security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 4 Wiki Activity

Compare commits

base: security:c9eeafbbf0cf51c46794912f7f5351e37c752a5e
Branches Tags
security:master
security:staging
security:develop
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0
..
compare: security:2cf3077c0715741dffecd27916776d38e844b2b2
Branches Tags
security:staging
security:develop
security:master
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0

2 Commits
c9eeafbbf0 ... 2cf3077c07

Author SHA1 Message Date
Clayton Gilmer
2cf3077c07
container: optionally isolate host abstract UNIX domain sockets via landlock
Some checks failed
Test / Create distribution (push) Failing after 32s
Details
Test / Create distribution (pull_request) Failing after 35s
Details
Test / Hakurei (push) Failing after 50s
Details
Test / Hakurei (pull_request) Failing after 50s
Details
Test / Hakurei (race detector) (push) Failing after 54s
Details
Test / Sandbox (pull_request) Failing after 54s
Details
Test / Hakurei (race detector) (pull_request) Failing after 57s
Details
Test / Sandbox (push) Failing after 1m8s
Details
Test / Sandbox (race detector) (pull_request) Failing after 1m6s
Details
Test / Hpkg (pull_request) Failing after 1m8s
Details
Test / Flake checks (pull_request) Has been skipped
Details
Test / Sandbox (race detector) (push) Failing after 1m22s
Details
Test / Hpkg (push) Failing after 1m24s
Details
Test / Flake checks (push) Has been skipped
Details
2025-08-18 11:57:21 +09:00
Ophestra
e4801d0e23
app: set up acl on X11 socket 
The socket is typically owned by the priv-user, and inaccessible by the target user, so just allowing access to the directory is not enough. This change fixes this oversight and add checks that will also be useful for merging #1.

Signed-off-by: Ophestra <cat@gensokyo.uk>

# Conflicts:
#	test/sandbox/case/device.nix
#	test/sandbox/case/tty.nix
 2025-08-18 11:56:18 +09:00
1 changed files with 10 additions and 0 deletions
Show Stats Expand all files Collapse all files

10
container/container.go
View File

@ -7,6 +7,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"io" "io"
"log"
"os" "os"
"os/exec" "os/exec"
"runtime" "runtime"
@ -14,6 +15,7 @@ import (
. "syscall" . "syscall"
"time" "time"
"hakurei.app/container/landlock"
"hakurei.app/container/seccomp" "hakurei.app/container/seccomp"
) )
@ -92,6 +94,8 @@ type (
RetainSession bool RetainSession bool
// Do not [syscall.CLONE_NEWNET]. // Do not [syscall.CLONE_NEWNET].
HostNet bool HostNet bool
// Scope abstract UNIX domain sockets using LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET.
ScopeAbstract bool
// Retain CAP_SYS_ADMIN. // Retain CAP_SYS_ADMIN.
Privileged bool Privileged bool
} }
@ -185,6 +189,12 @@ func (p *Container) Start() error {
"prctl(PR_SET_NO_NEW_PRIVS):") "prctl(PR_SET_NO_NEW_PRIVS):")
} }
if p.ScopeAbstract {
if err := landlock.ScopeAbstract(); err != nil {
log.Fatalf("could not scope abstract unix sockets: %v", err)
}
}
msg.Verbose("starting container init") msg.Verbose("starting container init")
if err := p.cmd.Start(); err != nil { if err := p.cmd.Start(); err != nil {
return msg.WrapErr(err, err.Error()) return msg.WrapErr(err, err.Error())