security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

Compare commits

base: security:a6b2b9df225a7db7509427a49ae09139be0f94b0
Branches Tags
security:master
security:develop
security:staging
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0
..
compare: security:2cf3077c0715741dffecd27916776d38e844b2b2
Branches Tags
security:develop
security:master
security:staging
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0

2 Commits
a6b2b9df22 ... 2cf3077c07

Author SHA1 Message Date
Clayton Gilmer
2cf3077c07
container: optionally isolate host abstract UNIX domain sockets via landlock
Some checks failed
Test / Create distribution (push) Failing after 32s
Details
Test / Create distribution (pull_request) Failing after 35s
Details
Test / Hakurei (push) Failing after 50s
Details
Test / Hakurei (pull_request) Failing after 50s
Details
Test / Hakurei (race detector) (push) Failing after 54s
Details
Test / Sandbox (pull_request) Failing after 54s
Details
Test / Hakurei (race detector) (pull_request) Failing after 57s
Details
Test / Sandbox (push) Failing after 1m8s
Details
Test / Sandbox (race detector) (pull_request) Failing after 1m6s
Details
Test / Hpkg (pull_request) Failing after 1m8s
Details
Test / Flake checks (pull_request) Has been skipped
Details
Test / Sandbox (race detector) (push) Failing after 1m22s
Details
Test / Hpkg (push) Failing after 1m24s
Details
Test / Flake checks (push) Has been skipped
Details
2025-08-18 11:57:21 +09:00
Ophestra
e4801d0e23
app: set up acl on X11 socket 
The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging #1.

Signed-off-by: Ophestra <cat@gensokyo.uk>

# Conflicts:
#	test/sandbox/case/device.nix
#	test/sandbox/case/tty.nix
 2025-08-18 11:56:18 +09:00
3 changed files with 41 additions and 5 deletions
Show Stats Expand all files Collapse all files

16
internal/app/seal_linux.go
View File

@ -416,6 +416,22 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
seal.sys.ChangeHosts("#" + seal.user.uid.String()) seal.sys.ChangeHosts("#" + seal.user.uid.String())
seal.env[display] = d seal.env[display] = d
seal.container.Bind(socketDir, socketDir, 0) seal.container.Bind(socketDir, socketDir, 0)
// the socket file at `/tmp/.X11-unix/X%d` is typically owned by the priv user
// and not accessible by the target user
var socketPath *container.Absolute
if len(d) > 1 && d[0] == ':' { // `:%d`
if n, err := strconv.Atoi(d[1:]); err == nil && n >= 0 {
socketPath = socketDir.Append("X" + strconv.Itoa(n))
}
} else if len(d) > 5 && strings.HasPrefix(d, "unix:") { // `unix:%s`
if a, err := container.NewAbs(d[5:]); err == nil {
socketPath = a
}
}
if socketPath != nil {
seal.sys.UpdatePermTypeOptional(system.EX11, socketPath.String(), acl.Read, acl.Write, acl.Execute)
}
} }
} }

24
system/acl.go
View File

@ -21,7 +21,17 @@ func (sys *I) UpdatePermType(et Enablement, path string, perms ...acl.Perm) *I {
sys.lock.Lock() sys.lock.Lock()
defer sys.lock.Unlock() defer sys.lock.Unlock()
sys.ops = append(sys.ops, &ACL{et, path, perms}) sys.ops = append(sys.ops, &ACL{et, path, perms, false})
return sys
}
// UpdatePermTypeOptional appends an acl update Op that silently continues if the target does not exist.
func (sys *I) UpdatePermTypeOptional(et Enablement, path string, perms ...acl.Perm) *I {
sys.lock.Lock()
defer sys.lock.Unlock()
sys.ops = append(sys.ops, &ACL{et, path, perms, true})
return sys return sys
} }
@ -30,15 +40,25 @@ type ACL struct {
et Enablement et Enablement
path string path string
perms acl.Perms perms acl.Perms
// since revert operations are cross-process, the success of apply must not affect the outcome of revert
skipNotExist bool
} }
func (a *ACL) Type() Enablement { return a.et } func (a *ACL) Type() Enablement { return a.et }
func (a *ACL) apply(sys *I) error { func (a *ACL) apply(sys *I) error {
msg.Verbose("applying ACL", a) msg.Verbose("applying ACL", a)
return wrapErrSuffix(acl.Update(a.path, sys.uid, a.perms...), if err := acl.Update(a.path, sys.uid, a.perms...); err != nil {
if !a.skipNotExist || !os.IsNotExist(err) {
return wrapErrSuffix(err,
fmt.Sprintf("cannot apply ACL entry to %q:", a.path)) fmt.Sprintf("cannot apply ACL entry to %q:", a.path))
} }
msg.Verbosef("path %q does not exist", a.path)
return nil
}
return nil
}
func (a *ACL) revert(sys *I, ec *Criteria) error { func (a *ACL) revert(sys *I, ec *Criteria) error {
if ec.hasType(a) { if ec.hasType(a) {

4
system/acl_test.go
View File

@ -20,7 +20,7 @@ func TestUpdatePerm(t *testing.T) {
t.Run(tc.path+permSubTestSuffix(tc.perms), func(t *testing.T) { t.Run(tc.path+permSubTestSuffix(tc.perms), func(t *testing.T) {
sys := New(150) sys := New(150)
sys.UpdatePerm(tc.path, tc.perms...) sys.UpdatePerm(tc.path, tc.perms...)
(&tcOp{Process, tc.path}).test(t, sys.ops, []Op{&ACL{Process, tc.path, tc.perms}}, "UpdatePerm") (&tcOp{Process, tc.path}).test(t, sys.ops, []Op{&ACL{Process, tc.path, tc.perms, false}}, "UpdatePerm")
}) })
} }
} }
@ -42,7 +42,7 @@ func TestUpdatePermType(t *testing.T) {
t.Run(tc.path+"_"+TypeString(tc.et)+permSubTestSuffix(tc.perms), func(t *testing.T) { t.Run(tc.path+"_"+TypeString(tc.et)+permSubTestSuffix(tc.perms), func(t *testing.T) {
sys := New(150) sys := New(150)
sys.UpdatePermType(tc.et, tc.path, tc.perms...) sys.UpdatePermType(tc.et, tc.path, tc.perms...)
tc.test(t, sys.ops, []Op{&ACL{tc.et, tc.path, tc.perms}}, "UpdatePermType") tc.test(t, sys.ops, []Op{&ACL{tc.et, tc.path, tc.perms, false}}, "UpdatePermType")
}) })
} }
} }