This allows slightly easier use of the vanity url. This also provides some disambiguation between low level containers and hakurei app containers. Signed-off-by: Ophestra <cat@gensokyo.uk>
package main
// go:embed patterns may not contain '..', so go generate copies LICENSE into this directory
//go:generate cp ../../LICENSE .
import (
_ "embed"
"errors"
"log"
"os"
"git.gensokyo.uk/security/hakurei/container"
"git.gensokyo.uk/security/hakurei/internal"
"git.gensokyo.uk/security/hakurei/internal/hlog"
"git.gensokyo.uk/security/hakurei/internal/sys"
)
// errSuccess is a sentinel error. The callback that main passes to MustParse
// treats any error matching it as a request for a clean exit: it runs
// hlog.BeforeExit and terminates the process with status 0.
var errSuccess = errors.New("success")

// license holds the contents of the LICENSE file in this directory, embedded
// at build time. The file is put in place by this package's go:generate step
// because go:embed cannot reach outside the package directory.
//
//go:embed LICENSE
var license string
// init calls hlog.Prepare with the string "hakurei" during package
// initialisation, before main runs.
// NOTE(review): what Prepare configures is not visible in this file; confirm in package hlog.
func init() {
	hlog.Prepare("hakurei")
}
// std is the package-level sys.State value, backed by a newly allocated sys.Std.
// NOTE(review): its users are outside this file; presumably the command
// handlers assembled by buildCommand — confirm.
var std sys.State = new(sys.Std)
// main is the program entry point. In order, it:
//
//  1. hands control to container.TryArgv0 for the early init path,
//  2. asks the kernel to mark the process non-dumpable,
//  3. refuses to continue when the effective UID is 0,
//  4. builds the command tree and parses os.Args[1:].
//
// Steps 2 and 3 are the hardening steps of this entry point; their ordering
// relative to step 1 is deliberate (see the comment on TryArgv0 below).
func main() {
	// early init path, skips root check and duplicate PR_SET_DUMPABLE
	// NOTE(review): presumably TryArgv0 does not return when the process was
	// started as the container init — confirm in package container.
	container.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)

	// Clear the dumpable attribute before any command handling takes place.
	dumpErr := container.SetDumpable(container.SUID_DUMP_DISABLE)
	if dumpErr != nil {
		// not fatal: this program runs as the privileged user
		// NOTE(review): on this path the process stays dumpable for the rest
		// of its lifetime and the only trace is this log line; deployments
		// that rely on the attribute should alert on it.
		log.Printf("cannot set SUID_DUMP_DISABLE: %s", dumpErr)
	}

	// Only the effective UID is inspected here.
	if euid := os.Geteuid(); euid == 0 {
		log.Fatal("this program must not run as root")
	}

	// handleResult receives the error produced by the selected command.
	handleResult := func(err error) {
		hlog.Verbosef("command returned %v", err)

		if !errors.Is(err, errSuccess) {
			// this catches faulty command handlers that fail to return before this point
			return
		}

		// errSuccess: flush via hlog.BeforeExit, then exit cleanly.
		hlog.BeforeExit()
		os.Exit(0)
	}

	buildCommand(os.Stderr).MustParse(os.Args[1:], handleResult)

	// Reaching this line means MustParse returned; the message marks that as
	// a programming error and the process exits through log.Fatal.
	log.Fatal("unreachable")
}