container/std: relocate rule types

This enables their use in hst for #15.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-11-05 06:00:39 +09:00
parent 7f27a6dc51
commit fba201c995
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
10 changed files with 121 additions and 111 deletions


@ -85,7 +85,7 @@ type (
*Ops
// Seccomp system call filter rules.
SeccompRules []seccomp.NativeRule
SeccompRules []std.NativeRule
// Extra seccomp flags.
SeccompFlags seccomp.ExportFlag
// Seccomp presets. Has no effect unless SeccompRules is zero-length.
@ -327,7 +327,7 @@ func (p *Container) Serve() error {
p.Dir = fhs.AbsRoot
}
if p.SeccompRules == nil {
p.SeccompRules = make([]seccomp.NativeRule, 0)
p.SeccompRules = make([]std.NativeRule, 0)
}
err := gob.NewEncoder(setup).Encode(&initParams{


@ -204,7 +204,7 @@ var containerTestCases = []struct {
uid int
gid int
rules []seccomp.NativeRule
rules []std.NativeRule
flags seccomp.ExportFlag
presets std.FilterPreset
}{
@ -219,7 +219,7 @@ var containerTestCases = []struct {
1000, 100, nil, 0, std.PresetExt},
{"custom rules", true, true, true, false,
emptyOps, emptyMnt,
1, 31, []seccomp.NativeRule{{Syscall: seccomp.ScmpSyscall(syscall.SYS_SETUID), Errno: seccomp.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
1, 31, []std.NativeRule{{Syscall: std.ScmpSyscall(syscall.SYS_SETUID), Errno: std.ScmpErrno(syscall.EPERM)}}, 0, std.PresetExt},
{"tmpfs", true, false, false, true,
earlyOps(new(container.Ops).


@ -11,6 +11,7 @@ import (
"syscall"
"hakurei.app/container/seccomp"
"hakurei.app/container/std"
"hakurei.app/message"
)
@ -62,7 +63,7 @@ type syscallDispatcher interface {
ensureFile(name string, perm, pperm os.FileMode) error
// seccompLoad provides [seccomp.Load].
seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error
seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
// notify provides [signal.Notify].
notify(c chan<- os.Signal, sig ...os.Signal)
// start starts [os/exec.Cmd].
@ -164,7 +165,7 @@ func (direct) ensureFile(name string, perm, pperm os.FileMode) error {
return ensureFile(name, perm, pperm)
}
func (direct) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error {
func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
return seccomp.Load(rules, flags)
}
func (direct) notify(c chan<- os.Signal, sig ...os.Signal) { signal.Notify(c, sig...) }


@ -17,6 +17,7 @@ import (
"time"
"hakurei.app/container/seccomp"
"hakurei.app/container/std"
"hakurei.app/container/stub"
"hakurei.app/message"
)
@ -456,7 +457,7 @@ func (k *kstub) ensureFile(name string, perm, pperm os.FileMode) error {
stub.CheckArg(k.Stub, "pperm", pperm, 2))
}
func (k *kstub) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error {
func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
k.Helper()
return k.Expects("seccompLoad").Error(
stub.CheckArgReflect(k.Stub, "rules", rules, 0),


@ -69,7 +69,7 @@ func TestInitEntrypoint(t *testing.T) {
Uid: 1 << 32,
Gid: 1 << 31,
Hostname: "hakurei-check",
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -94,7 +94,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -122,7 +122,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -151,7 +151,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -181,7 +181,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -212,7 +212,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -244,7 +244,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -278,7 +278,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -314,7 +314,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: (*Ops)(sliceAddr(make(Ops, 1))),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -352,7 +352,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(nil, nil, std.BindDevice),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -390,7 +390,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -429,7 +429,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -468,7 +468,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -508,7 +508,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -549,7 +549,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -591,7 +591,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -634,7 +634,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -678,7 +678,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -723,7 +723,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -769,7 +769,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -824,7 +824,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -879,7 +879,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -935,7 +935,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -992,7 +992,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -1051,7 +1051,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -1111,7 +1111,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -1172,7 +1172,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -1234,7 +1234,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -1297,7 +1297,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -1361,7 +1361,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -1426,7 +1426,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -1492,7 +1492,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -1566,7 +1566,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -1673,7 +1673,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -1781,7 +1781,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,
@ -1891,7 +1891,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(13), nil),
@ -2005,7 +2005,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(10), nil),
@ -2103,7 +2103,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(7), nil),
@ -2201,7 +2201,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(7), nil),
@ -2292,7 +2292,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(5), nil),
@ -2385,7 +2385,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(3), nil),
@ -2485,7 +2485,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 47,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompDisable: true,
ParentPerm: 0750,
}, 1971, 127, 2, false}, uintptr(0x39)}, stub.UniqueError(1), nil),
@ -2621,7 +2621,7 @@ func TestInitEntrypoint(t *testing.T) {
Gid: 1 << 31,
Hostname: "hakurei-check",
Ops: new(Ops).Bind(check.MustAbs("/"), check.MustAbs("/"), std.BindDevice).Proc(check.MustAbs("/proc/")),
SeccompRules: make([]seccomp.NativeRule, 0),
SeccompRules: make([]std.NativeRule, 0),
SeccompPresets: std.PresetStrict,
RetainSession: true,
Privileged: true,


@ -14,6 +14,8 @@ import (
"runtime/cgo"
"syscall"
"unsafe"
"hakurei.app/container/std"
)
// ErrInvalidRules is returned for a zero-length rules slice.
@ -54,31 +56,12 @@ func (e *LibraryError) Is(err error) bool {
}
type (
// scmpUint is equivalent to [ScmpUint].
// scmpUint is equivalent to [std.ScmpUint].
scmpUint = C.uint
// ScmpUint is equivalent to C.uint.
ScmpUint uint32
// scmpInt is equivalent to [ScmpInt].
// scmpInt is equivalent to [std.ScmpInt].
scmpInt = C.int
// ScmpInt is equivalent to C.int.
ScmpInt int32
// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
ScmpSyscall ScmpInt
// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
ScmpErrno ScmpInt
// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
NativeRule struct {
// Syscall is the arch-dependent syscall number to act against.
Syscall ScmpSyscall
// Errno is the errno value to return when the condition is satisfied.
Errno ScmpErrno
// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
Arg *ScmpArgCmp
}
// syscallRule is equivalent to [NativeRule].
// syscallRule is equivalent to [std.NativeRule].
syscallRule = C.struct_hakurei_syscall_rule
)
@ -115,9 +98,9 @@ func hakurei_scmp_allocate(f C.uintptr_t, len C.size_t) (buf unsafe.Pointer) {
return cgo.Handle(f).Value().(cbAllocateBuffer)(len)
}
// makeFilter generates a bpf program from a slice of [NativeRule] and writes the resulting byte slice to p.
// makeFilter generates a bpf program from a slice of [std.NativeRule] and writes the resulting byte slice to p.
// The filter is installed to the current process if p is nil.
func makeFilter(rules []NativeRule, flags ExportFlag, p *[]byte) error {
func makeFilter(rules []std.NativeRule, flags ExportFlag, p *[]byte) error {
if len(rules) == 0 {
return ErrInvalidRules
}
@ -180,22 +163,26 @@ func makeFilter(rules []NativeRule, flags ExportFlag, p *[]byte) error {
return err
}
// Export generates a bpf program from a slice of [NativeRule].
// Export generates a bpf program from a slice of [std.NativeRule].
// Errors returned by libseccomp is wrapped in [LibraryError].
func Export(rules []NativeRule, flags ExportFlag) (data []byte, err error) {
func Export(rules []std.NativeRule, flags ExportFlag) (data []byte, err error) {
err = makeFilter(rules, flags, &data)
return
}
// Load generates a bpf program from a slice of [NativeRule] and enforces it on the current process.
// Load generates a bpf program from a slice of [std.NativeRule] and enforces it on the current process.
// Errors returned by libseccomp is wrapped in [LibraryError].
func Load(rules []NativeRule, flags ExportFlag) error { return makeFilter(rules, flags, nil) }
func Load(rules []std.NativeRule, flags ExportFlag) error { return makeFilter(rules, flags, nil) }
type (
// Comparison operators.
scmpCompare = C.enum_scmp_compare
// ScmpCompare is equivalent to enum scmp_compare;
ScmpCompare ScmpUint
// Argument datum.
scmpDatum = C.scmp_datum_t
// Argument / Value comparison definition.
scmpArgCmp = C.struct_scmp_arg_cmp
)
const (
@ -219,29 +206,10 @@ const (
_SCMP_CMP_MAX = C._SCMP_CMP_MAX
)
type (
// Argument datum.
scmpDatum = C.scmp_datum_t
// ScmpDatum is equivalent to scmp_datum_t.
ScmpDatum uint64
// Argument / Value comparison definition.
scmpArgCmp = C.struct_scmp_arg_cmp
// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
ScmpArgCmp struct {
// argument number, starting at 0
Arg ScmpUint
// the comparison op, e.g. SCMP_CMP_*
Op ScmpCompare
DatumA, DatumB ScmpDatum
}
)
const (
// PersonaLinux is passed in a [ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
// PersonaLinux is passed in a [std.ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
PersonaLinux = C.PER_LINUX
// PersonaLinux32 is passed in a [ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
// PersonaLinux32 is passed in a [std.ScmpDatum] for filtering calls to syscall.SYS_PERSONALITY.
PersonaLinux32 = C.PER_LINUX32
)


@ -24,13 +24,13 @@ func TestSyscallResolveName(t *testing.T) {
}
func TestRuleType(t *testing.T) {
assertKind[ScmpUint, scmpUint](t)
assertKind[ScmpInt, scmpInt](t)
assertKind[std.ScmpUint, scmpUint](t)
assertKind[std.ScmpInt, scmpInt](t)
assertSize[NativeRule, syscallRule](t)
assertKind[ScmpDatum, scmpDatum](t)
assertKind[ScmpCompare, scmpCompare](t)
assertSize[ScmpArgCmp, scmpArgCmp](t)
assertSize[std.NativeRule, syscallRule](t)
assertKind[std.ScmpDatum, scmpDatum](t)
assertKind[std.ScmpCompare, scmpCompare](t)
assertSize[std.ScmpArgCmp, scmpArgCmp](t)
}
// assertSize asserts that native and equivalent are of the same size.
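Review bot: TestRuleType checks std.NativeRule and std.ScmpArgCmp against their C counterparts by total size only, so now that the Go definitions live in a cgo-free package, a field reordering or width change on the std side that happens to keep the same size would still pass here. How the seccomp package copies these values into the C structs is outside this hunk, but a layout mismatch that preserves size is exactly what a size-only assertion cannot catch, and the result would be a filter built from misread fields rather than a test failure. I would add per-field offset checks next to assertSize, along the lines of `if unsafe.Offsetof(std.ScmpArgCmp{}.Op) != unsafe.Offsetof(scmpArgCmp{}.op) { t.Fatal("ScmpArgCmp.Op offset mismatch") }` for each field (importing unsafe if this file does not already), so the equivalence the doc comments promise is actually pinned.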

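--- /dev/null
+++ b/container/std/seccomp.go
+package std
+type (
+// ScmpUint is equivalent to C.uint.
+ScmpUint uint32
+// ScmpInt is equivalent to C.int.
+ScmpInt int32
+// ScmpSyscall represents a syscall number passed to libseccomp via [NativeRule.Syscall].
+ScmpSyscall ScmpInt
+// ScmpErrno represents an errno value passed to libseccomp via [NativeRule.Errno].
+ScmpErrno ScmpInt
+// ScmpCompare is equivalent to enum scmp_compare;
+ScmpCompare ScmpUint
+// ScmpDatum is equivalent to scmp_datum_t.
+ScmpDatum uint64
+// ScmpArgCmp is equivalent to struct scmp_arg_cmp.
+ScmpArgCmp struct {
+// argument number, starting at 0
+Arg ScmpUint
+// the comparison op, e.g. SCMP_CMP_*
+Op ScmpCompare
+DatumA, DatumB ScmpDatum
+}
+// A NativeRule specifies an arch-specific action taken by seccomp under certain conditions.
+NativeRule struct {
+// Syscall is the arch-dependent syscall number to act against.
+Syscall ScmpSyscall
+// Errno is the errno value to return when the condition is satisfied.
+Errno ScmpErrno
+// Arg is the optional struct scmp_arg_cmp passed to libseccomp.
+Arg *ScmpArgCmp
+}
+)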
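Review bot: The type comments in this new file still say "equivalent to C.uint", "equivalent to scmp_datum_t" and so on, but package std has no cgo and nothing here tells a maintainer what keeps that equivalence true; from this commit it appears to rest only on the assertKind/assertSize checks in the seccomp package tests. A width or field-order change here would therefore look harmless locally while altering what is handed to libseccomp, so I would open the type group with `// Widths and field order mirror the libseccomp C types; they are cross-checked against the cgo definitions by TestRuleType in container/seccomp.` The ScmpCompare comment also carries a stray semicolon, `// ScmpCompare is equivalent to enum scmp_compare.`, and the ScmpArgCmp doc could state that Arg, Op, DatumA, DatumB follow the member order of struct scmp_arg_cmp, since that order is what the size assertion does not verify.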


@ -13,6 +13,7 @@ import (
"hakurei.app/container"
"hakurei.app/container/check"
"hakurei.app/container/seccomp"
"hakurei.app/container/std"
"hakurei.app/internal"
"hakurei.app/message"
"hakurei.app/system/dbus"
@ -86,7 +87,7 @@ type syscallDispatcher interface {
containerWait(z *container.Container) error
// seccompLoad provides [seccomp.Load].
seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error
seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error
// mustHsuPath provides [internal.MustHsuPath].
mustHsuPath() *check.Absolute
@ -151,7 +152,7 @@ func (direct) containerStart(z *container.Container) error { return z.Start() }
func (direct) containerServe(z *container.Container) error { return z.Serve() }
func (direct) containerWait(z *container.Container) error { return z.Wait() }
func (direct) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error {
func (direct) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
return seccomp.Load(rules, flags)
}


@ -21,6 +21,7 @@ import (
"hakurei.app/container"
"hakurei.app/container/check"
"hakurei.app/container/seccomp"
"hakurei.app/container/std"
"hakurei.app/container/stub"
"hakurei.app/hst"
"hakurei.app/message"
@ -435,7 +436,7 @@ func (k *kstub) containerWait(z *container.Container) error {
return k.expectCheckContainer(k.Expects("containerWait"), z)
}
func (k *kstub) seccompLoad(rules []seccomp.NativeRule, flags seccomp.ExportFlag) error {
func (k *kstub) seccompLoad(rules []std.NativeRule, flags seccomp.ExportFlag) error {
k.Helper()
return k.Expects("seccompLoad").Error(
stub.CheckArgReflect(k.Stub, "rules", rules, 0),
@ -722,6 +723,6 @@ func (panicDispatcher) fatalf(string, ...any) { pa
func (panicDispatcher) notifyContext(context.Context, ...os.Signal) (context.Context, context.CancelFunc) {
panic("unreachable")
}
func (panicDispatcher) seccompLoad([]seccomp.NativeRule, seccomp.ExportFlag) error {
func (panicDispatcher) seccompLoad([]std.NativeRule, seccomp.ExportFlag) error {
panic("unreachable")
}