Should have done this when relocating this from container. Now is a good time to rename it before v0.3.x. Signed-off-by: Ophestra <cat@gensokyo.uk>
package main
// this works around the go:embed limitation that patterns must not contain '..'
//go:generate cp ../../LICENSE .
import (
"context"
_ "embed"
"errors"
"log"
"os"
"os/signal"
"syscall"
"hakurei.app/container"
"hakurei.app/message"
)
// errSuccess marks a normal exit: main's MustParse callback exits with
// status 0 when the command returns an error wrapping it.
var errSuccess = errors.New("success")

// license is the embedded text of LICENSE. The file is copied into this
// directory by the go:generate directive above, because go:embed patterns
// cannot reach '..'.
//
//go:embed LICENSE
var license string
// earlyHardeningErrs collects the errors from the early hardening steps taken
// in main. They are recorded rather than treated as fatal at that point; main
// hands the struct to buildCommand, which is presumably where they are
// surfaced.
type earlyHardeningErrs struct {
	// yamaLSM is the result of container.SetPtracer(0).
	yamaLSM error
	// dumpable is the result of container.SetDumpable(container.SUID_DUMP_DISABLE).
	dumpable error
}
// main is the entry point of the hakurei command. It applies the early
// hardening steps before anything else, refuses to continue as root, then
// hands control to the command tree built by buildCommand.
func main() {
	// early init path, skips root check and duplicate PR_SET_DUMPABLE
	container.TryArgv0(nil)

	log.SetPrefix("hakurei: ")
	log.SetFlags(0)
	msg := message.New(log.Default())

	// Hardening runs before the root check and before any argument is parsed.
	// Failures are recorded here rather than being fatal, and are passed on
	// to buildCommand together with the context.
	var hardening earlyHardeningErrs
	hardening.yamaLSM = container.SetPtracer(0)
	hardening.dumpable = container.SetDumpable(container.SUID_DUMP_DISABLE)

	if os.Geteuid() == 0 {
		log.Fatal("this program must not run as root")
	}

	ctx, stop := signal.NotifyContext(context.Background(),
		syscall.SIGINT, syscall.SIGTERM)
	// unreachable: main ends in os.Exit or log.Fatal, neither of which runs
	// deferred calls
	defer stop()

	// onReturn runs once a command handler has returned. errSuccess is the
	// only outcome that exits cleanly; anything else returns to main and
	// reaches the log.Fatal below.
	onReturn := func(err error) {
		msg.Verbosef("command returned %v", err)
		if !errors.Is(err, errSuccess) {
			return
		}
		msg.BeforeExit()
		os.Exit(0)
	}

	buildCommand(ctx, msg, &hardening, os.Stderr).MustParse(os.Args[1:], onReturn)
	// this catches faulty command handlers that fail to return before this point
	log.Fatal("unreachable")
}