
75c260cd8d
container: optionally isolate host abstract UNIX domain sockets via landlock
2025-08-18 16:18:36 +09:00
6 changed files with 30 additions and 13 deletions


@ -62,7 +62,6 @@ var testCasesPd = []sealTestCase{
Remount(m("/"), syscall.MS_RDONLY), Remount(m("/"), syscall.MS_RDONLY),
SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel, SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
HostNet: true, HostNet: true,
HostAbstract: true,
RetainSession: true, RetainSession: true,
ForwardCancel: true, ForwardCancel: true,
}, },
@ -204,7 +203,6 @@ var testCasesPd = []sealTestCase{
Remount(m("/"), syscall.MS_RDONLY), Remount(m("/"), syscall.MS_RDONLY),
SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel, SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
HostNet: true, HostNet: true,
HostAbstract: true,
RetainSession: true, RetainSession: true,
ForwardCancel: true, ForwardCancel: true,
}, },


@ -240,7 +240,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
conf := &hst.ContainerConfig{ conf := &hst.ContainerConfig{
Userns: true, Userns: true,
Net: true, Net: true,
Abstract: true,
Tty: true, Tty: true,
AutoEtc: true, AutoEtc: true,


@ -132,12 +132,12 @@ in
devel devel
userns userns
net net
abstract
device device
tty tty
multiarch multiarch
env env
; ;
scope_abstract = app.scopeAbstract;
map_real_uid = app.mapRealUid; map_real_uid = app.mapRealUid;
filesystem = filesystem =
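Review bot: The new `scope_abstract = app.scopeAbstract;` line hands the Go side a key whose consumer is not visible in this view — none of the six file sections touches the `hst` config struct, so I cannot confirm the JSON tag is `scope_abstract`. If the tag differs, a default `encoding/json` decoder drops the unknown key silently and the container comes up with abstract sockets unscoped while the Nix configuration reads as hardened; that is a fail-open worth ruling out. Please confirm the tag against the struct (or decode with `DisallowUnknownFields` on the Go side) before merging, and note that `abstract` is no longer emitted at all, so the old key's polarity can no longer leak through. The enclosing attribute set continues past the hunk.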


@ -572,6 +572,28 @@ boolean
*Example:*
` true `
## environment\.hakurei\.apps\.\<name>\.scopeAbstract
Whether to restrict abstract UNIX domain socket access\.
*Type:*
boolean
*Default:*
` true `
*Example:* *Example:*
` true ` ` true `


@ -182,7 +182,9 @@ in
net = mkEnableOption "network access" // { net = mkEnableOption "network access" // {
default = true; default = true;
}; };
abstract = mkEnableOption "abstract unix domain socket access"; scopeAbstract = mkEnableOption "abstract unix domain socket access" // {
default = true;
};
nix = mkEnableOption "nix daemon access"; nix = mkEnableOption "nix daemon access";
mapRealUid = mkEnableOption "mapping to priv-user uid"; mapRealUid = mkEnableOption "mapping to priv-user uid";
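Review bot: The description on the new `scopeAbstract` line renders as "Whether to enable abstract unix domain socket access.", which is the inverse of what `true` now does; the generated manual text in this same commit reads "Whether to restrict abstract UNIX domain socket access.", so the two disagree unless an override exists outside the hunk. Spell the semantics out so nobody sets it to `false` believing they are hardening, e.g. `scopeAbstract = mkOption { type = types.bool; default = true; description = "Whether to restrict abstract UNIX domain socket access via Landlock socket scoping."; };`, and state in the description what happens on kernels without Landlock ABI 6 (Linux 6.12+), where the scope cannot be enforced — I cannot see from this view whether the Go side fails closed or degrades there. Because the polarity is inverted relative to the removed `abstract` option, `mkRenamedOptionModule` would be wrong; consider a `mkRemovedOptionModule [ "abstract" ] "replaced by scopeAbstract, which has the opposite meaning"` in the per-app submodule so configurations that set `abstract = true` get a pointed error rather than a bare unknown-option failure. The option set continues outside the hunk.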


@ -194,9 +194,5 @@
]; ];
seccomp = true; seccomp = true;
try_socket = "/tmp/.X11-unix/X0";
socket_abstract = true;
socket_pathname = false;
}; };
} }