security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 7 Wiki Activity
1,127 Commits 3 Branches 7 Tags
Commit Graph

20 Commits

Author SHA1 Message Date
Ophestra
274686d10d
internal/validate: relocate from app
All checks were successful
Test / Create distribution (push) Successful in 37s
Details
Test / Sandbox (push) Successful in 2m23s
Details
Test / Hakurei (push) Successful in 3m9s
Details
Test / Hpkg (push) Successful in 4m7s
Details
Test / Sandbox (race detector) (push) Successful in 4m11s
Details
Test / Hakurei (race detector) (push) Successful in 5m1s
Details
Test / Flake checks (push) Successful in 1m30s
Details 
These are free of the dispatcher from internal/app. This change relocates them into their own package.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-29 03:40:09 +09:00
Ophestra
e94acc424c
container/comp: rename from bits
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 2m19s
Details
Test / Hakurei (push) Successful in 3m9s
Details
Test / Hpkg (push) Successful in 3m53s
Details
Test / Sandbox (race detector) (push) Successful in 4m2s
Details
Test / Hakurei (race detector) (push) Successful in 4m43s
Details
Test / Flake checks (push) Successful in 1m23s
Details 
This package will also hold syscall lookup tables for seccomp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-21 20:54:03 +09:00
Ophestra
c0e860000a
internal/app: remove spfinal
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Sandbox (push) Successful in 1m39s
Details
Test / Sandbox (race detector) (push) Successful in 4m3s
Details
Test / Hpkg (push) Successful in 4m12s
Details
Test / Hakurei (race detector) (push) Successful in 4m10s
Details
Test / Hakurei (push) Successful in 4m9s
Details
Test / Flake checks (push) Successful in 1m36s
Details 
This no longer needs to be an independent outcomeOp since spFilesystemOp is moved late.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-19 02:58:46 +09:00
Ophestra
4c647add0d
hst/container: pack boolean options
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m12s
Details
Test / Hakurei (push) Successful in 3m8s
Details
Test / Hpkg (push) Successful in 4m2s
Details
Test / Hakurei (race detector) (push) Successful in 4m46s
Details
Test / Sandbox (race detector) (push) Successful in 2m11s
Details
Test / Flake checks (push) Successful in 1m37s
Details 
The memory saving is relatively insignificant, however this increases serialisation efficiency.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-14 06:39:00 +09:00
Ophestra
db7051a368
internal/app/spcontainer: check fs init behaviour
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Hakurei (push) Successful in 3m8s
Details
Test / Hpkg (push) Successful in 3m53s
Details
Test / Sandbox (race detector) (push) Successful in 4m34s
Details
Test / Sandbox (push) Successful in 1m21s
Details
Test / Hakurei (race detector) (push) Successful in 5m22s
Details
Test / Flake checks (push) Successful in 1m34s
Details 
This covers every statement. Some of them are unreachable unless the kernel returns garbage.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-12 03:58:53 +09:00
Ophestra
36f312b3ba
internal/app/spcontainer: resolve path through dispatcher
All checks were successful
Test / Create distribution (push) Successful in 36s
Details
Test / Sandbox (push) Successful in 2m13s
Details
Test / Hpkg (push) Successful in 4m2s
Details
Test / Hakurei (race detector) (push) Successful in 5m23s
Details
Test / Hakurei (push) Successful in 2m14s
Details
Test / Sandbox (race detector) (push) Successful in 2m7s
Details
Test / Flake checks (push) Successful in 1m32s
Details 
This prevents state from os tainting the test data.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-11 20:20:41 +09:00
Ophestra
f5a597c406
hst: rename /.hakurei constant
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m13s
Details
Test / Hakurei (push) Successful in 3m3s
Details
Test / Hpkg (push) Successful in 3m57s
Details
Test / Sandbox (race detector) (push) Successful in 4m30s
Details
Test / Hakurei (race detector) (push) Successful in 5m16s
Details
Test / Flake checks (push) Successful in 1m20s
Details 
This provides disambiguation from fhs.AbsTmp.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-11 14:32:35 +09:00
Ophestra
f6dd9dab6a
internal/app: hold path hiding in op
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 2m20s
Details
Test / Hakurei (push) Successful in 3m8s
Details
Test / Hpkg (push) Successful in 4m12s
Details
Test / Sandbox (race detector) (push) Successful in 4m37s
Details
Test / Hakurei (race detector) (push) Successful in 5m21s
Details
Test / Flake checks (push) Successful in 1m34s
Details 
This makes no sense to be part of the global state.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-10 19:56:30 +09:00
Ophestra
776650af01
hst/config: negative WaitDelay bypasses default
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 2m19s
Details
Test / Hpkg (push) Successful in 4m4s
Details
Test / Sandbox (race detector) (push) Successful in 4m44s
Details
Test / Hakurei (race detector) (push) Successful in 5m25s
Details
Test / Hakurei (push) Successful in 2m16s
Details
Test / Flake checks (push) Successful in 1m30s
Details 
This behaviour might be useful, so do not lock it out. This change also fixes an oversight where the unchecked value is used to determine ForwardCancel.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-10 05:11:32 +09:00
Ophestra
4246256d78
internal/app: hold config address in state
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 2m13s
Details
Test / Hakurei (push) Successful in 3m6s
Details
Test / Hpkg (push) Successful in 4m9s
Details
Test / Sandbox (race detector) (push) Successful in 4m32s
Details
Test / Hakurei (race detector) (push) Successful in 5m22s
Details
Test / Flake checks (push) Successful in 1m34s
Details 
This can be removed eventually as it is barely used.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-10 01:21:01 +09:00
Ophestra
87b5c30ef6
message: relocate from container
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 2m22s
Details
Test / Hpkg (push) Successful in 4m2s
Details
Test / Sandbox (race detector) (push) Successful in 4m28s
Details
Test / Hakurei (race detector) (push) Successful in 5m21s
Details
Test / Hakurei (push) Successful in 2m9s
Details
Test / Flake checks (push) Successful in 1m29s
Details 
This package is quite useful. This change allows it to be imported without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-09 05:18:19 +09:00
Ophestra
e5baaf416f
internal/app: check transmitted ops
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Hakurei (push) Successful in 3m13s
Details
Test / Hpkg (push) Successful in 4m5s
Details
Test / Sandbox (race detector) (push) Successful in 4m28s
Details
Test / Hakurei (race detector) (push) Successful in 5m23s
Details
Test / Sandbox (push) Successful in 1m25s
Details
Test / Flake checks (push) Successful in 1m33s
Details 
This simulates params to shim and this is the last step before params to shim is merged.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-08 20:02:09 +09:00
Ophestra
12ab7ea3b4
hst/fs: access ops through interface
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Hakurei (push) Successful in 3m14s
Details
Test / Hpkg (push) Successful in 4m1s
Details
Test / Sandbox (race detector) (push) Successful in 4m28s
Details
Test / Hakurei (race detector) (push) Successful in 5m22s
Details
Test / Sandbox (push) Successful in 1m28s
Details
Test / Flake checks (push) Successful in 1m29s
Details 
This removes the final hakurei.app/container import from hst.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 23:59:48 +09:00
Ophestra
584ce3da68
container/bits: move bind bits
All checks were successful
Test / Create distribution (push) Successful in 36s
Details
Test / Sandbox (push) Successful in 2m15s
Details
Test / Hakurei (push) Successful in 3m9s
Details
Test / Hpkg (push) Successful in 4m14s
Details
Test / Sandbox (race detector) (push) Successful in 4m29s
Details
Test / Hakurei (race detector) (push) Successful in 5m21s
Details
Test / Flake checks (push) Successful in 1m31s
Details 
This allows referring to the bits without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 21:38:31 +09:00
Ophestra
5d18af0007
container/fhs: move pathname constants
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 2m6s
Details
Test / Hpkg (push) Successful in 4m1s
Details
Test / Sandbox (race detector) (push) Successful in 4m29s
Details
Test / Hakurei (race detector) (push) Successful in 3m5s
Details
Test / Hakurei (push) Successful in 2m10s
Details
Test / Flake checks (push) Successful in 1m21s
Details 
This allows referencing FHS pathnames without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 21:29:16 +09:00
Ophestra
0e6c1a5026
container/check: move absolute pathname
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Hpkg (push) Successful in 4m3s
Details
Test / Sandbox (race detector) (push) Successful in 4m26s
Details
Test / Hakurei (race detector) (push) Successful in 5m19s
Details
Test / Sandbox (push) Successful in 1m28s
Details
Test / Hakurei (push) Successful in 2m16s
Details
Test / Flake checks (push) Successful in 1m37s
Details 
This allows use of absolute pathname values without importing container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 20:57:58 +09:00
Ophestra
3ce63e95d7
container: move seccomp preset bits
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 2m13s
Details
Test / Hpkg (push) Successful in 4m2s
Details
Test / Hakurei (race detector) (push) Successful in 5m16s
Details
Test / Sandbox (race detector) (push) Successful in 2m5s
Details
Test / Hakurei (push) Successful in 2m16s
Details
Test / Flake checks (push) Successful in 1m33s
Details 
This allows holding the bits without cgo.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 18:28:20 +09:00
Ophestra
9e48d7f562
hst/config: move container fields from toplevel
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m7s
Details
Test / Hpkg (push) Successful in 3m54s
Details
Test / Hakurei (race detector) (push) Successful in 5m18s
Details
Test / Sandbox (race detector) (push) Successful in 2m10s
Details
Test / Hakurei (push) Successful in 2m13s
Details
Test / Flake checks (push) Successful in 1m33s
Details 
This change also moves pd behaviour to cmd/hakurei, as this does not belong in the hst API.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-07 04:24:45 +09:00
Ophestra
f280994957
internal/app: check nscd socket for path hiding
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Hakurei (push) Successful in 45s
Details
Test / Hakurei (race detector) (push) Successful in 45s
Details
Test / Hpkg (push) Successful in 42s
Details
Test / Sandbox (push) Successful in 1m32s
Details
Test / Sandbox (race detector) (push) Successful in 2m19s
Details
Test / Flake checks (push) Successful in 1m26s
Details 
This can seriously break things, and exposes extra host attack surface, so include it here.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-05 20:47:30 +09:00
Ophestra
eb5ee4fece
internal/app: modularise outcome finalise
All checks were successful
Test / Create distribution (push) Successful in 35s
Details
Test / Sandbox (push) Successful in 2m19s
Details
Test / Hakurei (push) Successful in 3m10s
Details
Test / Hpkg (push) Successful in 4m8s
Details
Test / Sandbox (race detector) (push) Successful in 4m35s
Details
Test / Hakurei (race detector) (push) Successful in 5m16s
Details
Test / Flake checks (push) Successful in 1m30s
Details 
This is the initial effort of splitting up host and container side of finalisation for params to shim. The new layout also enables much finer grained unit testing of each step, as well as partition access to per-app state for each step.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-10-05 02:52:50 +09:00