security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

Compare commits

base: security:75c260cd8dc004d86763c131fe1190210074e609
Branches Tags
security:master
security:develop
security:staging
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0
..
compare: security:5db07140726e6e1bf615ed075e9a8b653508c2a7
Branches Tags
security:develop
security:master
security:staging
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0

1 Commits
75c260cd8d ... 5db0714072

Author SHA1 Message Date
Clayton Gilmer
5db0714072
container: optionally isolate host abstract UNIX domain sockets via landlock
All checks were successful
Test / Create distribution (pull_request) Successful in 33s
Details
Test / Sandbox (pull_request) Successful in 2m10s
Details
Test / Hpkg (pull_request) Successful in 4m1s
Details
Test / Sandbox (race detector) (pull_request) Successful in 4m19s
Details
Test / Hakurei (pull_request) Successful in 4m55s
Details
Test / Hakurei (race detector) (pull_request) Successful in 5m0s
Details
Test / Create distribution (push) Successful in 27s
Details
Test / Sandbox (race detector) (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 44s
Details
Test / Hakurei (push) Successful in 47s
Details
Test / Hakurei (race detector) (push) Successful in 47s
Details
Test / Hpkg (push) Successful in 45s
Details
Test / Flake checks (pull_request) Successful in 1m47s
Details
Test / Flake checks (push) Successful in 1m36s
Details
2025-08-18 16:28:14 +09:00
6 changed files with 13 additions and 30 deletions
Show Stats Expand all files Collapse all files

2
internal/app/app_pd_linux_test.go
View File

@ -62,6 +62,7 @@ var testCasesPd = []sealTestCase{
Remount(m("/"), syscall.MS_RDONLY), Remount(m("/"), syscall.MS_RDONLY),
SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel, SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
HostNet: true, HostNet: true,
HostAbstract: true,
RetainSession: true, RetainSession: true,
ForwardCancel: true, ForwardCancel: true,
}, },
@ -203,6 +204,7 @@ var testCasesPd = []sealTestCase{
Remount(m("/"), syscall.MS_RDONLY), Remount(m("/"), syscall.MS_RDONLY),
SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel, SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
HostNet: true, HostNet: true,
HostAbstract: true,
RetainSession: true, RetainSession: true,
ForwardCancel: true, ForwardCancel: true,
}, },

1
internal/app/seal_linux.go
View File

@ -240,6 +240,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
conf := &hst.ContainerConfig{ conf := &hst.ContainerConfig{
Userns: true, Userns: true,
Net: true, Net: true,
Abstract: true,
Tty: true, Tty: true,
AutoEtc: true, AutoEtc: true,

2
nixos.nix
View File

@ -132,12 +132,12 @@ in
devel devel
userns userns
net net
abstract
device device
tty tty
multiarch multiarch
env env
; ;
scope_abstract = app.scopeAbstract;
map_real_uid = app.mapRealUid; map_real_uid = app.mapRealUid;
filesystem = filesystem =

22
options.md
View File

@ -572,28 +572,6 @@ boolean
*Example:*
` true `
## environment\.hakurei\.apps\.\<name>\.scopeAbstract
Whether to restrict abstract UNIX domain socket access\.
*Type:*
boolean
*Default:*
` true `
*Example:* *Example:*
` true ` ` true `

4
options.nix
View File

@ -182,9 +182,7 @@ in
net = mkEnableOption "network access" // { net = mkEnableOption "network access" // {
default = true; default = true;
}; };
scopeAbstract = mkEnableOption "abstract unix domain socket access" // { abstract = mkEnableOption "abstract unix domain socket access";
default = true;
};
nix = mkEnableOption "nix daemon access"; nix = mkEnableOption "nix daemon access";
mapRealUid = mkEnableOption "mapping to priv-user uid"; mapRealUid = mkEnableOption "mapping to priv-user uid";

4
test/sandbox/case/pd.nix
View File

@ -194,5 +194,9 @@
]; ];
seccomp = true; seccomp = true;
try_socket = "/tmp/.X11-unix/X0";
socket_abstract = true;
socket_pathname = false;
}; };
} }