security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 4 Wiki Activity

Compare commits

base: security:cb513bb1cd7b098bbe8a60cd105cc764648db410
Branches Tags
security:master
security:staging
security:develop
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0
...
compare: security:f13dca184cf45565b14f4403187627a9031dd28e
Branches Tags
security:staging
security:develop
security:master
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0

15 Commits
cb513bb1cd ... f13dca184c

Author SHA1 Message Date
Ophestra
f13dca184c
release: 0.1.3
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Release / Create release (push) Successful in 41s
Details
Test / Sandbox (push) Successful in 41s
Details
Test / Hakurei (push) Successful in 44s
Details
Test / Hakurei (race detector) (push) Successful in 44s
Details
Test / Sandbox (race detector) (push) Successful in 42s
Details
Test / Hpkg (push) Successful in 42s
Details
Test / Flake checks (push) Successful in 1m17s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-02 00:02:54 +09:00
Ophestra
3b8a3d3b00
app: remount root readonly
All checks were successful
Test / Create distribution (push) Successful in 25s
Details
Test / Sandbox (push) Successful in 41s
Details
Test / Sandbox (race detector) (push) Successful in 42s
Details
Test / Hakurei (race detector) (push) Successful in 45s
Details
Test / Hpkg (push) Successful in 44s
Details
Test / Hakurei (push) Successful in 2m13s
Details
Test / Flake checks (push) Successful in 1m25s
Details 
This does nothing for security, but should help avoid hiding bugs of programs developed in a hakurei container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 23:56:28 +09:00
Ophestra
c5d24979f5
container/ops: expose remount as Op
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m2s
Details
Test / Hakurei (push) Successful in 2m56s
Details
Test / Hpkg (push) Successful in 3m53s
Details
Test / Sandbox (race detector) (push) Successful in 3m56s
Details
Test / Hakurei (race detector) (push) Successful in 4m34s
Details
Test / Flake checks (push) Successful in 1m22s
Details 
This is useful for building a filesystem hierarchy then remounting it readonly.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 23:48:02 +09:00
Ophestra
1dc780bca7
container/mount: separate remount from bind
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 2m5s
Details
Test / Hakurei (push) Successful in 2m52s
Details
Test / Sandbox (race detector) (push) Successful in 3m54s
Details
Test / Hpkg (push) Successful in 3m59s
Details
Test / Hakurei (race detector) (push) Successful in 4m34s
Details
Test / Flake checks (push) Successful in 1m18s
Details 
Remount turns out to be useful in other places.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 23:32:38 +09:00
Ophestra
ec33061c92
nix: remove nscd cover
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Sandbox (push) Successful in 1m30s
Details
Test / Hakurei (push) Successful in 2m18s
Details
Test / Sandbox (race detector) (push) Successful in 2m21s
Details
Test / Hakurei (race detector) (push) Successful in 2m50s
Details
Test / Flake checks (push) Successful in 1m15s
Details 
This is a pd workaround that does nothing in the nixos module.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 22:04:58 +09:00
Ophestra
af0899de96
hst/container: mount tmpfs via magic src string
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m10s
Details
Test / Hakurei (push) Successful in 2m50s
Details
Test / Sandbox (race detector) (push) Successful in 3m53s
Details
Test / Hpkg (push) Successful in 3m54s
Details
Test / Hakurei (race detector) (push) Successful in 4m30s
Details
Test / Flake checks (push) Successful in 1m24s
Details 
There's often good reason to mount tmpfs in the container.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 21:23:52 +09:00
Ophestra
547a2adaa4
container/mount: pass tmpfs flags
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 2m1s
Details
Test / Sandbox (race detector) (push) Successful in 3m57s
Details
Test / Hpkg (push) Successful in 3m55s
Details
Test / Hakurei (race detector) (push) Successful in 4m30s
Details
Test / Hakurei (push) Successful in 2m18s
Details
Test / Flake checks (push) Successful in 1m14s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 18:59:06 +09:00
Ophestra
c02948e155
cmd/hakurei: print autoroot configuration
All checks were successful
Test / Create distribution (push) Successful in 36s
Details
Test / Sandbox (push) Successful in 2m3s
Details
Test / Hakurei (push) Successful in 3m3s
Details
Test / Sandbox (race detector) (push) Successful in 4m8s
Details
Test / Hpkg (push) Successful in 4m18s
Details
Test / Hakurei (race detector) (push) Successful in 4m43s
Details
Test / Flake checks (push) Successful in 1m22s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 04:29:01 +09:00
Ophestra
387b86bcdd
app: integrate container autoroot
All checks were successful
Test / Create distribution (push) Successful in 36s
Details
Test / Sandbox (push) Successful in 2m25s
Details
Test / Sandbox (race detector) (push) Successful in 4m13s
Details
Test / Hpkg (push) Successful in 4m36s
Details
Test / Hakurei (race detector) (push) Successful in 5m2s
Details
Test / Hakurei (push) Successful in 2m40s
Details
Test / Flake checks (push) Successful in 1m36s
Details 
Doing this instead of mounting directly on / because it's impossible to ensure a parent is available for every path hakurei wants to mount to. This situation is similar to autoetc hence the similar name, however a symlink mirror will not work in this case.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 04:21:54 +09:00
Ophestra
4e85643865
container: implement autoroot as setup op
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m10s
Details
Test / Hakurei (push) Successful in 3m7s
Details
Test / Sandbox (race detector) (push) Successful in 4m1s
Details
Test / Hpkg (push) Successful in 4m5s
Details
Test / Hakurei (race detector) (push) Successful in 4m43s
Details
Test / Flake checks (push) Successful in 1m22s
Details 
This code is useful beyond just pd behaviour, and implementing it this way also reduces IPC overhead.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 04:04:36 +09:00
Ophestra
987981df73
test/sandbox: check pd behaviour
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (race detector) (push) Successful in 42s
Details
Test / Hakurei (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 42s
Details
Test / Hakurei (race detector) (push) Successful in 45s
Details
Test / Hpkg (push) Successful in 43s
Details
Test / Flake checks (push) Successful in 1m23s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 03:27:02 +09:00
Ophestra
f14e7255be
container/ops: use correct flags value in bind string
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 1m57s
Details
Test / Sandbox (race detector) (push) Successful in 3m47s
Details
Test / Hpkg (push) Successful in 3m54s
Details
Test / Hakurei (race detector) (push) Successful in 4m31s
Details
Test / Hakurei (push) Successful in 2m10s
Details
Test / Flake checks (push) Successful in 1m22s
Details 
Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-08-01 00:54:08 +09:00
Ophestra
a8a79a8664
cmd/hpkg: rename from planterette
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 1m58s
Details
Test / Sandbox (race detector) (push) Successful in 3m47s
Details
Test / Hpkg (push) Successful in 3m54s
Details
Test / Hakurei (race detector) (push) Successful in 4m32s
Details
Test / Hakurei (push) Successful in 2m10s
Details
Test / Flake checks (push) Successful in 1m19s
Details 
Planterette is now developed in another repository, so rename this proof of concept to avoid confusion.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-31 23:57:11 +09:00
Ophestra
3ae0cec000
test: increase vm memory
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 39s
Details
Test / Sandbox (race detector) (push) Successful in 39s
Details
Test / Planterette (push) Successful in 40s
Details
Test / Hakurei (push) Successful in 2m11s
Details
Test / Hakurei (race detector) (push) Successful in 2m42s
Details
Test / Flake checks (push) Successful in 1m10s
Details 
This hopefully fixes the intermittent failures.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-31 22:08:01 +09:00
Ophestra
4e518f11d8
container/ops: autoetc implementation to separate file
All checks were successful
Test / Create distribution (push) Successful in 1m3s
Details
Test / Sandbox (push) Successful in 2m9s
Details
Test / Hakurei (push) Successful in 3m11s
Details
Test / Sandbox (race detector) (push) Successful in 3m52s
Details
Test / Planterette (push) Successful in 4m5s
Details
Test / Hakurei (race detector) (push) Successful in 4m41s
Details
Test / Flake checks (push) Successful in 1m14s
Details 
This is not a general purpose setup Op. Separate it so it is easier to find.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-07-31 19:54:03 +09:00
41 changed files with 663 additions and 231 deletions
Show Stats Expand all files Collapse all files

10
.gitea/workflows/test.yml
View File

@ -73,20 +73,20 @@ jobs:
path: result/*
retention-days: 1
planterette:
name: Planterette
hpkg:
name: Hpkg
runs-on: nix
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run NixOS test
run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.planterette
run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.hpkg
- name: Upload test output
uses: actions/upload-artifact@v3
with:
name: "planterette-vm-output"
name: "hpkg-vm-output"
path: result/*
retention-days: 1
@ -97,7 +97,7 @@ jobs:
- race
- sandbox
- sandbox-race
- planterette
- hpkg
runs-on: nix
steps:
- name: Checkout

3
README.md
View File

@ -16,7 +16,8 @@
</p>
Hakurei is a tool for running sandboxed graphical applications as dedicated subordinate users on the Linux kernel.
It also implements [planterette (WIP)](cmd/planterette), a self-contained Android-like package manager with modern security features.
It implements the application container of [planterette (WIP)](https://git.gensokyo.uk/security/planterette),
a self-contained Android-like package manager with modern security features.
## NixOS Module usage

4
cmd/hakurei/print.go
View File

@ -104,6 +104,10 @@ func printShowInstance(
}
t.Printf(" Flags:\t%s\n", strings.Join(flags, " "))
if container.AutoRoot != "" {
t.Printf(" Root:\t%s (%d)\n", container.AutoRoot, container.RootFlags)
}
etc := container.Etc
if etc == "" {
etc = "/etc"

8
cmd/hakurei/print_test.go
View File

@ -42,6 +42,7 @@ func Test_printShowInstance(t *testing.T) {
Data: /var/lib/hakurei/u0/org.chromium.Chromium
Hostname: localhost
Flags: userns devel net device tty mapuid autoetc
Root: /var/lib/hakurei/base/org.debian (2)
Etc: /etc
Cover: /var/run/nscd
Path: /run/current-system/sw/bin/chromium
@ -121,6 +122,7 @@ App
Data: /var/lib/hakurei/u0/org.chromium.Chromium
Hostname: localhost
Flags: userns devel net device tty mapuid autoetc
Root: /var/lib/hakurei/base/org.debian (2)
Etc: /etc
Cover: /var/run/nscd
Path: /run/current-system/sw/bin/chromium
@ -302,6 +304,8 @@ App
"/run/user/150"
]
],
"auto_root": "/var/lib/hakurei/base/org.debian",
"root_flags": 2,
"etc": "/etc",
"auto_etc": true,
"cover": [
@ -430,6 +434,8 @@ App
"/run/user/150"
]
],
"auto_root": "/var/lib/hakurei/base/org.debian",
"root_flags": 2,
"etc": "/etc",
"auto_etc": true,
"cover": [
@ -612,6 +618,8 @@ func Test_printPs(t *testing.T) {
"/run/user/150"
]
],
"auto_root": "/var/lib/hakurei/base/org.debian",
"root_flags": 2,
"etc": "/etc",
"auto_etc": true,
"cover": [

0
cmd/planterette/app.go → cmd/hpkg/app.go
View File

0
cmd/planterette/build.nix → cmd/hpkg/build.nix
View File

8
cmd/planterette/main.go → cmd/hpkg/main.go
View File

@ -23,7 +23,7 @@ var (
)
func init() {
hlog.Prepare("planterette")
hlog.Prepare("hpkg")
if err := os.Setenv("SHELL", shellPath); err != nil {
log.Fatalf("cannot set $SHELL: %v", err)
}
@ -42,7 +42,7 @@ func main() {
flagVerbose bool
flagDropShell bool
)
c := command.New(os.Stderr, log.Printf, "planterette", func([]string) error { internal.InstallOutput(flagVerbose); return nil }).
c := command.New(os.Stderr, log.Printf, "hpkg", func([]string) error { internal.InstallOutput(flagVerbose); return nil }).
Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next hakurei action")
@ -66,7 +66,7 @@ func main() {
}
/*
Look up paths to programs started by planterette.
Look up paths to programs started by hpkg.
This is done here to ease error handling as cleanup is not yet required.
*/
@ -82,7 +82,7 @@ func main() {
*/
var workDir string
if p, err := os.MkdirTemp("", "planterette.*"); err != nil {
if p, err := os.MkdirTemp("", "hpkg.*"); err != nil {
log.Printf("cannot create temporary directory: %v", err)
return err
} else {

0
cmd/planterette/paths.go → cmd/hpkg/paths.go
View File

0
cmd/planterette/proc.go → cmd/hpkg/proc.go
View File

0
cmd/planterette/test/configuration.nix → cmd/hpkg/test/configuration.nix
View File

2
cmd/planterette/test/default.nix → cmd/hpkg/test/default.nix
View File

@ -9,7 +9,7 @@ let
buildPackage = self.buildPackage.${system};
in
nixosTest {
name = "planterette";
name = "hpkg";
nodes.machine = {
environment.etc = {
"foot.pkg".source = callPackage ./foot.nix { inherit buildPackage; };

0
cmd/planterette/test/foot.nix → cmd/hpkg/test/foot.nix
View File

10
cmd/planterette/test/test.py → cmd/hpkg/test/test.py
View File

@ -79,15 +79,15 @@ print(machine.succeed("sudo -u alice -i hakurei version"))
machine.wait_for_file("/run/user/1000/wayland-1")
machine.wait_for_file("/tmp/sway-ipc.sock")
# Prepare planterette directory:
# Prepare hpkg directory:
machine.succeed("install -dm 0700 -o alice -g users /var/lib/hakurei/1000")
# Install planterette app:
swaymsg("exec planterette -v install /etc/foot.pkg && touch /tmp/planterette-install-ok")
machine.wait_for_file("/tmp/planterette-install-ok")
# Install hpkg app:
swaymsg("exec hpkg -v install /etc/foot.pkg && touch /tmp/hpkg-install-ok")
machine.wait_for_file("/tmp/hpkg-install-ok")
# Start app (foot) with Wayland enablement:
swaymsg("exec planterette -v start org.codeberg.dnkl.foot")
swaymsg("exec hpkg -v start org.codeberg.dnkl.foot")
wait_for_window("hakurei@machine-foot")
machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
machine.wait_for_file("/tmp/hakurei.1000/tmpdir/2/success-client")

0
cmd/planterette/with.go → cmd/hpkg/with.go
View File

65
container/autoetc.go Normal file
View File

@ -0,0 +1,65 @@
package container
import (
"encoding/gob"
"fmt"
"os"
)
func init() { gob.Register(new(AutoEtcOp)) }
// Etc appends an [Op] that expands host /etc into a toplevel symlink mirror with /etc semantics.
// This is not a generic setup op. It is implemented here to reduce ipc overhead.
func (f *Ops) Etc(host, prefix string) *Ops {
e := &AutoEtcOp{prefix}
f.Mkdir("/etc", 0755)
f.Bind(host, e.hostPath(), 0)
*f = append(*f, e)
return f
}
type AutoEtcOp struct{ Prefix string }
func (e *AutoEtcOp) early(*Params) error { return nil }
func (e *AutoEtcOp) apply(*Params) error {
const target = sysrootPath + "/etc/"
rel := e.hostRel() + "/"
if err := os.MkdirAll(target, 0755); err != nil {
return wrapErrSelf(err)
}
if d, err := os.ReadDir(toSysroot(e.hostPath())); err != nil {
return wrapErrSelf(err)
} else {
for _, ent := range d {
n := ent.Name()
switch n {
case ".host":
case "passwd":
case "group":
case "mtab":
if err = os.Symlink("/proc/mounts", target+n); err != nil {
return wrapErrSelf(err)
}
default:
if err = os.Symlink(rel+n, target+n); err != nil {
return wrapErrSelf(err)
}
}
}
}
return nil
}
func (e *AutoEtcOp) hostPath() string { return "/etc/" + e.hostRel() }
func (e *AutoEtcOp) hostRel() string { return ".host/" + e.Prefix }
func (e *AutoEtcOp) Is(op Op) bool {
ve, ok := op.(*AutoEtcOp)
return ok && ((e == nil && ve == nil) || (e != nil && ve != nil && *e == *ve))
}
func (*AutoEtcOp) prefix() string { return "setting up" }
func (e *AutoEtcOp) String() string { return fmt.Sprintf("auto etc %s", e.Prefix) }

91
container/autoroot.go Normal file
View File

@ -0,0 +1,91 @@
package container
import (
"encoding/gob"
"fmt"
"os"
"path"
. "syscall"
)
func init() { gob.Register(new(AutoRootOp)) }
// Root appends an [Op] that expands a directory into a toplevel bind mount mirror on container root.
// This is not a generic setup op. It is implemented here to reduce ipc overhead.
func (f *Ops) Root(host, prefix string, flags int) *Ops {
*f = append(*f, &AutoRootOp{host, prefix, flags, nil})
return f
}
type AutoRootOp struct {
Host, Prefix string
// passed through to bindMount
Flags int
// obtained during early;
// these wrap the underlying Op because BindMountOp is relatively complex,
// so duplicating that code would be unwise
resolved []Op
}
func (r *AutoRootOp) early(params *Params) error {
if !path.IsAbs(r.Host) {
return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", r.Host))
}
if d, err := os.ReadDir(r.Host); err != nil {
return wrapErrSelf(err)
} else {
r.resolved = make([]Op, 0, len(d))
for _, ent := range d {
name := ent.Name()
if IsAutoRootBindable(name) {
op := &BindMountOp{
Source: path.Join(r.Host, name),
Target: "/" + name,
Flags: r.Flags,
}
if err = op.early(params); err != nil {
return err
}
r.resolved = append(r.resolved, op)
}
}
return nil
}
}
func (r *AutoRootOp) apply(params *Params) error {
for _, op := range r.resolved {
msg.Verbosef("%s %s", op.prefix(), op)
if err := op.apply(params); err != nil {
return err
}
}
return nil
}
func (r *AutoRootOp) Is(op Op) bool {
vr, ok := op.(*AutoRootOp)
return ok && ((r == nil && vr == nil) || (r != nil && vr != nil &&
r.Host == vr.Host && r.Prefix == vr.Prefix && r.Flags == vr.Flags))
}
func (*AutoRootOp) prefix() string { return "setting up" }
func (r *AutoRootOp) String() string {
return fmt.Sprintf("auto root %q prefix %s flags %#x", r.Host, r.Prefix, r.Flags)
}
// IsAutoRootBindable returns whether a dir entry name is selected for AutoRoot.
func IsAutoRootBindable(name string) bool {
switch name {
case "proc":
case "dev":
case "tmp":
case "mnt":
case "etc":
default:
return true
}
return false
}

37
container/container_test.go
View File

@ -28,7 +28,9 @@ const (
ignore = "\x00"
ignoreV = -1
pathWantMnt = "/etc/hakurei/want-mnt"
pathPrefix = "/etc/hakurei/"
pathWantMnt = pathPrefix + "want-mnt"
pathReadonly = pathPrefix + "readonly"
)
var containerTestCases = []struct {
@ -36,6 +38,7 @@ var containerTestCases = []struct {
filter bool
session bool
net bool
ro bool
ops *container.Ops
mnt []*vfs.MountInfoEntry
@ -46,26 +49,26 @@ var containerTestCases = []struct {
flags seccomp.ExportFlag
presets seccomp.FilterPreset
}{
{"minimal", true, false, false,
{"minimal", true, false, false, true,
new(container.Ops), nil,
1000, 100, nil, 0, seccomp.PresetStrict},
{"allow", true, true, true,
{"allow", true, true, true, false,
new(container.Ops), nil,
1000, 100, nil, 0, seccomp.PresetExt | seccomp.PresetDenyDevel},
{"no filter", false, true, true,
{"no filter", false, true, true, true,
new(container.Ops), nil,
1000, 100, nil, 0, seccomp.PresetExt},
{"custom rules", true, true, true,
{"custom rules", true, true, true, false,
new(container.Ops), nil,
1, 31, []seccomp.NativeRule{{seccomp.ScmpSyscall(syscall.SYS_SETUID), seccomp.ScmpErrno(syscall.EPERM), nil}}, 0, seccomp.PresetExt},
{"tmpfs", true, false, false,
{"tmpfs", true, false, false, true,
new(container.Ops).
Tmpfs(hst.Tmp, 0, 0755),
[]*vfs.MountInfoEntry{
ent("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
ent("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
},
9, 9, nil, 0, seccomp.PresetStrict},
{"dev", true, true /* go test output is not a tty */, false,
{"dev", true, true /* go test output is not a tty */, false, false,
new(container.Ops).
Dev("/dev").
Mqueue("/dev/mqueue"),
@ -140,6 +143,7 @@ func TestContainer(t *testing.T) {
c.HostNet = tc.net
c.
Readonly(pathReadonly, 0755).
Tmpfs("/tmp", 0, 0755).
Place("/etc/hostname", []byte(c.Hostname))
// needs /proc to check mountinfo
@ -158,8 +162,10 @@ func TestContainer(t *testing.T) {
}
mnt = append(mnt, tc.mnt...)
mnt = append(mnt,
// Readonly(pathReadonly, 0755)
ent("/", pathReadonly, "ro,nosuid,nodev", "tmpfs", "readonly", ignore),
// Tmpfs("/tmp", 0, 0755)
ent("/", "/tmp", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
ent("/", "/tmp", "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
// Place("/etc/hostname", []byte(hostname))
ent(ignore, "/etc/hostname", "ro,nosuid,nodev,relatime", "tmpfs", "rootfs", ignore),
// Proc("/proc")
@ -173,6 +179,10 @@ func TestContainer(t *testing.T) {
}
c.Place(pathWantMnt, want.Bytes())
if tc.ro {
c.Remount("/", syscall.MS_RDONLY)
}
if err := c.Start(); err != nil {
hlog.PrintBaseError(err, "start:")
t.Fatalf("cannot start container: %v", err)
@ -309,6 +319,10 @@ func init() {
return fmt.Errorf("/etc/hostname: %q, want %q", string(p), wantHost)
}
if _, err := os.Create(pathReadonly + "/nonexistent"); !errors.Is(err, syscall.EROFS) {
return err
}
{
var fail bool
@ -321,6 +335,11 @@ func init() {
return fmt.Errorf("cannot close expected mount points: %v", err)
}
if tc.ro && len(mnt) > 0 {
// Remount("/", syscall.MS_RDONLY)
mnt[0].VfsOptstr = "ro,nosuid,nodev"
}
var d *vfs.MountInfoDecoder
if f, err := os.Open("/proc/self/mountinfo"); err != nil {
return fmt.Errorf("cannot open mountinfo: %v", err)

8
container/init.go
View File

@ -121,6 +121,10 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
log.Fatalf("cannot make / rslave: %v", err)
}
/* early is called right before pivot_root into intermediate root;
this step is mostly for gathering information that would otherwise be difficult to obtain
via library functions after pivot_root, and implementations are expected to avoid changing
the state of the mount namespace */
for i, op := range *params.Ops {
if op == nil {
log.Fatalf("invalid op %d", i)
@ -159,6 +163,10 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
log.Fatalf("%v", err)
}
/* apply is called right after pivot_root and entering the new root;
this step sets up the container filesystem, and implementations are expected to keep the host root
and sysroot mount points intact but otherwise can do whatever they need to;
chdir is allowed but discouraged */
for i, op := range *params.Ops {
// ops already checked during early setup
msg.Verbosef("%s %s", op.prefix(), op)

11
container/mount.go
View File

@ -10,6 +10,7 @@ import (
"hakurei.app/container/vfs"
)
// bindMount mounts source on target and recursively applies flags if MS_REC is set.
func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) error {
if eq {
msg.Verbosef("resolved %q flags %#x", target, flags)
@ -22,6 +23,11 @@ func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) err
fmt.Sprintf("cannot mount %q on %q:", source, target))
}
return p.remount(target, flags)
}
// remount applies flags on target, recursively if MS_REC is set.
func (p *procPaths) remount(target string, flags uintptr) error {
var targetFinal string
if v, err := filepath.EvalSymlinks(target); err != nil {
return wrapErrSelf(err)
@ -83,6 +89,7 @@ func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) err
})
}
// remountWithFlags remounts mount point described by [vfs.MountInfoNode].
func remountWithFlags(n *vfs.MountInfoNode, mf uintptr) error {
kf, unmatched := n.Flags()
if len(unmatched) != 0 {
@ -97,7 +104,7 @@ func remountWithFlags(n *vfs.MountInfoNode, mf uintptr) error {
return nil
}
func mountTmpfs(fsname, name string, size int, perm os.FileMode) error {
func mountTmpfs(fsname, name string, flags uintptr, size int, perm os.FileMode) error {
target := toSysroot(name)
if err := os.MkdirAll(target, parentPerm(perm)); err != nil {
return wrapErrSelf(err)
@ -107,7 +114,7 @@ func mountTmpfs(fsname, name string, size int, perm os.FileMode) error {
opt += fmt.Sprintf(",size=%d", size)
}
return wrapErrSuffix(
Mount(fsname, target, "tmpfs", MS_NOSUID|MS_NODEV, opt),
Mount(fsname, target, "tmpfs", flags, opt),
fmt.Sprintf("cannot mount tmpfs on %q:", name))
}

100
container/ops.go
View File

@ -33,6 +33,32 @@ type (
// Grow grows the slice Ops points to using [slices.Grow].
func (f *Ops) Grow(n int) { *f = slices.Grow(*f, n) }
func init() { gob.Register(new(RemountOp)) }
// Remount appends an [Op] that applies [RemountOp.Flags] on container path [RemountOp.Target].
func (f *Ops) Remount(target string, flags uintptr) *Ops {
*f = append(*f, &RemountOp{target, flags})
return f
}
type RemountOp struct {
Target string
Flags uintptr
}
func (*RemountOp) early(*Params) error { return nil }
func (r *RemountOp) apply(*Params) error {
if !path.IsAbs(r.Target) {
return msg.WrapErr(EBADE, fmt.Sprintf("path %q is not absolute", r.Target))
}
return wrapErrSuffix(hostProc.remount(toSysroot(r.Target), r.Flags),
fmt.Sprintf("cannot remount %q:", r.Target))
}
func (r *RemountOp) Is(op Op) bool { vr, ok := op.(*RemountOp); return ok && *r == *vr }
func (*RemountOp) prefix() string { return "remounting" }
func (r *RemountOp) String() string { return fmt.Sprintf("%q flags %#x", r.Target, r.Flags) }
func init() { gob.Register(new(BindMountOp)) }
// Bind appends an [Op] that bind mounts host path [BindMountOp.Source] on container path [BindMountOp.Target].
@ -118,7 +144,7 @@ func (b *BindMountOp) String() string {
if b.Source == b.Target {
return fmt.Sprintf("%q flags %#x", b.Source, b.Flags)
}
return fmt.Sprintf("%q on %q flags %#x", b.Source, b.Target, b.Flags&BindWritable)
return fmt.Sprintf("%q on %q flags %#x", b.Source, b.Target, b.Flags)
}
func init() { gob.Register(new(MountProcOp)) }
@ -170,7 +196,7 @@ func (d MountDevOp) apply(params *Params) error {
}
target := toSysroot(v)
if err := mountTmpfs("devtmpfs", v, 0, params.ParentPerm); err != nil {
if err := mountTmpfs("devtmpfs", v, MS_NOSUID|MS_NODEV, 0, params.ParentPerm); err != nil {
return err
}
@ -280,12 +306,20 @@ func init() { gob.Register(new(MountTmpfsOp)) }
// Tmpfs appends an [Op] that mounts tmpfs on container path [MountTmpfsOp.Path].
func (f *Ops) Tmpfs(dest string, size int, perm os.FileMode) *Ops {
*f = append(*f, &MountTmpfsOp{dest, size, perm})
*f = append(*f, &MountTmpfsOp{"ephemeral", dest, MS_NOSUID | MS_NODEV, size, perm})
return f
}
// Readonly appends an [Op] that mounts read-only tmpfs on container path [MountTmpfsOp.Path].
func (f *Ops) Readonly(dest string, perm os.FileMode) *Ops {
*f = append(*f, &MountTmpfsOp{"readonly", dest, MS_RDONLY | MS_NOSUID | MS_NODEV, 0, perm})
return f
}
type MountTmpfsOp struct {
FSName string
Path string
Flags uintptr
Size int
Perm os.FileMode
}
@ -298,7 +332,7 @@ func (t *MountTmpfsOp) apply(*Params) error {
if t.Size < 0 || t.Size > math.MaxUint>>1 {
return msg.WrapErr(EBADE, fmt.Sprintf("size %d out of bounds", t.Size))
}
return mountTmpfs("tmpfs", t.Path, t.Size, t.Perm)
return mountTmpfs(t.FSName, t.Path, t.Flags, t.Size, t.Perm)
}
func (t *MountTmpfsOp) Is(op Op) bool { vt, ok := op.(*MountTmpfsOp); return ok && *t == *vt }
@ -440,61 +474,3 @@ func (*TmpfileOp) prefix() string { return "placing" }
func (t *TmpfileOp) String() string {
return fmt.Sprintf("tmpfile %q (%d bytes)", t.Path, len(t.Data))
}
func init() { gob.Register(new(AutoEtcOp)) }
// Etc appends an [Op] that expands host /etc into a toplevel symlink mirror with /etc semantics.
// This is not a generic setup op. It is implemented here to reduce ipc overhead.
func (f *Ops) Etc(host, prefix string) *Ops {
e := &AutoEtcOp{prefix}
f.Mkdir("/etc", 0755)
f.Bind(host, e.hostPath(), 0)
*f = append(*f, e)
return f
}
type AutoEtcOp struct{ Prefix string }
func (e *AutoEtcOp) early(*Params) error { return nil }
func (e *AutoEtcOp) apply(*Params) error {
const target = sysrootPath + "/etc/"
rel := e.hostRel() + "/"
if err := os.MkdirAll(target, 0755); err != nil {
return wrapErrSelf(err)
}
if d, err := os.ReadDir(toSysroot(e.hostPath())); err != nil {
return wrapErrSelf(err)
} else {
for _, ent := range d {
n := ent.Name()
switch n {
case ".host":
case "passwd":
case "group":
case "mtab":
if err = os.Symlink("/proc/mounts", target+n); err != nil {
return wrapErrSelf(err)
}
default:
if err = os.Symlink(rel+n, target+n); err != nil {
return wrapErrSelf(err)
}
}
}
}
return nil
}
func (e *AutoEtcOp) hostPath() string { return "/etc/" + e.hostRel() }
func (e *AutoEtcOp) hostRel() string { return ".host/" + e.Prefix }
func (e *AutoEtcOp) Is(op Op) bool {
ve, ok := op.(*AutoEtcOp)
return ok && ((e == nil && ve == nil) || (e != nil && ve != nil && *e == *ve))
}
func (*AutoEtcOp) prefix() string { return "setting up" }
func (e *AutoEtcOp) String() string { return fmt.Sprintf("auto etc %s", e.Prefix) }

2
dist/install.sh vendored
View File

@ -2,7 +2,7 @@
cd "$(dirname -- "$0")" || exit 1
install -vDm0755 "bin/hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hakurei"
install -vDm0755 "bin/planterette" "${HAKUREI_INSTALL_PREFIX}/usr/bin/planterette"
install -vDm0755 "bin/hpkg" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hpkg"
install -vDm6511 "bin/hsu" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hsu"
if [ ! -f "${HAKUREI_INSTALL_PREFIX}/etc/hsurc" ]; then

6
flake.nix
View File

@ -32,7 +32,7 @@
buildPackage = forAllSystems (
system:
nixpkgsFor.${system}.callPackage (
import ./cmd/planterette/build.nix {
import ./cmd/hpkg/build.nix {
inherit
nixpkgsFor
system
@ -69,7 +69,7 @@
withRace = true;
};
planterette = callPackage ./cmd/planterette/test { inherit system self; };
hpkg = callPackage ./cmd/hpkg/test { inherit system self; };
formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
cd ${./.}
@ -125,7 +125,7 @@
glibc
xdg-dbus-proxy
# planterette
# hpkg
zstd
gnutar
coreutils

21
hst/container.go
View File

@ -6,6 +6,20 @@ import (
"hakurei.app/container/seccomp"
)
const (
// SourceTmpfs causes tmpfs to be mounted on [FilesystemConfig.Dst]
// when assigned to [FilesystemConfig.Src].
SourceTmpfs = "tmpfs"
// TmpfsPerm is the permission bits for tmpfs mount points
// configured through [FilesystemConfig].
TmpfsPerm = 0755
// TmpfsSize is the size for tmpfs mount points
// configured through [FilesystemConfig].
TmpfsSize = 0
)
type (
// ContainerConfig describes the container configuration baseline to which the app implementation adds upon.
ContainerConfig struct {
@ -45,10 +59,17 @@ type (
// create symlinks inside container filesystem
Link [][2]string `json:"symlink"`
// automatically bind mount top-level directories to container root;
// the zero value disables this behaviour
AutoRoot string `json:"auto_root,omitempty"`
// extra flags for AutoRoot
RootFlags int `json:"root_flags,omitempty"`
// read-only /etc directory
Etc string `json:"etc,omitempty"`
// automatically set up /etc symlinks
AutoEtc bool `json:"auto_etc"`
// cover these paths or create them if they do not already exist
Cover []string `json:"cover"`
}

3
hst/template.go
View File

@ -1,6 +1,7 @@
package hst
import (
"hakurei.app/container"
"hakurei.app/container/seccomp"
"hakurei.app/system"
"hakurei.app/system/dbus"
@ -86,6 +87,8 @@ func Template() *Config {
{Src: "/dev/dri", Device: true},
},
Link: [][2]string{{"/run/user/65534", "/run/user/150"}},
AutoRoot: "/var/lib/hakurei/base/org.debian",
RootFlags: container.BindWritable,
Etc: "/etc",
AutoEtc: true,
Cover: []string{"/var/run/nscd"},

2
hst/template_test.go
View File

@ -126,6 +126,8 @@ func TestTemplate(t *testing.T) {
"/run/user/150"
]
],
"auto_root": "/var/lib/hakurei/base/org.debian",
"root_flags": 2,
"etc": "/etc",
"auto_etc": true,
"cover": [

5
internal/app/app_nixos_linux_test.go
View File

@ -1,6 +1,8 @@
package app_test
import (
"syscall"
"hakurei.app/container"
"hakurei.app/container/seccomp"
"hakurei.app/hst"
@ -141,7 +143,8 @@ var testCasesNixos = []sealTestCase{
Place(hst.Tmp+"/pulse-cookie", nil).
Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus", 0).
Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket", 0).
Tmpfs("/var/run/nscd", 8192, 0755),
Tmpfs("/var/run/nscd", 8192, 0755).
Remount("/", syscall.MS_RDONLY),
SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyTTY | seccomp.PresetDenyDevel,
HostNet: true,
ForwardCancel: true,

33
internal/app/app_pd_linux_test.go
View File

@ -2,6 +2,7 @@ package app_test
import (
"os"
"syscall"
"hakurei.app/container"
"hakurei.app/container/seccomp"
@ -42,22 +43,12 @@ var testCasesPd = []sealTestCase{
"XDG_SESSION_TYPE=tty",
},
Ops: new(container.Ops).
Root("/", "4a450b6596d7bc15bd01780eb9a607ac", container.BindWritable).
Proc("/proc").
Tmpfs(hst.Tmp, 4096, 0755).
Dev("/dev").Mqueue("/dev/mqueue").
Bind("/bin", "/bin", container.BindWritable).
Bind("/boot", "/boot", container.BindWritable).
Bind("/home", "/home", container.BindWritable).
Bind("/lib", "/lib", container.BindWritable).
Bind("/lib64", "/lib64", container.BindWritable).
Bind("/nix", "/nix", container.BindWritable).
Bind("/root", "/root", container.BindWritable).
Bind("/run", "/run", container.BindWritable).
Bind("/srv", "/srv", container.BindWritable).
Bind("/sys", "/sys", container.BindWritable).
Bind("/usr", "/usr", container.BindWritable).
Bind("/var", "/var", container.BindWritable).
Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
Readonly("/var/run/nscd", 0755).
Tmpfs("/run/user/1971", 8192, 0755).
Tmpfs("/run/dbus", 8192, 0755).
Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
@ -67,7 +58,7 @@ var testCasesPd = []sealTestCase{
Bind("/home/chronos", "/home/chronos", container.BindWritable).
Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
Place("/etc/group", []byte("hakurei:x:65534:\n")).
Tmpfs("/var/run/nscd", 8192, 0755),
Remount("/", syscall.MS_RDONLY),
SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
HostNet: true,
RetainSession: true,
@ -186,23 +177,13 @@ var testCasesPd = []sealTestCase{
"XDG_SESSION_TYPE=tty",
},
Ops: new(container.Ops).
Root("/", "ebf083d1b175911782d413369b64ce7c", container.BindWritable).
Proc("/proc").
Tmpfs(hst.Tmp, 4096, 0755).
Dev("/dev").Mqueue("/dev/mqueue").
Bind("/bin", "/bin", container.BindWritable).
Bind("/boot", "/boot", container.BindWritable).
Bind("/home", "/home", container.BindWritable).
Bind("/lib", "/lib", container.BindWritable).
Bind("/lib64", "/lib64", container.BindWritable).
Bind("/nix", "/nix", container.BindWritable).
Bind("/root", "/root", container.BindWritable).
Bind("/run", "/run", container.BindWritable).
Bind("/srv", "/srv", container.BindWritable).
Bind("/sys", "/sys", container.BindWritable).
Bind("/usr", "/usr", container.BindWritable).
Bind("/var", "/var", container.BindWritable).
Bind("/dev/dri", "/dev/dri", container.BindWritable|container.BindDevice|container.BindOptional).
Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
Readonly("/var/run/nscd", 0755).
Tmpfs("/run/user/1971", 8192, 0755).
Tmpfs("/run/dbus", 8192, 0755).
Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
@ -217,7 +198,7 @@ var testCasesPd = []sealTestCase{
Place(hst.Tmp+"/pulse-cookie", nil).
Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0).
Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0).
Tmpfs("/var/run/nscd", 8192, 0755),
Remount("/", syscall.MS_RDONLY),
SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
HostNet: true,
RetainSession: true,

93
internal/app/container_linux.go
View File

@ -6,6 +6,7 @@ import (
"io/fs"
"maps"
"path"
"slices"
"syscall"
"hakurei.app/container"
@ -21,7 +22,7 @@ const preallocateOpsCount = 1 << 5
// newContainer initialises [container.Params] via [hst.ContainerConfig].
// Note that remaining container setup must be queued by the caller.
func newContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*container.Params, map[string]string, error) {
func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid *int) (*container.Params, map[string]string, error) {
if s == nil {
return nil, nil, syscall.EBADE
}
@ -72,6 +73,13 @@ func newContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*contain
*gid = container.OverflowGid()
}
if s.AutoRoot != "" {
if !path.IsAbs(s.AutoRoot) {
return nil, nil, fmt.Errorf("auto root target %q not absolute", s.AutoRoot)
}
params.Root(s.AutoRoot, prefix, s.RootFlags)
}
params.
Proc("/proc").
Tmpfs(hst.Tmp, 1<<12, 0755)
@ -120,12 +128,48 @@ func newContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*contain
return nil, nil, err
}
}
// evaluated path, input path
hidePathSource := make([][2]string, 0, len(s.Filesystem))
// AutoRoot is a collection of many BindMountOp internally
if s.AutoRoot != "" {
if d, err := os.ReadDir(s.AutoRoot); err != nil {
return nil, nil, err
} else {
hidePathSource = slices.Grow(hidePathSource, len(d))
for _, ent := range d {
name := ent.Name()
if container.IsAutoRootBindable(name) {
name = path.Join(s.AutoRoot, name)
srcP := [2]string{name, name}
if err = evalSymlinks(os, &srcP[0]); err != nil {
return nil, nil, err
}
hidePathSource = append(hidePathSource, srcP)
}
}
}
}
for _, c := range s.Filesystem {
if c == nil {
continue
}
// special filesystems
switch c.Src {
case hst.SourceTmpfs:
if !path.IsAbs(c.Dst) {
return nil, nil, fmt.Errorf("tmpfs dst %q is not absolute", c.Dst)
}
if c.Write {
params.Tmpfs(c.Dst, hst.TmpfsSize, hst.TmpfsPerm)
} else {
params.Readonly(c.Dst, hst.TmpfsPerm)
}
continue
}
if !path.IsAbs(c.Src) {
return nil, nil, fmt.Errorf("src path %q is not absolute", c.Src)
}
@ -137,24 +181,11 @@ func newContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*contain
return nil, nil, fmt.Errorf("dst path %q is not absolute", dest)
}
srcH := c.Src
if err := evalSymlinks(os, &srcH); err != nil {
p := [2]string{c.Src, c.Src}
if err := evalSymlinks(os, &p[0]); err != nil {
return nil, nil, err
}
for i := range hidePaths {
// skip matched entries
if hidePathMatch[i] {
continue
}
if ok, err := deepContainsH(srcH, hidePaths[i]); err != nil {
return nil, nil, err
} else if ok {
hidePathMatch[i] = true
os.Printf("hiding paths from %q", c.Src)
}
}
hidePathSource = append(hidePathSource, p)
var flags int
if c.Write {
@ -169,6 +200,22 @@ func newContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*contain
params.Bind(c.Src, dest, flags)
}
for _, p := range hidePathSource {
for i := range hidePaths {
// skip matched entries
if hidePathMatch[i] {
continue
}
if ok, err := deepContainsH(p[0], hidePaths[i]); err != nil {
return nil, nil, err
} else if ok {
hidePathMatch[i] = true
os.Printf("hiding path %q from %q", hidePaths[i], p[1])
}
}
}
// cover matched paths
for i, ok := range hidePathMatch {
if ok {
@ -180,6 +227,18 @@ func newContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*contain
params.Link(l[0], l[1])
}
if !s.AutoEtc {
if s.Etc != "" {
params.Bind(s.Etc, "/etc", 0)
}
} else {
etcPath := s.Etc
if etcPath == "" {
etcPath = "/etc"
}
params.Etc(etcPath, prefix)
}
return params, maps.Clone(s.Env), nil
}

49
internal/app/seal_linux.go
View File

@ -241,33 +241,11 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
Net: true,
Tty: true,
AutoEtc: true,
}
// bind entries in /
if d, err := sys.ReadDir("/"); err != nil {
return err
} else {
b := make([]*hst.FilesystemConfig, 0, len(d))
for _, ent := range d {
p := "/" + ent.Name()
switch p {
case "/proc":
case "/dev":
case "/tmp":
case "/mnt":
case "/etc":
default:
b = append(b, &hst.FilesystemConfig{Src: p, Write: true, Must: true})
}
}
conf.Filesystem = append(conf.Filesystem, b...)
AutoRoot: "/",
RootFlags: container.BindWritable,
}
// hide nscd from sandbox if present
nscd := "/var/run/nscd"
if _, err := sys.Stat(nscd); !errors.Is(err, fs.ErrNotExist) {
conf.Cover = append(conf.Cover, nscd)
}
// bind GPU stuff
if config.Enablements&(system.EX11|system.EWayland) != 0 {
conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Src: "/dev/dri", Device: true})
@ -275,6 +253,12 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
// opportunistically bind kvm
conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Src: "/dev/kvm", Device: true})
// hide nscd from container if present
const nscd = "/var/run/nscd"
if _, err := sys.Stat(nscd); !errors.Is(err, fs.ErrNotExist) {
conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Dst: nscd, Src: hst.SourceTmpfs})
}
config.Container = conf
}
@ -282,7 +266,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
{
var uid, gid int
var err error
seal.container, seal.env, err = newContainer(config.Container, sys, &uid, &gid)
seal.container, seal.env, err = newContainer(config.Container, sys, seal.id.String(), &uid, &gid)
seal.waitDelay = config.Container.WaitDelay
if err != nil {
return hlog.WrapErrSuffix(err,
@ -305,18 +289,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
}
}
if !config.Container.AutoEtc {
if config.Container.Etc != "" {
seal.container.Bind(config.Container.Etc, "/etc", 0)
}
} else {
etcPath := config.Container.Etc
if etcPath == "" {
etcPath = "/etc"
}
seal.container.Etc(etcPath, seal.id.String())
}
// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as mapped uid
innerRuntimeDir := path.Join("/run/user", mapuid.String())
seal.env[xdgRuntimeDir] = innerRuntimeDir
@ -506,6 +478,9 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
seal.container.Tmpfs(dest, 1<<13, 0755)
}
// mount root read-only as the final setup Op
seal.container.Remount("/", syscall.MS_RDONLY)
// append ExtraPerms last
for _, p := range config.ExtraPerms {
if p == nil {

1
nixos.nix
View File

@ -175,7 +175,6 @@ in
++ optionals app.useCommonPaths cfg.commonPaths
++ app.extraPaths;
auto_etc = true;
cover = [ "/var/run/nscd" ];
symlink = [
[

6
package.nix
View File

@ -13,7 +13,7 @@
wayland-scanner,
xorg,
# for planterette
# for hpkg
zstd,
gnutar,
coreutils,
@ -31,7 +31,7 @@
buildGoModule rec {
pname = "hakurei";
version = "0.1.2";
version = "0.1.3";
srcFiltered = builtins.path {
name = "${pname}-src";
@ -116,7 +116,7 @@ buildGoModule rec {
makeBinaryWrapper "$out/libexec/hakurei" "$out/bin/hakurei" \
--inherit-argv0 --prefix PATH : ${lib.makeBinPath appPackages}
makeBinaryWrapper "$out/libexec/planterette" "$out/bin/planterette" \
makeBinaryWrapper "$out/libexec/hpkg" "$out/bin/hpkg" \
--inherit-argv0 --prefix PATH : ${
lib.makeBinPath (
appPackages

7
test/configuration.nix
View File

@ -82,13 +82,18 @@
jack.enable = true;
};
virtualisation.qemu.options = [
virtualisation = {
# Hopefully reduces spurious test failures:
memorySize = 4096;
qemu.options = [
# Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch:
"-vga none -device virtio-gpu-pci"
# Increase Go test compiler performance:
"-smp 8"
];
};
environment.hakurei = {
enable = true;

16
test/sandbox/case/default.nix
View File

@ -23,10 +23,9 @@ let
;
};
callTestCase =
path: identity:
let
tc = import path {
importTestCase =
path:
import path {
inherit
fs
ent
@ -34,6 +33,11 @@ let
system
;
};
callTestCase =
path: identity:
let
tc = importTestCase path;
in
{
name = "check-sandbox-${tc.name}";
@ -61,9 +65,13 @@ let
testCaseName = name: "cat.gensokyo.hakurei.test." + name;
in
{
apps = {
${testCaseName "preset"} = callTestCase ./preset.nix 1;
${testCaseName "tty"} = callTestCase ./tty.nix 2;
${testCaseName "mapuid"} = callTestCase ./mapuid.nix 3;
${testCaseName "device"} = callTestCase ./device.nix 4;
${testCaseName "pdlike"} = callTestCase ./pdlike.nix 5;
};
pd = importTestCase ./pd.nix;
}

8
test/sandbox/case/device.nix
View File

@ -195,15 +195,14 @@ in
} null;
} null;
} null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
cache = fs "800001ed" { private = fs "800001c0" null null; } null;
} null;
} null;
mount = [
(ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
(ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
(ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
(ent "/" "/dev" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/" "/dev/pts" "rw,nosuid,noexec,relatime" "devpts" "devpts" "rw,gid=3,mode=620,ptmxmode=666")
(ent "/" "/dev/shm" "rw,nosuid,nodev" "tmpfs" "tmpfs" ignore)
@ -220,7 +219,7 @@ in
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
(ent "/tmp/hakurei.1000/runtime/4" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/tmp/hakurei.1000/tmpdir/4" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/var/lib/hakurei/u0/a4" "/var/lib/hakurei/u0/a4" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
@ -229,7 +228,6 @@ in
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
(ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/var/run/nscd" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8k,mode=755,uid=1000004,gid=1000004")
];
seccomp = true;

8
test/sandbox/case/mapuid.nix
View File

@ -221,15 +221,14 @@ in
} null;
} null;
} null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
cache = fs "800001ed" { private = fs "800001c0" null null; } null;
} null;
} null;
mount = [
(ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
(ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
(ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
(ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000003,gid=1000003")
(ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
@ -250,7 +249,7 @@ in
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
(ent "/tmp/hakurei.1000/runtime/3" "/run/user/1000" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/tmp/hakurei.1000/tmpdir/3" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/var/lib/hakurei/u0/a3" "/var/lib/hakurei/u0/a3" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
@ -259,7 +258,6 @@ in
(ent ignore "/run/user/1000/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent ignore "/run/user/1000/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
(ent ignore "/run/user/1000/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/var/run/nscd" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8k,mode=755,uid=1000003,gid=1000003")
];
seccomp = true;

198
test/sandbox/case/pd.nix Normal file
View File

@ -0,0 +1,198 @@
{
fs,
ent,
ignore,
...
}:
{
# 0, PresetExt | PresetDenyDevel
expectedFilter = {
x86_64-linux = "c698b081ff957afe17a6d94374537d37f2a63f6f9dd75da7546542407a9e32476ebda3312ba7785d7f618542bcfaf27ca27dcc2dddba852069d28bcfe8cad39a";
aarch64-linux = "433ce9b911282d6dcc8029319fb79b816b60d5a795ec8fc94344dd027614d68f023166a91bb881faaeeedd26e3d89474e141e5a69a97e93b8984ca8f14999980";
};
want = {
env = [
"HOME=/var/lib/hakurei/u0/a0"
"SHELL=/run/current-system/sw/bin/bash"
"TERM=linux"
"USER=u0_a0"
"XDG_RUNTIME_DIR=/run/user/65534"
"XDG_SESSION_CLASS=user"
"XDG_SESSION_TYPE=tty"
];
fs = fs "dead" {
".hakurei" = fs "800001ed" { } null;
bin = fs "800001ed" { sh = fs "80001ff" null null; } null;
dev = fs "800001ed" {
console = fs "4200190" null null;
core = fs "80001ff" null null;
fd = fs "80001ff" null null;
full = fs "42001b6" null null;
kvm = fs "42001b6" null null;
mqueue = fs "801001ff" { } null;
null = fs "42001b6" null "";
ptmx = fs "80001ff" null null;
pts = fs "800001ed" { ptmx = fs "42001b6" null null; } null;
random = fs "42001b6" null null;
shm = fs "800001ed" { } null;
stderr = fs "80001ff" null null;
stdin = fs "80001ff" null null;
stdout = fs "80001ff" null null;
tty = fs "42001b6" null null;
urandom = fs "42001b6" null null;
zero = fs "42001b6" null null;
} null;
etc = fs "800001ed" {
".clean" = fs "80001ff" null null;
".host" = fs "800001c0" null null;
".updated" = fs "80001ff" null null;
"NIXOS" = fs "80001ff" null null;
"X11" = fs "80001ff" null null;
"alsa" = fs "80001ff" null null;
"bash_logout" = fs "80001ff" null null;
"bashrc" = fs "80001ff" null null;
"binfmt.d" = fs "80001ff" null null;
"dbus-1" = fs "80001ff" null null;
"default" = fs "80001ff" null null;
"dhcpcd.exit-hook" = fs "80001ff" null null;
"fonts" = fs "80001ff" null null;
"fstab" = fs "80001ff" null null;
"hsurc" = fs "80001ff" null null;
"fuse.conf" = fs "80001ff" null null;
"group" = fs "180" null "hakurei:x:65534:\n";
"host.conf" = fs "80001ff" null null;
"hostname" = fs "80001ff" null null;
"hosts" = fs "80001ff" null null;
"inputrc" = fs "80001ff" null null;
"issue" = fs "80001ff" null null;
"kbd" = fs "80001ff" null null;
"locale.conf" = fs "80001ff" null null;
"login.defs" = fs "80001ff" null null;
"lsb-release" = fs "80001ff" null null;
"lvm" = fs "80001ff" null null;
"machine-id" = fs "80001ff" null null;
"man_db.conf" = fs "80001ff" null null;
"modprobe.d" = fs "80001ff" null null;
"modules-load.d" = fs "80001ff" null null;
"mtab" = fs "80001ff" null null;
"nanorc" = fs "80001ff" null null;
"netgroup" = fs "80001ff" null null;
"nix" = fs "80001ff" null null;
"nixos" = fs "80001ff" null null;
"nscd.conf" = fs "80001ff" null null;
"nsswitch.conf" = fs "80001ff" null null;
"os-release" = fs "80001ff" null null;
"pam" = fs "80001ff" null null;
"pam.d" = fs "80001ff" null null;
"passwd" = fs "180" null "u0_a0:x:65534:65534:Hakurei:/var/lib/hakurei/u0/a0:/run/current-system/sw/bin/bash\n";
"pipewire" = fs "80001ff" null null;
"pki" = fs "80001ff" null null;
"polkit-1" = fs "80001ff" null null;
"profile" = fs "80001ff" null null;
"protocols" = fs "80001ff" null null;
"resolv.conf" = fs "80001ff" null null;
"resolvconf.conf" = fs "80001ff" null null;
"rpc" = fs "80001ff" null null;
"services" = fs "80001ff" null null;
"set-environment" = fs "80001ff" null null;
"shadow" = fs "80001ff" null null;
"shells" = fs "80001ff" null null;
"ssh" = fs "80001ff" null null;
"ssl" = fs "80001ff" null null;
"static" = fs "80001ff" null null;
"subgid" = fs "80001ff" null null;
"subuid" = fs "80001ff" null null;
"sudoers" = fs "80001ff" null null;
"sway" = fs "80001ff" null null;
"sysctl.d" = fs "80001ff" null null;
"systemd" = fs "80001ff" null null;
"terminfo" = fs "80001ff" null null;
"tmpfiles.d" = fs "80001ff" null null;
"udev" = fs "80001ff" null null;
"vconsole.conf" = fs "80001ff" null null;
"xdg" = fs "80001ff" null null;
"zoneinfo" = fs "80001ff" null null;
} null;
home = fs "800001ed" { alice = fs "800001c0" null null; } null;
lib64 = fs "800001ed" { "ld-linux-x86-64.so.2" = fs "80001ff" null null; } null;
"lost+found" = fs "800001c0" null null;
nix = fs "800001ed" {
".ro-store" = fs "801001fd" null null;
".rw-store" = fs "800001ed" null null;
store = fs "801001fd" null null;
var = fs "800001ed" {
log = fs "800001ed" null null;
nix = fs "800001ed" null null;
} null;
} null;
proc = fs "8000016d" null null;
root = fs "800001c0" null null;
run = fs "800001ed" null null;
srv = fs "800001ed" { } null;
sys = fs "8000016d" null null;
tmp = fs "800001f8" { } null;
usr = fs "800001ed" { bin = fs "800001ed" { env = fs "80001ff" null null; } null; } null;
var = fs "800001ed" null null;
} null;
mount = [
(ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000000,gid=1000000")
(ent "/bin" "/bin" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/home" "/home" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/lib64" "/lib64" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/lost+found" "/lost+found" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/nix" "/nix" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/nix/.ro-store" "rw,nosuid,nodev,relatime" "9p" "nix-store" ignore)
(ent "/" "/nix/.rw-store" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,mode=755")
(ent "/" "/nix/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
(ent "/" "/nix/store" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
(ent "/root" "/root" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run" "rw,nosuid,nodev" "tmpfs" "tmpfs" ignore)
(ent "/" "/run/keys" "rw,nosuid,nodev,relatime" "ramfs" "ramfs" "rw,mode=750")
(ent "/" "/run/credentials/systemd-journald.service" "ro,nosuid,nodev,noexec,relatime,nosymfollow" "tmpfs" "tmpfs" "rw,size=1024k,nr_inodes=1024,mode=700,noswap")
(ent "/" "/run/wrappers" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
(ent "/" "/run/credentials/getty@tty1.service" "ro,nosuid,nodev,noexec,relatime,nosymfollow" "tmpfs" "tmpfs" "rw,size=1024k,nr_inodes=1024,mode=700,noswap")
(ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
(ent "/srv" "/srv" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/sys" "rw,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/" "/sys/kernel/security" "rw,nosuid,nodev,noexec,relatime" "securityfs" "securityfs" "rw")
(ent "/../../.." "/sys/fs/cgroup" "rw,nosuid,nodev,noexec,relatime" "cgroup2" "cgroup2" "rw,nsdelegate,memory_recursiveprot")
(ent "/" "/sys/fs/pstore" "rw,nosuid,nodev,noexec,relatime" "pstore" "pstore" "rw")
(ent "/" "/sys/fs/bpf" "rw,nosuid,nodev,noexec,relatime" "bpf" "bpf" "rw,mode=700")
# systemd race: tracefs debugfs configfs fusectl
(ent "/" ignore "rw,nosuid,nodev,noexec,relatime" ignore ignore "rw")
(ent "/" ignore "rw,nosuid,nodev,noexec,relatime" ignore ignore "rw")
(ent "/" ignore "rw,nosuid,nodev,noexec,relatime" ignore ignore "rw")
(ent "/" ignore "rw,nosuid,nodev,noexec,relatime" ignore ignore "rw")
(ent "/usr" "/usr" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/var" "/var" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000000,gid=1000000")
(ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000000,gid=1000000")
(ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/full" "/dev/full" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/random" "/dev/random" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/urandom" "/dev/urandom" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/tty" "/dev/tty" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/" "/dev/pts" "rw,nosuid,noexec,relatime" "devpts" "devpts" "rw,mode=620,ptmxmode=666")
(ent ignore "/dev/console" "rw,nosuid,noexec,relatime" "devpts" "devpts" "rw,gid=3,mode=620,ptmxmode=666")
(ent "/" "/dev/mqueue" "rw,nosuid,nodev,noexec,relatime" "mqueue" "mqueue" "rw")
(ent "/kvm" "/dev/kvm" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/" "/run/nscd" "ro,nosuid,nodev,relatime" "tmpfs" "readonly" "ro,mode=755,uid=1000000,gid=1000000")
(ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000")
(ent "/" "/run/dbus" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000000,gid=1000000")
(ent "/tmp/hakurei.1000/runtime/0" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/tmp/hakurei.1000/tmpdir/0" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/var/lib/hakurei/u0/a0" "/var/lib/hakurei/u0/a0" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000000,gid=1000000")
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000000,gid=1000000")
];
seccomp = true;
};
}

8
test/sandbox/case/pdlike.nix
View File

@ -222,14 +222,13 @@ in
} null;
} null;
} null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
} null;
} null;
mount = [
(ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000005,gid=1000005")
(ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000005,gid=1000005")
(ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000005,gid=1000005")
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000005,gid=1000005")
(ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000005,gid=1000005")
(ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
@ -250,7 +249,7 @@ in
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000005,gid=1000005")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000005,gid=1000005")
(ent "/tmp/hakurei.1000/runtime/5" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/tmp/hakurei.1000/tmpdir/5" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/var/lib/hakurei/u0/a5" "/var/lib/hakurei/u0/a5" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
@ -259,7 +258,6 @@ in
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
(ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/var/run/nscd" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8k,mode=755,uid=1000005,gid=1000005")
];
seccomp = true;

8
test/sandbox/case/preset.nix
View File

@ -221,14 +221,13 @@ in
} null;
} null;
} null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
} null;
} null;
mount = [
(ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
(ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
(ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
(ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000001,gid=1000001")
(ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
@ -248,7 +247,7 @@ in
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
(ent "/tmp/hakurei.1000/runtime/1" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/tmp/hakurei.1000/tmpdir/1" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/var/lib/hakurei/u0/a1" "/var/lib/hakurei/u0/a1" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
@ -257,7 +256,6 @@ in
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
(ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/var/run/nscd" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8k,mode=755,uid=1000001,gid=1000001")
];
seccomp = true;

8
test/sandbox/case/tty.nix
View File

@ -222,15 +222,14 @@ in
} null;
} null;
} null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
cache = fs "800001ed" { private = fs "800001c0" null null; } null;
} null;
} null;
mount = [
(ent "/sysroot" "/" "rw,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
(ent "/sysroot" "/" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
(ent "/" "/proc" "rw,nosuid,nodev,noexec,relatime" "proc" "proc" "rw")
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
(ent "/" "/.hakurei" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
(ent "/" "/dev" "rw,nosuid,nodev,relatime" "tmpfs" "devtmpfs" "rw,mode=755,uid=1000002,gid=1000002")
(ent "/null" "/dev/null" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/zero" "/dev/zero" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
@ -252,7 +251,7 @@ in
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
(ent "/tmp/hakurei.1000/runtime/2" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/tmp/hakurei.1000/tmpdir/2" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/var/lib/hakurei/u0/a2" "/var/lib/hakurei/u0/a2" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
@ -261,7 +260,6 @@ in
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
(ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/var/run/nscd" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8k,mode=755,uid=1000002,gid=1000002")
];
seccomp = true;

10
test/sandbox/configuration.nix
View File

@ -6,6 +6,7 @@
}:
let
testProgram = pkgs.callPackage ./tool/package.nix { inherit (config.environment.hakurei.package) version; };
testCases = import ./case pkgs.system lib testProgram;
in
{
users.users = {
@ -26,6 +27,13 @@ in
systemPackages = [
# For checking seccomp outcome:
testProgram
# For checking pd outcome:
(pkgs.writeShellScriptBin "check-sandbox-pd" ''
hakurei -v run hakurei-test \
-t ${toString (builtins.toFile "hakurei-pd-want.json" (builtins.toJSON testCases.pd.want))} \
-s ${testCases.pd.expectedFilter.${pkgs.system}} "$@"
'')
];
variables = {
@ -75,6 +83,6 @@ in
}
];
apps = import ./case pkgs.system lib testProgram;
inherit (testCases) apps;
};
}

3
test/sandbox/test.py
View File

@ -58,12 +58,13 @@ print(machine.fail("sudo -u alice -i hakurei run umount -R /dev"))
check_offset = 0
def check_sandbox(name):
global check_offset
check_offset += 1
swaymsg(f"exec script /dev/null -E always -qec check-sandbox-{name}")
machine.wait_for_file(f"/tmp/hakurei.1000/tmpdir/{check_offset}/sandbox-ok", timeout=15)
check_filter(check_offset, name, "hakurei-test")
check_offset += 1
check_sandbox("pd")
check_sandbox("preset")
check_sandbox("tty")
check_sandbox("mapuid")