diff --git a/container/autoroot_test.go b/container/autoroot_test.go index 129ff4e..a3889e7 100644 --- a/container/autoroot_test.go +++ b/container/autoroot_test.go @@ -5,8 +5,8 @@ import ( "os" "testing" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/stub" "hakurei.app/message" ) @@ -23,14 +23,14 @@ func TestAutoRootOp(t *testing.T) { checkOpBehaviour(t, []opBehaviourTestCase{ {"readdir", &Params{ParentPerm: 0750}, &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }, []stub.Call{ call("readdir", stub.ExpectArgs{"/"}, stubDir(), stub.UniqueError(2)), }, stub.UniqueError(2), nil, nil}, {"early", &Params{ParentPerm: 0750}, &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }, []stub.Call{ call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64", "lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil), @@ -39,7 +39,7 @@ func TestAutoRootOp(t *testing.T) { {"apply", &Params{ParentPerm: 0750}, &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }, []stub.Call{ call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64", "lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil), @@ -60,7 +60,7 @@ func TestAutoRootOp(t *testing.T) { {"success pd", &Params{ParentPerm: 0750}, &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }, []stub.Call{ call("readdir", stub.ExpectArgs{"/"}, stubDir("bin", "dev", "etc", "home", "lib64", "lost+found", "mnt", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var"), nil), @@ -127,10 +127,10 @@ func TestAutoRootOp(t *testing.T) { }) checkOpsBuilder(t, []opsBuilderTestCase{ - {"pd", new(Ops).Root(check.MustAbs("/"), bits.BindWritable), Ops{ + {"pd", new(Ops).Root(check.MustAbs("/"), comp.BindWritable), Ops{ &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }, }}, }) @@ -140,42 +140,42 @@ func TestAutoRootOp(t *testing.T) { {"internal ne", &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }, &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, resolved: []*BindMountOp{new(BindMountOp)}, }, true}, {"flags differs", &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable | bits.BindDevice, + Flags: comp.BindWritable | comp.BindDevice, }, &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }, false}, {"host differs", &AutoRootOp{ Host: check.MustAbs("/tmp/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }, &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }, false}, {"equals", &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }, &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }, true}, }) checkOpMeta(t, []opMetaTestCase{ {"root", &AutoRootOp{ Host: check.MustAbs("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }, "setting up", `auto root "/" flags 0x2`}, }) } diff --git a/container/bits/bits.go b/container/bits/bits.go deleted file mode 100644 index 7aa2e44..0000000 --- a/container/bits/bits.go +++ /dev/null @@ -1,13 +0,0 @@ -// Package bits contains constants for configuring the container. -package bits - -const ( - // BindOptional skips nonexistent host paths. - BindOptional = 1 << iota - // BindWritable mounts filesystem read-write. - BindWritable - // BindDevice allows access to devices (special files) on this filesystem. - BindDevice - // BindEnsure attempts to create the host path if it does not exist. - BindEnsure -) diff --git a/container/bits/seccomp.go b/container/comp/bits.go similarity index 58% rename from container/bits/seccomp.go rename to container/comp/bits.go index 57e3e12..d099344 100644 --- a/container/bits/seccomp.go +++ b/container/comp/bits.go @@ -1,4 +1,16 @@ -package bits +// Package comp contains constants from container packages without depending on cgo. +package comp + +const ( + // BindOptional skips nonexistent host paths. + BindOptional = 1 << iota + // BindWritable mounts filesystem read-write. + BindWritable + // BindDevice allows access to devices (special files) on this filesystem. + BindDevice + // BindEnsure attempts to create the host path if it does not exist. + BindEnsure +) // FilterPreset specifies parts of the syscall filter preset to enable. type FilterPreset int diff --git a/container/container.go b/container/container.go index ae83fc3..fb031c3 100644 --- a/container/container.go +++ b/container/container.go @@ -14,8 +14,8 @@ import ( . "syscall" "time" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/fhs" "hakurei.app/container/seccomp" "hakurei.app/message" @@ -86,7 +86,7 @@ type ( // Extra seccomp flags. SeccompFlags seccomp.ExportFlag // Seccomp presets. Has no effect unless SeccompRules is zero-length. - SeccompPresets bits.FilterPreset + SeccompPresets comp.FilterPreset // Do not load seccomp program. SeccompDisable bool @@ -174,7 +174,7 @@ func (p *Container) Start() error { } if !p.RetainSession { - p.SeccompPresets |= bits.PresetDenyTTY + p.SeccompPresets |= comp.PresetDenyTTY } if p.AdoptWaitDelay == 0 { diff --git a/container/container_test.go b/container/container_test.go index 11f398b..b7d0e9d 100644 --- a/container/container_test.go +++ b/container/container_test.go @@ -20,8 +20,8 @@ import ( "hakurei.app/command" "hakurei.app/container" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/seccomp" "hakurei.app/container/vfs" "hakurei.app/hst" @@ -206,20 +206,20 @@ var containerTestCases = []struct { rules []seccomp.NativeRule flags seccomp.ExportFlag - presets bits.FilterPreset + presets comp.FilterPreset }{ {"minimal", true, false, false, true, emptyOps, emptyMnt, - 1000, 100, nil, 0, bits.PresetStrict}, + 1000, 100, nil, 0, comp.PresetStrict}, {"allow", true, true, true, false, emptyOps, emptyMnt, - 1000, 100, nil, 0, bits.PresetExt | bits.PresetDenyDevel}, + 1000, 100, nil, 0, comp.PresetExt | comp.PresetDenyDevel}, {"no filter", false, true, true, true, emptyOps, emptyMnt, - 1000, 100, nil, 0, bits.PresetExt}, + 1000, 100, nil, 0, comp.PresetExt}, {"custom rules", true, true, true, false, emptyOps, emptyMnt, - 1, 31, []seccomp.NativeRule{{Syscall: seccomp.ScmpSyscall(syscall.SYS_SETUID), Errno: seccomp.ScmpErrno(syscall.EPERM)}}, 0, bits.PresetExt}, + 1, 31, []seccomp.NativeRule{{Syscall: seccomp.ScmpSyscall(syscall.SYS_SETUID), Errno: seccomp.ScmpErrno(syscall.EPERM)}}, 0, comp.PresetExt}, {"tmpfs", true, false, false, true, earlyOps(new(container.Ops). @@ -228,7 +228,7 @@ var containerTestCases = []struct { earlyMnt( ent("/", hst.PrivateTmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore), ), - 9, 9, nil, 0, bits.PresetStrict}, + 9, 9, nil, 0, comp.PresetStrict}, {"dev", true, true /* go test output is not a tty */, false, false, earlyOps(new(container.Ops). @@ -246,7 +246,7 @@ var containerTestCases = []struct { ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"), ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore), ), - 1971, 100, nil, 0, bits.PresetStrict}, + 1971, 100, nil, 0, comp.PresetStrict}, {"dev no mqueue", true, true /* go test output is not a tty */, false, false, earlyOps(new(container.Ops). @@ -263,7 +263,7 @@ var containerTestCases = []struct { ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"), ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore), ), - 1971, 100, nil, 0, bits.PresetStrict}, + 1971, 100, nil, 0, comp.PresetStrict}, {"overlay", true, false, false, true, func(t *testing.T) (*container.Ops, context.Context) { @@ -300,7 +300,7 @@ var containerTestCases = []struct { ",redirect_dir=nofollow,uuid=on,userxattr"), } }, - 1 << 3, 1 << 14, nil, 0, bits.PresetStrict}, + 1 << 3, 1 << 14, nil, 0, comp.PresetStrict}, {"overlay ephemeral", true, false, false, true, func(t *testing.T) (*container.Ops, context.Context) { @@ -324,7 +324,7 @@ var containerTestCases = []struct { ent("/", hst.PrivateTmp, "rw", "overlay", "overlay", ignore), } }, - 1 << 3, 1 << 14, nil, 0, bits.PresetStrict}, + 1 << 3, 1 << 14, nil, 0, comp.PresetStrict}, {"overlay readonly", true, false, false, true, func(t *testing.T) (*container.Ops, context.Context) { @@ -352,7 +352,7 @@ var containerTestCases = []struct { ",redirect_dir=nofollow,userxattr"), } }, - 1 << 3, 1 << 14, nil, 0, bits.PresetStrict}, + 1 << 3, 1 << 14, nil, 0, comp.PresetStrict}, } func TestContainer(t *testing.T) { @@ -560,9 +560,9 @@ func TestContainerString(t *testing.T) { c := container.NewCommand(t.Context(), msg, check.MustAbs("/run/current-system/sw/bin/ldd"), "ldd", "/usr/bin/env") c.SeccompFlags |= seccomp.AllowMultiarch c.SeccompRules = seccomp.Preset( - bits.PresetExt|bits.PresetDenyNS|bits.PresetDenyTTY, + comp.PresetExt|comp.PresetDenyNS|comp.PresetDenyTTY, c.SeccompFlags) - c.SeccompPresets = bits.PresetStrict + c.SeccompPresets = comp.PresetStrict want := `argv: ["ldd" "/usr/bin/env"], filter: true, rules: 65, flags: 0x1, presets: 0xf` if got := c.String(); got != want { t.Errorf("String: %s, want %s", got, want) diff --git a/container/init_test.go b/container/init_test.go index c0cfcfc..27f41a4 100644 --- a/container/init_test.go +++ b/container/init_test.go @@ -6,8 +6,8 @@ import ( "testing" "time" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/seccomp" "hakurei.app/container/stub" ) @@ -70,7 +70,7 @@ func TestInitEntrypoint(t *testing.T) { Gid: 1 << 31, Hostname: "hakurei-check", SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(79), nil), @@ -95,7 +95,7 @@ func TestInitEntrypoint(t *testing.T) { Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(78), nil), @@ -123,7 +123,7 @@ func TestInitEntrypoint(t *testing.T) { Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(76), nil), @@ -152,7 +152,7 @@ func TestInitEntrypoint(t *testing.T) { Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(74), nil), @@ -182,7 +182,7 @@ func TestInitEntrypoint(t *testing.T) { Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(72), nil), @@ -213,7 +213,7 @@ func TestInitEntrypoint(t *testing.T) { Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(70), nil), @@ -245,7 +245,7 @@ func TestInitEntrypoint(t *testing.T) { Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(68), nil), @@ -279,7 +279,7 @@ func TestInitEntrypoint(t *testing.T) { Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(66), nil), @@ -315,7 +315,7 @@ func TestInitEntrypoint(t *testing.T) { Hostname: "hakurei-check", Ops: (*Ops)(sliceAddr(make(Ops, 1))), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(64), nil), @@ -351,9 +351,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(nil, nil, bits.BindDevice), + Ops: new(Ops).Bind(nil, nil, comp.BindDevice), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(63), nil), @@ -389,9 +389,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(62), nil), @@ -428,9 +428,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(60), nil), @@ -467,9 +467,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(59), nil), @@ -507,9 +507,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(57), nil), @@ -548,9 +548,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(55), nil), @@ -590,9 +590,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(53), nil), @@ -633,9 +633,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(51), nil), @@ -677,9 +677,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(49), nil), @@ -722,9 +722,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(47), nil), @@ -768,9 +768,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(45), nil), @@ -823,9 +823,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(43), nil), @@ -878,9 +878,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(42), nil), @@ -934,9 +934,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(40), nil), @@ -991,9 +991,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(38), nil), @@ -1050,9 +1050,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(36), nil), @@ -1110,9 +1110,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(34), nil), @@ -1171,9 +1171,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(32), nil), @@ -1233,9 +1233,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(30), nil), @@ -1296,9 +1296,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(28), nil), @@ -1360,9 +1360,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(26), nil), @@ -1425,9 +1425,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(24), nil), @@ -1491,9 +1491,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(22), nil), @@ -1565,9 +1565,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(20), nil), @@ -1672,9 +1672,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(18), nil), @@ -1780,9 +1780,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(16), nil), @@ -1869,7 +1869,7 @@ func TestInitEntrypoint(t *testing.T) { call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil), call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil), call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil), - call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{bits.FilterPreset(0xf)}}, nil, nil), + call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{comp.FilterPreset(0xf)}}, nil, nil), call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, stub.UniqueError(15)), call("fatalf", stub.ExpectArgs{"cannot load syscall filter: %v", []any{stub.UniqueError(15)}}, nil, nil), }, @@ -1890,7 +1890,7 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 24, Gid: 1 << 47, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, @@ -2004,7 +2004,7 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 24, Gid: 1 << 47, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, @@ -2106,7 +2106,7 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 24, Gid: 1 << 47, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, @@ -2199,7 +2199,7 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 24, Gid: 1 << 47, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, @@ -2294,7 +2294,7 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 24, Gid: 1 << 47, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, @@ -2396,7 +2396,7 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 24, Gid: 1 << 47, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), SeccompDisable: true, ParentPerm: 0750, @@ -2534,9 +2534,9 @@ func TestInitEntrypoint(t *testing.T) { Uid: 1 << 32, Gid: 1 << 31, Hostname: "hakurei-check", - Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), bits.BindDevice).Proc(check.MustAbs("/proc/")), + Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), comp.BindDevice).Proc(check.MustAbs("/proc/")), SeccompRules: make([]seccomp.NativeRule, 0), - SeccompPresets: bits.PresetStrict, + SeccompPresets: comp.PresetStrict, RetainSession: true, Privileged: true, }, 1000, 100, 3, true}, uintptr(9)}, stub.UniqueError(0), nil), @@ -2623,7 +2623,7 @@ func TestInitEntrypoint(t *testing.T) { call("capBoundingSetDrop", stub.ExpectArgs{uintptr(0x28)}, nil, nil), call("capAmbientRaise", stub.ExpectArgs{uintptr(0x15)}, nil, nil), call("capset", stub.ExpectArgs{&capHeader{_LINUX_CAPABILITY_VERSION_3, 0}, &[2]capData{{0, 0x200000, 0x200000}, {0, 0, 0}}}, nil, nil), - call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{bits.FilterPreset(0xf)}}, nil, nil), + call("verbosef", stub.ExpectArgs{"resolving presets %#x", []any{comp.FilterPreset(0xf)}}, nil, nil), call("seccompLoad", stub.ExpectArgs{seccomp.Preset(0xf, 0), seccomp.ExportFlag(0)}, nil, nil), call("verbosef", stub.ExpectArgs{"%d filter rules loaded", []any{73}}, nil, nil), call("newFile", stub.ExpectArgs{uintptr(10), "extra file 0"}, (*os.File)(nil), nil), diff --git a/container/initbind.go b/container/initbind.go index 54f0012..12ebf99 100644 --- a/container/initbind.go +++ b/container/initbind.go @@ -6,8 +6,8 @@ import ( "os" "syscall" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" ) func init() { gob.Register(new(BindMountOp)) } @@ -29,18 +29,18 @@ type BindMountOp struct { func (b *BindMountOp) Valid() bool { return b != nil && b.Source != nil && b.Target != nil && - b.Flags&(bits.BindOptional|bits.BindEnsure) != (bits.BindOptional|bits.BindEnsure) + b.Flags&(comp.BindOptional|comp.BindEnsure) != (comp.BindOptional|comp.BindEnsure) } func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error { - if b.Flags&bits.BindEnsure != 0 { + if b.Flags&comp.BindEnsure != 0 { if err := k.mkdirAll(b.Source.String(), 0700); err != nil { return err } } if pathname, err := k.evalSymlinks(b.Source.String()); err != nil { - if os.IsNotExist(err) && b.Flags&bits.BindOptional != 0 { + if os.IsNotExist(err) && b.Flags&comp.BindOptional != 0 { // leave sourceFinal as nil return nil } @@ -53,7 +53,7 @@ func (b *BindMountOp) early(_ *setupState, k syscallDispatcher) error { func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error { if b.sourceFinal == nil { - if b.Flags&bits.BindOptional == 0 { + if b.Flags&comp.BindOptional == 0 { // unreachable return OpStateError("bind") } @@ -76,10 +76,10 @@ func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error { } var flags uintptr = syscall.MS_REC - if b.Flags&bits.BindWritable == 0 { + if b.Flags&comp.BindWritable == 0 { flags |= syscall.MS_RDONLY } - if b.Flags&bits.BindDevice == 0 { + if b.Flags&comp.BindDevice == 0 { flags |= syscall.MS_NODEV } diff --git a/container/initbind_test.go b/container/initbind_test.go index 323a032..86ab1f9 100644 --- a/container/initbind_test.go +++ b/container/initbind_test.go @@ -6,8 +6,8 @@ import ( "syscall" "testing" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/stub" ) @@ -25,7 +25,7 @@ func TestBindMountOp(t *testing.T) { {"skip optional", new(Params), &BindMountOp{ Source: check.MustAbs("/bin/"), Target: check.MustAbs("/bin/"), - Flags: bits.BindOptional, + Flags: comp.BindOptional, }, []stub.Call{ call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "", syscall.ENOENT), }, nil, nil, nil}, @@ -33,7 +33,7 @@ func TestBindMountOp(t *testing.T) { {"success optional", new(Params), &BindMountOp{ Source: check.MustAbs("/bin/"), Target: check.MustAbs("/bin/"), - Flags: bits.BindOptional, + Flags: comp.BindOptional, }, []stub.Call{ call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil), }, nil, []stub.Call{ @@ -46,7 +46,7 @@ func TestBindMountOp(t *testing.T) { {"ensureFile device", new(Params), &BindMountOp{ Source: check.MustAbs("/dev/null"), Target: check.MustAbs("/dev/null"), - Flags: bits.BindWritable | bits.BindDevice, + Flags: comp.BindWritable | comp.BindDevice, }, []stub.Call{ call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil), }, nil, []stub.Call{ @@ -57,7 +57,7 @@ func TestBindMountOp(t *testing.T) { {"mkdirAll ensure", new(Params), &BindMountOp{ Source: check.MustAbs("/bin/"), Target: check.MustAbs("/bin/"), - Flags: bits.BindEnsure, + Flags: comp.BindEnsure, }, []stub.Call{ call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, stub.UniqueError(4)), }, stub.UniqueError(4), nil, nil}, @@ -65,7 +65,7 @@ func TestBindMountOp(t *testing.T) { {"success ensure", new(Params), &BindMountOp{ Source: check.MustAbs("/bin/"), Target: check.MustAbs("/usr/bin/"), - Flags: bits.BindEnsure, + Flags: comp.BindEnsure, }, []stub.Call{ call("mkdirAll", stub.ExpectArgs{"/bin/", os.FileMode(0700)}, nil, nil), call("evalSymlinks", stub.ExpectArgs{"/bin/"}, "/usr/bin", nil), @@ -79,7 +79,7 @@ func TestBindMountOp(t *testing.T) { {"success device ro", new(Params), &BindMountOp{ Source: check.MustAbs("/dev/null"), Target: check.MustAbs("/dev/null"), - Flags: bits.BindDevice, + Flags: comp.BindDevice, }, []stub.Call{ call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil), }, nil, []stub.Call{ @@ -92,7 +92,7 @@ func TestBindMountOp(t *testing.T) { {"success device", new(Params), &BindMountOp{ Source: check.MustAbs("/dev/null"), Target: check.MustAbs("/dev/null"), - Flags: bits.BindWritable | bits.BindDevice, + Flags: comp.BindWritable | comp.BindDevice, }, []stub.Call{ call("evalSymlinks", stub.ExpectArgs{"/dev/null"}, "/dev/null", nil), }, nil, []stub.Call{ @@ -182,7 +182,7 @@ func TestBindMountOp(t *testing.T) { {"zero", new(BindMountOp), false}, {"nil source", &BindMountOp{Target: check.MustAbs("/")}, false}, {"nil target", &BindMountOp{Source: check.MustAbs("/")}, false}, - {"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: bits.BindOptional | bits.BindEnsure}, false}, + {"flag optional ensure", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/"), Flags: comp.BindOptional | comp.BindEnsure}, false}, {"valid", &BindMountOp{Source: check.MustAbs("/"), Target: check.MustAbs("/")}, true}, }) @@ -217,7 +217,7 @@ func TestBindMountOp(t *testing.T) { }, &BindMountOp{ Source: check.MustAbs("/etc/"), Target: check.MustAbs("/etc/.host/048090b6ed8f9ebb10e275ff5d8c0659"), - Flags: bits.BindOptional, + Flags: comp.BindOptional, }, false}, {"source differs", &BindMountOp{ @@ -256,7 +256,7 @@ func TestBindMountOp(t *testing.T) { {"hostdev", &BindMountOp{ Source: check.MustAbs("/dev/"), Target: check.MustAbs("/dev/"), - Flags: bits.BindWritable | bits.BindDevice, + Flags: comp.BindWritable | comp.BindDevice, }, "mounting", `"/dev/" flags 0x6`}, }) } diff --git a/container/seccomp/hash_amd64_test.go b/container/seccomp/hash_amd64_test.go index 5a5e543..eb3e609 100644 --- a/container/seccomp/hash_amd64_test.go +++ b/container/seccomp/hash_amd64_test.go @@ -1,7 +1,7 @@ package seccomp_test import ( - . "hakurei.app/container/bits" + . "hakurei.app/container/comp" . "hakurei.app/container/seccomp" ) diff --git a/container/seccomp/hash_arm64_test.go b/container/seccomp/hash_arm64_test.go index 2395bce..44c692d 100644 --- a/container/seccomp/hash_arm64_test.go +++ b/container/seccomp/hash_arm64_test.go @@ -1,7 +1,7 @@ package seccomp_test import ( - . "hakurei.app/container/bits" + . "hakurei.app/container/comp" . "hakurei.app/container/seccomp" ) diff --git a/container/seccomp/hash_test.go b/container/seccomp/hash_test.go index 5c99558..90bfe63 100644 --- a/container/seccomp/hash_test.go +++ b/container/seccomp/hash_test.go @@ -4,14 +4,14 @@ import ( "crypto/sha512" "encoding/hex" - "hakurei.app/container/bits" + "hakurei.app/container/comp" "hakurei.app/container/seccomp" ) type ( bpfPreset = struct { seccomp.ExportFlag - bits.FilterPreset + comp.FilterPreset } bpfLookup map[bpfPreset][sha512.Size]byte ) diff --git a/container/seccomp/libseccomp_test.go b/container/seccomp/libseccomp_test.go index 5d58ac7..cb5a29c 100644 --- a/container/seccomp/libseccomp_test.go +++ b/container/seccomp/libseccomp_test.go @@ -6,7 +6,7 @@ import ( "syscall" "testing" - . "hakurei.app/container/bits" + . "hakurei.app/container/comp" . "hakurei.app/container/seccomp" ) diff --git a/container/seccomp/presets.go b/container/seccomp/presets.go index f12d9f7..1f6f729 100644 --- a/container/seccomp/presets.go +++ b/container/seccomp/presets.go @@ -5,32 +5,32 @@ package seccomp import ( . "syscall" - "hakurei.app/container/bits" + "hakurei.app/container/comp" ) -func Preset(presets bits.FilterPreset, flags ExportFlag) (rules []NativeRule) { +func Preset(presets comp.FilterPreset, flags ExportFlag) (rules []NativeRule) { allowedPersonality := PersonaLinux - if presets&bits.PresetLinux32 != 0 { + if presets&comp.PresetLinux32 != 0 { allowedPersonality = PersonaLinux32 } presetDevelFinal := presetDevel(ScmpDatum(allowedPersonality)) l := len(presetCommon) - if presets&bits.PresetDenyNS != 0 { + if presets&comp.PresetDenyNS != 0 { l += len(presetNamespace) } - if presets&bits.PresetDenyTTY != 0 { + if presets&comp.PresetDenyTTY != 0 { l += len(presetTTY) } - if presets&bits.PresetDenyDevel != 0 { + if presets&comp.PresetDenyDevel != 0 { l += len(presetDevelFinal) } if flags&AllowMultiarch == 0 { l += len(presetEmu) } - if presets&bits.PresetExt != 0 { + if presets&comp.PresetExt != 0 { l += len(presetCommonExt) - if presets&bits.PresetDenyNS != 0 { + if presets&comp.PresetDenyNS != 0 { l += len(presetNamespaceExt) } if flags&AllowMultiarch == 0 { @@ -40,21 +40,21 @@ func Preset(presets bits.FilterPreset, flags ExportFlag) (rules []NativeRule) { rules = make([]NativeRule, 0, l) rules = append(rules, presetCommon...) - if presets&bits.PresetDenyNS != 0 { + if presets&comp.PresetDenyNS != 0 { rules = append(rules, presetNamespace...) } - if presets&bits.PresetDenyTTY != 0 { + if presets&comp.PresetDenyTTY != 0 { rules = append(rules, presetTTY...) } - if presets&bits.PresetDenyDevel != 0 { + if presets&comp.PresetDenyDevel != 0 { rules = append(rules, presetDevelFinal...) } if flags&AllowMultiarch == 0 { rules = append(rules, presetEmu...) } - if presets&bits.PresetExt != 0 { + if presets&comp.PresetExt != 0 { rules = append(rules, presetCommonExt...) - if presets&bits.PresetDenyNS != 0 { + if presets&comp.PresetDenyNS != 0 { rules = append(rules, presetNamespaceExt...) } if flags&AllowMultiarch == 0 { diff --git a/hst/fsbind.go b/hst/fsbind.go index bb1fc03..70e8bdc 100644 --- a/hst/fsbind.go +++ b/hst/fsbind.go @@ -4,8 +4,8 @@ import ( "encoding/gob" "strings" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/fhs" ) @@ -97,16 +97,16 @@ func (b *FSBind) Apply(z *ApplyState) { } var flags int if b.Write { - flags |= bits.BindWritable + flags |= comp.BindWritable } if b.Device { - flags |= bits.BindDevice | bits.BindWritable + flags |= comp.BindDevice | comp.BindWritable } if b.Ensure { - flags |= bits.BindEnsure + flags |= comp.BindEnsure } if b.Optional { - flags |= bits.BindOptional + flags |= comp.BindOptional } switch { diff --git a/hst/fsbind_test.go b/hst/fsbind_test.go index d5cf102..037d07b 100644 --- a/hst/fsbind_test.go +++ b/hst/fsbind_test.go @@ -4,7 +4,7 @@ import ( "testing" "hakurei.app/container" - "hakurei.app/container/bits" + "hakurei.app/container/comp" "hakurei.app/hst" ) @@ -24,7 +24,7 @@ func TestFSBind(t *testing.T) { }, true, container.Ops{&container.BindMountOp{ Source: m("/mnt/dev"), Target: m("/dev"), - Flags: bits.BindWritable | bits.BindDevice | bits.BindOptional, + Flags: comp.BindWritable | comp.BindDevice | comp.BindOptional, }}, m("/dev"), ms("/mnt/dev"), "d+/mnt/dev:/dev"}, @@ -36,7 +36,7 @@ func TestFSBind(t *testing.T) { }, true, container.Ops{&container.BindMountOp{ Source: m("/mnt/dev"), Target: m("/dev"), - Flags: bits.BindWritable | bits.BindDevice | bits.BindEnsure, + Flags: comp.BindWritable | comp.BindDevice | comp.BindEnsure, }}, m("/dev"), ms("/mnt/dev"), "d-/mnt/dev:/dev"}, @@ -48,7 +48,7 @@ func TestFSBind(t *testing.T) { }, true, container.Ops{&container.BindMountOp{ Source: m("/mnt/dev"), Target: m("/dev"), - Flags: bits.BindWritable | bits.BindDevice, + Flags: comp.BindWritable | comp.BindDevice, }}, m("/dev"), ms("/mnt/dev"), "d*/mnt/dev:/dev"}, @@ -59,7 +59,7 @@ func TestFSBind(t *testing.T) { }, true, container.Ops{&container.BindMountOp{ Source: m("/mnt/tmp"), Target: m("/tmp"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }}, m("/tmp"), ms("/mnt/tmp"), "w*/mnt/tmp:/tmp"}, @@ -98,7 +98,7 @@ func TestFSBind(t *testing.T) { Special: true, }, true, container.Ops{&container.AutoRootOp{ Host: m("/"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }}, m("/"), ms("/"), "autoroot:w"}, {"autoroot silly", &hst.FSBind{ @@ -108,7 +108,7 @@ func TestFSBind(t *testing.T) { Special: true, }, true, container.Ops{&container.AutoRootOp{ Host: m("/etc"), - Flags: bits.BindWritable, + Flags: comp.BindWritable, }}, m("/"), ms("/etc"), "autoroot:w:/etc"}, {"autoetc", &hst.FSBind{ diff --git a/internal/app/app_test.go b/internal/app/app_test.go index 6501091..3f3d298 100644 --- a/internal/app/app_test.go +++ b/internal/app/app_test.go @@ -17,8 +17,8 @@ import ( "time" "hakurei.app/container" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/fhs" "hakurei.app/hst" "hakurei.app/internal/app/state" @@ -98,24 +98,24 @@ func TestApp(t *testing.T) { "XDG_SESSION_TYPE=tty", }, Ops: new(container.Ops). - Root(m("/"), bits.BindWritable). + Root(m("/"), comp.BindWritable). Proc(m("/proc/")). Tmpfs(hst.AbsPrivateTmp, 4096, 0755). DevWritable(m("/dev/"), true). Tmpfs(m("/dev/shm"), 0, 01777). Tmpfs(m("/run/user/"), 4096, 0755). - Bind(m("/tmp/hakurei.0/runtime/0"), m("/run/user/65534"), bits.BindWritable). - Bind(m("/tmp/hakurei.0/tmpdir/0"), m("/tmp/"), bits.BindWritable). + Bind(m("/tmp/hakurei.0/runtime/0"), m("/run/user/65534"), comp.BindWritable). + Bind(m("/tmp/hakurei.0/tmpdir/0"), m("/tmp/"), comp.BindWritable). Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")). Place(m("/etc/group"), []byte("hakurei:x:65534:\n")). - Bind(m("/dev/kvm"), m("/dev/kvm"), bits.BindWritable|bits.BindDevice|bits.BindOptional). + Bind(m("/dev/kvm"), m("/dev/kvm"), comp.BindWritable|comp.BindDevice|comp.BindOptional). Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac"). Tmpfs(m("/run/user/1971"), 8192, 0755). Tmpfs(m("/run/nscd"), 8192, 0755). Tmpfs(m("/run/dbus"), 8192, 0755). Remount(m("/dev/"), syscall.MS_RDONLY). Remount(m("/"), syscall.MS_RDONLY), - SeccompPresets: bits.PresetExt | bits.PresetDenyDevel, + SeccompPresets: comp.PresetExt | comp.PresetDenyDevel, HostNet: true, HostAbstract: true, RetainSession: true, @@ -271,14 +271,14 @@ func TestApp(t *testing.T) { "XDG_SESSION_TYPE=wayland", }, Ops: new(container.Ops). - Root(m("/"), bits.BindWritable). + Root(m("/"), comp.BindWritable). Proc(m("/proc/")). Tmpfs(hst.AbsPrivateTmp, 4096, 0755). DevWritable(m("/dev/"), true). Tmpfs(m("/dev/shm"), 0, 01777). Tmpfs(m("/run/user/"), 4096, 0755). - Bind(m("/tmp/hakurei.0/runtime/9"), m("/run/user/65534"), bits.BindWritable). - Bind(m("/tmp/hakurei.0/tmpdir/9"), m("/tmp/"), bits.BindWritable). + Bind(m("/tmp/hakurei.0/runtime/9"), m("/run/user/65534"), comp.BindWritable). + Bind(m("/tmp/hakurei.0/tmpdir/9"), m("/tmp/"), comp.BindWritable). Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")). Place(m("/etc/group"), []byte("hakurei:x:65534:\n")). Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/65534/wayland-0"), 0). @@ -286,15 +286,15 @@ func TestApp(t *testing.T) { Place(m(hst.PrivateTmp+"/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)). Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/bus"), m("/run/user/65534/bus"), 0). Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/system_bus_socket"), m("/var/run/dbus/system_bus_socket"), 0). - Bind(m("/dev/dri"), m("/dev/dri"), bits.BindWritable|bits.BindDevice|bits.BindOptional). - Bind(m("/dev/kvm"), m("/dev/kvm"), bits.BindWritable|bits.BindDevice|bits.BindOptional). + Bind(m("/dev/dri"), m("/dev/dri"), comp.BindWritable|comp.BindDevice|comp.BindOptional). + Bind(m("/dev/kvm"), m("/dev/kvm"), comp.BindWritable|comp.BindDevice|comp.BindOptional). Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c"). Tmpfs(m("/run/user/1971"), 8192, 0755). Tmpfs(m("/run/nscd"), 8192, 0755). Tmpfs(m("/run/dbus"), 8192, 0755). Remount(m("/dev/"), syscall.MS_RDONLY). Remount(m("/"), syscall.MS_RDONLY), - SeccompPresets: bits.PresetExt | bits.PresetDenyDevel, + SeccompPresets: comp.PresetExt | comp.PresetDenyDevel, HostNet: true, HostAbstract: true, RetainSession: true, @@ -428,8 +428,8 @@ func TestApp(t *testing.T) { DevWritable(m("/dev/"), true). Tmpfs(m("/dev/shm"), 0, 01777). Tmpfs(m("/run/user/"), 4096, 0755). - Bind(m("/tmp/hakurei.0/runtime/1"), m("/run/user/1971"), bits.BindWritable). - Bind(m("/tmp/hakurei.0/tmpdir/1"), m("/tmp/"), bits.BindWritable). + Bind(m("/tmp/hakurei.0/runtime/1"), m("/run/user/1971"), comp.BindWritable). + Bind(m("/tmp/hakurei.0/tmpdir/1"), m("/tmp/"), comp.BindWritable). Place(m("/etc/passwd"), []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")). Place(m("/etc/group"), []byte("hakurei:x:100:\n")). Bind(m("/run/user/1971/wayland-0"), m("/run/user/1971/wayland-0"), 0). @@ -441,18 +441,18 @@ func TestApp(t *testing.T) { Bind(m("/usr/bin/"), m("/usr/bin/"), 0). Bind(m("/nix/store"), m("/nix/store"), 0). Bind(m("/run/current-system"), m("/run/current-system"), 0). - Bind(m("/sys/block"), m("/sys/block"), bits.BindOptional). - Bind(m("/sys/bus"), m("/sys/bus"), bits.BindOptional). - Bind(m("/sys/class"), m("/sys/class"), bits.BindOptional). - Bind(m("/sys/dev"), m("/sys/dev"), bits.BindOptional). - Bind(m("/sys/devices"), m("/sys/devices"), bits.BindOptional). + Bind(m("/sys/block"), m("/sys/block"), comp.BindOptional). + Bind(m("/sys/bus"), m("/sys/bus"), comp.BindOptional). + Bind(m("/sys/class"), m("/sys/class"), comp.BindOptional). + Bind(m("/sys/dev"), m("/sys/dev"), comp.BindOptional). + Bind(m("/sys/devices"), m("/sys/devices"), comp.BindOptional). Bind(m("/run/opengl-driver"), m("/run/opengl-driver"), 0). - Bind(m("/dev/dri"), m("/dev/dri"), bits.BindDevice|bits.BindWritable|bits.BindOptional). + Bind(m("/dev/dri"), m("/dev/dri"), comp.BindDevice|comp.BindWritable|comp.BindOptional). Etc(m("/etc/"), "8e2c76b066dabe574cf073bdb46eb5c1"). - Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), bits.BindWritable|bits.BindEnsure). + Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), comp.BindWritable|comp.BindEnsure). Remount(m("/dev/"), syscall.MS_RDONLY). Remount(m("/"), syscall.MS_RDONLY), - SeccompPresets: bits.PresetExt | bits.PresetDenyTTY | bits.PresetDenyDevel, + SeccompPresets: comp.PresetExt | comp.PresetDenyTTY | comp.PresetDenyDevel, HostNet: true, ForwardCancel: true, }, diff --git a/internal/app/shim.go b/internal/app/shim.go index 6be4574..9f85a20 100644 --- a/internal/app/shim.go +++ b/internal/app/shim.go @@ -14,7 +14,7 @@ import ( "time" "hakurei.app/container" - "hakurei.app/container/bits" + "hakurei.app/container/comp" "hakurei.app/container/seccomp" "hakurei.app/hst" "hakurei.app/message" @@ -176,7 +176,7 @@ func ShimMain() { } if err := seccomp.Load( - seccomp.Preset(bits.PresetStrict, seccomp.AllowMultiarch), + seccomp.Preset(comp.PresetStrict, seccomp.AllowMultiarch), seccomp.AllowMultiarch, ); err != nil { log.Fatalf("cannot load syscall filter: %v", err) diff --git a/internal/app/spcontainer.go b/internal/app/spcontainer.go index c6fcada..65071f7 100644 --- a/internal/app/spcontainer.go +++ b/internal/app/spcontainer.go @@ -11,8 +11,8 @@ import ( "syscall" "hakurei.app/container" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/fhs" "hakurei.app/container/seccomp" "hakurei.app/hst" @@ -75,16 +75,16 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error { } if state.Container.Flags&hst.FSeccompCompat == 0 { - state.params.SeccompPresets |= bits.PresetExt + state.params.SeccompPresets |= comp.PresetExt } if state.Container.Flags&hst.FDevel == 0 { - state.params.SeccompPresets |= bits.PresetDenyDevel + state.params.SeccompPresets |= comp.PresetDenyDevel } if state.Container.Flags&hst.FUserns == 0 { - state.params.SeccompPresets |= bits.PresetDenyNS + state.params.SeccompPresets |= comp.PresetDenyNS } if state.Container.Flags&hst.FTty == 0 { - state.params.SeccompPresets |= bits.PresetDenyTTY + state.params.SeccompPresets |= comp.PresetDenyTTY } if state.Container.Flags&hst.FMapRealUID != 0 { @@ -112,7 +112,7 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error { if state.Container.Flags&hst.FDevice == 0 { state.params.DevWritable(fhs.AbsDev, true) } else { - state.params.Bind(fhs.AbsDev, fhs.AbsDev, bits.BindWritable|bits.BindDevice) + state.params.Bind(fhs.AbsDev, fhs.AbsDev, comp.BindWritable|comp.BindDevice) } // /dev is mounted readonly later on, this prevents /dev/shm from going readonly with it state.params.Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777) diff --git a/internal/app/spcontainer_test.go b/internal/app/spcontainer_test.go index 060e8e6..154b929 100644 --- a/internal/app/spcontainer_test.go +++ b/internal/app/spcontainer_test.go @@ -8,8 +8,8 @@ import ( "testing" "hakurei.app/container" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/fhs" "hakurei.app/container/seccomp" "hakurei.app/container/stub" @@ -65,11 +65,11 @@ func TestSpParamsOp(t *testing.T) { HostAbstract: true, Path: config.Container.Path, Args: []string{config.Container.Path.String()}, - SeccompPresets: bits.PresetExt | bits.PresetDenyDevel | bits.PresetDenyNS | bits.PresetDenyTTY, + SeccompPresets: comp.PresetExt | comp.PresetDenyDevel | comp.PresetDenyNS | comp.PresetDenyTTY, Uid: 1000, Gid: 100, Ops: new(container.Ops). - Root(m("/var/lib/hakurei/base/org.debian"), bits.BindWritable). + Root(m("/var/lib/hakurei/base/org.debian"), comp.BindWritable). Proc(fhs.AbsProc).Tmpfs(hst.AbsPrivateTmp, 1<<12, 0755). DevWritable(fhs.AbsDev, true). Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777), @@ -107,9 +107,9 @@ func TestSpParamsOp(t *testing.T) { Uid: 1000, Gid: 100, Ops: new(container.Ops). - Root(m("/var/lib/hakurei/base/org.debian"), bits.BindWritable). + Root(m("/var/lib/hakurei/base/org.debian"), comp.BindWritable). Proc(fhs.AbsProc).Tmpfs(hst.AbsPrivateTmp, 1<<12, 0755). - Bind(fhs.AbsDev, fhs.AbsDev, bits.BindWritable|bits.BindDevice). + Bind(fhs.AbsDev, fhs.AbsDev, comp.BindWritable|comp.BindDevice). Tmpfs(fhs.AbsDev.Append("shm"), 0, 01777), }, paramsWantEnv(config, map[string]string{ "TERM": "xterm", @@ -425,8 +425,8 @@ func TestSpFilesystemOp(t *testing.T) { Bind( fhs.AbsVarLib.Append("hakurei/u0/org.chromium.Chromium"), check.MustAbs("/data/data/org.chromium.Chromium"), - bits.BindWritable|bits.BindEnsure). - Bind(fhs.AbsDev.Append("dri"), fhs.AbsDev.Append("dri"), bits.BindDevice|bits.BindWritable|bits.BindOptional). + comp.BindWritable|comp.BindEnsure). + Bind(fhs.AbsDev.Append("dri"), fhs.AbsDev.Append("dri"), comp.BindDevice|comp.BindWritable|comp.BindOptional). Remount(fhs.AbsRoot, syscall.MS_RDONLY), }, nil, nil}, }) diff --git a/internal/app/spruntime.go b/internal/app/spruntime.go index d8c5af9..25c04b8 100644 --- a/internal/app/spruntime.go +++ b/internal/app/spruntime.go @@ -3,8 +3,8 @@ package app import ( "encoding/gob" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/fhs" "hakurei.app/hst" "hakurei.app/system" @@ -111,7 +111,7 @@ func (s *spRuntimeOp) toContainer(state *outcomeStateParams) error { state.params.Tmpfs(fhs.AbsRunUser, 1<<12, 0755) if state.Container.Flags&hst.FShareRuntime != 0 { _, runtimeDirInst := s.commonPaths(state.outcomeState) - state.params.Bind(runtimeDirInst, state.runtimeDir, bits.BindWritable) + state.params.Bind(runtimeDirInst, state.runtimeDir, comp.BindWritable) } else { state.params.Mkdir(state.runtimeDir, 0700) } diff --git a/internal/app/spruntime_test.go b/internal/app/spruntime_test.go index 493e66a..1675a7e 100644 --- a/internal/app/spruntime_test.go +++ b/internal/app/spruntime_test.go @@ -4,7 +4,7 @@ import ( "testing" "hakurei.app/container" - "hakurei.app/container/bits" + "hakurei.app/container/comp" "hakurei.app/container/fhs" "hakurei.app/container/stub" "hakurei.app/hst" @@ -41,7 +41,7 @@ func TestSpRuntimeOp(t *testing.T) { }, &container.Params{ Ops: new(container.Ops). Tmpfs(fhs.AbsRunUser, 1<<12, 0755). - Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), bits.BindWritable), + Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), comp.BindWritable), }, paramsWantEnv(config, map[string]string{ "XDG_RUNTIME_DIR": "/run/user/1000", "XDG_SESSION_CLASS": "user", @@ -68,7 +68,7 @@ func TestSpRuntimeOp(t *testing.T) { }, &container.Params{ Ops: new(container.Ops). Tmpfs(fhs.AbsRunUser, 1<<12, 0755). - Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), bits.BindWritable), + Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), comp.BindWritable), }, paramsWantEnv(config, map[string]string{ "XDG_RUNTIME_DIR": "/run/user/1000", "XDG_SESSION_CLASS": "user", @@ -95,7 +95,7 @@ func TestSpRuntimeOp(t *testing.T) { }, &container.Params{ Ops: new(container.Ops). Tmpfs(fhs.AbsRunUser, 1<<12, 0755). - Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), bits.BindWritable), + Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), comp.BindWritable), }, paramsWantEnv(config, map[string]string{ "XDG_RUNTIME_DIR": "/run/user/1000", "XDG_SESSION_CLASS": "user", @@ -118,7 +118,7 @@ func TestSpRuntimeOp(t *testing.T) { }, &container.Params{ Ops: new(container.Ops). Tmpfs(fhs.AbsRunUser, 1<<12, 0755). - Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), bits.BindWritable), + Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), comp.BindWritable), }, paramsWantEnv(config, map[string]string{ "XDG_RUNTIME_DIR": "/run/user/1000", "XDG_SESSION_CLASS": "user", diff --git a/internal/app/sptmpdir.go b/internal/app/sptmpdir.go index b926f46..5b7b54b 100644 --- a/internal/app/sptmpdir.go +++ b/internal/app/sptmpdir.go @@ -3,8 +3,8 @@ package app import ( "encoding/gob" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/fhs" "hakurei.app/hst" "hakurei.app/system" @@ -30,7 +30,7 @@ func (s spTmpdirOp) toSystem(state *outcomeStateSys) error { func (s spTmpdirOp) toContainer(state *outcomeStateParams) error { if state.Container.Flags&hst.FShareTmpdir != 0 { _, tmpdirInst := s.commonPaths(state.outcomeState) - state.params.Bind(tmpdirInst, fhs.AbsTmp, bits.BindWritable) + state.params.Bind(tmpdirInst, fhs.AbsTmp, comp.BindWritable) } else { state.params.Tmpfs(fhs.AbsTmp, 0, 01777) } diff --git a/internal/app/sptmpdir_test.go b/internal/app/sptmpdir_test.go index 4763ea8..53b44fb 100644 --- a/internal/app/sptmpdir_test.go +++ b/internal/app/sptmpdir_test.go @@ -4,7 +4,7 @@ import ( "testing" "hakurei.app/container" - "hakurei.app/container/bits" + "hakurei.app/container/comp" "hakurei.app/container/fhs" "hakurei.app/container/stub" "hakurei.app/hst" @@ -28,7 +28,7 @@ func TestSpTmpdirOp(t *testing.T) { // this op configures the container state and does not make calls during toContainer }, &container.Params{ Ops: new(container.Ops). - Bind(m("/proc/nonexistent/tmp/hakurei.0/tmpdir/9"), fhs.AbsTmp, bits.BindWritable), + Bind(m("/proc/nonexistent/tmp/hakurei.0/tmpdir/9"), fhs.AbsTmp, comp.BindWritable), }, nil, nil}, }) } diff --git a/ldd/exec.go b/ldd/exec.go index fc7bc50..2c8f0dc 100644 --- a/ldd/exec.go +++ b/ldd/exec.go @@ -9,8 +9,8 @@ import ( "time" "hakurei.app/container" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/fhs" "hakurei.app/container/seccomp" "hakurei.app/message" @@ -40,7 +40,7 @@ func Exec(ctx context.Context, msg message.Msg, p string) ([]*Entry, error) { z := container.NewCommand(c, msg, toolPath, lddName, p) z.Hostname = "hakurei-" + lddName z.SeccompFlags |= seccomp.AllowMultiarch - z.SeccompPresets |= bits.PresetStrict + z.SeccompPresets |= comp.PresetStrict stdout, stderr := new(bytes.Buffer), new(bytes.Buffer) z.Stdout = stdout z.Stderr = stderr diff --git a/system/dbus/proc.go b/system/dbus/proc.go index b386eec..d96dd0e 100644 --- a/system/dbus/proc.go +++ b/system/dbus/proc.go @@ -9,8 +9,8 @@ import ( "syscall" "hakurei.app/container" - "hakurei.app/container/bits" "hakurei.app/container/check" + "hakurei.app/container/comp" "hakurei.app/container/seccomp" "hakurei.app/helper" "hakurei.app/ldd" @@ -65,7 +65,7 @@ func (p *Proxy) Start() error { p.final, true, argF, func(z *container.Container) { z.SeccompFlags |= seccomp.AllowMultiarch - z.SeccompPresets |= bits.PresetStrict + z.SeccompPresets |= comp.PresetStrict z.Hostname = "hakurei-dbus" if p.output != nil { z.Stdout, z.Stderr = p.output, p.output @@ -114,7 +114,7 @@ func (p *Proxy) Start() error { check.SortAbs(sockDirPaths) sockDirPaths = check.CompactAbs(sockDirPaths) for _, name := range sockDirPaths { - z.Bind(name, name, bits.BindWritable) + z.Bind(name, name, comp.BindWritable) } // xdg-dbus-proxy bin path