security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

internal/app: check nscd socket for path hiding
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Hakurei (push) Successful in 45s
Details
Test / Hakurei (race detector) (push) Successful in 45s
Details
Test / Hpkg (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 1m32s
Details
Test / Sandbox (race detector) (push) Successful in 2m19s
Details
Test / Flake checks (push) Successful in 1m26s
Details

Browse Source 
This can seriously break things, and exposes extra host attack surface, so include it here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-10-05 20:34:17 +09:00
parent ae7b343cde
commit f280994957
3 changed files with 15 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
internal/app/app_test.go
View File

@@ -73,6 +73,7 @@ func TestApp(t *testing.T) {
Readonly(m("/var/run/nscd"), 0755).
Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac").
Tmpfs(m("/run/user/1971"), 8192, 0755).
Tmpfs(m("/run/nscd"), 8192, 0755).
Tmpfs(m("/run/dbus"), 8192, 0755).
Remount(m("/dev/"), syscall.MS_RDONLY).
Tmpfs(m("/run/user/"), 4096, 0755).
@@ -209,6 +210,7 @@ func TestApp(t *testing.T) {
Readonly(m("/var/run/nscd"), 0755).
Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c").
Tmpfs(m("/run/user/1971"), 8192, 0755).
Tmpfs(m("/run/nscd"), 8192, 0755).
Tmpfs(m("/run/dbus"), 8192, 0755).
Remount(m("/dev/"), syscall.MS_RDONLY).
Tmpfs(m("/run/user/"), 4096, 0755).
@@ -552,6 +554,8 @@ func (k *stubNixOS) tempdir() string { return "/tmp/" }
func (k *stubNixOS) evalSymlinks(path string) (string, error) {
switch path {
case "/var/run/nscd":
return "/run/nscd", nil
case "/run/user/1971":
return "/run/user/1971", nil
case "/tmp/hakurei.0":