internal/app: check nscd socket for path hiding

This can seriously break things, and exposes extra host attack surface, so include it here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-10-05 20:34:17 +09:00
parent ae7b343cde
commit f280994957
3 changed files with 15 additions and 2 deletions


@@ -13,6 +13,8 @@ import (
"hakurei.app/system/dbus"
)
const varRunNscd = container.FHSVar + "run/nscd"
// spParamsOp initialises unordered fields of [container.Params] and the optional root filesystem.
// This outcomeOp is hardcoded to always run first.
type spParamsOp struct {
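Review bot: the new constant varRunNscd, declared right after the import block, has no doc comment, and its value container.FHSVar + "run/nscd" names a directory while the commit title speaks of the nscd socket. Suggest a one-line comment saying that this is the directory holding the host nscd socket and that it is consumed by the path hiding check in spFilesystemOp.toSystem, so a reader of the declaration does not have to find the use site to learn why it exists.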
@@ -121,8 +123,14 @@ func (s spFilesystemOp) toSystem(state *outcomeStateSys, _ *hst.Config) error {
this feature tries to improve user experience of permissive defaults, and
to warn about issues in custom configuration; it is NOT a security feature
and should not be treated as such, ALWAYS be careful with what you bind */
var hidePaths []string
hidePaths = append(hidePaths, state.sc.RuntimePath.String(), state.sc.SharePath.String())
hidePaths := []string{
state.sc.RuntimePath.String(),
state.sc.SharePath.String(),
// this causes emulated passwd database to be bypassed on some /etc/ setups
varRunNscd,
}
_, systemBusAddr := dbus.Address()
if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
return &hst.AppError{Step: "parse dbus address", Err: err}
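Review bot: the inline comment on the varRunNscd entry in hidePaths ("this causes emulated passwd database to be bypassed on some /etc/ setups") leaves "this" without a referent and records only one of the two reasons in the commit message, which also cites extra host attack surface. Suggest rewording it to say what exposing the host nscd directory to the container does, and naming the attack surface reason as well. Because the block comment directly above states that path hiding is NOT a security feature, it would also help to make clear that the new entry is covered by that same caveat, so it is not read as an enforced control.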