c9eeafbbf0
container: optionally isolate host abstract UNIX domain sockets via landlock
2025-08-18 11:50:05 +09:00
2f1d42c8dd
app: set up acl on X11 socket
The socket is typically owned by the priv-user and inaccessible to the target user, so allowing access to the directory alone is not enough. This change fixes that oversight and adds checks that will also be useful for merging #1.

Signed-off-by: Ophestra <cat@gensokyo.uk>

# Conflicts:
#	test/sandbox/case/device.nix
#	test/sandbox/case/tty.nix
2025-08-18 11:49:49 +09:00


@ -7,7 +7,6 @@ import (
"errors" "errors"
"fmt" "fmt"
"io" "io"
"log"
"os" "os"
"os/exec" "os/exec"
"runtime" "runtime"
@ -15,7 +14,6 @@ import (
. "syscall" . "syscall"
"time" "time"
"hakurei.app/container/landlock"
"hakurei.app/container/seccomp" "hakurei.app/container/seccomp"
) )
@ -94,8 +92,6 @@ type (
RetainSession bool RetainSession bool
// Do not [syscall.CLONE_NEWNET]. // Do not [syscall.CLONE_NEWNET].
HostNet bool HostNet bool
// Scope abstract UNIX domain sockets using LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET.
ScopeAbstract bool
// Retain CAP_SYS_ADMIN. // Retain CAP_SYS_ADMIN.
Privileged bool Privileged bool
} }
@ -189,12 +185,6 @@ func (p *Container) Start() error {
"prctl(PR_SET_NO_NEW_PRIVS):") "prctl(PR_SET_NO_NEW_PRIVS):")
} }
if p.ScopeAbstract {
if err := landlock.ScopeAbstract(); err != nil {
log.Fatalf("could not scope abstract unix sockets: %v", err)
}
}
msg.Verbose("starting container init") msg.Verbose("starting container init")
if err := p.cmd.Start(); err != nil { if err := p.cmd.Start(); err != nil {
return msg.WrapErr(err, err.Error()) return msg.WrapErr(err, err.Error())