security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

internal/app: hold path hiding in op
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 2m20s
Details
Test / Hakurei (push) Successful in 3m8s
Details
Test / Hpkg (push) Successful in 4m12s
Details
Test / Sandbox (race detector) (push) Successful in 4m37s
Details
Test / Hakurei (race detector) (push) Successful in 5m21s
Details
Test / Flake checks (push) Successful in 1m34s
Details

Browse Source 
This makes no sense to be part of the global state.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-10-10 19:48:37 +09:00
parent 776650af01
commit f6dd9dab6a
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
2 changed files with 11 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
internal/app/outcome.go
View File

@ -57,9 +57,6 @@ type outcomeState struct {
sc hst.Paths
*EnvPaths
// Matched paths to cover. Populated by spFilesystemOp.
HidePaths []*check.Absolute
// Copied via populateLocal.
k syscallDispatcher
// Copied via populateLocal.
@ -154,7 +151,7 @@ type outcomeStateSys struct {
directWayland bool
// Copied header from [hst.Config]. Safe for read by spFinalOp.toSystem only.
extraPerms []*hst.ExtraPermConfig
// Copied address from [hst.Config. Safe for read by spDBusOp.toSystem only.
// Copied address from [hst.Config]. Safe for read by spDBusOp.toSystem only.
sessionBus, systemBus *hst.BusConfig
sys *system.I
@ -255,7 +252,7 @@ func (state *outcomeStateSys) toSystem() error {
&spParamsOp{},
// TODO(ophestra): move this late for #8 and #9
spFilesystemOp{},
&spFilesystemOp{},
spRuntimeOp{},
spTmpdirOp{},

15
internal/app/spcontainer.go
View File

@ -117,12 +117,15 @@ func (s *spParamsOp) toContainer(state *outcomeStateParams) error {
return nil
}
func init() { gob.Register(spFilesystemOp{}) }
func init() { gob.Register(new(spFilesystemOp)) }
// spFilesystemOp applies configured filesystems to [container.Params], excluding the optional root filesystem.
type spFilesystemOp struct{}
type spFilesystemOp struct {
// Matched paths to cover. Stored during toSystem.
HidePaths []*check.Absolute
}
func (s spFilesystemOp) toSystem(state *outcomeStateSys) error {
func (s *spFilesystemOp) toSystem(state *outcomeStateSys) error {
/* retrieve paths and hide them if they're made available in the sandbox;
this feature tries to improve user experience of permissive defaults, and
@ -253,7 +256,7 @@ func (s spFilesystemOp) toSystem(state *outcomeStateSys) error {
}
return newWithMessage("invalid path hiding candidate " + strconv.Quote(absoluteError.Pathname))
} else {
state.HidePaths = append(state.HidePaths, a)
s.HidePaths = append(s.HidePaths, a)
}
}
}
@ -261,7 +264,7 @@ func (s spFilesystemOp) toSystem(state *outcomeStateSys) error {
return nil
}
func (s spFilesystemOp) toContainer(state *outcomeStateParams) error {
func (s *spFilesystemOp) toContainer(state *outcomeStateParams) error {
for i, c := range state.filesystem {
if !c.Valid() {
return newWithMessage("invalid filesystem at index " + strconv.Itoa(i))
@ -269,7 +272,7 @@ func (s spFilesystemOp) toContainer(state *outcomeStateParams) error {
c.Apply(&state.as)
}
for _, a := range state.HidePaths {
for _, a := range s.HidePaths {
state.params.Tmpfs(a, 1<<13, 0755)
}