErrNotExist) { if v, err := os.ReadDir(s.base); err != nil && !errors.Is(err, os.ErrNotExist) {
return nil, err return nil, &hst.AppError{Step: "read store directory", Err: err}
} else { } else {
entries = v entries = v
} }
@ -95,7 +96,7 @@ func (s *multiStore) List() ([]int, error) {
s.msg.Verbosef("skipped non-aid entry %q", e.Name()) s.msg.Verbosef("skipped non-aid entry %q", e.Name())
continue continue
} else { } else {
if v < 0 || v > 9999 { if v < hst.IdentityMin || v > hst.IdentityMax {
s.msg.Verbosef("skipped out of bounds entry %q", e.Name()) s.msg.Verbosef("skipped out of bounds entry %q", e.Name())
continue continue
} }
@ -130,9 +131,7 @@ type multiBackend struct {
mu sync.RWMutex mu sync.RWMutex
} }
func (b *multiBackend) filename(id *ID) string { func (b *multiBackend) filename(id *ID) string { return path.Join(b.path, id.String()) }
return path.Join(b.path, id.String())
}
func (b *multiBackend) lockFileAct(lt int) (err error) { func (b *multiBackend) lockFileAct(lt int) (err error) {
op := "LockAct" op := "LockAct"
@ -159,13 +158,8 @@ func (b *multiBackend) lockFileAct(lt int) (err error) {
return nil return nil
} }
func (b *multiBackend) lockFile() error { func (b *multiBackend) lockFile() error { return b.lockFileAct(syscall.LOCK_EX) }
return b.lockFileAct(syscall.LOCK_EX) func (b *multiBackend) unlockFile() error { return b.lockFileAct(syscall.LOCK_UN) }
}
func (b *multiBackend) unlockFile() error {
return b.lockFileAct(syscall.LOCK_UN)
}
// reads all launchers in simpleBackend // reads all launchers in simpleBackend
// file contents are ignored if decode is false // file contents are ignored if decode is false
@ -176,7 +170,7 @@ func (b *multiBackend) load(decode bool) (Entries, error) {
// read directory contents, should only contain files named after ids // read directory contents, should only contain files named after ids
var entries []os.DirEntry var entries []os.DirEntry
if pl, err := os.ReadDir(b.path); err != nil { if pl, err := os.ReadDir(b.path); err != nil {
return nil, err return nil, &hst.AppError{Step: "read store segment directory", Err: err}
} else { } else {
entries = pl entries = pl
} }
@ -190,34 +184,34 @@ func (b *multiBackend) load(decode bool) (Entries, error) {
return nil, fmt.Errorf("unexpected directory %q in store", e.Name()) return nil, fmt.Errorf("unexpected directory %q in store", e.Name())
} }
id := new(ID) var id ID
if err := ParseAppID(id, e.Name()); err != nil { if err := ParseAppID(&id, e.Name()); err != nil {
return nil, err return nil, &hst.AppError{Step: "parse state key", Err: err}
} }
// run in a function to better handle file closing // run in a function to better handle file closing
if err := func() error { if err := func() error {
// open state file for reading // open state file for reading
if f, err := os.Open(path.Join(b.path, e.Name())); err != nil { if f, err := os.Open(path.Join(b.path, e.Name())); err != nil {
return err return &hst.AppError{Step: "open state file", Err: err}
} else { } else {
defer func() { var s State
if f.Close() != nil { r[id] = &s
// unreachable
panic("foreign state file closed prematurely")
}
}()
s := new(State)
r[*id] = s
// append regardless, but only parse if required, implements Len // append regardless, but only parse if required, implements Len
if decode { if decode {
if err = b.decodeState(f, s); err != nil { if err = gob.NewDecoder(f).Decode(&s); err != nil {
return err _ = f.Close()
} return &hst.AppError{Step: "decode state data", Err: err}
if s.ID != *id { } else if s.ID != id {
_ = f.Close()
return fmt.Errorf("state entry %s has unexpected id %s", id, &s.ID) return fmt.Errorf("state entry %s has unexpected id %s", id, &s.ID)
} else if err = f.Close(); err != nil {
return &hst.AppError{Step: "close state file", Err: err}
}
if s.Config == nil {
return ErrNoConfig
} }
} }
@ -231,126 +225,47 @@ func (b *multiBackend) load(decode bool) (Entries, error) {
return r, nil return r, nil
} }
// state file consists of an eight byte header, followed by concatenated gobs
// of [hst.Config] and [State], if [State.Config] is not nil or offset < 0,
// the first gob is skipped
func (b *multiBackend) decodeState(r io.ReadSeeker, state *State) error {
offset := make([]byte, 8)
if l, err := r.Read(offset); err != nil {
if errors.Is(err, io.EOF) {
return fmt.Errorf("state file too short: %d bytes", l)
}
return err
}
// decode volatile state first
var skipConfig bool
{
o := int64(binary.LittleEndian.Uint64(offset))
skipConfig = o < 0
if !skipConfig {
if l, err := r.Seek(o, io.SeekCurrent); err != nil {
return err
} else if l != 8+o {
return fmt.Errorf("invalid seek offset %d", l)
}
}
}
if err := gob.NewDecoder(r).Decode(state); err != nil {
return err
}
// decode sealed config
if state.Config == nil {
// config must be provided either as part of volatile state,
// or in the config segment
if skipConfig {
return ErrNoConfig
}
state.Config = new(hst.Config)
if _, err := r.Seek(8, io.SeekStart); err != nil {
return err
}
return gob.NewDecoder(r).Decode(state.Config)
} else {
return nil
}
}
// Save writes process state to filesystem // Save writes process state to filesystem
func (b *multiBackend) Save(state *State, configWriter io.WriterTo) error { func (b *multiBackend) Save(state *State) error {
b.mu.Lock() b.mu.Lock()
defer b.mu.Unlock() defer b.mu.Unlock()
if configWriter == nil && state.Config == nil { if state.Config == nil {
return ErrNoConfig return ErrNoConfig
} }
statePath := b.filename(&state.ID) statePath := b.filename(&state.ID)
if f, err := os.OpenFile(statePath, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600); err != nil { if f, err := os.OpenFile(statePath, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600); err != nil {
return err return &hst.AppError{Step: "create state file", Err: err}
} else { } else if err = gob.NewEncoder(f).Encode(state); err != nil {
defer func() { _ = f.Close()
if f.Close() != nil { return &hst.AppError{Step: "encode state data", Err: err}
// unreachable } else if err = f.Close(); err != nil {
panic("state file closed prematurely") return &hst.AppError{Step: "close state file", Err: err}
}
}()
return b.encodeState(f, state, configWriter)
} }
} return nil
func (b *multiBackend) encodeState(w io.WriteSeeker, state *State, configWriter io.WriterTo) error {
offset := make([]byte, 8)
// skip header bytes
if _, err := w.Seek(8, io.SeekStart); err != nil {
return err
}
if configWriter != nil {
// write config gob and encode header
if l, err := configWriter.WriteTo(w); err != nil {
return err
} else {
binary.LittleEndian.PutUint64(offset, uint64(l))
}
} else {
// offset == -1 indicates absence of config gob
binary.LittleEndian.PutUint64(offset, 0xffffffffffffffff)
}
// encode volatile state
if err := gob.NewEncoder(w).Encode(state); err != nil {
return err
}
// write header
if _, err := w.Seek(0, io.SeekStart); err != nil {
return err
}
_, err := w.Write(offset)
return err
} }
func (b *multiBackend) Destroy(id ID) error { func (b *multiBackend) Destroy(id ID) error {
b.mu.Lock() b.mu.Lock()
defer b.mu.Unlock() defer b.mu.Unlock()
return os.Remove(b.filename(&id)) if err := os.Remove(b.filename(&id)); err != nil {
return &hst.AppError{Step: "destroy state entry", Err: err}
}
return nil
} }
func (b *multiBackend) Load() (Entries, error) { func (b *multiBackend) Load() (Entries, error) { return b.load(true) }
return b.load(true)
}
func (b *multiBackend) Len() (int, error) { func (b *multiBackend) Len() (int, error) {
// rn consists of only nil entries but has the correct length // rn consists of only nil entries but has the correct length
rn, err := b.load(false) rn, err := b.load(false)
return len(rn), err if err != nil {
return -1, &hst.AppError{Step: "count state entries", Err: err}
}
return len(rn), nil
} }
func (b *multiBackend) close() error { func (b *multiBackend) close() error {
@ -361,7 +276,7 @@ func (b *multiBackend) close() error {
if err == nil || errors.Is(err, os.ErrInvalid) || errors.Is(err, os.ErrClosed) { if err == nil || errors.Is(err, os.ErrInvalid) || errors.Is(err, os.ErrClosed) {
return nil return nil
} }
return err return &hst.AppError{Step: "close lock file", Err: err}
} }
// NewMulti returns an instance of the multi-file store. // NewMulti returns an instance of the multi-file store.

16
internal/app/state/state.go
View File

@ -3,12 +3,12 @@ package state
import ( import (
"errors" "errors"
"io"
"time" "time"
"hakurei.app/hst" "hakurei.app/hst"
) )
// ErrNoConfig is returned by [Cursor] when used with a nil [hst.Config].
var ErrNoConfig = errors.New("state does not contain config") var ErrNoConfig = errors.New("state does not contain config")
type Entries map[ID]*State type Entries map[ID]*State
@ -27,23 +27,23 @@ type Store interface {
Close() error Close() error
} }
// Cursor provides access to the store // Cursor provides access to the store of an identity.
type Cursor interface { type Cursor interface {
Save(state *State, configWriter io.WriterTo) error Save(state *State) error
Destroy(id ID) error Destroy(id ID) error
Load() (Entries, error) Load() (Entries, error)
Len() (int, error) Len() (int, error)
} }
// State is an instance state // State is the on-disk state of a container instance.
type State struct { type State struct {
// hakurei instance id // Unique instance id, generated by internal/app.
ID ID `json:"instance"` ID ID `json:"instance"`
// child process PID value // Shim process pid. This runs as the target user.
PID int `json:"pid"` PID int `json:"pid"`
// sealed app configuration // Configuration value used to start the container.
Config *hst.Config `json:"config"` Config *hst.Config `json:"config"`
// process start time // Exact point in time that the shim process was created.
Time time.Time `json:"time"` Time time.Time `json:"time"`
} }

38
internal/app/state/state_test.go
View File

@ -1,9 +1,6 @@
package state_test package state_test
import ( import (
"bytes"
"encoding/gob"
"io"
"math/rand/v2" "math/rand/v2"
"reflect" "reflect"
"slices" "slices"
@ -31,12 +28,9 @@ func testStore(t *testing.T, s state.Store) {
tl tl
) )
var tc [tl]struct { var tc [tl]state.State
state state.State
ct bytes.Buffer
}
for i := 0; i < tl; i++ { for i := 0; i < tl; i++ {
makeState(t, &tc[i].state, &tc[i].ct) makeState(t, &tc[i])
} }
do := func(identity int, f func(c state.Cursor)) { do := func(identity int, f func(c state.Cursor)) {
@ -47,8 +41,8 @@ func testStore(t *testing.T, s state.Store) {
insert := func(i, identity int) { insert := func(i, identity int) {
do(identity, func(c state.Cursor) { do(identity, func(c state.Cursor) {
if err := c.Save(&tc[i].state, &tc[i].ct); err != nil { if err := c.Save(&tc[i]); err != nil {
t.Fatalf("Save(&tc[%v]): error = %v", i, err) t.Fatalf("Save: error = %v", err)
} }
}) })
} }
@ -57,17 +51,13 @@ func testStore(t *testing.T, s state.Store) {
do(identity, func(c state.Cursor) { do(identity, func(c state.Cursor) {
if entries, err := c.Load(); err != nil { if entries, err := c.Load(); err != nil {
t.Fatalf("Load: error = %v", err) t.Fatalf("Load: error = %v", err)
} else if got, ok := entries[tc[i].state.ID]; !ok { } else if got, ok := entries[tc[i].ID]; !ok {
t.Fatalf("Load: entry %s missing", t.Fatalf("Load: entry %s missing", &tc[i].ID)
&tc[i].state.ID)
} else { } else {
got.Time = tc[i].state.Time got.Time = tc[i].Time
tc[i].state.Config = hst.Template() if !reflect.DeepEqual(got, &tc[i]) {
if !reflect.DeepEqual(got, &tc[i].state) { t.Fatalf("Load: entry %s got %#v, want %#v", &tc[i].ID, got, &tc[i])
t.Fatalf("Load: entry %s got %#v, want %#v",
&tc[i].state.ID, got, &tc[i].state)
} }
tc[i].state.Config = nil
} }
}) })
} }
@ -112,7 +102,7 @@ func testStore(t *testing.T, s state.Store) {
t.Run("clear identity 1", func(t *testing.T) { t.Run("clear identity 1", func(t *testing.T) {
do(1, func(c state.Cursor) { do(1, func(c state.Cursor) {
if err := c.Destroy(tc[insertEntryOtherApp].state.ID); err != nil { if err := c.Destroy(tc[insertEntryOtherApp].ID); err != nil {
t.Fatalf("Destroy: error = %v", err) t.Fatalf("Destroy: error = %v", err)
} }
}) })
@ -120,7 +110,7 @@ func testStore(t *testing.T, s state.Store) {
if l, err := c.Len(); err != nil { if l, err := c.Len(); err != nil {
t.Fatalf("Len: error = %v", err) t.Fatalf("Len: error = %v", err)
} else if l != 0 { } else if l != 0 {
t.Fatalf("Len() = %d, want 0", l) t.Fatalf("Len: %d, want 0", l)
} }
}) })
}) })
@ -132,13 +122,11 @@ func testStore(t *testing.T, s state.Store) {
}) })
} }
func makeState(t *testing.T, s *state.State, ct io.Writer) { func makeState(t *testing.T, s *state.State) {
if err := state.NewAppID(&s.ID); err != nil { if err := state.NewAppID(&s.ID); err != nil {
t.Fatalf("cannot create dummy state: %v", err) t.Fatalf("cannot create dummy state: %v", err)
} }
if err := gob.NewEncoder(ct).Encode(hst.Template()); err != nil {
t.Fatalf("cannot encode dummy config: %v", err)
}
s.PID = rand.Int() s.PID = rand.Int()
s.Config = hst.Template()
s.Time = time.Now() s.Time = time.Now()
} }