internal/app: modularise outcome finalise
This is the initial effort to split up the host and container sides of finalisation for params passed to shim. The new layout also enables much finer-grained unit testing of each step, as well as partitioning access to per-app state for each step. Signed-off-by: Ophestra <cat@gensokyo.uk>
60
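--- /dev/null
+++ b/internal/app/spwayland.go
@@ -0,0 +1,60 @@
+package app
+
+import (
+	"os"
+
+	"hakurei.app/container"
+	"hakurei.app/hst"
+	"hakurei.app/system/acl"
+	"hakurei.app/system/wayland"
+)
+
+// spWaylandOp exports the Wayland display server to the container.
+type spWaylandOp struct {
+	// Path to host wayland socket. Populated during toSystem if DirectWayland is true.
+	SocketPath *container.Absolute
+
+	// Address to write the security-context-v1 synchronisation fd [os.File] address to.
+	// Only populated for toSystem.
+	sync **os.File
+}
+
+func (s *spWaylandOp) toSystem(state *outcomeStateSys, config *hst.Config) error {
+	// outer wayland socket (usually `/run/user/%d/wayland-%d`)
+	var socketPath *container.Absolute
+	if name, ok := state.k.lookupEnv(wayland.WaylandDisplay); !ok {
+		state.msg.Verbose(wayland.WaylandDisplay + " is not set, assuming " + wayland.FallbackName)
+		socketPath = state.sc.RuntimePath.Append(wayland.FallbackName)
+	} else if a, err := container.NewAbs(name); err != nil {
+		socketPath = state.sc.RuntimePath.Append(name)
+	} else {
+		socketPath = a
+	}
+
+	if !config.DirectWayland { // set up security-context-v1
+		appID := config.ID
+		if appID == "" {
+			// use instance ID in case app id is not set
+			appID = "app.hakurei." + state.id.String()
+		}
+		// downstream socket paths
+		state.sys.Wayland(s.sync, state.instance().Append("wayland"), socketPath, appID, state.id.String())
+	} else { // bind mount wayland socket (insecure)
+		state.msg.Verbose("direct wayland access, PROCEED WITH CAUTION")
+		state.ensureRuntimeDir()
+		s.SocketPath = socketPath
+		state.sys.UpdatePermType(hst.EWayland, socketPath, acl.Read, acl.Write, acl.Execute)
+	}
+	return nil
+}
+
+func (s *spWaylandOp) toContainer(state *outcomeStateParams) error {
+	innerPath := state.runtimeDir.Append(wayland.FallbackName)
+	state.env[wayland.WaylandDisplay] = wayland.FallbackName
+	if s.SocketPath == nil {
+		state.params.Bind(state.instancePath().Append("wayland"), innerPath, 0)
+	} else {
+		state.params.Bind(s.SocketPath, innerPath, 0)
+	}
+	return nil
+}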
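Review bot: In toSystem the relative WAYLAND_DISPLAY value read from the environment is passed to state.sc.RuntimePath.Append without any check on its content, and in the DirectWayland branch the resulting path is then granted an rwx ACL via UpdatePermType and later bind-mounted by toContainer. Unless container.Absolute.Append rejects separators and dot components (its behaviour is not visible in this file), a value such as `../x` would resolve outside the runtime directory; the environment is the invoking user's own, so exposure is limited, but a guard before the Append, e.g. `if strings.ContainsRune(name, '/') || name == "." || name == ".." { return fmt.Errorf("invalid %s: %q", wayland.WaylandDisplay, name) }` (needs strings and fmt imported), keeps the socket path inside RuntimePath and gives the unused error return a purpose. The else-if branch also discards err from container.NewAbs, which appears intentional (a non-absolute name is resolved relative to the runtime path, matching the Wayland convention) but reads like a dropped error; a comment such as `// non-absolute name: resolve relative to the runtime dir, as libwayland does` on that branch would make the intent explicit.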