internal/rosa/package: replace assignment syntax

Signed-off-by: Ophestra <cat@gensokyo.uk>

.clang-format

@@ -0,0 +1,2 @@
+ColumnLimit: 0
+IndentWidth: 4

.gitea/workflows/test.yml

@@ -2,7 +2,6 @@ name: Test
 
 on:
   - push
-  - pull_request
 
 jobs:
   hakurei:
@@ -73,20 +72,20 @@ jobs:
           path: result/*
           retention-days: 1
 
-  planterette:
-    name: Planterette
+  sharefs:
+    name: ShareFS
     runs-on: nix
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Run NixOS test
-        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.planterette
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.sharefs
 
       - name: Upload test output
         uses: actions/upload-artifact@v3
         with:
-          name: "planterette-vm-output"
+          name: "sharefs-vm-output"
           path: result/*
           retention-days: 1
 
@@ -97,7 +96,7 @@ jobs:
       - race
       - sandbox
       - sandbox-race
-      - planterette
+      - sharefs
     runs-on: nix
     steps:
       - name: Checkout

.github/workflows/README

@@ -1 +0,0 @@
-This port is solely for releasing to the github mirror and serves no purpose during development.

.github/workflows/release.yml

@@ -1,46 +0,0 @@
-name: Release
-
-on:
-  push:
-    tags:
-      - 'v*'
-
-jobs:
-  release:
-    name: Create release
-    runs-on: ubuntu-latest
-
-    permissions:
-      packages: write
-      contents: write
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install Nix
-        uses: nixbuild/nix-quick-install-action@v32
-        with:
-          nix_conf: |
-            keep-env-derivations = true
-            keep-outputs = true
-
-      - name: Restore and cache Nix store
-        uses: nix-community/cache-nix-action@v6
-        with:
-          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: build-${{ runner.os }}-
-          gc-max-store-size-linux: 1G
-          purge: true
-          purge-prefixes: build-${{ runner.os }}-
-          purge-created: 60
-          purge-primary-key: never
-
-      - name: Build for release
-        run: nix build --print-out-paths --print-build-logs .#dist
-
-      - name: Release
-        uses: softprops/action-gh-release@v2
-        with:
-          files: |-
-            result/hakurei-**

.github/workflows/test.yml

@@ -1,48 +0,0 @@
-name: Test
-
-on:
-  - push
-
-jobs:
-  dist:
-    name: Create distribution
-    runs-on: ubuntu-latest
-    permissions:
-      actions: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install Nix
-        uses: nixbuild/nix-quick-install-action@v32
-        with:
-          nix_conf: |
-            keep-env-derivations = true
-            keep-outputs = true
-
-      - name: Restore and cache Nix store
-        uses: nix-community/cache-nix-action@v6
-        with:
-          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: build-${{ runner.os }}-
-          gc-max-store-size-linux: 1G
-          purge: true
-          purge-prefixes: build-${{ runner.os }}-
-          purge-created: 60
-          purge-primary-key: never
-
-      - name: Build for test
-        id: build-test
-        run: >-
-          export HAKUREI_REV="$(git rev-parse --short HEAD)" &&
-          sed -i.old 's/version = /version = "0.0.0-'$HAKUREI_REV'"; # version = /' package.nix &&
-          nix build --print-out-paths --print-build-logs .#dist &&
-          mv package.nix.old package.nix &&
-          echo "rev=$HAKUREI_REV" >> $GITHUB_OUTPUT
-
-      - name: Upload test build
-        uses: actions/upload-artifact@v4
-        with:
-          name: "hakurei-${{ steps.build-test.outputs.rev }}"
-          path: result/*
-          retention-days: 1

.gitignore

@@ -1,32 +1,15 @@
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-*.pkg
-/hakurei
-
-# Test binary, built with `go test -c`
+# produced by tools and text editors
+*.qcow2
 *.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
 *.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
-# Go workspace file
-go.work
-go.work.sum
-
-# env file
-.env
 .idea
 .vscode
 
 # go generate
 /cmd/hakurei/LICENSE
+/cmd/mbf/internal/pkgserver/ui/static
+/internal/pkg/internal/testtool/testtool
+/internal/rosa/hakurei_current.tar.gz
 
-# release
-/dist/hakurei-*
+# cmd/dist default destination
+/dist

README.md

@@ -1,5 +1,5 @@
 <p align="center">
-  <a href="https://git.gensokyo.uk/security/hakurei">
+  <a href="https://git.gensokyo.uk/rosa/hakurei">
     <picture>
       <img src="https://basement.gensokyo.uk/images/yukari1.png" width="200px" alt="Yukari">
     </picture>
@@ -8,166 +8,58 @@
 
 <p align="center">
   <a href="https://pkg.go.dev/hakurei.app"><img src="https://pkg.go.dev/badge/hakurei.app.svg" alt="Go Reference" /></a>
+  <a href="https://git.gensokyo.uk/rosa/hakurei/actions"><img src="https://git.gensokyo.uk/rosa/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
+  <br/>
+  <a href="https://git.gensokyo.uk/rosa/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/rosa/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
   <a href="https://goreportcard.com/report/hakurei.app"><img src="https://goreportcard.com/badge/hakurei.app" alt="Go Report Card" /></a>
+  <a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
 </p>
 
-Hakurei is a tool for running sandboxed graphical applications as dedicated subordinate users on the Linux kernel.
-It also implements [planterette (WIP)](cmd/planterette), a self-contained Android-like package manager with modern security features.
+Hakurei is a tool for running sandboxed desktop applications as dedicated
+subordinate users on the Linux kernel. It implements the application container
+of [planterette (WIP)](https://git.gensokyo.uk/rosa/planterette), a
+self-contained Android-like package manager with modern security features.
 
-## NixOS Module usage
+Interaction with hakurei happens entirely through structures described by
+package [hst](https://pkg.go.dev/hakurei.app/hst). No native API is available
+due to internal details of uid isolation.
 
-The NixOS module currently requires home-manager to configure subordinate users. Full module documentation can be found [here](options.md).
+## Notable Packages
 
-To use the module, import it into your configuration with
+Package [container](https://pkg.go.dev/hakurei.app/container) is general purpose
+container tooling. It is used by the hakurei shim process running as the target
+subordinate user to set up the application container. It has a single dependency,
+[libseccomp](https://github.com/seccomp/libseccomp), to create BPF programs
+for the [system call filter](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html).
 
-```nix
-{
-  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+Package [internal/pkg](https://pkg.go.dev/hakurei.app/internal/pkg) provides
+infrastructure for hermetic builds. This replaces the legacy nix-based testing
+framework and serves as the build system of Rosa OS, currently developed under
+package [internal/rosa](https://pkg.go.dev/hakurei.app/internal/rosa).
 
-    hakurei = {
-      url = "git+https://git.gensokyo.uk/security/hakurei";
+## Dependencies
 
-      # Optional but recommended to limit the size of your system closure.
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-  };
+`container` depends on:
 
-  outputs = { self, nixpkgs, hakurei, ... }:
-  {
-    nixosConfigurations.hakurei = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      modules = [
-        hakurei.nixosModules.hakurei
-      ];
-    };
-  };
-}
-```
+- [libseccomp](https://github.com/seccomp/libseccomp) to generate BPF programs.
 
-This adds the `environment.hakurei` option:
+`cmd/hakurei` depends on:
 
-```nix
-{ pkgs, ... }:
+- [acl](https://savannah.nongnu.org/projects/acl/) to export sockets to
+  subordinate users.
+- [wayland](https://gitlab.freedesktop.org/wayland/wayland) to set up
+  [security-context-v1](https://wayland.app/protocols/security-context-v1).
+- [xcb](https://xcb.freedesktop.org/) to grant and revoke subordinate users
+  access to the X server.
 
-{
-  environment.hakurei = {
-    enable = true;
-    stateDir = "/var/lib/hakurei";
-    users = {
-      alice = 0;
-      nixos = 10;
-    };
+`cmd/sharefs` depends on:
 
-    commonPaths = [
-      {
-        src = "/sdcard";
-        write = true;
-      }
-    ];
+- [fuse](https://github.com/libfuse/libfuse) to implement the filesystem.
 
-    extraHomeConfig = {
-      home.stateVersion = "23.05";
-    };
+New dependencies will generally not be added. Patches adding new dependencies
+are very likely to be rejected.
 
-    apps = {
-      "org.chromium.Chromium" = {
-        name = "chromium";
-        identity = 1;
-        packages = [ pkgs.chromium ];
-        userns = true;
-        mapRealUid = true;
-        dbus = {
-          system = {
-            filter = true;
-            talk = [
-              "org.bluez"
-              "org.freedesktop.Avahi"
-              "org.freedesktop.UPower"
-            ];
-          };
-          session =
-            f:
-            f {
-              talk = [
-                "org.freedesktop.FileManager1"
-                "org.freedesktop.Notifications"
-                "org.freedesktop.ScreenSaver"
-                "org.freedesktop.secrets"
-                "org.kde.kwalletd5"
-                "org.kde.kwalletd6"
-              ];
-              own = [
-                "org.chromium.Chromium.*"
-                "org.mpris.MediaPlayer2.org.chromium.Chromium.*"
-                "org.mpris.MediaPlayer2.chromium.*"
-              ];
-              call = { };
-              broadcast = { };
-            };
-        };
-      };
+## NixOS Module (deprecated)
 
-      "org.claws_mail.Claws-Mail" = {
-        name = "claws-mail";
-        identity = 2;
-        packages = [ pkgs.claws-mail ];
-        gpu = false;
-        capability.pulse = false;
-      };
-
-      "org.weechat" = {
-        name = "weechat";
-        identity = 3;
-        shareUid = true;
-        packages = [ pkgs.weechat ];
-        capability = {
-          wayland = false;
-          x11 = false;
-          dbus = true;
-          pulse = false;
-        };
-      };
-
-      "dev.vencord.Vesktop" = {
-        name = "discord";
-        identity = 3;
-        shareUid = true;
-        packages = [ pkgs.vesktop ];
-        share = pkgs.vesktop;
-        command = "vesktop --ozone-platform-hint=wayland";
-        userns = true;
-        mapRealUid = true;
-        capability.x11 = true;
-        dbus = {
-          session =
-            f:
-            f {
-              talk = [ "org.kde.StatusNotifierWatcher" ];
-              own = [ ];
-              call = { };
-              broadcast = { };
-            };
-          system.filter = true;
-        };
-      };
-
-      "io.looking-glass" = {
-        name = "looking-glass-client";
-        identity = 4;
-        useCommonPaths = false;
-        groups = [ "plugdev" ];
-        extraPaths = [
-          {
-            src = "/dev/shm/looking-glass";
-            write = true;
-          }
-        ];
-        extraConfig = {
-          programs.looking-glass-client.enable = true;
-        };
-      };
-    };
-  };
-}
-```
+The NixOS module is in maintenance mode and will be removed once planterette is
+feature-complete. Full module documentation can be found [here](options.md).

all.sh

@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+HAKUREI_DIST_MAKE='' exec "$(dirname -- "$0")/cmd/dist/dist.sh"

check/absolute.go

@@ -0,0 +1,131 @@
+// Package check provides types yielding values checked to meet a condition.
+package check
+
+import (
+	"encoding"
+	"errors"
+	"fmt"
+	"path/filepath"
+	"slices"
+	"strings"
+	"syscall"
+	"unique"
+)
+
+// AbsoluteError is returned by [NewAbs] and holds the invalid pathname.
+type AbsoluteError string
+
+func (e AbsoluteError) Error() string {
+	return fmt.Sprintf("path %q is not absolute", string(e))
+}
+
+func (e AbsoluteError) Is(target error) bool {
+	var ce AbsoluteError
+	if !errors.As(target, &ce) {
+		return errors.Is(target, syscall.EINVAL)
+	}
+	return e == ce
+}
+
+// Absolute holds a pathname checked to be absolute.
+type Absolute struct{ pathname unique.Handle[string] }
+
+var (
+	_ encoding.TextAppender    = new(Absolute)
+	_ encoding.TextMarshaler   = new(Absolute)
+	_ encoding.TextUnmarshaler = new(Absolute)
+
+	_ encoding.BinaryAppender    = new(Absolute)
+	_ encoding.BinaryMarshaler   = new(Absolute)
+	_ encoding.BinaryUnmarshaler = new(Absolute)
+)
+
+// ok returns whether [Absolute] is not the zero value.
+func (a *Absolute) ok() bool { return a != nil && *a != (Absolute{}) }
+
+// unsafeAbs returns [check.Absolute] on any string value.
+func unsafeAbs(pathname string) *Absolute {
+	return &Absolute{unique.Make(pathname)}
+}
+
+// String returns the checked pathname.
+func (a *Absolute) String() string {
+	if !a.ok() {
+		panic("attempted use of zero Absolute")
+	}
+	return a.pathname.Value()
+}
+
+// Handle returns the underlying [unique.Handle].
+func (a *Absolute) Handle() unique.Handle[string] {
+	return a.pathname
+}
+
+// Is efficiently compares the underlying pathname.
+func (a *Absolute) Is(v *Absolute) bool {
+	if a == nil && v == nil {
+		return true
+	}
+	return a.ok() && v.ok() && a.pathname == v.pathname
+}
+
+// NewAbs checks pathname and returns a new [Absolute] if pathname is absolute.
+func NewAbs(pathname string) (*Absolute, error) {
+	if !filepath.IsAbs(pathname) {
+		return nil, AbsoluteError(pathname)
+	}
+	return unsafeAbs(pathname), nil
+}
+
+// MustAbs calls [NewAbs] and panics on error.
+func MustAbs(pathname string) *Absolute {
+	if a, err := NewAbs(pathname); err != nil {
+		panic(err)
+	} else {
+		return a
+	}
+}
+
+// Append calls [filepath.Join] with [Absolute] as the first element.
+func (a *Absolute) Append(elem ...string) *Absolute {
+	return unsafeAbs(filepath.Join(append([]string{a.String()}, elem...)...))
+}
+
+// Dir calls [filepath.Dir] with [Absolute] as its argument.
+func (a *Absolute) Dir() *Absolute { return unsafeAbs(filepath.Dir(a.String())) }
+
+// AppendText appends the checked pathname.
+func (a *Absolute) AppendText(data []byte) ([]byte, error) {
+	return append(data, a.String()...), nil
+}
+
+// MarshalText returns the checked pathname.
+func (a *Absolute) MarshalText() ([]byte, error) { return a.AppendText(nil) }
+
+// UnmarshalText stores data if it represents an absolute pathname.
+func (a *Absolute) UnmarshalText(data []byte) error {
+	pathname := string(data)
+	if !filepath.IsAbs(pathname) {
+		return AbsoluteError(pathname)
+	}
+	a.pathname = unique.Make(pathname)
+	return nil
+}
+
+func (a *Absolute) AppendBinary(data []byte) ([]byte, error) { return a.AppendText(data) }
+func (a *Absolute) MarshalBinary() ([]byte, error)           { return a.MarshalText() }
+func (a *Absolute) UnmarshalBinary(data []byte) error        { return a.UnmarshalText(data) }
+
+// SortAbs calls [slices.SortFunc] for a slice of [Absolute].
+func SortAbs(x []*Absolute) {
+	slices.SortFunc(x, func(a, b *Absolute) int {
+		return strings.Compare(a.String(), b.String())
+	})
+}
+
+// CompactAbs calls [slices.CompactFunc] for a slice of [Absolute].
+func CompactAbs(s []*Absolute) []*Absolute {
+	return slices.CompactFunc(s, func(a *Absolute, b *Absolute) bool {
+		return a.Is(b)
+	})
+}

check/absolute_test.go

@@ -0,0 +1,392 @@
+package check_test
+
+import (
+	"bytes"
+	"encoding/gob"
+	"encoding/json"
+	"errors"
+	"reflect"
+	"strings"
+	"syscall"
+	"testing"
+	_ "unsafe" // for go:linkname
+
+	. "hakurei.app/check"
+)
+
+// unsafeAbs returns check.Absolute on any string value.
+//
+//go:linkname unsafeAbs hakurei.app/check.unsafeAbs
+func unsafeAbs(pathname string) *Absolute
+
+func TestAbsoluteError(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+
+		err error
+		cmp error
+		ok  bool
+	}{
+		{"EINVAL", new(AbsoluteError), syscall.EINVAL, true},
+		{"not EINVAL", new(AbsoluteError), syscall.EBADE, false},
+		{"ne val", new(AbsoluteError), AbsoluteError("etc"), false},
+		{"equals", AbsoluteError("etc"), AbsoluteError("etc"), true},
+	}
+
+	for _, tc := range testCases {
+		if got := errors.Is(tc.err, tc.cmp); got != tc.ok {
+			t.Errorf("Is: %v, want %v", got, tc.ok)
+		}
+	}
+
+	t.Run("string", func(t *testing.T) {
+		t.Parallel()
+
+		want := `path "etc" is not absolute`
+		if got := (AbsoluteError("etc")).Error(); got != want {
+			t.Errorf("Error: %q, want %q", got, want)
+		}
+	})
+}
+
+func TestNewAbs(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+
+		pathname string
+		want     *Absolute
+		wantErr  error
+	}{
+		{"good", "/etc", MustAbs("/etc"), nil},
+		{"not absolute", "etc", nil, AbsoluteError("etc")},
+		{"zero", "", nil, AbsoluteError("")},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got, err := NewAbs(tc.pathname)
+			if !reflect.DeepEqual(got, tc.want) {
+				t.Errorf("NewAbs: %#v, want %#v", got, tc.want)
+			}
+			if !errors.Is(err, tc.wantErr) {
+				t.Errorf("NewAbs: error = %v, want %v", err, tc.wantErr)
+			}
+		})
+	}
+
+	t.Run("must", func(t *testing.T) {
+		t.Parallel()
+
+		defer func() {
+			wantPanic := AbsoluteError("etc")
+
+			if r := recover(); !reflect.DeepEqual(r, wantPanic) {
+				t.Errorf("MustAbs: panic = %v; want %v", r, wantPanic)
+			}
+		}()
+
+		MustAbs("etc")
+	})
+}
+
+func TestAbsoluteString(t *testing.T) {
+	t.Run("passthrough", func(t *testing.T) {
+		t.Parallel()
+
+		pathname := "/etc"
+		if got := unsafeAbs(pathname).String(); got != pathname {
+			t.Errorf("String: %q, want %q", got, pathname)
+		}
+	})
+
+	t.Run("zero", func(t *testing.T) {
+		t.Parallel()
+
+		defer func() {
+			wantPanic := "attempted use of zero Absolute"
+
+			if r := recover(); r != wantPanic {
+				t.Errorf("String: panic = %v, want %v", r, wantPanic)
+			}
+		}()
+
+		panic(new(Absolute).String())
+	})
+}
+
+func TestAbsoluteIs(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		a, v *Absolute
+		want bool
+	}{
+		{"nil", (*Absolute)(nil), (*Absolute)(nil), true},
+		{"nil a", (*Absolute)(nil), MustAbs("/"), false},
+		{"nil v", MustAbs("/"), (*Absolute)(nil), false},
+		{"zero", new(Absolute), new(Absolute), false},
+		{"zero a", new(Absolute), MustAbs("/"), false},
+		{"zero v", MustAbs("/"), new(Absolute), false},
+		{"equals", MustAbs("/"), MustAbs("/"), true},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := tc.a.Is(tc.v); got != tc.want {
+				t.Errorf("Is: %v, want %v", got, tc.want)
+			}
+		})
+	}
+}
+
+type sCheck struct {
+	Pathname *Absolute `json:"val"`
+	Magic    uint64    `json:"magic"`
+}
+
+func TestCodecAbsolute(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		a    *Absolute
+
+		wantErr error
+
+		gob, sGob   string
+		json, sJson string
+	}{
+		{"nil", nil, nil,
+			"\x00", "\x00",
+			`null`, `{"val":null,"magic":3236757504}`},
+
+		{"good", MustAbs("/etc"),
+			nil,
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\b\xff\x80\x00\x04/etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x04/etc\x01\xfc\xc0\xed\x00\x00\x00",
+
+			`"/etc"`, `{"val":"/etc","magic":3236757504}`},
+		{"not absolute", nil,
+			AbsoluteError("etc"),
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\a\xff\x80\x00\x03etc",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x0f\xff\x84\x01\x03etc\x01\xfb\x01\x81\xda\x00\x00\x00",
+
+			`"etc"`, `{"val":"etc","magic":3236757504}`},
+		{"zero", nil,
+			new(AbsoluteError),
+			"\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\x04\xff\x80\x00\x00",
+			",\xff\x83\x03\x01\x01\x06sCheck\x01\xff\x84\x00\x01\x02\x01\bPathname\x01\xff\x80\x00\x01\x05Magic\x01\x06\x00\x00\x00\t\x7f\x06\x01\x02\xff\x82\x00\x00\x00\f\xff\x84\x01\x00\x01\xfb\x01\x81\xda\x00\x00\x00",
+			`""`, `{"val":"","magic":3236757504}`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("gob", func(t *testing.T) {
+				if tc.gob == "\x00" && tc.sGob == "\x00" {
+					// these values mark the current test to skip gob
+					return
+				}
+				t.Parallel()
+
+				t.Run("encode", func(t *testing.T) {
+					t.Parallel()
+
+					// encode is unchecked
+					if errors.Is(tc.wantErr, syscall.EINVAL) {
+						return
+					}
+
+					{
+						buf := new(bytes.Buffer)
+						err := gob.NewEncoder(buf).Encode(tc.a)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Encode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSEncode
+						}
+						if buf.String() != tc.gob {
+							t.Errorf("Encode:\n%q\nwant:\n%q", buf.String(), tc.gob)
+						}
+					}
+
+				checkSEncode:
+					{
+						buf := new(bytes.Buffer)
+						err := gob.NewEncoder(buf).Encode(&sCheck{tc.a, syscall.MS_MGC_VAL})
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Encode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						if buf.String() != tc.sGob {
+							t.Errorf("Encode:\n%q\nwant:\n%q", buf.String(), tc.sGob)
+						}
+					}
+				})
+
+				t.Run("decode", func(t *testing.T) {
+					t.Parallel()
+
+					{
+						var gotA *Absolute
+						err := gob.NewDecoder(strings.NewReader(tc.gob)).Decode(&gotA)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Decode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSDecode
+						}
+						if !reflect.DeepEqual(tc.a, gotA) {
+							t.Errorf("Decode: %#v, want %#v", tc.a, gotA)
+						}
+					}
+
+				checkSDecode:
+					{
+						var gotSCheck sCheck
+						err := gob.NewDecoder(strings.NewReader(tc.sGob)).Decode(&gotSCheck)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Decode: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						want := sCheck{tc.a, syscall.MS_MGC_VAL}
+						if !reflect.DeepEqual(gotSCheck, want) {
+							t.Errorf("Decode: %#v, want %#v", gotSCheck, want)
+						}
+					}
+				})
+
+			})
+
+			t.Run("json", func(t *testing.T) {
+				t.Parallel()
+
+				t.Run("marshal", func(t *testing.T) {
+					t.Parallel()
+
+					// marshal is unchecked
+					if errors.Is(tc.wantErr, syscall.EINVAL) {
+						return
+					}
+
+					{
+						d, err := json.Marshal(tc.a)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSMarshal
+						}
+						if string(d) != tc.json {
+							t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.json)
+						}
+					}
+
+				checkSMarshal:
+					{
+						d, err := json.Marshal(&sCheck{tc.a, syscall.MS_MGC_VAL})
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						if string(d) != tc.sJson {
+							t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.sJson)
+						}
+					}
+				})
+
+				t.Run("unmarshal", func(t *testing.T) {
+					t.Parallel()
+
+					{
+						var gotA *Absolute
+						err := json.Unmarshal([]byte(tc.json), &gotA)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							goto checkSUnmarshal
+						}
+						if !reflect.DeepEqual(tc.a, gotA) {
+							t.Errorf("Unmarshal: %#v, want %#v", tc.a, gotA)
+						}
+					}
+
+				checkSUnmarshal:
+					{
+						var gotSCheck sCheck
+						err := json.Unmarshal([]byte(tc.sJson), &gotSCheck)
+						if !errors.Is(err, tc.wantErr) {
+							t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
+						}
+						if tc.wantErr != nil {
+							return
+						}
+						want := sCheck{tc.a, syscall.MS_MGC_VAL}
+						if !reflect.DeepEqual(gotSCheck, want) {
+							t.Errorf("Unmarshal: %#v, want %#v", gotSCheck, want)
+						}
+					}
+				})
+			})
+		})
+	}
+}
+
+func TestAbsoluteWrap(t *testing.T) {
+	t.Parallel()
+
+	t.Run("join", func(t *testing.T) {
+		t.Parallel()
+
+		want := "/etc/nix/nix.conf"
+		if got := MustAbs("/etc").Append("nix", "nix.conf"); got.String() != want {
+			t.Errorf("Append: %q, want %q", got, want)
+		}
+	})
+
+	t.Run("dir", func(t *testing.T) {
+		t.Parallel()
+
+		want := "/"
+		if got := MustAbs("/etc").Dir(); got.String() != want {
+			t.Errorf("Dir: %q, want %q", got, want)
+		}
+	})
+
+	t.Run("sort", func(t *testing.T) {
+		t.Parallel()
+
+		want := []*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/sys")}
+		got := []*Absolute{MustAbs("/proc"), MustAbs("/sys"), MustAbs("/etc")}
+		SortAbs(got)
+		if !reflect.DeepEqual(got, want) {
+			t.Errorf("SortAbs: %#v, want %#v", got, want)
+		}
+	})
+
+	t.Run("compact", func(t *testing.T) {
+		t.Parallel()
+
+		want := []*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/sys")}
+		if got := CompactAbs([]*Absolute{MustAbs("/etc"), MustAbs("/proc"), MustAbs("/proc"), MustAbs("/sys")}); !reflect.DeepEqual(got, want) {
+			t.Errorf("CompactAbs: %#v, want %#v", got, want)
+		}
+	})
+}

check/overlay.go

@@ -0,0 +1,38 @@
+package check
+
+import "strings"
+
+const (
+	// SpecialOverlayEscape is the escape string for overlay mount options.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
+	SpecialOverlayEscape = `\`
+	// SpecialOverlayOption is the separator string between overlay mount options.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
+	SpecialOverlayOption = ","
+	// SpecialOverlayPath is the separator string between overlay paths.
+	//
+	// Deprecated: This is no longer used and will be removed in 0.5.
+	SpecialOverlayPath = ":"
+)
+
+// EscapeOverlayDataSegment escapes a string for formatting into the data
+// argument of an overlay mount system call.
+//
+// Deprecated: This is no longer used and will be removed in 0.5.
+func EscapeOverlayDataSegment(s string) string {
+	if s == "" {
+		return ""
+	}
+
+	if f := strings.SplitN(s, "\x00", 2); len(f) > 0 {
+		s = f[0]
+	}
+
+	return strings.NewReplacer(
+		SpecialOverlayEscape, SpecialOverlayEscape+SpecialOverlayEscape,
+		SpecialOverlayOption, SpecialOverlayEscape+SpecialOverlayOption,
+		SpecialOverlayPath, SpecialOverlayEscape+SpecialOverlayPath,
+	).Replace(s)
+}

check/overlay_test.go

@@ -0,0 +1,31 @@
+package check_test
+
+import (
+	"testing"
+
+	"hakurei.app/check"
+)
+
+func TestEscapeOverlayDataSegment(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		s    string
+		want string
+	}{
+		{"zero", "", ""},
+		{"multi", `\\\:,:,\\\`, `\\\\\\\:\,\:\,\\\\\\`},
+		{"bwrap", `/path :,\`, `/path \:\,\\`},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := check.EscapeOverlayDataSegment(tc.s); got != tc.want {
+				t.Errorf("escapeOverlayDataSegment: %s, want %s", got, tc.want)
+			}
+		})
+	}
+}

cmd/dist/VERSION

@@ -0,0 +1 @@
+v0.4.3

cmd/dist/comp/_hakurei

@@ -1,21 +1,24 @@
 #compdef hakurei
 
-_hakurei_app() {
+_hakurei_run() {
   __hakurei_files
   return $?
 }
 
-_hakurei_run() {
+_hakurei_exec() {
   _arguments \
     '--id[Reverse-DNS style Application identifier, leave empty to inherit instance identifier]:id' \
     '-a[Application identity]: :_numbers' \
     '-g[Groups inherited by all container processes]: :_groups' \
     '-d[Container home directory]: :_files -/' \
     '-u[Passwd user name within sandbox]: :_users' \
+    '--private-runtime[Do not share XDG_RUNTIME_DIR between containers under the same identity]' \
+    '--private-tmpdir[Do not share TMPDIR between containers under the same identity]' \
     '--wayland[Enable connection to Wayland via security-context-v1]' \
     '-X[Enable direct connection to X11]' \
     '--dbus[Enable proxied connection to D-Bus]' \
-    '--pulse[Enable direct connection to PulseAudio]' \
+    '--pipewire[Enable connection to PipeWire via SecurityContext]' \
+    '--pulse[Enable PulseAudio compatibility daemon]' \
     '--dbus-config[Path to session bus proxy config file]: :_files -g "*.json"' \
     '--dbus-system[Path to system bus proxy config file]: :_files -g "*.json"' \
     '--mpris[Allow owning MPRIS D-Bus path]' \
@@ -54,9 +57,9 @@ __hakurei_instances() {
 {
   local -a _hakurei_cmds
   _hakurei_cmds=(
-    "app:Load app from configuration file"
-    "run:Configure and start a permissive default sandbox"
-    "show:Show live or local app configuration"
+    "run:Load and start container from configuration file"
+    "exec:Configure and start a permissive container"
+    "show:Show live or local instance configuration"
     "ps:List active instances"
     "version:Display version information"
     "license:Show full license text"

cmd/dist/dist.sh

@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+TOOLCHAIN_VERSION="$(go version)"
+cd "$(dirname -- "$0")/../.."
+echo "Building cmd/dist using ${TOOLCHAIN_VERSION}."
+FLAGS=''
+if test -n "$VERBOSE"; then
+    FLAGS="$FLAGS -v"
+fi
+go run $FLAGS --tags=dist ./cmd/dist

cmd/dist/main.go

@@ -0,0 +1,254 @@
+//go:build dist
+
+package main
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"crypto/sha512"
+	_ "embed"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"io/fs"
+	"log"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+	"strings"
+)
+
+//go:generate sh -c "git describe --tags > VERSION"
+//go:embed VERSION
+var version string
+
+// getenv looks up an environment variable, and returns fallback if it is unset.
+func getenv(key, fallback string) string {
+	if v, ok := os.LookupEnv(key); ok {
+		return v
+	}
+	return fallback
+}
+
+// mustRun runs a command with the current process's environment and panics
+// on error or non-zero exit code.
+func mustRun(ctx context.Context, name string, arg ...string) {
+	cmd := exec.CommandContext(ctx, name, arg...)
+	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+	if err := cmd.Run(); err != nil {
+		panic(err)
+	}
+}
+
+//go:embed comp/_hakurei
+var comp []byte
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("")
+
+	verbose := os.Getenv("VERBOSE") != ""
+	runTests := os.Getenv("HAKUREI_DIST_MAKE") == ""
+	version = getenv("HAKUREI_VERSION", strings.TrimSpace(version))
+	prefix := getenv("PREFIX", "/usr")
+	destdir := getenv("DESTDIR", "dist")
+
+	if verbose {
+		log.Println()
+	}
+
+	if err := os.MkdirAll(destdir, 0755); err != nil {
+		log.Fatal(err)
+	}
+	s, err := os.MkdirTemp(destdir, ".dist.*")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer func() {
+		var code int
+
+		if err = os.RemoveAll(s); err != nil {
+			code = 1
+			log.Println(err)
+		}
+
+		if r := recover(); r != nil {
+			code = 1
+			log.Println(r)
+		}
+
+		os.Exit(code)
+	}()
+
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
+	defer cancel()
+
+	verboseFlag := "-v"
+	if !verbose {
+		verboseFlag = "-buildvcs=false"
+	}
+
+	log.Printf("Building hakurei for %s/%s.", runtime.GOOS, runtime.GOARCH)
+	mustRun(ctx, "go", "generate", "./...")
+	mustRun(
+		ctx, "go", "build",
+		"-trimpath",
+		verboseFlag, "-o", s,
+		"-ldflags=-s -w "+
+			"-buildid= -linkmode external -extldflags=-static "+
+			"-X hakurei.app/internal/info.buildVersion="+version+" "+
+			"-X hakurei.app/internal/info.hakureiPath="+prefix+"/bin/hakurei "+
+			"-X hakurei.app/internal/info.hsuPath="+prefix+"/bin/hsu "+
+			"-X main.hakureiPath="+prefix+"/bin/hakurei",
+		"./...",
+	)
+	log.Println()
+
+	if runTests {
+		log.Println("##### Testing Hakurei.")
+		mustRun(
+			ctx, "go", "test",
+			"-ldflags=-buildid= -linkmode external -extldflags=-static",
+			"./...",
+		)
+		log.Println()
+	}
+
+	log.Println("##### Creating distribution.")
+	const suffix = ".tar.gz"
+	distName := "hakurei-" + version + "-" + runtime.GOARCH
+	var f *os.File
+	if f, err = os.OpenFile(
+		filepath.Join(s, distName+suffix),
+		os.O_CREATE|os.O_EXCL|os.O_WRONLY,
+		0644,
+	); err != nil {
+		panic(err)
+	}
+	defer func() {
+		if f == nil {
+			return
+		}
+		if err = f.Close(); err != nil {
+			log.Println(err)
+		}
+	}()
+
+	h := sha512.New()
+	gw, _ := gzip.NewWriterLevel(io.MultiWriter(f, h), gzip.BestCompression)
+	tw := tar.NewWriter(gw)
+
+	mustWriteHeader := func(name string, size int64, mode os.FileMode) {
+		header := tar.Header{
+			Name:  filepath.Join(distName, name),
+			Size:  size,
+			Mode:  int64(mode),
+			Uname: "root",
+			Gname: "root",
+		}
+
+		if mode&os.ModeDir != 0 {
+			header.Typeflag = tar.TypeDir
+			fmt.Printf("%s %s\n", mode, name)
+		} else {
+			header.Typeflag = tar.TypeReg
+			fmt.Printf("%s %s (%d bytes)\n", mode, name, size)
+		}
+
+		if err = tw.WriteHeader(&header); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFile := func(name string, data []byte, mode os.FileMode) {
+		mustWriteHeader(name, int64(len(data)), mode)
+		if mode&os.ModeDir != 0 {
+			return
+		}
+		if _, err = tw.Write(data); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFromPath := func(dst, src string, mode os.FileMode) {
+		var r *os.File
+		if r, err = os.Open(src); err != nil {
+			panic(err)
+		}
+
+		var fi os.FileInfo
+		if fi, err = r.Stat(); err != nil {
+			_ = r.Close()
+			panic(err)
+		}
+
+		if mode == 0 {
+			mode = fi.Mode()
+		}
+
+		mustWriteHeader(dst, fi.Size(), mode)
+		if _, err = io.Copy(tw, r); err != nil {
+			_ = r.Close()
+			panic(err)
+		} else if err = r.Close(); err != nil {
+			panic(err)
+		}
+	}
+
+	mustWriteFile(".", nil, fs.ModeDir|0755)
+	mustWriteFile("comp/", nil, os.ModeDir|0755)
+	mustWriteFile("comp/_hakurei", comp, 0644)
+	mustWriteFile("install.sh", []byte(`#!/bin/sh -e
+cd "$(dirname -- "$0")" || exit 1
+
+install -vDm0755 "bin/hakurei" "${DESTDIR}`+prefix+`/bin/hakurei"
+install -vDm0755 "bin/sharefs" "${DESTDIR}`+prefix+`/bin/sharefs"
+
+install -vDm4511 "bin/hsu" "${DESTDIR}`+prefix+`/bin/hsu"
+if [ ! -f "${DESTDIR}/etc/hsurc" ]; then
+    install -vDm0400 "hsurc.default" "${DESTDIR}/etc/hsurc"
+fi
+
+install -vDm0644 "comp/_hakurei" "${DESTDIR}`+prefix+`/share/zsh/site-functions/_hakurei"
+`), 0755)
+
+	mustWriteFromPath("README.md", "README.md", 0)
+	mustWriteFile("hsurc.default", []byte("1000 0"), 0400)
+	mustWriteFromPath("bin/hsu", filepath.Join(s, "hsu"), 04511)
+	for _, name := range []string{
+		"hakurei",
+		"sharefs",
+	} {
+		mustWriteFromPath(
+			filepath.Join("bin", name),
+			filepath.Join(s, name),
+			0,
+		)
+	}
+
+	if err = tw.Close(); err != nil {
+		panic(err)
+	} else if err = gw.Close(); err != nil {
+		panic(err)
+	} else if err = f.Close(); err != nil {
+		panic(err)
+	}
+	f = nil
+
+	if err = os.WriteFile(
+		filepath.Join(destdir, distName+suffix+".sha512"),
+		append(hex.AppendEncode(nil, h.Sum(nil)), "  "+distName+suffix+"\n"...),
+		0644,
+	); err != nil {
+		panic(err)
+	}
+	if err = os.Rename(
+		filepath.Join(s, distName+suffix),
+		filepath.Join(destdir, distName+suffix),
+	); err != nil {
+		panic(err)
+	}
+}

cmd/earlyinit/main.go

@@ -0,0 +1,131 @@
+// The earlyinit is part of the Rosa OS initramfs and serves as the system init.
+//
+// This program is an internal detail of Rosa OS and is not usable on its own.
+// It is not covered by the compatibility promise.
+package main
+
+import (
+	"log"
+	"os"
+	"runtime"
+	"strings"
+	. "syscall"
+)
+
+func main() {
+	runtime.LockOSThread()
+	log.SetFlags(0)
+	log.SetPrefix("earlyinit: ")
+
+	var (
+		option map[string]string
+		flags  []string
+	)
+	if len(os.Args) > 1 {
+		option = make(map[string]string)
+		for _, s := range os.Args[1:] {
+			key, value, ok := strings.Cut(s, "=")
+			if !ok {
+				flags = append(flags, s)
+				continue
+			}
+			option[key] = value
+		}
+	}
+
+	if err := Mount(
+		"devtmpfs",
+		"/dev/",
+		"devtmpfs",
+		MS_NOSUID|MS_NOEXEC,
+		"",
+	); err != nil {
+		log.Fatalf("cannot mount devtmpfs: %v", err)
+	}
+
+	// The kernel might be unable to set up the console. When that happens,
+	// printk is called with "Warning: unable to open an initial console."
+	// and the init runs with no files. The checkfds runtime function
+	// populates 0-2 by opening /dev/null for them.
+	//
+	// This check replaces 1 and 2 with /dev/kmsg to improve the chance
+	// of output being visible to the user.
+	if fi, err := os.Stdout.Stat(); err == nil {
+		if stat, ok := fi.Sys().(*Stat_t); ok {
+			if stat.Rdev == 0x103 {
+				var fd int
+				if fd, err = Open(
+					"/dev/kmsg",
+					O_WRONLY|O_CLOEXEC,
+					0,
+				); err != nil {
+					log.Fatalf("cannot open kmsg: %v", err)
+				}
+
+				if err = Dup3(fd, Stdout, 0); err != nil {
+					log.Fatalf("cannot open stdout: %v", err)
+				}
+				if err = Dup3(fd, Stderr, 0); err != nil {
+					log.Fatalf("cannot open stderr: %v", err)
+				}
+
+				if err = Close(fd); err != nil {
+					log.Printf("cannot close kmsg: %v", err)
+				}
+			}
+		}
+	}
+
+	// staying in rootfs, these are no longer used
+	must(os.Remove("/root"))
+	must(os.Remove("/init"))
+
+	must(os.Mkdir("/proc", 0))
+	mustSyscall("mount proc", Mount(
+		"proc",
+		"/proc",
+		"proc",
+		MS_NOSUID|MS_NOEXEC|MS_NODEV,
+		"hidepid=1",
+	))
+
+	must(os.Mkdir("/sys", 0))
+	mustSyscall("mount sysfs", Mount(
+		"sysfs",
+		"/sys",
+		"sysfs",
+		0,
+		"",
+	))
+
+	// after top level has been set up
+	mustSyscall("remount root", Mount(
+		"",
+		"/",
+		"",
+		MS_REMOUNT|MS_BIND|
+			MS_RDONLY|MS_NODEV|MS_NOSUID|MS_NOEXEC,
+		"",
+	))
+
+	must(os.WriteFile(
+		"/sys/module/firmware_class/parameters/path",
+		[]byte("/system/lib/firmware"),
+		0,
+	))
+
+}
+
+// mustSyscall calls [log.Fatalln] if err is non-nil.
+func mustSyscall(action string, err error) {
+	if err != nil {
+		log.Fatalln("cannot "+action+":", err)
+	}
+}
+
+// must calls [log.Fatal] with err if it is non-nil.
+func must(err error) {
+	if err != nil {
+		log.Fatal(err)
+	}
+}

cmd/hakurei/command.go

@@ -2,77 +2,117 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"log"
 	"os"
-	"os/signal"
+	"os/exec"
 	"os/user"
 	"strconv"
 	"sync"
-	"syscall"
 	"time"
 
-	"hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/cmd/hakurei/internal/app/instance"
-	"hakurei.app/cmd/hakurei/internal/state"
+	"hakurei.app/check"
 	"hakurei.app/command"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
 	"hakurei.app/hst"
-	"hakurei.app/internal"
-	"hakurei.app/internal/hlog"
-	"hakurei.app/system"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/dbus"
+	"hakurei.app/internal/env"
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/outcome"
+	"hakurei.app/message"
 )
 
-func buildCommand(out io.Writer) command.Command {
+// optionalErrorUnwrap calls [errors.Unwrap] and returns the resulting value
+// if it is not nil, or the original value if it is.
+func optionalErrorUnwrap(err error) error {
+	if underlyingErr := errors.Unwrap(err); underlyingErr != nil {
+		return underlyingErr
+	}
+	return err
+}
+
+var errSuccess = errors.New("success")
+
+func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErrs, out io.Writer) command.Command {
 	var (
-		flagVerbose bool
-		flagJSON    bool
+		flagVerbose  bool
+		flagInsecure bool
+		flagJSON     bool
 	)
-	c := command.New(out, log.Printf, "hakurei", func([]string) error { internal.InstallOutput(flagVerbose); return nil }).
-		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
-		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")
+	c := command.New(out, log.Printf, "hakurei", func([]string) error {
+		msg.SwapVerbose(flagVerbose)
 
-	c.Command("shim", command.UsageInternal, func([]string) error { instance.ShimMain(); return errSuccess })
-
-	c.Command("app", "Load app from configuration file", func(args []string) error {
-		if len(args) < 1 {
-			log.Fatal("app requires at least 1 argument")
+		if early.yamaLSM != nil {
+			msg.Verbosef("cannot enable ptrace protection via Yama LSM: %v", early.yamaLSM)
+			// not fatal
 		}
 
-		// config extraArgs...
-		config := tryPath(args[0])
-		config.Args = append(config.Args, args[1:]...)
+		if early.dumpable != nil {
+			log.Printf("cannot set SUID_DUMP_DISABLE: %s", early.dumpable)
+			// not fatal
+		}
 
-		runApp(config)
-		panic("unreachable")
-	})
+		return nil
+	}).
+		Flag(&flagVerbose, "v", command.BoolFlag(false), "Increase log verbosity").
+		Flag(&flagInsecure, "insecure", command.BoolFlag(false), "Allow use of insecure compatibility options").
+		Flag(&flagJSON, "json", command.BoolFlag(false), "Serialise output in JSON when applicable")
+
+	c.Command("shim", command.UsageInternal, func([]string) error { outcome.Shim(msg); return errSuccess })
 
 	{
 		var (
-			dbusConfigSession string
-			dbusConfigSystem  string
-			mpris             bool
-			dbusVerbose       bool
-
-			fid      string
-			aid      int
-			groups   command.RepeatableFlag
-			homeDir  string
-			userName string
-
-			wayland, x11, dBus, pulse bool
+			flagIdentifierFile int
 		)
-
-		c.NewCommand("run", "Configure and start a permissive default sandbox", func(args []string) error {
-			// initialise config from flags
-			config := &hst.Config{
-				ID:   fid,
-				Args: args,
+		c.NewCommand("run", "Load and start container from configuration file", func(args []string) error {
+			if len(args) < 1 {
+				log.Fatal("run requires at least 1 argument")
 			}
 
-			if aid < 0 || aid > 9999 {
-				log.Fatalf("aid %d out of range", aid)
+			config := tryPath(msg, args[0])
+			if config != nil && config.Container != nil {
+				config.Container.Args = append(config.Container.Args, args[1:]...)
+			}
+
+			var flags int
+			if flagInsecure {
+				flags |= hst.VAllowInsecure
+			}
+
+			outcome.Main(ctx, msg, config, flags, flagIdentifierFile)
+			panic("unreachable")
+		}).
+			Flag(&flagIdentifierFile, "identifier-fd", command.IntFlag(-1),
+				"Write identifier of current instance to fd after successful startup")
+	}
+
+	{
+		var (
+			flagDBusConfigSession string
+			flagDBusConfigSystem  string
+			flagDBusMpris         bool
+			flagDBusVerbose       bool
+
+			flagID       string
+			flagIdentity int
+			flagGroups   command.RepeatableFlag
+			flagHomeDir  string
+			flagUserName string
+
+			flagSchedPolicy   string
+			flagSchedPriority int
+
+			flagPrivateRuntime, flagPrivateTmpdir bool
+
+			flagWayland, flagX11, flagDBus, flagPipeWire, flagPulse bool
+		)
+
+		c.NewCommand("exec", "Configure and start a permissive container", func(args []string) error {
+			if flagIdentity < hst.IdentityStart || flagIdentity > hst.IdentityEnd {
+				log.Fatalf("identity %d out of range", flagIdentity)
 			}
 
 			// resolve home/username from os when flag is unset
@@ -80,22 +120,15 @@ func buildCommand(out io.Writer) command.Command {
 				passwd     *user.User
 				passwdOnce sync.Once
 				passwdFunc = func() {
-					var us string
-					if uid, err := std.Uid(aid); err != nil {
-						hlog.PrintBaseError(err, "cannot obtain uid from setuid wrapper:")
-						os.Exit(1)
-					} else {
-						us = strconv.Itoa(uid)
-					}
-
+					us := strconv.Itoa(hst.ToUser(new(outcome.Hsu).MustID(msg), flagIdentity))
 					if u, err := user.LookupId(us); err != nil {
-						hlog.Verbosef("cannot look up uid %s", us)
+						msg.Verbosef("cannot look up uid %s", us)
 						passwd = &user.User{
 							Uid:      us,
 							Gid:      us,
 							Username: "chronos",
 							Name:     "Hakurei Permissive Default",
-							HomeDir:  "/var/empty",
+							HomeDir:  fhs.VarEmpty,
 						}
 					} else {
 						passwd = u
@@ -103,156 +136,256 @@ func buildCommand(out io.Writer) command.Command {
 				}
 			)
 
-			if homeDir == "os" {
+			// paths are identical, resolve inner shell and program path
+			shell := fhs.AbsRoot.Append("bin", "sh")
+			if a, err := check.NewAbs(os.Getenv("SHELL")); err == nil {
+				shell = a
+			}
+			progPath := shell
+			if len(args) > 0 {
+				if p, err := exec.LookPath(args[0]); err != nil {
+					log.Fatal(optionalErrorUnwrap(err))
+					return err
+				} else if progPath, err = check.NewAbs(p); err != nil {
+					log.Fatal(err)
+					return err
+				}
+			}
+
+			var et hst.Enablements
+			if flagWayland {
+				et |= hst.EWayland
+			}
+			if flagX11 {
+				et |= hst.EX11
+			}
+			if flagDBus {
+				et |= hst.EDBus
+			}
+			if flagPipeWire || flagPulse {
+				et |= hst.EPipeWire
+			}
+
+			config := hst.Config{
+				ID:          flagID,
+				Identity:    flagIdentity,
+				Groups:      flagGroups,
+				Enablements: &et,
+
+				Container: &hst.ContainerConfig{
+					Filesystem: []hst.FilesystemConfigJSON{
+						// autoroot, includes the home directory
+						{FilesystemConfig: &hst.FSBind{
+							Target:  fhs.AbsRoot,
+							Source:  fhs.AbsRoot,
+							Write:   true,
+							Special: true,
+						}},
+					},
+
+					Username: flagUserName,
+					Shell:    shell,
+
+					Path: progPath,
+					Args: args,
+
+					Flags: hst.FUserns | hst.FHostNet | hst.FHostAbstract | hst.FTty,
+				},
+			}
+
+			if err := config.SchedPolicy.UnmarshalText(
+				[]byte(flagSchedPolicy),
+			); err != nil {
+				log.Fatal(err)
+			}
+			config.SchedPriority = ext.Int(flagSchedPriority)
+
+			// bind GPU stuff
+			if et&(hst.EX11|hst.EWayland) != 0 {
+				config.Container.Filesystem = append(config.Container.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
+					Source:   fhs.AbsDev.Append("dri"),
+					Device:   true,
+					Optional: true,
+				}})
+			}
+
+			config.Container.Filesystem = append(config.Container.Filesystem,
+				// opportunistically bind kvm
+				hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
+					Source:   fhs.AbsDev.Append("kvm"),
+					Device:   true,
+					Optional: true,
+				}},
+
+				// do autoetc last
+				hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
+					Target:  fhs.AbsEtc,
+					Source:  fhs.AbsEtc,
+					Special: true,
+				}},
+			)
+
+			if config.Container.Username == "chronos" {
 				passwdOnce.Do(passwdFunc)
-				homeDir = passwd.HomeDir
+				config.Container.Username = passwd.Username
 			}
 
-			if userName == "chronos" {
-				passwdOnce.Do(passwdFunc)
-				userName = passwd.Username
+			{
+				homeDir := flagHomeDir
+				if homeDir == "os" {
+					passwdOnce.Do(passwdFunc)
+					homeDir = passwd.HomeDir
+				}
+				if a, err := check.NewAbs(homeDir); err != nil {
+					log.Fatal(err)
+					return err
+				} else {
+					config.Container.Home = a
+				}
 			}
 
-			config.Identity = aid
-			config.Groups = groups
-			config.Data = homeDir
-			config.Username = userName
-
-			if wayland {
-				config.Enablements |= system.EWayland
+			if !flagPrivateRuntime {
+				config.Container.Flags |= hst.FShareRuntime
 			}
-			if x11 {
-				config.Enablements |= system.EX11
-			}
-			if dBus {
-				config.Enablements |= system.EDBus
-			}
-			if pulse {
-				config.Enablements |= system.EPulse
+			if !flagPrivateTmpdir {
+				config.Container.Flags |= hst.FShareTmpdir
 			}
 
 			// parse D-Bus config file from flags if applicable
-			if dBus {
-				if dbusConfigSession == "builtin" {
-					config.SessionBus = dbus.NewConfig(fid, true, mpris)
+			if flagDBus {
+				if flagDBusConfigSession == "builtin" {
+					config.SessionBus = dbus.NewConfig(flagID, true, flagDBusMpris)
 				} else {
-					if conf, err := dbus.NewConfigFromFile(dbusConfigSession); err != nil {
-						log.Fatalf("cannot load session bus proxy config from %q: %s", dbusConfigSession, err)
+					if f, err := os.Open(flagDBusConfigSession); err != nil {
+						log.Fatal(err)
 					} else {
-						config.SessionBus = conf
+						decodeJSON(log.Fatal, "load session bus proxy config", f, &config.SessionBus)
+						if err = f.Close(); err != nil {
+							log.Fatal(err)
+						}
 					}
 				}
 
 				// system bus proxy is optional
-				if dbusConfigSystem != "nil" {
-					if conf, err := dbus.NewConfigFromFile(dbusConfigSystem); err != nil {
-						log.Fatalf("cannot load system bus proxy config from %q: %s", dbusConfigSystem, err)
+				if flagDBusConfigSystem != "nil" {
+					if f, err := os.Open(flagDBusConfigSystem); err != nil {
+						log.Fatal(err)
 					} else {
-						config.SystemBus = conf
+						decodeJSON(log.Fatal, "load system bus proxy config", f, &config.SystemBus)
+						if err = f.Close(); err != nil {
+							log.Fatal(err)
+						}
 					}
 				}
 
 				// override log from configuration
-				if dbusVerbose {
-					config.SessionBus.Log = true
-					config.SystemBus.Log = true
+				if flagDBusVerbose {
+					if config.SessionBus != nil {
+						config.SessionBus.Log = true
+					}
+					if config.SystemBus != nil {
+						config.SystemBus.Log = true
+					}
 				}
 			}
 
-			// invoke app
-			runApp(config)
+			outcome.Main(ctx, msg, &config, 0, -1)
 			panic("unreachable")
 		}).
-			Flag(&dbusConfigSession, "dbus-config", command.StringFlag("builtin"),
+			Flag(&flagDBusConfigSession, "dbus-config", command.StringFlag("builtin"),
 				"Path to session bus proxy config file, or \"builtin\" for defaults").
-			Flag(&dbusConfigSystem, "dbus-system", command.StringFlag("nil"),
+			Flag(&flagDBusConfigSystem, "dbus-system", command.StringFlag("nil"),
 				"Path to system bus proxy config file, or \"nil\" to disable").
-			Flag(&mpris, "mpris", command.BoolFlag(false),
+			Flag(&flagDBusMpris, "mpris", command.BoolFlag(false),
 				"Allow owning MPRIS D-Bus path, has no effect if custom config is available").
-			Flag(&dbusVerbose, "dbus-log", command.BoolFlag(false),
+			Flag(&flagDBusVerbose, "dbus-log", command.BoolFlag(false),
 				"Force buffered logging in the D-Bus proxy").
-			Flag(&fid, "id", command.StringFlag(""),
+			Flag(&flagID, "id", command.StringFlag(""),
 				"Reverse-DNS style Application identifier, leave empty to inherit instance identifier").
-			Flag(&aid, "a", command.IntFlag(0),
+			Flag(&flagIdentity, "a", command.IntFlag(0),
 				"Application identity").
-			Flag(nil, "g", &groups,
+			Flag(nil, "g", &flagGroups,
 				"Groups inherited by all container processes").
-			Flag(&homeDir, "d", command.StringFlag("os"),
+			Flag(&flagHomeDir, "d", command.StringFlag("os"),
 				"Container home directory").
-			Flag(&userName, "u", command.StringFlag("chronos"),
+			Flag(&flagUserName, "u", command.StringFlag("chronos"),
 				"Passwd user name within sandbox").
-			Flag(&wayland, "wayland", command.BoolFlag(false),
+			Flag(&flagSchedPolicy, "policy", command.StringFlag(""),
+				"Scheduling policy to set for the container").
+			Flag(&flagSchedPriority, "priority", command.IntFlag(0),
+				"Scheduling priority to set for the container").
+			Flag(&flagPrivateRuntime, "private-runtime", command.BoolFlag(false),
+				"Do not share XDG_RUNTIME_DIR between containers under the same identity").
+			Flag(&flagPrivateTmpdir, "private-tmpdir", command.BoolFlag(false),
+				"Do not share TMPDIR between containers under the same identity").
+			Flag(&flagWayland, "wayland", command.BoolFlag(false),
 				"Enable connection to Wayland via security-context-v1").
-			Flag(&x11, "X", command.BoolFlag(false),
+			Flag(&flagX11, "X", command.BoolFlag(false),
 				"Enable direct connection to X11").
-			Flag(&dBus, "dbus", command.BoolFlag(false),
+			Flag(&flagDBus, "dbus", command.BoolFlag(false),
 				"Enable proxied connection to D-Bus").
-			Flag(&pulse, "pulse", command.BoolFlag(false),
-				"Enable direct connection to PulseAudio")
+			Flag(&flagPipeWire, "pipewire", command.BoolFlag(false),
+				"Enable connection to PipeWire via SecurityContext").
+			Flag(&flagPulse, "pulse", command.BoolFlag(false),
+				"Enable PulseAudio compatibility daemon")
 	}
 
-	var showFlagShort bool
-	c.NewCommand("show", "Show live or local app configuration", func(args []string) error {
-		switch len(args) {
-		case 0: // system
-			printShowSystem(os.Stdout, showFlagShort, flagJSON)
+	{
+		var (
+			flagShort   bool
+			flagNoStore bool
+		)
+		c.NewCommand("show", "Show live or local instance configuration", func(args []string) error {
+			switch len(args) {
+			case 0: // system
+				printShowSystem(os.Stdout, flagShort, flagJSON)
 
-		case 1: // instance
-			name := args[0]
-			config, entry := tryShort(name)
-			if config == nil {
-				config = tryPath(name)
+			case 1: // instance
+				name := args[0]
+
+				var (
+					config *hst.Config
+					entry  *hst.State
+				)
+				if !flagNoStore {
+					var sc hst.Paths
+					env.CopyPaths().Copy(&sc, new(outcome.Hsu).MustID(nil))
+					entry = tryIdentifier(msg, name, outcome.NewStore(&sc))
+				}
+
+				if entry == nil {
+					config = tryPath(msg, name)
+				} else {
+					config = entry.Config
+				}
+
+				if !printShowInstance(os.Stdout, time.Now().UTC(), entry, config, flagShort, flagJSON) {
+					os.Exit(1)
+				}
+
+			default:
+				log.Fatal("show requires 1 argument")
 			}
-			printShowInstance(os.Stdout, time.Now().UTC(), entry, config, showFlagShort, flagJSON)
+			return errSuccess
+		}).
+			Flag(&flagShort, "short", command.BoolFlag(false), "Omit filesystem information").
+			Flag(&flagNoStore, "no-store", command.BoolFlag(false), "Do not attempt to match from active instances")
+	}
 
-		default:
-			log.Fatal("show requires 1 argument")
-		}
-		return errSuccess
-	}).Flag(&showFlagShort, "short", command.BoolFlag(false), "Omit filesystem information")
+	{
+		var flagShort bool
+		c.NewCommand("ps", "List active instances", func(args []string) error {
+			var sc hst.Paths
+			env.CopyPaths().Copy(&sc, new(outcome.Hsu).MustID(nil))
+			printPs(msg, os.Stdout, time.Now().UTC(), outcome.NewStore(&sc), flagShort, flagJSON)
+			return errSuccess
+		}).Flag(&flagShort, "short", command.BoolFlag(false), "Print instance id")
+	}
 
-	var psFlagShort bool
-	c.NewCommand("ps", "List active instances", func(args []string) error {
-		printPs(os.Stdout, time.Now().UTC(), state.NewMulti(std.Paths().RunDirPath), psFlagShort, flagJSON)
-		return errSuccess
-	}).Flag(&psFlagShort, "short", command.BoolFlag(false), "Print instance id")
-
-	c.Command("version", "Display version information", func(args []string) error {
-		fmt.Println(internal.Version())
-		return errSuccess
-	})
-
-	c.Command("license", "Show full license text", func(args []string) error {
-		fmt.Println(license)
-		return errSuccess
-	})
-
-	c.Command("template", "Produce a config template", func(args []string) error {
-		printJSON(os.Stdout, false, hst.Template())
-		return errSuccess
-	})
-
-	c.Command("help", "Show this help message", func([]string) error {
-		c.PrintHelp()
-		return errSuccess
-	})
+	c.Command("version", "Display version information", func(args []string) error { fmt.Println(info.Version()); return errSuccess })
+	c.Command("license", "Show full license text", func(args []string) error { fmt.Println(license); return errSuccess })
+	c.Command("template", "Produce a config template", func(args []string) error { encodeJSON(log.Fatal, os.Stdout, false, hst.Template()); return errSuccess })
+	c.Command("help", "Show this help message", func([]string) error { c.PrintHelp(); return errSuccess })
 
 	return c
 }
-
-func runApp(config *hst.Config) {
-	ctx, stop := signal.NotifyContext(context.Background(),
-		syscall.SIGINT, syscall.SIGTERM)
-	defer stop() // unreachable
-	a := instance.MustNew(instance.ISetuid, ctx, std)
-
-	rs := new(app.RunState)
-	if sa, err := a.Seal(config); err != nil {
-		hlog.PrintBaseError(err, "cannot seal app:")
-		internal.Exit(1)
-	} else {
-		internal.Exit(instance.PrintRunStateErr(instance.ISetuid, rs, sa.Run(rs)))
-	}
-
-	*(*int)(nil) = 0 // not reached
-}

cmd/hakurei/command_test.go

@@ -7,9 +7,12 @@ import (
 	"testing"
 
 	"hakurei.app/command"
+	"hakurei.app/message"
 )
 
 func TestHelp(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name string
 		args []string
@@ -17,12 +20,12 @@ func TestHelp(t *testing.T) {
 	}{
 		{
 			"main", []string{}, `
-Usage:	hakurei [-h | --help] [-v] [--json] COMMAND [OPTIONS]
+Usage:	hakurei [-h | --help] [-v] [--insecure] [--json] COMMAND [OPTIONS]
 
 Commands:
-    app         Load app from configuration file
-    run         Configure and start a permissive default sandbox
-    show        Show live or local app configuration
+    run         Load and start container from configuration file
+    exec        Configure and start a permissive container
+    show        Show live or local instance configuration
     ps          List active instances
     version     Display version information
     license     Show full license text
@@ -32,8 +35,8 @@ Commands:
 `,
 		},
 		{
-			"run", []string{"run", "-h"}, `
-Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--wayland] [-X] [--dbus] [--pulse] COMMAND [OPTIONS]
+			"exec", []string{"exec", "-h"}, `
+Usage:	hakurei exec [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--policy <value>] [--priority <int>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
 
 Flags:
   -X	Enable direct connection to X11
@@ -55,8 +58,18 @@ Flags:
     	Reverse-DNS style Application identifier, leave empty to inherit instance identifier
   -mpris
     	Allow owning MPRIS D-Bus path, has no effect if custom config is available
+  -pipewire
+    	Enable connection to PipeWire via SecurityContext
+  -policy string
+    	Scheduling policy to set for the container
+  -priority int
+    	Scheduling priority to set for the container
+  -private-runtime
+    	Do not share XDG_RUNTIME_DIR between containers under the same identity
+  -private-tmpdir
+    	Do not share TMPDIR between containers under the same identity
   -pulse
-    	Enable direct connection to PulseAudio
+    	Enable PulseAudio compatibility daemon
   -u string
     	Passwd user name within sandbox (default "chronos")
   -wayland
@@ -67,8 +80,10 @@ Flags:
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
 			out := new(bytes.Buffer)
-			c := buildCommand(out)
+			c := buildCommand(t.Context(), message.New(nil), new(earlyHardeningErrs), out)
 			if err := c.Parse(tc.args); !errors.Is(err, command.ErrHelp) && !errors.Is(err, flag.ErrHelp) {
 				t.Errorf("Parse: error = %v; want %v",
 					err, command.ErrHelp)

cmd/hakurei/internal/app/app.go

@@ -1,49 +0,0 @@
-// Package app defines the generic [App] interface.
-package app
-
-import (
-	"syscall"
-	"time"
-
-	"hakurei.app/hst"
-)
-
-type App interface {
-	// ID returns a copy of [ID] held by App.
-	ID() ID
-
-	// Seal determines the outcome of config as a [SealedApp].
-	// The value of config might be overwritten and must not be used again.
-	Seal(config *hst.Config) (SealedApp, error)
-
-	String() string
-}
-
-type SealedApp interface {
-	// Run commits sealed system setup and starts the app process.
-	Run(rs *RunState) error
-}
-
-// RunState stores the outcome of a call to [SealedApp.Run].
-type RunState struct {
-	// Time is the exact point in time where the process was created.
-	// Location must be set to UTC.
-	//
-	// Time is nil if no process was ever created.
-	Time *time.Time
-	// RevertErr is stored by the deferred revert call.
-	RevertErr error
-	// WaitErr is the generic error value created by the standard library.
-	WaitErr error
-
-	syscall.WaitStatus
-}
-
-// SetStart stores the current time in [RunState] once.
-func (rs *RunState) SetStart() {
-	if rs.Time != nil {
-		panic("attempted to store time twice")
-	}
-	now := time.Now().UTC()
-	rs.Time = &now
-}

cmd/hakurei/internal/app/id.go

@@ -1,48 +0,0 @@
-package app
-
-import (
-	"crypto/rand"
-	"encoding/hex"
-	"errors"
-	"fmt"
-)
-
-type ID [16]byte
-
-var (
-	ErrInvalidLength = errors.New("string representation must have a length of 32")
-)
-
-func (a *ID) String() string {
-	return hex.EncodeToString(a[:])
-}
-
-func NewAppID(id *ID) error {
-	_, err := rand.Read(id[:])
-	return err
-}
-
-func ParseAppID(id *ID, s string) error {
-	if len(s) != 32 {
-		return ErrInvalidLength
-	}
-
-	for i, b := range s {
-		if b < '0' || b > 'f' {
-			return fmt.Errorf("invalid char %q at byte %d", b, i)
-		}
-
-		v := uint8(b)
-		if v > '9' {
-			v = 10 + v - 'a'
-		} else {
-			v -= '0'
-		}
-		if i%2 == 0 {
-			v <<= 4
-		}
-		id[i/2] += v
-	}
-
-	return nil
-}

cmd/hakurei/internal/app/id_test.go

@@ -1,63 +0,0 @@
-package app_test
-
-import (
-	"errors"
-	"testing"
-
-	. "hakurei.app/cmd/hakurei/internal/app"
-)
-
-func TestParseAppID(t *testing.T) {
-	t.Run("bad length", func(t *testing.T) {
-		if err := ParseAppID(new(ID), "meow"); !errors.Is(err, ErrInvalidLength) {
-			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, ErrInvalidLength)
-		}
-	})
-
-	t.Run("bad byte", func(t *testing.T) {
-		wantErr := "invalid char '\\n' at byte 15"
-		if err := ParseAppID(new(ID), "02bc7f8936b2af6\n\ne2535cd71ef0bb7"); err == nil || err.Error() != wantErr {
-			t.Errorf("ParseAppID: error = %v, wantErr =  %v", err, wantErr)
-		}
-	})
-
-	t.Run("fuzz 16 iterations", func(t *testing.T) {
-		for i := 0; i < 16; i++ {
-			testParseAppIDWithRandom(t)
-		}
-	})
-}
-
-func FuzzParseAppID(f *testing.F) {
-	for i := 0; i < 16; i++ {
-		id := new(ID)
-		if err := NewAppID(id); err != nil {
-			panic(err.Error())
-		}
-		f.Add(id[0], id[1], id[2], id[3], id[4], id[5], id[6], id[7], id[8], id[9], id[10], id[11], id[12], id[13], id[14], id[15])
-	}
-
-	f.Fuzz(func(t *testing.T, b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15 byte) {
-		testParseAppID(t, &ID{b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15})
-	})
-}
-
-func testParseAppIDWithRandom(t *testing.T) {
-	id := new(ID)
-	if err := NewAppID(id); err != nil {
-		t.Fatalf("cannot generate app ID: %v", err)
-	}
-	testParseAppID(t, id)
-}
-
-func testParseAppID(t *testing.T, id *ID) {
-	s := id.String()
-	got := new(ID)
-	if err := ParseAppID(got, s); err != nil {
-		t.Fatalf("cannot parse app ID: %v", err)
-	}
-
-	if *got != *id {
-		t.Fatalf("ParseAppID(%#v) = \n%#v, want \n%#v", s, got, id)
-	}
-}

cmd/hakurei/internal/app/instance/common/container.go

@@ -1,192 +0,0 @@
-package common
-
-import (
-	"errors"
-	"fmt"
-	"io/fs"
-	"maps"
-	"path"
-	"syscall"
-
-	"hakurei.app/container"
-	"hakurei.app/container/seccomp"
-	"hakurei.app/hst"
-	"hakurei.app/internal/sys"
-	"hakurei.app/system/dbus"
-)
-
-// in practice there should be less than 30 entries added by the runtime;
-// allocating slightly more as a margin for future expansion
-const preallocateOpsCount = 1 << 5
-
-// NewContainer initialises [sandbox.Params] via [hst.ContainerConfig].
-// Note that remaining container setup must be queued by the caller.
-func NewContainer(s *hst.ContainerConfig, os sys.State, uid, gid *int) (*container.Params, map[string]string, error) {
-	if s == nil {
-		return nil, nil, syscall.EBADE
-	}
-
-	params := &container.Params{
-		Hostname:       s.Hostname,
-		SeccompFlags:   s.SeccompFlags,
-		SeccompPresets: s.SeccompPresets,
-		RetainSession:  s.Tty,
-		HostNet:        s.Net,
-	}
-
-	{
-		ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
-		params.Ops = &ops
-	}
-
-	if s.Multiarch {
-		params.SeccompFlags |= seccomp.AllowMultiarch
-	}
-
-	if !s.SeccompCompat {
-		params.SeccompPresets |= seccomp.PresetExt
-	}
-	if !s.Devel {
-		params.SeccompPresets |= seccomp.PresetDenyDevel
-	}
-	if !s.Userns {
-		params.SeccompPresets |= seccomp.PresetDenyNS
-	}
-	if !s.Tty {
-		params.SeccompPresets |= seccomp.PresetDenyTTY
-	}
-
-	if s.MapRealUID {
-		/* some programs fail to connect to dbus session running as a different uid
-		so this workaround is introduced to map priv-side caller uid in container */
-		params.Uid = os.Getuid()
-		*uid = params.Uid
-		params.Gid = os.Getgid()
-		*gid = params.Gid
-	} else {
-		*uid = container.OverflowUid()
-		*gid = container.OverflowGid()
-	}
-
-	params.
-		Proc("/proc").
-		Tmpfs(hst.Tmp, 1<<12, 0755)
-
-	if !s.Device {
-		params.Dev("/dev").Mqueue("/dev/mqueue")
-	} else {
-		params.Bind("/dev", "/dev", container.BindWritable|container.BindDevice)
-	}
-
-	/* retrieve paths and hide them if they're made available in the sandbox;
-	this feature tries to improve user experience of permissive defaults, and
-	to warn about issues in custom configuration; it is NOT a security feature
-	and should not be treated as such, ALWAYS be careful with what you bind */
-	var hidePaths []string
-	sc := os.Paths()
-	hidePaths = append(hidePaths, sc.RuntimePath, sc.SharePath)
-	_, systemBusAddr := dbus.Address()
-	if entries, err := dbus.Parse([]byte(systemBusAddr)); err != nil {
-		return nil, nil, err
-	} else {
-		// there is usually only one, do not preallocate
-		for _, entry := range entries {
-			if entry.Method != "unix" {
-				continue
-			}
-			for _, pair := range entry.Values {
-				if pair[0] == "path" {
-					if path.IsAbs(pair[1]) {
-						// get parent dir of socket
-						dir := path.Dir(pair[1])
-						if dir == "." || dir == "/" {
-							os.Printf("dbus socket %q is in an unusual location", pair[1])
-						}
-						hidePaths = append(hidePaths, dir)
-					} else {
-						os.Printf("dbus socket %q is not absolute", pair[1])
-					}
-				}
-			}
-		}
-	}
-	hidePathMatch := make([]bool, len(hidePaths))
-	for i := range hidePaths {
-		if err := evalSymlinks(os, &hidePaths[i]); err != nil {
-			return nil, nil, err
-		}
-	}
-
-	for _, c := range s.Filesystem {
-		if c == nil {
-			continue
-		}
-
-		if !path.IsAbs(c.Src) {
-			return nil, nil, fmt.Errorf("src path %q is not absolute", c.Src)
-		}
-
-		dest := c.Dst
-		if c.Dst == "" {
-			dest = c.Src
-		} else if !path.IsAbs(dest) {
-			return nil, nil, fmt.Errorf("dst path %q is not absolute", dest)
-		}
-
-		srcH := c.Src
-		if err := evalSymlinks(os, &srcH); err != nil {
-			return nil, nil, err
-		}
-
-		for i := range hidePaths {
-			// skip matched entries
-			if hidePathMatch[i] {
-				continue
-			}
-
-			if ok, err := deepContainsH(srcH, hidePaths[i]); err != nil {
-				return nil, nil, err
-			} else if ok {
-				hidePathMatch[i] = true
-				os.Printf("hiding paths from %q", c.Src)
-			}
-		}
-
-		var flags int
-		if c.Write {
-			flags |= container.BindWritable
-		}
-		if c.Device {
-			flags |= container.BindDevice | container.BindWritable
-		}
-		if !c.Must {
-			flags |= container.BindOptional
-		}
-		params.Bind(c.Src, dest, flags)
-	}
-
-	// cover matched paths
-	for i, ok := range hidePathMatch {
-		if ok {
-			params.Tmpfs(hidePaths[i], 1<<13, 0755)
-		}
-	}
-
-	for _, l := range s.Link {
-		params.Link(l[0], l[1])
-	}
-
-	return params, maps.Clone(s.Env), nil
-}
-
-func evalSymlinks(os sys.State, v *string) error {
-	if p, err := os.EvalSymlinks(*v); err != nil {
-		if !errors.Is(err, fs.ErrNotExist) {
-			return err
-		}
-		os.Printf("path %q does not yet exist", *v)
-	} else {
-		*v = p
-	}
-	return nil
-}

cmd/hakurei/internal/app/instance/common/path.go

@@ -1,11 +0,0 @@
-package common
-
-import (
-	"path/filepath"
-	"strings"
-)
-
-func deepContainsH(basepath, targpath string) (bool, error) {
-	rel, err := filepath.Rel(basepath, targpath)
-	return err == nil && rel != ".." && !strings.HasPrefix(rel, string([]byte{'.', '.', filepath.Separator})), err
-}

cmd/hakurei/internal/app/instance/errors.go

@@ -1,17 +0,0 @@
-package instance
-
-import (
-	"syscall"
-
-	"hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/cmd/hakurei/internal/app/internal/setuid"
-)
-
-func PrintRunStateErr(whence int, rs *app.RunState, runErr error) (code int) {
-	switch whence {
-	case ISetuid:
-		return setuid.PrintRunStateErr(rs, runErr)
-	default:
-		panic(syscall.EINVAL)
-	}
-}

cmd/hakurei/internal/app/instance/new.go

@@ -1,33 +0,0 @@
-// Package instance exposes cross-package implementation details and provides constructors for builtin implementations.
-package instance
-
-import (
-	"context"
-	"log"
-	"syscall"
-
-	"hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/cmd/hakurei/internal/app/internal/setuid"
-	"hakurei.app/internal/sys"
-)
-
-const (
-	ISetuid = iota
-)
-
-func New(whence int, ctx context.Context, os sys.State) (app.App, error) {
-	switch whence {
-	case ISetuid:
-		return setuid.New(ctx, os)
-	default:
-		return nil, syscall.EINVAL
-	}
-}
-
-func MustNew(whence int, ctx context.Context, os sys.State) app.App {
-	a, err := New(whence, ctx, os)
-	if err != nil {
-		log.Fatalf("cannot create app: %v", err)
-	}
-	return a
-}

cmd/hakurei/internal/app/instance/shim.go

@@ -1,6 +0,0 @@
-package instance
-
-import "hakurei.app/cmd/hakurei/internal/app/internal/setuid"
-
-// ShimMain is the main function of the shim process and runs as the unconstrained target user.
-func ShimMain() { setuid.ShimMain() }

cmd/hakurei/internal/app/internal/setuid/app.go

@@ -1,74 +0,0 @@
-package setuid
-
-import (
-	"context"
-	"fmt"
-	"sync"
-
-	. "hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/hst"
-	"hakurei.app/internal/hlog"
-	"hakurei.app/internal/sys"
-)
-
-func New(ctx context.Context, os sys.State) (App, error) {
-	a := new(app)
-	a.sys = os
-	a.ctx = ctx
-
-	id := new(ID)
-	err := NewAppID(id)
-	a.id = newID(id)
-
-	return a, err
-}
-
-type app struct {
-	id  *stringPair[ID]
-	sys sys.State
-	ctx context.Context
-
-	*outcome
-	mu sync.RWMutex
-}
-
-func (a *app) ID() ID { a.mu.RLock(); defer a.mu.RUnlock(); return a.id.unwrap() }
-
-func (a *app) String() string {
-	if a == nil {
-		return "(invalid app)"
-	}
-
-	a.mu.RLock()
-	defer a.mu.RUnlock()
-
-	if a.outcome != nil {
-		if a.outcome.user.uid == nil {
-			return fmt.Sprintf("(sealed app %s with invalid uid)", a.id)
-		}
-		return fmt.Sprintf("(sealed app %s as uid %s)", a.id, a.outcome.user.uid)
-	}
-
-	return fmt.Sprintf("(unsealed app %s)", a.id)
-}
-
-func (a *app) Seal(config *hst.Config) (SealedApp, error) {
-	a.mu.Lock()
-	defer a.mu.Unlock()
-
-	if a.outcome != nil {
-		panic("app sealed twice")
-	}
-	if config == nil {
-		return nil, hlog.WrapErr(ErrConfig,
-			"attempted to seal app with nil config")
-	}
-
-	seal := new(outcome)
-	seal.id = a.id
-	err := seal.finalise(a.ctx, a.sys, config)
-	if err == nil {
-		a.outcome = seal
-	}
-	return seal, err
-}

cmd/hakurei/internal/app/internal/setuid/app_nixos_test.go

@@ -1,149 +0,0 @@
-package setuid_test
-
-import (
-	"hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/container"
-	"hakurei.app/container/seccomp"
-	"hakurei.app/hst"
-	"hakurei.app/system"
-	"hakurei.app/system/acl"
-	"hakurei.app/system/dbus"
-)
-
-var testCasesNixos = []sealTestCase{
-	{
-		"nixos chromium direct wayland", new(stubNixOS),
-		&hst.Config{
-			ID:          "org.chromium.Chromium",
-			Path:        "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
-			Enablements: system.EWayland | system.EDBus | system.EPulse,
-
-			Container: &hst.ContainerConfig{
-				Userns: true, Net: true, MapRealUID: true, Env: nil, AutoEtc: true,
-				Filesystem: []*hst.FilesystemConfig{
-					{Src: "/bin", Must: true}, {Src: "/usr/bin", Must: true},
-					{Src: "/nix/store", Must: true}, {Src: "/run/current-system", Must: true},
-					{Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"},
-					{Src: "/run/opengl-driver", Must: true}, {Src: "/dev/dri", Device: true},
-				},
-				Cover: []string{"/var/run/nscd"},
-			},
-			SystemBus: &dbus.Config{
-				Talk:   []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"},
-				Filter: true,
-			},
-			SessionBus: &dbus.Config{
-				Talk: []string{
-					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
-					"org.freedesktop.ScreenSaver", "org.freedesktop.secrets",
-					"org.kde.kwalletd5", "org.kde.kwalletd6",
-				},
-				Own: []string{
-					"org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.chromium.*",
-				},
-				Call: map[string]string{}, Broadcast: map[string]string{},
-				Filter: true,
-			},
-			DirectWayland: true,
-
-			Username: "u0_a1",
-			Data:     "/var/lib/persist/module/hakurei/0/1",
-			Identity: 1, Groups: []string{},
-		},
-		app.ID{
-			0x8e, 0x2c, 0x76, 0xb0,
-			0x66, 0xda, 0xbe, 0x57,
-			0x4c, 0xf0, 0x73, 0xbd,
-			0xb4, 0x6e, 0xb5, 0xc1,
-		},
-		system.New(1000001).
-			Ensure("/tmp/hakurei.1971", 0711).
-			Ensure("/tmp/hakurei.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime", acl.Execute).
-			Ensure("/tmp/hakurei.1971/runtime/1", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/1", acl.Read, acl.Write, acl.Execute).
-			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
-			Ensure("/tmp/hakurei.1971/tmpdir/1", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/1", acl.Read, acl.Write, acl.Execute).
-			Ensure("/run/user/1971/hakurei", 0700).UpdatePermType(system.User, "/run/user/1971/hakurei", acl.Execute).
-			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
-			UpdatePermType(system.EWayland, "/run/user/1971/wayland-0", acl.Read, acl.Write, acl.Execute).
-			Ephemeral(system.Process, "/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1", 0700).UpdatePermType(system.Process, "/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1", acl.Execute).
-			Link("/run/user/1971/pulse/native", "/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse").
-			CopyFile(nil, "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
-			Ephemeral(system.Process, "/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1", 0711).
-			MustProxyDBus("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", &dbus.Config{
-				Talk: []string{
-					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
-					"org.freedesktop.ScreenSaver", "org.freedesktop.secrets",
-					"org.kde.kwalletd5", "org.kde.kwalletd6",
-				},
-				Own: []string{
-					"org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.chromium.*",
-				},
-				Call: map[string]string{}, Broadcast: map[string]string{},
-				Filter: true,
-			}, "/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", &dbus.Config{
-				Talk: []string{
-					"org.bluez",
-					"org.freedesktop.Avahi",
-					"org.freedesktop.UPower",
-				},
-				Filter: true,
-			}).
-			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", acl.Read, acl.Write).
-			UpdatePerm("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", acl.Read, acl.Write),
-		&container.Params{
-			Uid:  1971,
-			Gid:  100,
-			Dir:  "/var/lib/persist/module/hakurei/0/1",
-			Path: "/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start",
-			Args: []string{"/nix/store/yqivzpzzn7z5x0lq9hmbzygh45d8rhqd-chromium-start"},
-			Env: []string{
-				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
-				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
-				"HOME=/var/lib/persist/module/hakurei/0/1",
-				"PULSE_COOKIE=" + hst.Tmp + "/pulse-cookie",
-				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
-				"SHELL=/run/current-system/sw/bin/zsh",
-				"TERM=xterm-256color",
-				"USER=u0_a1",
-				"WAYLAND_DISPLAY=wayland-0",
-				"XDG_RUNTIME_DIR=/run/user/1971",
-				"XDG_SESSION_CLASS=user",
-				"XDG_SESSION_TYPE=tty",
-			},
-			Ops: new(container.Ops).
-				Proc("/proc").
-				Tmpfs(hst.Tmp, 4096, 0755).
-				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", 0).
-				Bind("/usr/bin", "/usr/bin", 0).
-				Bind("/nix/store", "/nix/store", 0).
-				Bind("/run/current-system", "/run/current-system", 0).
-				Bind("/sys/block", "/sys/block", container.BindOptional).
-				Bind("/sys/bus", "/sys/bus", container.BindOptional).
-				Bind("/sys/class", "/sys/class", container.BindOptional).
-				Bind("/sys/dev", "/sys/dev", container.BindOptional).
-				Bind("/sys/devices", "/sys/devices", container.BindOptional).
-				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
-				Bind("/dev/dri", "/dev/dri", container.BindDevice|container.BindWritable|container.BindOptional).
-				Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
-				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/1", "/run/user/1971", container.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/1", "/tmp", container.BindWritable).
-				Bind("/var/lib/persist/module/hakurei/0/1", "/var/lib/persist/module/hakurei/0/1", container.BindWritable).
-				Place("/etc/passwd", []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("hakurei:x:100:\n")).
-				Bind("/run/user/1971/wayland-0", "/run/user/1971/wayland-0", 0).
-				Bind("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse", "/run/user/1971/pulse/native", 0).
-				Place(hst.Tmp+"/pulse-cookie", nil).
-				Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus", 0).
-				Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket", 0).
-				Tmpfs("/var/run/nscd", 8192, 0755),
-			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyTTY | seccomp.PresetDenyDevel,
-			HostNet:        true,
-		},
-	},
-}

cmd/hakurei/internal/app/internal/setuid/app_pd_test.go

@@ -1,225 +0,0 @@
-package setuid_test
-
-import (
-	"os"
-
-	"hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/container"
-	"hakurei.app/container/seccomp"
-	"hakurei.app/hst"
-	"hakurei.app/system"
-	"hakurei.app/system/acl"
-	"hakurei.app/system/dbus"
-)
-
-var testCasesPd = []sealTestCase{
-	{
-		"nixos permissive defaults no enablements", new(stubNixOS),
-		&hst.Config{Username: "chronos", Data: "/home/chronos"},
-		app.ID{
-			0x4a, 0x45, 0x0b, 0x65,
-			0x96, 0xd7, 0xbc, 0x15,
-			0xbd, 0x01, 0x78, 0x0e,
-			0xb9, 0xa6, 0x07, 0xac,
-		},
-		system.New(1000000).
-			Ensure("/tmp/hakurei.1971", 0711).
-			Ensure("/tmp/hakurei.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime", acl.Execute).
-			Ensure("/tmp/hakurei.1971/runtime/0", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/0", acl.Read, acl.Write, acl.Execute).
-			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
-			Ensure("/tmp/hakurei.1971/tmpdir/0", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/0", acl.Read, acl.Write, acl.Execute),
-		&container.Params{
-			Dir:  "/home/chronos",
-			Path: "/run/current-system/sw/bin/zsh",
-			Args: []string{"/run/current-system/sw/bin/zsh"},
-			Env: []string{
-				"HOME=/home/chronos",
-				"SHELL=/run/current-system/sw/bin/zsh",
-				"TERM=xterm-256color",
-				"USER=chronos",
-				"XDG_RUNTIME_DIR=/run/user/65534",
-				"XDG_SESSION_CLASS=user",
-				"XDG_SESSION_TYPE=tty",
-			},
-			Ops: new(container.Ops).
-				Proc("/proc").
-				Tmpfs(hst.Tmp, 4096, 0755).
-				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", container.BindWritable).
-				Bind("/boot", "/boot", container.BindWritable).
-				Bind("/home", "/home", container.BindWritable).
-				Bind("/lib", "/lib", container.BindWritable).
-				Bind("/lib64", "/lib64", container.BindWritable).
-				Bind("/nix", "/nix", container.BindWritable).
-				Bind("/root", "/root", container.BindWritable).
-				Bind("/run", "/run", container.BindWritable).
-				Bind("/srv", "/srv", container.BindWritable).
-				Bind("/sys", "/sys", container.BindWritable).
-				Bind("/usr", "/usr", container.BindWritable).
-				Bind("/var", "/var", container.BindWritable).
-				Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
-				Tmpfs("/run/user/1971", 8192, 0755).
-				Tmpfs("/run/dbus", 8192, 0755).
-				Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
-				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/0", "/run/user/65534", container.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", container.BindWritable).
-				Bind("/home/chronos", "/home/chronos", container.BindWritable).
-				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("hakurei:x:65534:\n")).
-				Tmpfs("/var/run/nscd", 8192, 0755),
-			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
-			HostNet:        true,
-			RetainSession:  true,
-		},
-	},
-	{
-		"nixos permissive defaults chromium", new(stubNixOS),
-		&hst.Config{
-			ID:       "org.chromium.Chromium",
-			Args:     []string{"zsh", "-c", "exec chromium "},
-			Identity: 9,
-			Groups:   []string{"video"},
-			Username: "chronos",
-			Data:     "/home/chronos",
-			SessionBus: &dbus.Config{
-				Talk: []string{
-					"org.freedesktop.Notifications",
-					"org.freedesktop.FileManager1",
-					"org.freedesktop.ScreenSaver",
-					"org.freedesktop.secrets",
-					"org.kde.kwalletd5",
-					"org.kde.kwalletd6",
-					"org.gnome.SessionManager",
-				},
-				Own: []string{
-					"org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.chromium.*",
-				},
-				Call: map[string]string{
-					"org.freedesktop.portal.*": "*",
-				},
-				Broadcast: map[string]string{
-					"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
-				},
-				Filter: true,
-			},
-			SystemBus: &dbus.Config{
-				Talk: []string{
-					"org.bluez",
-					"org.freedesktop.Avahi",
-					"org.freedesktop.UPower",
-				},
-				Filter: true,
-			},
-			Enablements: system.EWayland | system.EDBus | system.EPulse,
-		},
-		app.ID{
-			0xeb, 0xf0, 0x83, 0xd1,
-			0xb1, 0x75, 0x91, 0x17,
-			0x82, 0xd4, 0x13, 0x36,
-			0x9b, 0x64, 0xce, 0x7c,
-		},
-		system.New(1000009).
-			Ensure("/tmp/hakurei.1971", 0711).
-			Ensure("/tmp/hakurei.1971/runtime", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime", acl.Execute).
-			Ensure("/tmp/hakurei.1971/runtime/9", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/runtime/9", acl.Read, acl.Write, acl.Execute).
-			Ensure("/tmp/hakurei.1971/tmpdir", 0700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir", acl.Execute).
-			Ensure("/tmp/hakurei.1971/tmpdir/9", 01700).UpdatePermType(system.User, "/tmp/hakurei.1971/tmpdir/9", acl.Read, acl.Write, acl.Execute).
-			Ephemeral(system.Process, "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c", 0711).
-			Wayland(new(*os.File), "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/1971/wayland-0", "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
-			Ensure("/run/user/1971/hakurei", 0700).UpdatePermType(system.User, "/run/user/1971/hakurei", acl.Execute).
-			Ensure("/run/user/1971", 0700).UpdatePermType(system.User, "/run/user/1971", acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
-			Ephemeral(system.Process, "/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c", 0700).UpdatePermType(system.Process, "/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c", acl.Execute).
-			Link("/run/user/1971/pulse/native", "/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse").
-			CopyFile(new([]byte), "/home/ophestra/xdg/config/pulse/cookie", 256, 256).
-			MustProxyDBus("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", &dbus.Config{
-				Talk: []string{
-					"org.freedesktop.Notifications",
-					"org.freedesktop.FileManager1",
-					"org.freedesktop.ScreenSaver",
-					"org.freedesktop.secrets",
-					"org.kde.kwalletd5",
-					"org.kde.kwalletd6",
-					"org.gnome.SessionManager",
-				},
-				Own: []string{
-					"org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
-					"org.mpris.MediaPlayer2.chromium.*",
-				},
-				Call: map[string]string{
-					"org.freedesktop.portal.*": "*",
-				},
-				Broadcast: map[string]string{
-					"org.freedesktop.portal.*": "@/org/freedesktop/portal/*",
-				},
-				Filter: true,
-			}, "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", &dbus.Config{
-				Talk: []string{
-					"org.bluez",
-					"org.freedesktop.Avahi",
-					"org.freedesktop.UPower",
-				},
-				Filter: true,
-			}).
-			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", acl.Read, acl.Write).
-			UpdatePerm("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", acl.Read, acl.Write),
-		&container.Params{
-			Dir:  "/home/chronos",
-			Path: "/run/current-system/sw/bin/zsh",
-			Args: []string{"zsh", "-c", "exec chromium "},
-			Env: []string{
-				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
-				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket",
-				"HOME=/home/chronos",
-				"PULSE_COOKIE=" + hst.Tmp + "/pulse-cookie",
-				"PULSE_SERVER=unix:/run/user/65534/pulse/native",
-				"SHELL=/run/current-system/sw/bin/zsh",
-				"TERM=xterm-256color",
-				"USER=chronos",
-				"WAYLAND_DISPLAY=wayland-0",
-				"XDG_RUNTIME_DIR=/run/user/65534",
-				"XDG_SESSION_CLASS=user",
-				"XDG_SESSION_TYPE=tty",
-			},
-			Ops: new(container.Ops).
-				Proc("/proc").
-				Tmpfs(hst.Tmp, 4096, 0755).
-				Dev("/dev").Mqueue("/dev/mqueue").
-				Bind("/bin", "/bin", container.BindWritable).
-				Bind("/boot", "/boot", container.BindWritable).
-				Bind("/home", "/home", container.BindWritable).
-				Bind("/lib", "/lib", container.BindWritable).
-				Bind("/lib64", "/lib64", container.BindWritable).
-				Bind("/nix", "/nix", container.BindWritable).
-				Bind("/root", "/root", container.BindWritable).
-				Bind("/run", "/run", container.BindWritable).
-				Bind("/srv", "/srv", container.BindWritable).
-				Bind("/sys", "/sys", container.BindWritable).
-				Bind("/usr", "/usr", container.BindWritable).
-				Bind("/var", "/var", container.BindWritable).
-				Bind("/dev/dri", "/dev/dri", container.BindWritable|container.BindDevice|container.BindOptional).
-				Bind("/dev/kvm", "/dev/kvm", container.BindWritable|container.BindDevice|container.BindOptional).
-				Tmpfs("/run/user/1971", 8192, 0755).
-				Tmpfs("/run/dbus", 8192, 0755).
-				Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
-				Tmpfs("/run/user", 4096, 0755).
-				Bind("/tmp/hakurei.1971/runtime/9", "/run/user/65534", container.BindWritable).
-				Bind("/tmp/hakurei.1971/tmpdir/9", "/tmp", container.BindWritable).
-				Bind("/home/chronos", "/home/chronos", container.BindWritable).
-				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("hakurei:x:65534:\n")).
-				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", "/run/user/65534/wayland-0", 0).
-				Bind("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native", 0).
-				Place(hst.Tmp+"/pulse-cookie", nil).
-				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0).
-				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0).
-				Tmpfs("/var/run/nscd", 8192, 0755),
-			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
-			HostNet:        true,
-			RetainSession:  true,
-		},
-	},
-}

cmd/hakurei/internal/app/internal/setuid/app_stub_test.go

@@ -1,134 +0,0 @@
-package setuid_test
-
-import (
-	"fmt"
-	"io/fs"
-	"log"
-	"os/user"
-	"strconv"
-
-	"hakurei.app/hst"
-)
-
-// fs methods are not implemented using a real FS
-// to help better understand filesystem access behaviour
-type stubNixOS struct {
-	lookPathErr map[string]error
-	usernameErr map[string]error
-}
-
-func (s *stubNixOS) Getuid() int                              { return 1971 }
-func (s *stubNixOS) Getgid() int                              { return 100 }
-func (s *stubNixOS) TempDir() string                          { return "/tmp" }
-func (s *stubNixOS) MustExecutable() string                   { return "/run/wrappers/bin/hakurei" }
-func (s *stubNixOS) Exit(code int)                            { panic("called exit on stub with code " + strconv.Itoa(code)) }
-func (s *stubNixOS) EvalSymlinks(path string) (string, error) { return path, nil }
-func (s *stubNixOS) Uid(aid int) (int, error)                 { return 1000000 + 0*10000 + aid, nil }
-
-func (s *stubNixOS) Println(v ...any)               { log.Println(v...) }
-func (s *stubNixOS) Printf(format string, v ...any) { log.Printf(format, v...) }
-
-func (s *stubNixOS) LookupEnv(key string) (string, bool) {
-	switch key {
-	case "SHELL":
-		return "/run/current-system/sw/bin/zsh", true
-	case "TERM":
-		return "xterm-256color", true
-	case "WAYLAND_DISPLAY":
-		return "wayland-0", true
-	case "PULSE_COOKIE":
-		return "", false
-	case "HOME":
-		return "/home/ophestra", true
-	case "XDG_CONFIG_HOME":
-		return "/home/ophestra/xdg/config", true
-	default:
-		panic(fmt.Sprintf("attempted to access unexpected environment variable %q", key))
-	}
-}
-
-func (s *stubNixOS) LookPath(file string) (string, error) {
-	if s.lookPathErr != nil {
-		if err, ok := s.lookPathErr[file]; ok {
-			return "", err
-		}
-	}
-
-	switch file {
-	case "zsh":
-		return "/run/current-system/sw/bin/zsh", nil
-	default:
-		panic(fmt.Sprintf("attempted to look up unexpected executable %q", file))
-	}
-}
-
-func (s *stubNixOS) LookupGroup(name string) (*user.Group, error) {
-	switch name {
-	case "video":
-		return &user.Group{Gid: "26", Name: "video"}, nil
-	default:
-		return nil, user.UnknownGroupError(name)
-	}
-}
-
-func (s *stubNixOS) ReadDir(name string) ([]fs.DirEntry, error) {
-	switch name {
-	case "/":
-		return stubDirEntries("bin", "boot", "dev", "etc", "home", "lib",
-			"lib64", "nix", "proc", "root", "run", "srv", "sys", "tmp", "usr", "var")
-	case "/run":
-		return stubDirEntries("agetty.reload", "binfmt", "booted-system",
-			"credentials", "cryptsetup", "current-system", "dbus", "host", "keys",
-			"libvirt", "libvirtd.pid", "lock", "log", "lvm", "mount", "NetworkManager",
-			"nginx", "nixos", "nscd", "opengl-driver", "pppd", "resolvconf", "sddm",
-			"store", "syncoid", "system", "systemd", "tmpfiles.d", "udev", "udisks2",
-			"user", "utmp", "virtlogd.pid", "wrappers", "zed.pid", "zed.state")
-	case "/etc":
-		return stubDirEntries("alsa", "bashrc", "binfmt.d", "dbus-1", "default",
-			"ethertypes", "fonts", "fstab", "fuse.conf", "group", "host.conf", "hostid",
-			"hostname", "hostname.CHECKSUM", "hosts", "inputrc", "ipsec.d", "issue", "kbd",
-			"libblockdev", "locale.conf", "localtime", "login.defs", "lsb-release", "lvm",
-			"machine-id", "man_db.conf", "modprobe.d", "modules-load.d", "mtab", "nanorc",
-			"netgroup", "NetworkManager", "nix", "nixos", "NIXOS", "nscd.conf", "nsswitch.conf",
-			"opensnitchd", "os-release", "pam", "pam.d", "passwd", "pipewire", "pki", "polkit-1",
-			"profile", "protocols", "qemu", "resolv.conf", "resolvconf.conf", "rpc", "samba",
-			"sddm.conf", "secureboot", "services", "set-environment", "shadow", "shells", "ssh",
-			"ssl", "static", "subgid", "subuid", "sudoers", "sysctl.d", "systemd", "terminfo",
-			"tmpfiles.d", "udev", "udisks2", "UPower", "vconsole.conf", "X11", "zfs", "zinputrc",
-			"zoneinfo", "zprofile", "zshenv", "zshrc")
-	default:
-		panic(fmt.Sprintf("attempted to read unexpected directory %q", name))
-	}
-}
-
-func (s *stubNixOS) Stat(name string) (fs.FileInfo, error) {
-	switch name {
-	case "/var/run/nscd":
-		return nil, nil
-	case "/run/user/1971/pulse":
-		return nil, nil
-	case "/run/user/1971/pulse/native":
-		return stubFileInfoMode(0666), nil
-	case "/home/ophestra/.pulse-cookie":
-		return stubFileInfoIsDir(true), nil
-	case "/home/ophestra/xdg/config/pulse/cookie":
-		return stubFileInfoIsDir(false), nil
-	default:
-		panic(fmt.Sprintf("attempted to stat unexpected path %q", name))
-	}
-}
-
-func (s *stubNixOS) Open(name string) (fs.File, error) {
-	switch name {
-	default:
-		panic(fmt.Sprintf("attempted to open unexpected file %q", name))
-	}
-}
-
-func (s *stubNixOS) Paths() hst.Paths {
-	return hst.Paths{
-		SharePath:   "/tmp/hakurei.1971",
-		RuntimePath: "/run/user/1971",
-		RunDirPath:  "/run/user/1971/hakurei",
-	}
-}

cmd/hakurei/internal/app/internal/setuid/app_test.go

@@ -1,104 +0,0 @@
-package setuid_test
-
-import (
-	"encoding/json"
-	"io/fs"
-	"reflect"
-	"testing"
-	"time"
-
-	"hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/cmd/hakurei/internal/app/internal/setuid"
-	"hakurei.app/container"
-	"hakurei.app/hst"
-	"hakurei.app/internal/sys"
-	"hakurei.app/system"
-)
-
-type sealTestCase struct {
-	name          string
-	os            sys.State
-	config        *hst.Config
-	id            app.ID
-	wantSys       *system.I
-	wantContainer *container.Params
-}
-
-func TestApp(t *testing.T) {
-	testCases := append(testCasesPd, testCasesNixos...)
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			a := setuid.NewWithID(tc.id, tc.os)
-			var (
-				gotSys       *system.I
-				gotContainer *container.Params
-			)
-			if !t.Run("seal", func(t *testing.T) {
-				if sa, err := a.Seal(tc.config); err != nil {
-					t.Errorf("Seal: error = %v", err)
-					return
-				} else {
-					gotSys, gotContainer = setuid.AppIParams(a, sa)
-				}
-			}) {
-				return
-			}
-
-			t.Run("compare sys", func(t *testing.T) {
-				if !gotSys.Equal(tc.wantSys) {
-					t.Errorf("Seal: sys = %#v, want %#v",
-						gotSys, tc.wantSys)
-				}
-			})
-
-			t.Run("compare params", func(t *testing.T) {
-				if !reflect.DeepEqual(gotContainer, tc.wantContainer) {
-					t.Errorf("seal: params =\n%s\n, want\n%s",
-						mustMarshal(gotContainer), mustMarshal(tc.wantContainer))
-				}
-			})
-		})
-	}
-}
-
-func mustMarshal(v any) string {
-	if b, err := json.Marshal(v); err != nil {
-		panic(err.Error())
-	} else {
-		return string(b)
-	}
-}
-
-func stubDirEntries(names ...string) (e []fs.DirEntry, err error) {
-	e = make([]fs.DirEntry, len(names))
-	for i, name := range names {
-		e[i] = stubDirEntryPath(name)
-	}
-	return
-}
-
-type stubDirEntryPath string
-
-func (p stubDirEntryPath) Name() string               { return string(p) }
-func (p stubDirEntryPath) IsDir() bool                { panic("attempted to call IsDir") }
-func (p stubDirEntryPath) Type() fs.FileMode          { panic("attempted to call Type") }
-func (p stubDirEntryPath) Info() (fs.FileInfo, error) { panic("attempted to call Info") }
-
-type stubFileInfoMode fs.FileMode
-
-func (s stubFileInfoMode) Name() string       { panic("attempted to call Name") }
-func (s stubFileInfoMode) Size() int64        { panic("attempted to call Size") }
-func (s stubFileInfoMode) Mode() fs.FileMode  { return fs.FileMode(s) }
-func (s stubFileInfoMode) ModTime() time.Time { panic("attempted to call ModTime") }
-func (s stubFileInfoMode) IsDir() bool        { panic("attempted to call IsDir") }
-func (s stubFileInfoMode) Sys() any           { panic("attempted to call Sys") }
-
-type stubFileInfoIsDir bool
-
-func (s stubFileInfoIsDir) Name() string       { panic("attempted to call Name") }
-func (s stubFileInfoIsDir) Size() int64        { panic("attempted to call Size") }
-func (s stubFileInfoIsDir) Mode() fs.FileMode  { panic("attempted to call Mode") }
-func (s stubFileInfoIsDir) ModTime() time.Time { panic("attempted to call ModTime") }
-func (s stubFileInfoIsDir) IsDir() bool        { return bool(s) }
-func (s stubFileInfoIsDir) Sys() any           { panic("attempted to call Sys") }

cmd/hakurei/internal/app/internal/setuid/errors.go

@@ -1,182 +0,0 @@
-package setuid
-
-import (
-	"errors"
-	"log"
-
-	. "hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/internal/hlog"
-)
-
-func PrintRunStateErr(rs *RunState, runErr error) (code int) {
-	code = rs.ExitStatus()
-
-	if runErr != nil {
-		if rs.Time == nil {
-			hlog.PrintBaseError(runErr, "cannot start app:")
-		} else {
-			var e *hlog.BaseError
-			if !hlog.AsBaseError(runErr, &e) {
-				log.Println("wait failed:", runErr)
-			} else {
-				// Wait only returns either *app.ProcessError or *app.StateStoreError wrapped in a *app.BaseError
-				var se *StateStoreError
-				if !errors.As(runErr, &se) {
-					// does not need special handling
-					log.Print(e.Message())
-				} else {
-					// inner error are either unwrapped store errors
-					// or joined errors returned by *appSealTx revert
-					// wrapped in *app.BaseError
-					var ej RevertCompoundError
-					if !errors.As(se.InnerErr, &ej) {
-						// does not require special handling
-						log.Print(e.Message())
-					} else {
-						errs := ej.Unwrap()
-
-						// every error here is wrapped in *app.BaseError
-						for _, ei := range errs {
-							var eb *hlog.BaseError
-							if !errors.As(ei, &eb) {
-								// unreachable
-								log.Println("invalid error type returned by revert:", ei)
-							} else {
-								// print inner *app.BaseError message
-								log.Print(eb.Message())
-							}
-						}
-					}
-				}
-			}
-		}
-
-		if code == 0 {
-			code = 126
-		}
-	}
-
-	if rs.RevertErr != nil {
-		var stateStoreError *StateStoreError
-		if !errors.As(rs.RevertErr, &stateStoreError) || stateStoreError == nil {
-			hlog.PrintBaseError(rs.RevertErr, "generic fault during cleanup:")
-			goto out
-		}
-
-		if stateStoreError.Err != nil {
-			if len(stateStoreError.Err) == 2 {
-				if stateStoreError.Err[0] != nil {
-					if joinedErrs, ok := stateStoreError.Err[0].(interface{ Unwrap() []error }); !ok {
-						hlog.PrintBaseError(stateStoreError.Err[0], "generic fault during revert:")
-					} else {
-						for _, err := range joinedErrs.Unwrap() {
-							if err != nil {
-								hlog.PrintBaseError(err, "fault during revert:")
-							}
-						}
-					}
-				}
-				if stateStoreError.Err[1] != nil {
-					log.Printf("cannot close store: %v", stateStoreError.Err[1])
-				}
-			} else {
-				log.Printf("fault during cleanup: %v",
-					errors.Join(stateStoreError.Err...))
-			}
-		}
-
-		if stateStoreError.OpErr != nil {
-			log.Printf("blind revert due to store fault: %v",
-				stateStoreError.OpErr)
-		}
-
-		if stateStoreError.DoErr != nil {
-			hlog.PrintBaseError(stateStoreError.DoErr, "state store operation unsuccessful:")
-		}
-
-		if stateStoreError.Inner && stateStoreError.InnerErr != nil {
-			hlog.PrintBaseError(stateStoreError.InnerErr, "cannot destroy state entry:")
-		}
-
-	out:
-		if code == 0 {
-			code = 128
-		}
-	}
-	if rs.WaitErr != nil {
-		hlog.Verbosef("wait: %v", rs.WaitErr)
-	}
-	return
-}
-
-// StateStoreError is returned for a failed state save
-type StateStoreError struct {
-	// whether inner function was called
-	Inner bool
-	// returned by the Save/Destroy method of [state.Cursor]
-	InnerErr error
-	// returned by the Do method of [state.Store]
-	DoErr error
-	// stores an arbitrary store operation error
-	OpErr error
-	// stores arbitrary errors
-	Err []error
-}
-
-// save saves arbitrary errors in [StateStoreError] once.
-func (e *StateStoreError) save(errs ...error) {
-	if len(errs) == 0 || e.Err != nil {
-		panic("invalid call to save")
-	}
-	e.Err = errs
-}
-
-func (e *StateStoreError) equiv(a ...any) error {
-	if e.Inner && e.InnerErr == nil && e.DoErr == nil && e.OpErr == nil && errors.Join(e.Err...) == nil {
-		return nil
-	} else {
-		return hlog.WrapErrSuffix(e, a...)
-	}
-}
-
-func (e *StateStoreError) Error() string {
-	if e.Inner && e.InnerErr != nil {
-		return e.InnerErr.Error()
-	}
-	if e.DoErr != nil {
-		return e.DoErr.Error()
-	}
-	if e.OpErr != nil {
-		return e.OpErr.Error()
-	}
-	if err := errors.Join(e.Err...); err != nil {
-		return err.Error()
-	}
-
-	// equiv nullifies e for values where this is reached
-	panic("unreachable")
-}
-
-func (e *StateStoreError) Unwrap() (errs []error) {
-	errs = make([]error, 0, 3)
-	if e.InnerErr != nil {
-		errs = append(errs, e.InnerErr)
-	}
-	if e.DoErr != nil {
-		errs = append(errs, e.DoErr)
-	}
-	if e.OpErr != nil {
-		errs = append(errs, e.OpErr)
-	}
-	if err := errors.Join(e.Err...); err != nil {
-		errs = append(errs, err)
-	}
-	return
-}
-
-// A RevertCompoundError encapsulates errors returned by
-// the Revert method of [system.I].
-type RevertCompoundError interface {
-	Error() string
-	Unwrap() []error
-}

cmd/hakurei/internal/app/internal/setuid/export_test.go

@@ -1,24 +0,0 @@
-package setuid
-
-import (
-	. "hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/container"
-	"hakurei.app/internal/sys"
-	"hakurei.app/system"
-)
-
-func NewWithID(id ID, os sys.State) App {
-	a := new(app)
-	a.id = newID(&id)
-	a.sys = os
-	return a
-}
-
-func AppIParams(a App, sa SealedApp) (*system.I, *container.Params) {
-	v := a.(*app)
-	seal := sa.(*outcome)
-	if v.outcome != seal || v.id != seal.id {
-		panic("broken app/outcome link")
-	}
-	return seal.sys, seal.container
-}

cmd/hakurei/internal/app/internal/setuid/process.go

@@ -1,195 +0,0 @@
-package setuid
-
-import (
-	"context"
-	"encoding/gob"
-	"errors"
-	"log"
-	"os"
-	"os/exec"
-	"strconv"
-	"strings"
-	"syscall"
-	"time"
-
-	. "hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/cmd/hakurei/internal/state"
-	"hakurei.app/container"
-	"hakurei.app/internal"
-	"hakurei.app/internal/hlog"
-	"hakurei.app/system"
-)
-
-const shimWaitTimeout = 5 * time.Second
-
-func (seal *outcome) Run(rs *RunState) error {
-	if !seal.f.CompareAndSwap(false, true) {
-		// run does much more than just starting a process; calling it twice, even if the first call fails, will result
-		// in inconsistent state that is impossible to clean up; return here to limit damage and hopefully give the
-		// other Run a chance to return
-		return errors.New("outcome: attempted to run twice")
-	}
-
-	if rs == nil {
-		panic("invalid state")
-	}
-
-	// read comp value early to allow for early failure
-	hsuPath := internal.MustHsuPath()
-
-	if err := seal.sys.Commit(seal.ctx); err != nil {
-		return err
-	}
-	store := state.NewMulti(seal.runDirPath)
-	deferredStoreFunc := func(c state.Cursor) error { return nil } // noop until state in store
-	defer func() {
-		var revertErr error
-		storeErr := new(StateStoreError)
-		storeErr.Inner, storeErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
-			revertErr = func() error {
-				storeErr.InnerErr = deferredStoreFunc(c)
-
-				var rt system.Enablement
-				ec := system.Process
-				if states, err := c.Load(); err != nil {
-					// revert per-process state here to limit damage
-					storeErr.OpErr = err
-					return seal.sys.Revert((*system.Criteria)(&ec))
-				} else {
-					if l := len(states); l == 0 {
-						ec |= system.User
-					} else {
-						hlog.Verbosef("found %d instances, cleaning up without user-scoped operations", l)
-					}
-
-					// accumulate enablements of remaining launchers
-					for i, s := range states {
-						if s.Config != nil {
-							rt |= s.Config.Enablements
-						} else {
-							log.Printf("state entry %d does not contain config", i)
-						}
-					}
-				}
-				ec |= rt ^ (system.EWayland | system.EX11 | system.EDBus | system.EPulse)
-				if hlog.Load() {
-					if ec > 0 {
-						hlog.Verbose("reverting operations scope", system.TypeString(ec))
-					}
-				}
-
-				return seal.sys.Revert((*system.Criteria)(&ec))
-			}()
-		})
-		storeErr.save(revertErr, store.Close())
-		rs.RevertErr = storeErr.equiv("error during cleanup:")
-	}()
-
-	ctx, cancel := context.WithCancel(seal.ctx)
-	defer cancel()
-	cmd := exec.CommandContext(ctx, hsuPath)
-	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	cmd.Dir = "/" // container init enters final working directory
-	// shim runs in the same session as monitor; see shim.go for behaviour
-	cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGCONT) }
-
-	var e *gob.Encoder
-	if fd, encoder, err := container.Setup(&cmd.ExtraFiles); err != nil {
-		return hlog.WrapErrSuffix(err,
-			"cannot create shim setup pipe:")
-	} else {
-		e = encoder
-		cmd.Env = []string{
-			// passed through to shim by hsu
-			shimEnv + "=" + strconv.Itoa(fd),
-			// interpreted by hsu
-			"HAKUREI_APP_ID=" + seal.user.aid.String(),
-		}
-	}
-
-	if len(seal.user.supp) > 0 {
-		hlog.Verbosef("attaching supplementary group ids %s", seal.user.supp)
-		// interpreted by hsu
-		cmd.Env = append(cmd.Env, "HAKUREI_GROUPS="+strings.Join(seal.user.supp, " "))
-	}
-
-	hlog.Verbosef("setuid helper at %s", hsuPath)
-	hlog.Suspend()
-	if err := cmd.Start(); err != nil {
-		return hlog.WrapErrSuffix(err,
-			"cannot start setuid wrapper:")
-	}
-	rs.SetStart()
-
-	// this prevents blocking forever on an early failure
-	waitErr, setupErr := make(chan error, 1), make(chan error, 1)
-	go func() { waitErr <- cmd.Wait(); cancel() }()
-	go func() { setupErr <- e.Encode(&shimParams{os.Getpid(), seal.container, seal.user.data, hlog.Load()}) }()
-
-	select {
-	case err := <-setupErr:
-		if err != nil {
-			hlog.Resume()
-			return hlog.WrapErrSuffix(err,
-				"cannot transmit shim config:")
-		}
-
-	case <-ctx.Done():
-		hlog.Resume()
-		return hlog.WrapErr(syscall.ECANCELED,
-			"shim setup canceled")
-	}
-
-	// returned after blocking on waitErr
-	var earlyStoreErr = new(StateStoreError)
-	{
-		// shim accepted setup payload, create process state
-		sd := state.State{
-			ID:   seal.id.unwrap(),
-			PID:  cmd.Process.Pid,
-			Time: *rs.Time,
-		}
-		earlyStoreErr.Inner, earlyStoreErr.DoErr = store.Do(seal.user.aid.unwrap(), func(c state.Cursor) {
-			earlyStoreErr.InnerErr = c.Save(&sd, seal.ct)
-		})
-	}
-
-	// state in store at this point, destroy defunct state entry on return
-	deferredStoreFunc = func(c state.Cursor) error { return c.Destroy(seal.id.unwrap()) }
-
-	waitTimeout := make(chan struct{})
-	go func() { <-seal.ctx.Done(); time.Sleep(shimWaitTimeout); close(waitTimeout) }()
-
-	select {
-	case rs.WaitErr = <-waitErr:
-		rs.WaitStatus = cmd.ProcessState.Sys().(syscall.WaitStatus)
-		if hlog.Load() {
-			switch {
-			case rs.Exited():
-				hlog.Verbosef("process %d exited with code %d", cmd.Process.Pid, rs.ExitStatus())
-			case rs.CoreDump():
-				hlog.Verbosef("process %d dumped core", cmd.Process.Pid)
-			case rs.Signaled():
-				hlog.Verbosef("process %d got %s", cmd.Process.Pid, rs.Signal())
-			default:
-				hlog.Verbosef("process %d exited with status %#x", cmd.Process.Pid, rs.WaitStatus)
-			}
-		}
-	case <-waitTimeout:
-		rs.WaitErr = syscall.ETIMEDOUT
-		hlog.Resume()
-		log.Printf("process %d did not terminate", cmd.Process.Pid)
-	}
-
-	hlog.Resume()
-	if seal.sync != nil {
-		if err := seal.sync.Close(); err != nil {
-			log.Printf("cannot close wayland security context: %v", err)
-		}
-	}
-	if seal.dbusMsg != nil {
-		seal.dbusMsg()
-	}
-
-	return earlyStoreErr.equiv("cannot save process state:")
-}

cmd/hakurei/internal/app/internal/setuid/seal.go

@@ -1,586 +0,0 @@
-package setuid
-
-import (
-	"bytes"
-	"context"
-	"encoding/gob"
-	"errors"
-	"fmt"
-	"io"
-	"io/fs"
-	"os"
-	"path"
-	"regexp"
-	"slices"
-	"strings"
-	"sync/atomic"
-	"syscall"
-
-	. "hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/cmd/hakurei/internal/app/instance/common"
-	"hakurei.app/container"
-	"hakurei.app/hst"
-	"hakurei.app/internal"
-	"hakurei.app/internal/hlog"
-	"hakurei.app/internal/sys"
-	"hakurei.app/system"
-	"hakurei.app/system/acl"
-	"hakurei.app/system/dbus"
-	"hakurei.app/system/wayland"
-)
-
-const (
-	home  = "HOME"
-	shell = "SHELL"
-
-	xdgConfigHome   = "XDG_CONFIG_HOME"
-	xdgRuntimeDir   = "XDG_RUNTIME_DIR"
-	xdgSessionClass = "XDG_SESSION_CLASS"
-	xdgSessionType  = "XDG_SESSION_TYPE"
-
-	term    = "TERM"
-	display = "DISPLAY"
-
-	pulseServer = "PULSE_SERVER"
-	pulseCookie = "PULSE_COOKIE"
-
-	dbusSessionBusAddress = "DBUS_SESSION_BUS_ADDRESS"
-	dbusSystemBusAddress  = "DBUS_SYSTEM_BUS_ADDRESS"
-)
-
-var (
-	ErrConfig = errors.New("no configuration to seal")
-	ErrUser   = errors.New("invalid aid")
-	ErrHome   = errors.New("invalid home directory")
-	ErrName   = errors.New("invalid username")
-
-	ErrXDisplay = errors.New(display + " unset")
-
-	ErrPulseCookie = errors.New("pulse cookie not present")
-	ErrPulseSocket = errors.New("pulse socket not present")
-	ErrPulseMode   = errors.New("unexpected pulse socket mode")
-)
-
-var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z0-9_-]{0,30}\\$)$")
-
-// outcome stores copies of various parts of [hst.Config]
-type outcome struct {
-	// copied from initialising [app]
-	id *stringPair[ID]
-	// copied from [sys.State] response
-	runDirPath string
-
-	// initial [hst.Config] gob stream for state data;
-	// this is prepared ahead of time as config is clobbered during seal creation
-	ct io.WriterTo
-	// dump dbus proxy message buffer
-	dbusMsg func()
-
-	user hsuUser
-	sys  *system.I
-	ctx  context.Context
-
-	container *container.Params
-	env       map[string]string
-	sync      *os.File
-
-	f atomic.Bool
-}
-
-// shareHost holds optional share directory state that must not be accessed directly
-type shareHost struct {
-	// whether XDG_RUNTIME_DIR is used post hsu
-	useRuntimeDir bool
-	// process-specific directory in tmpdir, empty if unused
-	sharePath string
-	// process-specific directory in XDG_RUNTIME_DIR, empty if unused
-	runtimeSharePath string
-
-	seal *outcome
-	sc   hst.Paths
-}
-
-// ensureRuntimeDir must be called if direct access to paths within XDG_RUNTIME_DIR is required
-func (share *shareHost) ensureRuntimeDir() {
-	if share.useRuntimeDir {
-		return
-	}
-	share.useRuntimeDir = true
-	share.seal.sys.Ensure(share.sc.RunDirPath, 0700)
-	share.seal.sys.UpdatePermType(system.User, share.sc.RunDirPath, acl.Execute)
-	share.seal.sys.Ensure(share.sc.RuntimePath, 0700) // ensure this dir in case XDG_RUNTIME_DIR is unset
-	share.seal.sys.UpdatePermType(system.User, share.sc.RuntimePath, acl.Execute)
-}
-
-// instance returns a process-specific share path within tmpdir
-func (share *shareHost) instance() string {
-	if share.sharePath != "" {
-		return share.sharePath
-	}
-	share.sharePath = path.Join(share.sc.SharePath, share.seal.id.String())
-	share.seal.sys.Ephemeral(system.Process, share.sharePath, 0711)
-	return share.sharePath
-}
-
-// runtime returns a process-specific share path within XDG_RUNTIME_DIR
-func (share *shareHost) runtime() string {
-	if share.runtimeSharePath != "" {
-		return share.runtimeSharePath
-	}
-	share.ensureRuntimeDir()
-	share.runtimeSharePath = path.Join(share.sc.RunDirPath, share.seal.id.String())
-	share.seal.sys.Ephemeral(system.Process, share.runtimeSharePath, 0700)
-	share.seal.sys.UpdatePerm(share.runtimeSharePath, acl.Execute)
-	return share.runtimeSharePath
-}
-
-// hsuUser stores post-hsu credentials and metadata
-type hsuUser struct {
-	// application id
-	aid *stringPair[int]
-	// target uid resolved by fid:aid
-	uid *stringPair[int]
-
-	// supplementary group ids
-	supp []string
-
-	// home directory host path
-	data string
-	// app user home directory
-	home string
-	// passwd database username
-	username string
-}
-
-func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Config) error {
-	if seal.ctx != nil {
-		panic("finalise called twice")
-	}
-	seal.ctx = ctx
-
-	{
-		// encode initial configuration for state tracking
-		ct := new(bytes.Buffer)
-		if err := gob.NewEncoder(ct).Encode(config); err != nil {
-			return hlog.WrapErrSuffix(err,
-				"cannot encode initial config:")
-		}
-		seal.ct = ct
-	}
-
-	// allowed aid range 0 to 9999, this is checked again in hsu
-	if config.Identity < 0 || config.Identity > 9999 {
-		return hlog.WrapErr(ErrUser,
-			fmt.Sprintf("identity %d out of range", config.Identity))
-	}
-
-	seal.user = hsuUser{
-		aid:      newInt(config.Identity),
-		data:     config.Data,
-		home:     config.Dir,
-		username: config.Username,
-	}
-	if seal.user.username == "" {
-		seal.user.username = "chronos"
-	} else if !posixUsername.MatchString(seal.user.username) ||
-		len(seal.user.username) >= internal.Sysconf(internal.SC_LOGIN_NAME_MAX) {
-		return hlog.WrapErr(ErrName,
-			fmt.Sprintf("invalid user name %q", seal.user.username))
-	}
-	if seal.user.data == "" || !path.IsAbs(seal.user.data) {
-		return hlog.WrapErr(ErrHome,
-			fmt.Sprintf("invalid home directory %q", seal.user.data))
-	}
-	if seal.user.home == "" {
-		seal.user.home = seal.user.data
-	}
-	if u, err := sys.Uid(seal.user.aid.unwrap()); err != nil {
-		return err
-	} else {
-		seal.user.uid = newInt(u)
-	}
-	seal.user.supp = make([]string, len(config.Groups))
-	for i, name := range config.Groups {
-		if g, err := sys.LookupGroup(name); err != nil {
-			return hlog.WrapErr(err,
-				fmt.Sprintf("unknown group %q", name))
-		} else {
-			seal.user.supp[i] = g.Gid
-		}
-	}
-
-	// this also falls back to host path if encountering an invalid path
-	if !path.IsAbs(config.Shell) {
-		config.Shell = "/bin/sh"
-		if s, ok := sys.LookupEnv(shell); ok && path.IsAbs(s) {
-			config.Shell = s
-		}
-	}
-	// do not use the value of shell before this point
-
-	// permissive defaults
-	if config.Container == nil {
-		hlog.Verbose("container configuration not supplied, PROCEED WITH CAUTION")
-
-		// hsu clears the environment so resolve paths early
-		if !path.IsAbs(config.Path) {
-			if len(config.Args) > 0 {
-				if p, err := sys.LookPath(config.Args[0]); err != nil {
-					return hlog.WrapErr(err, err.Error())
-				} else {
-					config.Path = p
-				}
-			} else {
-				config.Path = config.Shell
-			}
-		}
-
-		conf := &hst.ContainerConfig{
-			Userns:  true,
-			Net:     true,
-			Tty:     true,
-			AutoEtc: true,
-		}
-		// bind entries in /
-		if d, err := sys.ReadDir("/"); err != nil {
-			return err
-		} else {
-			b := make([]*hst.FilesystemConfig, 0, len(d))
-			for _, ent := range d {
-				p := "/" + ent.Name()
-				switch p {
-				case "/proc":
-				case "/dev":
-				case "/tmp":
-				case "/mnt":
-				case "/etc":
-
-				default:
-					b = append(b, &hst.FilesystemConfig{Src: p, Write: true, Must: true})
-				}
-			}
-			conf.Filesystem = append(conf.Filesystem, b...)
-		}
-
-		// hide nscd from sandbox if present
-		nscd := "/var/run/nscd"
-		if _, err := sys.Stat(nscd); !errors.Is(err, fs.ErrNotExist) {
-			conf.Cover = append(conf.Cover, nscd)
-		}
-		// bind GPU stuff
-		if config.Enablements&(system.EX11|system.EWayland) != 0 {
-			conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Src: "/dev/dri", Device: true})
-		}
-		// opportunistically bind kvm
-		conf.Filesystem = append(conf.Filesystem, &hst.FilesystemConfig{Src: "/dev/kvm", Device: true})
-
-		config.Container = conf
-	}
-
-	var mapuid, mapgid *stringPair[int]
-	{
-		var uid, gid int
-		var err error
-		seal.container, seal.env, err = common.NewContainer(config.Container, sys, &uid, &gid)
-		if err != nil {
-			return hlog.WrapErrSuffix(err,
-				"cannot initialise container configuration:")
-		}
-		if !path.IsAbs(config.Path) {
-			return hlog.WrapErr(syscall.EINVAL,
-				"invalid program path")
-		}
-		if len(config.Args) == 0 {
-			config.Args = []string{config.Path}
-		}
-		seal.container.Path = config.Path
-		seal.container.Args = config.Args
-
-		mapuid = newInt(uid)
-		mapgid = newInt(gid)
-		if seal.env == nil {
-			seal.env = make(map[string]string, 1<<6)
-		}
-	}
-
-	if !config.Container.AutoEtc {
-		if config.Container.Etc != "" {
-			seal.container.Bind(config.Container.Etc, "/etc", 0)
-		}
-	} else {
-		etcPath := config.Container.Etc
-		if etcPath == "" {
-			etcPath = "/etc"
-		}
-		seal.container.Etc(etcPath, seal.id.String())
-	}
-
-	// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as mapped uid
-	innerRuntimeDir := path.Join("/run/user", mapuid.String())
-	seal.env[xdgRuntimeDir] = innerRuntimeDir
-	seal.env[xdgSessionClass] = "user"
-	seal.env[xdgSessionType] = "tty"
-
-	share := &shareHost{seal: seal, sc: sys.Paths()}
-	seal.runDirPath = share.sc.RunDirPath
-	seal.sys = system.New(seal.user.uid.unwrap())
-	seal.sys.Ensure(share.sc.SharePath, 0711)
-
-	{
-		runtimeDir := path.Join(share.sc.SharePath, "runtime")
-		seal.sys.Ensure(runtimeDir, 0700)
-		seal.sys.UpdatePermType(system.User, runtimeDir, acl.Execute)
-		runtimeDirInst := path.Join(runtimeDir, seal.user.aid.String())
-		seal.sys.Ensure(runtimeDirInst, 0700)
-		seal.sys.UpdatePermType(system.User, runtimeDirInst, acl.Read, acl.Write, acl.Execute)
-		seal.container.Tmpfs("/run/user", 1<<12, 0755)
-		seal.container.Bind(runtimeDirInst, innerRuntimeDir, container.BindWritable)
-	}
-
-	{
-		tmpdir := path.Join(share.sc.SharePath, "tmpdir")
-		seal.sys.Ensure(tmpdir, 0700)
-		seal.sys.UpdatePermType(system.User, tmpdir, acl.Execute)
-		tmpdirInst := path.Join(tmpdir, seal.user.aid.String())
-		seal.sys.Ensure(tmpdirInst, 01700)
-		seal.sys.UpdatePermType(system.User, tmpdirInst, acl.Read, acl.Write, acl.Execute)
-		// mount inner /tmp from share so it shares persistence and storage behaviour of host /tmp
-		seal.container.Bind(tmpdirInst, "/tmp", container.BindWritable)
-	}
-
-	{
-		homeDir := "/var/empty"
-		if seal.user.home != "" {
-			homeDir = seal.user.home
-		}
-		username := "chronos"
-		if seal.user.username != "" {
-			username = seal.user.username
-		}
-		seal.container.Bind(seal.user.data, homeDir, container.BindWritable)
-		seal.container.Dir = homeDir
-		seal.env["HOME"] = homeDir
-		seal.env["USER"] = username
-		seal.env[shell] = config.Shell
-
-		seal.container.Place("/etc/passwd",
-			[]byte(username+":x:"+mapuid.String()+":"+mapgid.String()+":Hakurei:"+homeDir+":"+config.Shell+"\n"))
-		seal.container.Place("/etc/group",
-			[]byte("hakurei:x:"+mapgid.String()+":\n"))
-	}
-
-	// pass TERM for proper terminal I/O in initial process
-	if t, ok := sys.LookupEnv(term); ok {
-		seal.env[term] = t
-	}
-
-	if config.Enablements&system.EWayland != 0 {
-		// outer wayland socket (usually `/run/user/%d/wayland-%d`)
-		var socketPath string
-		if name, ok := sys.LookupEnv(wayland.WaylandDisplay); !ok {
-			hlog.Verbose(wayland.WaylandDisplay + " is not set, assuming " + wayland.FallbackName)
-			socketPath = path.Join(share.sc.RuntimePath, wayland.FallbackName)
-		} else if !path.IsAbs(name) {
-			socketPath = path.Join(share.sc.RuntimePath, name)
-		} else {
-			socketPath = name
-		}
-
-		innerPath := path.Join(innerRuntimeDir, wayland.FallbackName)
-		seal.env[wayland.WaylandDisplay] = wayland.FallbackName
-
-		if !config.DirectWayland { // set up security-context-v1
-			appID := config.ID
-			if appID == "" {
-				// use instance ID in case app id is not set
-				appID = "app.hakurei." + seal.id.String()
-			}
-			// downstream socket paths
-			outerPath := path.Join(share.instance(), "wayland")
-			seal.sys.Wayland(&seal.sync, outerPath, socketPath, appID, seal.id.String())
-			seal.container.Bind(outerPath, innerPath, 0)
-		} else { // bind mount wayland socket (insecure)
-			hlog.Verbose("direct wayland access, PROCEED WITH CAUTION")
-			share.ensureRuntimeDir()
-			seal.container.Bind(socketPath, innerPath, 0)
-			seal.sys.UpdatePermType(system.EWayland, socketPath, acl.Read, acl.Write, acl.Execute)
-		}
-	}
-
-	if config.Enablements&system.EX11 != 0 {
-		if d, ok := sys.LookupEnv(display); !ok {
-			return hlog.WrapErr(ErrXDisplay,
-				"DISPLAY is not set")
-		} else {
-			seal.sys.ChangeHosts("#" + seal.user.uid.String())
-			seal.env[display] = d
-			seal.container.Bind("/tmp/.X11-unix", "/tmp/.X11-unix", 0)
-		}
-	}
-
-	if config.Enablements&system.EPulse != 0 {
-		// PulseAudio runtime directory (usually `/run/user/%d/pulse`)
-		pulseRuntimeDir := path.Join(share.sc.RuntimePath, "pulse")
-		// PulseAudio socket (usually `/run/user/%d/pulse/native`)
-		pulseSocket := path.Join(pulseRuntimeDir, "native")
-
-		if _, err := sys.Stat(pulseRuntimeDir); err != nil {
-			if !errors.Is(err, fs.ErrNotExist) {
-				return hlog.WrapErrSuffix(err,
-					fmt.Sprintf("cannot access PulseAudio directory %q:", pulseRuntimeDir))
-			}
-			return hlog.WrapErr(ErrPulseSocket,
-				fmt.Sprintf("PulseAudio directory %q not found", pulseRuntimeDir))
-		}
-
-		if s, err := sys.Stat(pulseSocket); err != nil {
-			if !errors.Is(err, fs.ErrNotExist) {
-				return hlog.WrapErrSuffix(err,
-					fmt.Sprintf("cannot access PulseAudio socket %q:", pulseSocket))
-			}
-			return hlog.WrapErr(ErrPulseSocket,
-				fmt.Sprintf("PulseAudio directory %q found but socket does not exist", pulseRuntimeDir))
-		} else {
-			if m := s.Mode(); m&0o006 != 0o006 {
-				return hlog.WrapErr(ErrPulseMode,
-					fmt.Sprintf("unexpected permissions on %q:", pulseSocket), m)
-			}
-		}
-
-		// hard link pulse socket into target-executable share
-		innerPulseRuntimeDir := path.Join(share.runtime(), "pulse")
-		innerPulseSocket := path.Join(innerRuntimeDir, "pulse", "native")
-		seal.sys.Link(pulseSocket, innerPulseRuntimeDir)
-		seal.container.Bind(innerPulseRuntimeDir, innerPulseSocket, 0)
-		seal.env[pulseServer] = "unix:" + innerPulseSocket
-
-		// publish current user's pulse cookie for target user
-		if src, err := discoverPulseCookie(sys); err != nil {
-			// not fatal
-			hlog.Verbose(strings.TrimSpace(err.(*hlog.BaseError).Message()))
-		} else {
-			innerDst := hst.Tmp + "/pulse-cookie"
-			seal.env[pulseCookie] = innerDst
-			var payload *[]byte
-			seal.container.PlaceP(innerDst, &payload)
-			seal.sys.CopyFile(payload, src, 256, 256)
-		}
-	}
-
-	if config.Enablements&system.EDBus != 0 {
-		// ensure dbus session bus defaults
-		if config.SessionBus == nil {
-			config.SessionBus = dbus.NewConfig(config.ID, true, true)
-		}
-
-		// downstream socket paths
-		sharePath := share.instance()
-		sessionPath, systemPath := path.Join(sharePath, "bus"), path.Join(sharePath, "system_bus_socket")
-
-		// configure dbus proxy
-		if f, err := seal.sys.ProxyDBus(
-			config.SessionBus, config.SystemBus,
-			sessionPath, systemPath,
-		); err != nil {
-			return err
-		} else {
-			seal.dbusMsg = f
-		}
-
-		// share proxy sockets
-		sessionInner := path.Join(innerRuntimeDir, "bus")
-		seal.env[dbusSessionBusAddress] = "unix:path=" + sessionInner
-		seal.container.Bind(sessionPath, sessionInner, 0)
-		seal.sys.UpdatePerm(sessionPath, acl.Read, acl.Write)
-		if config.SystemBus != nil {
-			systemInner := "/run/dbus/system_bus_socket"
-			seal.env[dbusSystemBusAddress] = "unix:path=" + systemInner
-			seal.container.Bind(systemPath, systemInner, 0)
-			seal.sys.UpdatePerm(systemPath, acl.Read, acl.Write)
-		}
-	}
-
-	for _, dest := range config.Container.Cover {
-		seal.container.Tmpfs(dest, 1<<13, 0755)
-	}
-
-	// append ExtraPerms last
-	for _, p := range config.ExtraPerms {
-		if p == nil {
-			continue
-		}
-
-		if p.Ensure {
-			seal.sys.Ensure(p.Path, 0700)
-		}
-
-		perms := make(acl.Perms, 0, 3)
-		if p.Read {
-			perms = append(perms, acl.Read)
-		}
-		if p.Write {
-			perms = append(perms, acl.Write)
-		}
-		if p.Execute {
-			perms = append(perms, acl.Execute)
-		}
-		seal.sys.UpdatePermType(system.User, p.Path, perms...)
-	}
-
-	// flatten and sort env for deterministic behaviour
-	seal.container.Env = make([]string, 0, len(seal.env))
-	for k, v := range seal.env {
-		if strings.IndexByte(k, '=') != -1 {
-			return hlog.WrapErr(syscall.EINVAL,
-				fmt.Sprintf("invalid environment variable %s", k))
-		}
-		seal.container.Env = append(seal.container.Env, k+"="+v)
-	}
-	slices.Sort(seal.container.Env)
-
-	if hlog.Load() {
-		hlog.Verbosef("created application seal for uid %s (%s) groups: %v, argv: %s, ops: %d",
-			seal.user.uid, seal.user.username, config.Groups, seal.container.Args, len(*seal.container.Ops))
-	}
-
-	return nil
-}
-
-// discoverPulseCookie attempts various standard methods to discover the current user's PulseAudio authentication cookie
-func discoverPulseCookie(sys sys.State) (string, error) {
-	if p, ok := sys.LookupEnv(pulseCookie); ok {
-		return p, nil
-	}
-
-	// dotfile $HOME/.pulse-cookie
-	if p, ok := sys.LookupEnv(home); ok {
-		p = path.Join(p, ".pulse-cookie")
-		if s, err := sys.Stat(p); err != nil {
-			if !errors.Is(err, fs.ErrNotExist) {
-				return p, hlog.WrapErrSuffix(err,
-					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
-			}
-			// not found, try next method
-		} else if !s.IsDir() {
-			return p, nil
-		}
-	}
-
-	// $XDG_CONFIG_HOME/pulse/cookie
-	if p, ok := sys.LookupEnv(xdgConfigHome); ok {
-		p = path.Join(p, "pulse", "cookie")
-		if s, err := sys.Stat(p); err != nil {
-			if !errors.Is(err, fs.ErrNotExist) {
-				return p, hlog.WrapErrSuffix(err,
-					fmt.Sprintf("cannot access PulseAudio cookie %q:", p))
-			}
-			// not found, try next method
-		} else if !s.IsDir() {
-			return p, nil
-		}
-	}
-
-	return "", hlog.WrapErr(ErrPulseCookie,
-		fmt.Sprintf("cannot locate PulseAudio cookie (tried $%s, $%s/pulse/cookie, $%s/.pulse-cookie)",
-			pulseCookie, xdgConfigHome, home))
-}

cmd/hakurei/internal/app/internal/setuid/shim.go

@@ -1,184 +0,0 @@
-package setuid
-
-import (
-	"context"
-	"errors"
-	"log"
-	"os"
-	"os/exec"
-	"os/signal"
-	"syscall"
-	"time"
-
-	"hakurei.app/container"
-	"hakurei.app/container/seccomp"
-	"hakurei.app/internal"
-	"hakurei.app/internal/hlog"
-)
-
-/*
-#include <stdlib.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <errno.h>
-#include <signal.h>
-
-static pid_t hakurei_shim_param_ppid = -1;
-
-// this cannot unblock hlog since Go code is not async-signal-safe
-static void hakurei_shim_sigaction(int sig, siginfo_t *si, void *ucontext) {
-  if (sig != SIGCONT || si == NULL) {
-    // unreachable
-    fprintf(stderr, "sigaction: sa_sigaction got invalid siginfo\n");
-    return;
-  }
-
-  // monitor requests shim exit
-  if (si->si_pid == hakurei_shim_param_ppid)
-    exit(254);
-
-  fprintf(stderr, "sigaction: got SIGCONT from process %d\n", si->si_pid);
-
-  // shim orphaned before monitor delivers a signal
-  if (getppid() != hakurei_shim_param_ppid)
-    exit(3);
-}
-
-void hakurei_shim_setup_cont_signal(pid_t ppid) {
-  struct sigaction new_action = {0}, old_action = {0};
-  if (sigaction(SIGCONT, NULL, &old_action) != 0)
-    return;
-  if (old_action.sa_handler != SIG_DFL) {
-    errno = ENOTRECOVERABLE;
-    return;
-  }
-
-  new_action.sa_sigaction = hakurei_shim_sigaction;
-  if (sigemptyset(&new_action.sa_mask) != 0)
-    return;
-  new_action.sa_flags = SA_ONSTACK | SA_SIGINFO;
-
-  if (sigaction(SIGCONT, &new_action, NULL) != 0)
-    return;
-
-  errno = 0;
-  hakurei_shim_param_ppid = ppid;
-}
-*/
-import "C"
-
-const shimEnv = "HAKUREI_SHIM"
-
-type shimParams struct {
-	// monitor pid, checked against ppid in signal handler
-	Monitor int
-
-	// finalised container params
-	Container *container.Params
-	// path to outer home directory
-	Home string
-
-	// verbosity pass through
-	Verbose bool
-}
-
-// ShimMain is the main function of the shim process and runs as the unconstrained target user.
-func ShimMain() {
-	hlog.Prepare("shim")
-
-	if err := container.SetDumpable(container.SUID_DUMP_DISABLE); err != nil {
-		log.Fatalf("cannot set SUID_DUMP_DISABLE: %s", err)
-	}
-
-	var (
-		params     shimParams
-		closeSetup func() error
-	)
-	if f, err := container.Receive(shimEnv, &params, nil); err != nil {
-		if errors.Is(err, container.ErrInvalid) {
-			log.Fatal("invalid config descriptor")
-		}
-		if errors.Is(err, container.ErrNotSet) {
-			log.Fatal("HAKUREI_SHIM not set")
-		}
-
-		log.Fatalf("cannot receive shim setup params: %v", err)
-	} else {
-		internal.InstallOutput(params.Verbose)
-		closeSetup = f
-
-		// the Go runtime does not expose siginfo_t so SIGCONT is handled in C to check si_pid
-		if _, err = C.hakurei_shim_setup_cont_signal(C.pid_t(params.Monitor)); err != nil {
-			log.Fatalf("cannot install SIGCONT handler: %v", err)
-		}
-
-		// pdeath_signal delivery is checked as if the dying process called kill(2), see kernel/exit.c
-		if _, _, errno := syscall.Syscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, uintptr(syscall.SIGCONT), 0); errno != 0 {
-			log.Fatalf("cannot set parent-death signal: %v", errno)
-		}
-	}
-
-	if params.Container == nil || params.Container.Ops == nil {
-		log.Fatal("invalid container params")
-	}
-
-	// close setup socket
-	if err := closeSetup(); err != nil {
-		log.Printf("cannot close setup pipe: %v", err)
-		// not fatal
-	}
-
-	// ensure home directory as target user
-	if s, err := os.Stat(params.Home); err != nil {
-		if os.IsNotExist(err) {
-			if err = os.Mkdir(params.Home, 0700); err != nil {
-				log.Fatalf("cannot create home directory: %v", err)
-			}
-		} else {
-			log.Fatalf("cannot access home directory: %v", err)
-		}
-
-		// home directory is created, proceed
-	} else if !s.IsDir() {
-		log.Fatalf("path %q is not a directory", params.Home)
-	}
-
-	var name string
-	if len(params.Container.Args) > 0 {
-		name = params.Container.Args[0]
-	}
-	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
-	defer stop() // unreachable
-	z := container.New(ctx, name)
-	z.Params = *params.Container
-	z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
-	z.Cancel = func(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) }
-	z.WaitDelay = 2 * time.Second
-
-	if err := z.Start(); err != nil {
-		hlog.PrintBaseError(err, "cannot start container:")
-		os.Exit(1)
-	}
-	if err := z.Serve(); err != nil {
-		hlog.PrintBaseError(err, "cannot configure container:")
-	}
-
-	if err := seccomp.Load(
-		seccomp.Preset(seccomp.PresetStrict, seccomp.AllowMultiarch),
-		seccomp.AllowMultiarch,
-	); err != nil {
-		log.Fatalf("cannot load syscall filter: %v", err)
-	}
-
-	if err := z.Wait(); err != nil {
-		var exitError *exec.ExitError
-		if !errors.As(err, &exitError) {
-			if errors.Is(err, context.Canceled) {
-				os.Exit(2)
-			}
-			log.Printf("wait: %v", err)
-			os.Exit(127)
-		}
-		os.Exit(exitError.ExitCode())
-	}
-}

cmd/hakurei/internal/app/internal/setuid/strings.go

@@ -1,19 +0,0 @@
-package setuid
-
-import (
-	"strconv"
-
-	. "hakurei.app/cmd/hakurei/internal/app"
-)
-
-func newInt(v int) *stringPair[int] { return &stringPair[int]{v, strconv.Itoa(v)} }
-func newID(id *ID) *stringPair[ID]  { return &stringPair[ID]{*id, id.String()} }
-
-// stringPair stores a value and its string representation.
-type stringPair[T comparable] struct {
-	v T
-	s string
-}
-
-func (s *stringPair[T]) unwrap() T      { return s.v }
-func (s *stringPair[T]) String() string { return s.s }

cmd/hakurei/internal/state/join.go

@@ -1,60 +0,0 @@
-package state
-
-import (
-	"errors"
-	"maps"
-)
-
-var (
-	ErrDuplicate = errors.New("store contains duplicates")
-)
-
-/*
-Joiner is the interface that wraps the Join method.
-
-The Join function uses Joiner if available.
-*/
-type Joiner interface{ Join() (Entries, error) }
-
-// Join returns joined state entries of all active aids.
-func Join(s Store) (Entries, error) {
-	if j, ok := s.(Joiner); ok {
-		return j.Join()
-	}
-
-	var (
-		aids    []int
-		entries = make(Entries)
-
-		el      int
-		res     Entries
-		loadErr error
-	)
-
-	if ln, err := s.List(); err != nil {
-		return nil, err
-	} else {
-		aids = ln
-	}
-
-	for _, aid := range aids {
-		if _, err := s.Do(aid, func(c Cursor) {
-			res, loadErr = c.Load()
-		}); err != nil {
-			return nil, err
-		}
-
-		if loadErr != nil {
-			return nil, loadErr
-		}
-
-		// save expected length
-		el = len(entries) + len(res)
-		maps.Copy(entries, res)
-		if len(entries) != el {
-			return nil, ErrDuplicate
-		}
-	}
-
-	return entries, nil
-}

cmd/hakurei/internal/state/multi.go

@@ -1,373 +0,0 @@
-package state
-
-import (
-	"encoding/binary"
-	"encoding/gob"
-	"errors"
-	"fmt"
-	"io"
-	"io/fs"
-	"os"
-	"path"
-	"strconv"
-	"sync"
-	"syscall"
-
-	"hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/hst"
-	"hakurei.app/internal/hlog"
-)
-
-// fine-grained locking and access
-type multiStore struct {
-	base string
-
-	// initialised backends
-	backends *sync.Map
-
-	lock sync.RWMutex
-}
-
-func (s *multiStore) Do(aid int, f func(c Cursor)) (bool, error) {
-	s.lock.RLock()
-	defer s.lock.RUnlock()
-
-	// load or initialise new backend
-	b := new(multiBackend)
-	b.lock.Lock()
-	if v, ok := s.backends.LoadOrStore(aid, b); ok {
-		b = v.(*multiBackend)
-	} else {
-		b.path = path.Join(s.base, strconv.Itoa(aid))
-
-		// ensure directory
-		if err := os.MkdirAll(b.path, 0700); err != nil && !errors.Is(err, fs.ErrExist) {
-			s.backends.CompareAndDelete(aid, b)
-			return false, err
-		}
-
-		// open locker file
-		if l, err := os.OpenFile(b.path+".lock", os.O_RDWR|os.O_CREATE, 0600); err != nil {
-			s.backends.CompareAndDelete(aid, b)
-			return false, err
-		} else {
-			b.lockfile = l
-		}
-		b.lock.Unlock()
-	}
-
-	// lock backend
-	if err := b.lockFile(); err != nil {
-		return false, err
-	}
-
-	// expose backend methods without exporting the pointer
-	c := new(struct{ *multiBackend })
-	c.multiBackend = b
-	f(b)
-	// disable access to the backend on a best-effort basis
-	c.multiBackend = nil
-
-	// unlock backend
-	return true, b.unlockFile()
-}
-
-func (s *multiStore) List() ([]int, error) {
-	var entries []os.DirEntry
-
-	// read base directory to get all aids
-	if v, err := os.ReadDir(s.base); err != nil && !errors.Is(err, os.ErrNotExist) {
-		return nil, err
-	} else {
-		entries = v
-	}
-
-	aidsBuf := make([]int, 0, len(entries))
-	for _, e := range entries {
-		// skip non-directories
-		if !e.IsDir() {
-			hlog.Verbosef("skipped non-directory entry %q", e.Name())
-			continue
-		}
-
-		// skip non-numerical names
-		if v, err := strconv.Atoi(e.Name()); err != nil {
-			hlog.Verbosef("skipped non-aid entry %q", e.Name())
-			continue
-		} else {
-			if v < 0 || v > 9999 {
-				hlog.Verbosef("skipped out of bounds entry %q", e.Name())
-				continue
-			}
-
-			aidsBuf = append(aidsBuf, v)
-		}
-	}
-
-	return append([]int(nil), aidsBuf...), nil
-}
-
-func (s *multiStore) Close() error {
-	s.lock.Lock()
-	defer s.lock.Unlock()
-
-	var errs []error
-	s.backends.Range(func(_, value any) bool {
-		b := value.(*multiBackend)
-		errs = append(errs, b.close())
-		return true
-	})
-
-	return errors.Join(errs...)
-}
-
-type multiBackend struct {
-	path string
-
-	// created/opened by prepare
-	lockfile *os.File
-
-	lock sync.RWMutex
-}
-
-func (b *multiBackend) filename(id *app.ID) string {
-	return path.Join(b.path, id.String())
-}
-
-func (b *multiBackend) lockFileAct(lt int) (err error) {
-	op := "LockAct"
-	switch lt {
-	case syscall.LOCK_EX:
-		op = "Lock"
-	case syscall.LOCK_UN:
-		op = "Unlock"
-	}
-
-	for {
-		err = syscall.Flock(int(b.lockfile.Fd()), lt)
-		if !errors.Is(err, syscall.EINTR) {
-			break
-		}
-	}
-	if err != nil {
-		return &fs.PathError{
-			Op:   op,
-			Path: b.lockfile.Name(),
-			Err:  err,
-		}
-	}
-	return nil
-}
-
-func (b *multiBackend) lockFile() error {
-	return b.lockFileAct(syscall.LOCK_EX)
-}
-
-func (b *multiBackend) unlockFile() error {
-	return b.lockFileAct(syscall.LOCK_UN)
-}
-
-// reads all launchers in simpleBackend
-// file contents are ignored if decode is false
-func (b *multiBackend) load(decode bool) (Entries, error) {
-	b.lock.RLock()
-	defer b.lock.RUnlock()
-
-	// read directory contents, should only contain files named after ids
-	var entries []os.DirEntry
-	if pl, err := os.ReadDir(b.path); err != nil {
-		return nil, err
-	} else {
-		entries = pl
-	}
-
-	// allocate as if every entry is valid
-	// since that should be the case assuming no external interference happens
-	r := make(Entries, len(entries))
-
-	for _, e := range entries {
-		if e.IsDir() {
-			return nil, fmt.Errorf("unexpected directory %q in store", e.Name())
-		}
-
-		id := new(app.ID)
-		if err := app.ParseAppID(id, e.Name()); err != nil {
-			return nil, err
-		}
-
-		// run in a function to better handle file closing
-		if err := func() error {
-			// open state file for reading
-			if f, err := os.Open(path.Join(b.path, e.Name())); err != nil {
-				return err
-			} else {
-				defer func() {
-					if f.Close() != nil {
-						// unreachable
-						panic("foreign state file closed prematurely")
-					}
-				}()
-
-				s := new(State)
-				r[*id] = s
-
-				// append regardless, but only parse if required, implements Len
-				if decode {
-					if err = b.decodeState(f, s); err != nil {
-						return err
-					}
-					if s.ID != *id {
-						return fmt.Errorf("state entry %s has unexpected id %s", id, &s.ID)
-					}
-				}
-
-				return nil
-			}
-		}(); err != nil {
-			return nil, err
-		}
-	}
-
-	return r, nil
-}
-
-// state file consists of an eight byte header, followed by concatenated gobs
-// of [hst.Config] and [State], if [State.Config] is not nil or offset < 0,
-// the first gob is skipped
-func (b *multiBackend) decodeState(r io.ReadSeeker, state *State) error {
-	offset := make([]byte, 8)
-	if l, err := r.Read(offset); err != nil {
-		if errors.Is(err, io.EOF) {
-			return fmt.Errorf("state file too short: %d bytes", l)
-		}
-		return err
-	}
-
-	// decode volatile state first
-	var skipConfig bool
-	{
-		o := int64(binary.LittleEndian.Uint64(offset))
-		skipConfig = o < 0
-
-		if !skipConfig {
-			if l, err := r.Seek(o, io.SeekCurrent); err != nil {
-				return err
-			} else if l != 8+o {
-				return fmt.Errorf("invalid seek offset %d", l)
-			}
-		}
-	}
-	if err := gob.NewDecoder(r).Decode(state); err != nil {
-		return err
-	}
-
-	// decode sealed config
-	if state.Config == nil {
-		// config must be provided either as part of volatile state,
-		// or in the config segment
-		if skipConfig {
-			return ErrNoConfig
-		}
-
-		state.Config = new(hst.Config)
-		if _, err := r.Seek(8, io.SeekStart); err != nil {
-			return err
-		}
-		return gob.NewDecoder(r).Decode(state.Config)
-	} else {
-		return nil
-	}
-}
-
-// Save writes process state to filesystem
-func (b *multiBackend) Save(state *State, configWriter io.WriterTo) error {
-	b.lock.Lock()
-	defer b.lock.Unlock()
-
-	if configWriter == nil && state.Config == nil {
-		return ErrNoConfig
-	}
-
-	statePath := b.filename(&state.ID)
-
-	if f, err := os.OpenFile(statePath, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600); err != nil {
-		return err
-	} else {
-		defer func() {
-			if f.Close() != nil {
-				// unreachable
-				panic("state file closed prematurely")
-			}
-		}()
-		return b.encodeState(f, state, configWriter)
-	}
-}
-
-func (b *multiBackend) encodeState(w io.WriteSeeker, state *State, configWriter io.WriterTo) error {
-	offset := make([]byte, 8)
-
-	// skip header bytes
-	if _, err := w.Seek(8, io.SeekStart); err != nil {
-		return err
-	}
-
-	if configWriter != nil {
-		// write config gob and encode header
-		if l, err := configWriter.WriteTo(w); err != nil {
-			return err
-		} else {
-			binary.LittleEndian.PutUint64(offset, uint64(l))
-		}
-	} else {
-		// offset == -1 indicates absence of config gob
-		binary.LittleEndian.PutUint64(offset, 0xffffffffffffffff)
-	}
-
-	// encode volatile state
-	if err := gob.NewEncoder(w).Encode(state); err != nil {
-		return err
-	}
-
-	// write header
-	if _, err := w.Seek(0, io.SeekStart); err != nil {
-		return err
-	}
-	_, err := w.Write(offset)
-	return err
-}
-
-func (b *multiBackend) Destroy(id app.ID) error {
-	b.lock.Lock()
-	defer b.lock.Unlock()
-
-	return os.Remove(b.filename(&id))
-}
-
-func (b *multiBackend) Load() (Entries, error) {
-	return b.load(true)
-}
-
-func (b *multiBackend) Len() (int, error) {
-	// rn consists of only nil entries but has the correct length
-	rn, err := b.load(false)
-	return len(rn), err
-}
-
-func (b *multiBackend) close() error {
-	b.lock.Lock()
-	defer b.lock.Unlock()
-
-	err := b.lockfile.Close()
-	if err == nil || errors.Is(err, os.ErrInvalid) || errors.Is(err, os.ErrClosed) {
-		return nil
-	}
-	return err
-}
-
-// NewMulti returns an instance of the multi-file store.
-func NewMulti(runDir string) Store {
-	b := new(multiStore)
-	b.base = path.Join(runDir, "state")
-	b.backends = new(sync.Map)
-	return b
-}

cmd/hakurei/internal/state/multi_test.go

@@ -1,9 +0,0 @@
-package state_test
-
-import (
-	"testing"
-
-	"hakurei.app/cmd/hakurei/internal/state"
-)
-
-func TestMulti(t *testing.T) { testStore(t, state.NewMulti(t.TempDir())) }

cmd/hakurei/internal/state/state.go

@@ -1,49 +0,0 @@
-package state
-
-import (
-	"errors"
-	"io"
-	"time"
-
-	"hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/hst"
-)
-
-var ErrNoConfig = errors.New("state does not contain config")
-
-type Entries map[app.ID]*State
-
-type Store interface {
-	// Do calls f exactly once and ensures store exclusivity until f returns.
-	// Returns whether f is called and any errors during the locking process.
-	// Cursor provided to f becomes invalid as soon as f returns.
-	Do(aid int, f func(c Cursor)) (ok bool, err error)
-
-	// List queries the store and returns a list of aids known to the store.
-	// Note that some or all returned aids might not have any active apps.
-	List() (aids []int, err error)
-
-	// Close releases any resources held by Store.
-	Close() error
-}
-
-// Cursor provides access to the store
-type Cursor interface {
-	Save(state *State, configWriter io.WriterTo) error
-	Destroy(id app.ID) error
-	Load() (Entries, error)
-	Len() (int, error)
-}
-
-// State is an instance state
-type State struct {
-	// hakurei instance id
-	ID app.ID `json:"instance"`
-	// child process PID value
-	PID int `json:"pid"`
-	// sealed app configuration
-	Config *hst.Config `json:"config"`
-
-	// process start time
-	Time time.Time `json:"time"`
-}

cmd/hakurei/internal/state/state_test.go

@@ -1,145 +0,0 @@
-package state_test
-
-import (
-	"bytes"
-	"encoding/gob"
-	"io"
-	"math/rand/v2"
-	"reflect"
-	"slices"
-	"testing"
-	"time"
-
-	"hakurei.app/cmd/hakurei/internal/app"
-	"hakurei.app/cmd/hakurei/internal/state"
-	"hakurei.app/hst"
-)
-
-func testStore(t *testing.T, s state.Store) {
-	t.Run("list empty store", func(t *testing.T) {
-		if aids, err := s.List(); err != nil {
-			t.Fatalf("List: error = %v", err)
-		} else if len(aids) != 0 {
-			t.Fatalf("List: aids = %#v", aids)
-		}
-	})
-
-	const (
-		insertEntryChecked = iota
-		insertEntryNoCheck
-		insertEntryOtherApp
-
-		tl
-	)
-
-	var tc [tl]struct {
-		state state.State
-		ct    bytes.Buffer
-	}
-	for i := 0; i < tl; i++ {
-		makeState(t, &tc[i].state, &tc[i].ct)
-	}
-
-	do := func(aid int, f func(c state.Cursor)) {
-		if ok, err := s.Do(aid, f); err != nil {
-			t.Fatalf("Do: ok = %v, error = %v", ok, err)
-		}
-	}
-
-	insert := func(i, aid int) {
-		do(aid, func(c state.Cursor) {
-			if err := c.Save(&tc[i].state, &tc[i].ct); err != nil {
-				t.Fatalf("Save(&tc[%v]): error = %v", i, err)
-			}
-		})
-	}
-
-	check := func(i, aid int) {
-		do(aid, func(c state.Cursor) {
-			if entries, err := c.Load(); err != nil {
-				t.Fatalf("Load: error = %v", err)
-			} else if got, ok := entries[tc[i].state.ID]; !ok {
-				t.Fatalf("Load: entry %s missing",
-					&tc[i].state.ID)
-			} else {
-				got.Time = tc[i].state.Time
-				tc[i].state.Config = hst.Template()
-				if !reflect.DeepEqual(got, &tc[i].state) {
-					t.Fatalf("Load: entry %s got %#v, want %#v",
-						&tc[i].state.ID, got, &tc[i].state)
-				}
-				tc[i].state.Config = nil
-			}
-		})
-	}
-
-	t.Run("insert entry checked", func(t *testing.T) {
-		insert(insertEntryChecked, 0)
-		check(insertEntryChecked, 0)
-	})
-
-	t.Run("insert entry unchecked", func(t *testing.T) {
-		insert(insertEntryNoCheck, 0)
-	})
-
-	t.Run("insert entry different aid", func(t *testing.T) {
-		insert(insertEntryOtherApp, 1)
-		check(insertEntryOtherApp, 1)
-	})
-
-	t.Run("check previous insertion", func(t *testing.T) {
-		check(insertEntryNoCheck, 0)
-	})
-
-	t.Run("list aids", func(t *testing.T) {
-		if aids, err := s.List(); err != nil {
-			t.Fatalf("List: error = %v", err)
-		} else {
-			slices.Sort(aids)
-			want := []int{0, 1}
-			if !slices.Equal(aids, want) {
-				t.Fatalf("List() = %#v, want %#v", aids, want)
-			}
-		}
-	})
-
-	t.Run("join store", func(t *testing.T) {
-		if entries, err := state.Join(s); err != nil {
-			t.Fatalf("Join: error = %v", err)
-		} else if len(entries) != 3 {
-			t.Fatalf("Join(s) = %#v", entries)
-		}
-	})
-
-	t.Run("clear aid 1", func(t *testing.T) {
-		do(1, func(c state.Cursor) {
-			if err := c.Destroy(tc[insertEntryOtherApp].state.ID); err != nil {
-				t.Fatalf("Destroy: error = %v", err)
-			}
-		})
-		do(1, func(c state.Cursor) {
-			if l, err := c.Len(); err != nil {
-				t.Fatalf("Len: error = %v", err)
-			} else if l != 0 {
-				t.Fatalf("Len() = %d, want 0", l)
-			}
-		})
-	})
-
-	t.Run("close store", func(t *testing.T) {
-		if err := s.Close(); err != nil {
-			t.Fatalf("Close: error = %v", err)
-		}
-	})
-}
-
-func makeState(t *testing.T, s *state.State, ct io.Writer) {
-	if err := app.NewAppID(&s.ID); err != nil {
-		t.Fatalf("cannot create dummy state: %v", err)
-	}
-	if err := gob.NewEncoder(ct).Encode(hst.Template()); err != nil {
-		t.Fatalf("cannot encode dummy config: %v", err)
-	}
-	s.PID = rand.Int()
-	s.Time = time.Now()
-}

cmd/hakurei/json.go

@@ -0,0 +1,60 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"io"
+	"strconv"
+)
+
+// decodeJSON decodes json from r and stores it in v. A non-nil error results in a call to fatal.
+func decodeJSON(fatal func(v ...any), op string, r io.Reader, v any) {
+	err := json.NewDecoder(r).Decode(v)
+	if err == nil {
+		return
+	}
+
+	var (
+		syntaxError        *json.SyntaxError
+		unmarshalTypeError *json.UnmarshalTypeError
+
+		msg string
+	)
+
+	switch {
+	case errors.As(err, &syntaxError) && syntaxError != nil:
+		msg = syntaxError.Error() +
+			" at byte " + strconv.FormatInt(syntaxError.Offset, 10)
+
+	case errors.As(err, &unmarshalTypeError) && unmarshalTypeError != nil:
+		msg = "inappropriate " + unmarshalTypeError.Value +
+			" at byte " + strconv.FormatInt(unmarshalTypeError.Offset, 10)
+
+	default:
+		// InvalidUnmarshalError: incorrect usage, does not need to be handled
+		// io.ErrUnexpectedEOF: no additional error information available
+		msg = err.Error()
+	}
+
+	fatal("cannot " + op + ": " + msg)
+}
+
+// encodeJSON encodes v to output. A non-nil error results in a call to fatal.
+func encodeJSON(fatal func(v ...any), output io.Writer, short bool, v any) {
+	encoder := json.NewEncoder(output)
+	if !short {
+		encoder.SetIndent("", "  ")
+	}
+
+	if err := encoder.Encode(v); err != nil {
+		var marshalerError *json.MarshalerError
+		if errors.As(err, &marshalerError) && marshalerError != nil {
+			// this likely indicates an implementation error in hst
+			fatal("cannot encode json for " + marshalerError.Type.String() + ": " + marshalerError.Err.Error())
+			return
+		}
+
+		// UnsupportedTypeError, UnsupportedValueError: incorrect usage, does not need to be handled
+		fatal("cannot write json: " + err.Error())
+	}
+}

cmd/hakurei/json_test.go

@@ -0,0 +1,99 @@
+package main
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+
+	"hakurei.app/internal/stub"
+)
+
+func TestDecodeJSON(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		t    reflect.Type
+		data string
+		want any
+		msg  string
+	}{
+		{"success", reflect.TypeFor[uintptr](), "3735928559\n", uintptr(0xdeadbeef), ""},
+
+		{"syntax", reflect.TypeFor[*int](), "\x00", nil,
+			`cannot load sample: invalid character '\x00' looking for beginning of value at byte 1`},
+		{"type", reflect.TypeFor[uintptr](), "-1", nil,
+			`cannot load sample: inappropriate number -1 at byte 2`},
+		{"default", reflect.TypeFor[*int](), "{", nil,
+			"cannot load sample: unexpected EOF"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				gotP   = reflect.New(tc.t)
+				gotMsg *string
+			)
+			decodeJSON(func(v ...any) {
+				if gotMsg != nil {
+					t.Fatal("fatal called twice")
+				}
+				msg := v[0].(string)
+				gotMsg = &msg
+			}, "load sample", strings.NewReader(tc.data), gotP.Interface())
+			if tc.msg != "" {
+				if gotMsg == nil {
+					t.Errorf("decodeJSON: success, want fatal %q", tc.msg)
+				} else if *gotMsg != tc.msg {
+					t.Errorf("decodeJSON: fatal = %q, want %q", *gotMsg, tc.msg)
+				}
+			} else if gotMsg != nil {
+				t.Errorf("decodeJSON: fatal = %q", *gotMsg)
+			} else if !reflect.DeepEqual(gotP.Elem().Interface(), tc.want) {
+				t.Errorf("decodeJSON: %#v, want %#v", gotP.Elem().Interface(), tc.want)
+			}
+		})
+	}
+}
+
+func TestEncodeJSON(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		v    any
+		want string
+	}{
+		{"marshaler", errorJSONMarshaler{},
+			`cannot encode json for main.errorJSONMarshaler: unique error 3735928559 injected by the test suite`},
+		{"default", func() {},
+			`cannot write json: json: unsupported type: func()`},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var called bool
+			encodeJSON(func(v ...any) {
+				if called {
+					t.Fatal("fatal called twice")
+				}
+				called = true
+
+				if v[0].(string) != tc.want {
+					t.Errorf("encodeJSON: fatal = %q, want %q", v[0].(string), tc.want)
+				}
+			}, nil, false, tc.v)
+
+			if !called {
+				t.Errorf("encodeJSON: success, want fatal %q", tc.want)
+			}
+		})
+	}
+}
+
+// errorJSONMarshaler implements json.Marshaler.
+type errorJSONMarshaler struct{}
+
+func (errorJSONMarshaler) MarshalJSON() ([]byte, error) { return nil, stub.UniqueError(0xdeadbeef) }

cmd/hakurei/main.go

@@ -1,48 +1,88 @@
+// Hakurei runs user-specified containers as subordinate users.
+//
+// This program is generally invoked by another, higher level program, which
+// creates container configuration via package [hst] or an implementation of it.
+//
+// The parent may leave files open and specify their file descriptor for various
+// uses. In these cases, standard streams and netpoll files are treated as
+// invalid file descriptors and rejected. All string representations must be in
+// decimal.
+//
+// When specifying a [hst.Config] JSON stream or file to the run subcommand, the
+// argument "-" is equivalent to stdin. Otherwise, file descriptor rules
+// described above applies. Invalid file descriptors are treated as file names
+// in their string representation, with the exception that if a netpoll file
+// descriptor is attempted, the program fails.
+//
+// The flag --identifier-fd can be optionally specified to the run subcommand to
+// receive the identifier of the newly started instance. File descriptor rules
+// described above applies, and the file must be writable. This is sent after
+// its state is made available, so the client must not attempt to poll for it.
+// This uses the internal binary format of [hst.ID].
+//
+// For the show and ps subcommands, the flag --json can be applied to the main
+// hakurei command to serialise output in JSON when applicable. Additionally,
+// the flag --short targeting each subcommand is used to omit some information
+// in both JSON and user-facing output. Only JSON-encoded output is covered
+// under the compatibility promise.
+//
+// A template for [hst.Config] demonstrating all available configuration fields
+// is returned by [hst.Template]. The JSON-encoded equivalent of this can be
+// obtained via the template subcommand. Fields left unpopulated in the template
+// (the direct_* family of fields, which are insecure under any configuration if
+// enabled) are unsupported.
+//
+// For simple (but insecure) testing scenarios, the exec subcommand can be used
+// to generate a simple, permissive configuration in-memory. See its help
+// message for all available options.
 package main
 
-// this works around go:embed '..' limitation
-//go:generate cp ../../LICENSE .
-
 import (
+	"context"
 	_ "embed"
 	"errors"
 	"log"
 	"os"
+	"os/signal"
+	"syscall"
 
 	"hakurei.app/container"
-	"hakurei.app/internal"
-	"hakurei.app/internal/hlog"
-	"hakurei.app/internal/sys"
+	"hakurei.app/ext"
+	"hakurei.app/message"
 )
 
-var (
-	errSuccess = errors.New("success")
+//go:generate cp ../../LICENSE .
+//go:embed LICENSE
+var license string
 
-	//go:embed LICENSE
-	license string
-)
-
-func init() { hlog.Prepare("hakurei") }
-
-var std sys.State = new(sys.Std)
+// earlyHardeningErrs are errors collected while setting up early hardening feature.
+type earlyHardeningErrs struct{ yamaLSM, dumpable error }
 
 func main() {
 	// early init path, skips root check and duplicate PR_SET_DUMPABLE
-	container.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallOutput)
+	container.TryArgv0(nil)
 
-	if err := container.SetDumpable(container.SUID_DUMP_DISABLE); err != nil {
-		log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
-		// not fatal: this program runs as the privileged user
+	log.SetFlags(0)
+	log.SetPrefix("hakurei: ")
+	msg := message.New(log.Default())
+
+	early := earlyHardeningErrs{
+		yamaLSM:  ext.SetPtracer(0),
+		dumpable: ext.SetDumpable(ext.SUID_DUMP_DISABLE),
 	}
 
 	if os.Geteuid() == 0 {
 		log.Fatal("this program must not run as root")
 	}
 
-	buildCommand(os.Stderr).MustParse(os.Args[1:], func(err error) {
-		hlog.Verbosef("command returned %v", err)
+	ctx, stop := signal.NotifyContext(context.Background(),
+		syscall.SIGINT, syscall.SIGTERM)
+	defer stop() // unreachable
+
+	buildCommand(ctx, msg, &early, os.Stderr).MustParse(os.Args[1:], func(err error) {
+		msg.Verbosef("command returned %v", err)
 		if errors.Is(err, errSuccess) {
-			hlog.BeforeExit()
+			msg.BeforeExit()
 			os.Exit(0)
 		}
 		// this catches faulty command handlers that fail to return before this point

cmd/hakurei/parse.go

@@ -1,7 +1,7 @@
 package main
 
 import (
-	"encoding/json"
+	"encoding/hex"
 	"errors"
 	"io"
 	"log"
@@ -10,67 +10,105 @@ import (
 	"strings"
 	"syscall"
 
-	"hakurei.app/cmd/hakurei/internal/state"
 	"hakurei.app/hst"
-	"hakurei.app/internal/hlog"
+	"hakurei.app/internal/outcome"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
 )
 
-func tryPath(name string) (config *hst.Config) {
-	var r io.Reader
+// tryPath attempts to read [hst.Config] from multiple sources.
+//
+// tryPath reads from [os.Stdin] if name has value "-". Otherwise, name is
+// passed to tryFd, and if that returns nil, name is passed to [os.Open].
+func tryPath(msg message.Msg, name string) (config *hst.Config) {
+	var r io.ReadCloser
 	config = new(hst.Config)
 
 	if name != "-" {
-		r = tryFd(name)
+		r = tryFd(msg, name)
 		if r == nil {
-			hlog.Verbose("load configuration from file")
+			msg.Verbose("load configuration from file")
 
 			if f, err := os.Open(name); err != nil {
-				log.Fatalf("cannot access configuration file %q: %s", name, err)
+				log.Fatal(err.Error())
+				return
 			} else {
-				// finalizer closes f
 				r = f
 			}
-		} else {
-			defer func() {
-				if err := r.(io.ReadCloser).Close(); err != nil {
-					log.Printf("cannot close config fd: %v", err)
-				}
-			}()
 		}
 	} else {
 		r = os.Stdin
 	}
 
-	if err := json.NewDecoder(r).Decode(&config); err != nil {
-		log.Fatalf("cannot load configuration: %v", err)
+	decodeJSON(log.Fatal, "load configuration", r, &config)
+	if err := r.Close(); err != nil {
+		log.Fatal(err.Error())
 	}
-
 	return
 }
 
-func tryFd(name string) io.ReadCloser {
+// tryFd returns a [io.ReadCloser] if name represents an integer corresponding
+// to a valid file descriptor.
+func tryFd(msg message.Msg, name string) io.ReadCloser {
 	if v, err := strconv.Atoi(name); err != nil {
 		if !errors.Is(err, strconv.ErrSyntax) {
-			hlog.Verbosef("name cannot be interpreted as int64: %v", err)
+			msg.Verbosef("name cannot be interpreted as int64: %v", err)
 		}
 		return nil
 	} else {
-		hlog.Verbosef("trying config stream from %d", v)
+		if v < 3 { // reject standard streams
+			return nil
+		}
+
+		msg.Verbosef("trying config stream from %d", v)
 		fd := uintptr(v)
-		if _, _, errno := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_GETFD, 0); errno != 0 {
-			if errors.Is(errno, syscall.EBADF) {
+		if _, _, errno := syscall.Syscall(
+			syscall.SYS_FCNTL,
+			fd,
+			syscall.F_GETFD,
+			0,
+		); errno != 0 {
+			if errors.Is(errno, syscall.EBADF) { // reject bad fd
 				return nil
 			}
 			log.Fatalf("cannot get fd %d: %v", fd, errno)
 		}
+
+		if outcome.IsPollDescriptor(fd) { // reject runtime internals
+			log.Fatalf("invalid config stream %d", fd)
+		}
+
 		return os.NewFile(fd, strconv.Itoa(v))
 	}
 }
 
-func tryShort(name string) (config *hst.Config, entry *state.State) {
-	likePrefix := false
-	if len(name) <= 32 {
-		likePrefix = true
+// shortLengthMin is the minimum length a short form identifier can have and
+// still be interpreted as an identifier.
+const shortLengthMin = 1 << 3
+
+// shortIdentifier returns an eight character short representation of [hst.ID]
+// from its random bytes.
+func shortIdentifier(id *hst.ID) string {
+	return shortIdentifierString(id.String())
+}
+
+// shortIdentifierString implements shortIdentifier on an arbitrary string.
+func shortIdentifierString(s string) string {
+	return s[len(hst.ID{}) : len(hst.ID{})+shortLengthMin]
+}
+
+// tryIdentifier attempts to match [hst.State] from a [hex] representation of
+// [hst.ID] or a prefix of its lower half.
+func tryIdentifier(msg message.Msg, name string, s *store.Store) *hst.State {
+	const (
+		likeShort = 1 << iota
+		likeFull
+	)
+
+	var likely uintptr
+	// half the hex representation
+	if len(name) >= shortLengthMin && len(name) <= len(hst.ID{}) {
+		// cannot safely decode here due to unknown alignment
 		for _, c := range name {
 			if c >= '0' && c <= '9' {
 				continue
@@ -78,33 +116,68 @@ func tryShort(name string) (config *hst.Config, entry *state.State) {
 			if c >= 'a' && c <= 'f' {
 				continue
 			}
-			likePrefix = false
-			break
+			return nil
 		}
+		likely |= likeShort
+	} else if len(name) == hex.EncodedLen(len(hst.ID{})) {
+		likely |= likeFull
 	}
 
-	// try to match from state store
-	if likePrefix && len(name) >= 8 {
-		hlog.Verbose("argument looks like prefix")
+	if likely == 0 {
+		return nil
+	}
 
-		s := state.NewMulti(std.Paths().RunDirPath)
-		if entries, err := state.Join(s); err != nil {
-			log.Printf("cannot join store: %v", err)
-			// drop to fetch from file
-		} else {
-			for id := range entries {
-				v := id.String()
-				if strings.HasPrefix(v, name) {
-					// match, use config from this state entry
-					entry = entries[id]
-					config = entry.Config
-					break
+	entries, copyError := s.All()
+	defer func() {
+		if err := copyError(); err != nil {
+			msg.GetLogger().Println(getMessage("cannot iterate over store:", err))
+		}
+	}()
+
+	switch {
+	case likely&likeShort != 0:
+		msg.Verbose("argument looks like short identifier")
+		for eh := range entries {
+			if eh.DecodeErr != nil {
+				msg.Verbose(getMessage("skipping instance:", eh.DecodeErr))
+				continue
+			}
+
+			if strings.HasPrefix(eh.ID.String()[len(hst.ID{}):], name) {
+				var entry hst.State
+				if _, err := eh.Load(&entry); err != nil {
+					msg.GetLogger().Println(getMessage("cannot load state entry:", err))
+					continue
 				}
-
-				hlog.Verbosef("instance %s skipped", v)
+				return &entry
 			}
 		}
-	}
+		return nil
 
-	return
+	case likely&likeFull != 0:
+		var likelyID hst.ID
+		if likelyID.UnmarshalText([]byte(name)) != nil {
+			return nil
+		}
+		msg.Verbose("argument looks like identifier")
+		for eh := range entries {
+			if eh.DecodeErr != nil {
+				msg.Verbose(getMessage("skipping instance:", eh.DecodeErr))
+				continue
+			}
+
+			if eh.ID == likelyID {
+				var entry hst.State
+				if _, err := eh.Load(&entry); err != nil {
+					msg.GetLogger().Println(getMessage("cannot load state entry:", err))
+					continue
+				}
+				return &entry
+			}
+		}
+		return nil
+
+	default:
+		panic("unreachable")
+	}
 }

cmd/hakurei/parse_test.go

@@ -0,0 +1,117 @@
+package main
+
+import (
+	"bytes"
+	"reflect"
+	"testing"
+	"time"
+
+	"hakurei.app/check"
+	"hakurei.app/hst"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
+)
+
+func TestShortIdentifier(t *testing.T) {
+	t.Parallel()
+	id := hst.ID{
+		0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+	}
+
+	const want = "fedcba98"
+	if got := shortIdentifier(&id); got != want {
+		t.Errorf("shortIdentifier: %q, want %q", got, want)
+	}
+}
+
+func TestTryIdentifier(t *testing.T) {
+	t.Parallel()
+
+	msg := message.New(nil)
+	id := hst.ID{
+		0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+		0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+	}
+	withBase := func(extra ...hst.State) []hst.State {
+		return append([]hst.State{
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xaa}, len(hst.ID{}))), PID: 0xbeef, ShimPID: 0xcafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef0)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xab}, len(hst.ID{}))), PID: 0x1beef, ShimPID: 0x1cafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef1)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xf0}, len(hst.ID{}))), PID: 0x2beef, ShimPID: 0x2cafe, Config: hst.Template(), Time: time.Unix(0, 0xdeadbeef2)},
+
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xfe}, len(hst.ID{}))), PID: 0xbed, ShimPID: 0xfff, Config: func() *hst.Config {
+				template := hst.Template()
+				template.Identity = hst.IdentityEnd
+				return template
+			}(), Time: time.Unix(0, 0xcafebabe0)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xfc}, len(hst.ID{}))), PID: 0x1bed, ShimPID: 0x1fff, Config: func() *hst.Config {
+				template := hst.Template()
+				template.Identity = 0xfc
+				return template
+			}(), Time: time.Unix(0, 0xcafebabe1)},
+			{ID: (hst.ID)(bytes.Repeat([]byte{0xce}, len(hst.ID{}))), PID: 0x2bed, ShimPID: 0x2fff, Config: func() *hst.Config {
+				template := hst.Template()
+				template.Identity = 0xce
+				return template
+			}(), Time: time.Unix(0, 0xcafebabe2)},
+		}, extra...)
+	}
+	sampleEntry := hst.State{
+		ID:      id,
+		PID:     0xcafe,
+		ShimPID: 0xdead,
+		Config:  hst.Template(),
+	}
+
+	testCases := []struct {
+		name string
+		s    string
+		data []hst.State
+		want *hst.State
+	}{
+		{"likely entries fault", "ffffffff", nil, nil},
+
+		{"likely short too short", "ff", nil, nil},
+		{"likely short too long", "fffffffffffffffff", nil, nil},
+		{"likely short invalid lower", "fffffff\x00", nil, nil},
+		{"likely short invalid higher", "0000000\xff", nil, nil},
+		{"short no match", "fedcba98", withBase(), nil},
+		{"short match", "fedcba98", withBase(sampleEntry), &sampleEntry},
+		{"short match single", "fedcba98", []hst.State{sampleEntry}, &sampleEntry},
+		{"short match longer", "fedcba98765", withBase(sampleEntry), &sampleEntry},
+
+		{"likely long invalid", "0123456789abcdeffedcba987654321\x00", nil, nil},
+		{"long no match", "0123456789abcdeffedcba9876543210", withBase(), nil},
+		{"long match", "0123456789abcdeffedcba9876543210", withBase(sampleEntry), &sampleEntry},
+		{"long match single", "0123456789abcdeffedcba9876543210", []hst.State{sampleEntry}, &sampleEntry},
+	}
+	for _, tc := range testCases {
+		base := check.MustAbs(t.TempDir()).Append("store")
+		s := store.New(base)
+		for i := range tc.data {
+			if h, err := s.Handle(tc.data[i].Identity); err != nil {
+				t.Fatalf("Handle: error = %v", err)
+			} else {
+				var unlock func()
+				if unlock, err = h.Lock(); err != nil {
+					t.Fatalf("Lock: error = %v", err)
+				}
+				_, err = h.Save(&tc.data[i])
+				unlock()
+				if err != nil {
+					t.Fatalf("Save: error = %v", err)
+				}
+			}
+		}
+
+		// store must not be written to beyond this point
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := tryIdentifier(msg, tc.s, store.New(base))
+			if !reflect.DeepEqual(got, tc.want) {
+				t.Errorf("tryIdentifier: %#v, want %#v", got, tc.want)
+			}
+		})
+	}
+}

cmd/hakurei/print.go

@@ -1,54 +1,54 @@
 package main
 
 import (
-	"encoding/json"
+	"bytes"
 	"fmt"
 	"io"
 	"log"
-	"os"
 	"slices"
 	"strconv"
 	"strings"
 	"text/tabwriter"
 	"time"
 
-	"hakurei.app/cmd/hakurei/internal/state"
 	"hakurei.app/hst"
-	"hakurei.app/internal/hlog"
-	"hakurei.app/system/dbus"
+	"hakurei.app/internal/outcome"
+	"hakurei.app/internal/store"
+	"hakurei.app/message"
 )
 
+// printShowSystem populates and writes a representation of [hst.Info] to output.
 func printShowSystem(output io.Writer, short, flagJSON bool) {
 	t := newPrinter(output)
 	defer t.MustFlush()
-
-	info := new(hst.Info)
-
-	// get fid by querying uid of aid 0
-	if uid, err := std.Uid(0); err != nil {
-		hlog.PrintBaseError(err, "cannot obtain uid from setuid wrapper:")
-		os.Exit(1)
-	} else {
-		info.User = (uid / 10000) - 100
-	}
+	hi := outcome.Info()
 
 	if flagJSON {
-		printJSON(output, short, info)
+		encodeJSON(log.Fatal, output, short, hi)
 		return
 	}
 
-	t.Printf("User:\t%d\n", info.User)
+	t.Printf("Version:\t%s (libwayland %s)\n", hi.Version, hi.WaylandVersion)
+	t.Printf("User:\t%d\n", hi.User)
+	t.Printf("TempDir:\t%s\n", hi.TempDir)
+	t.Printf("SharePath:\t%s\n", hi.SharePath)
+	t.Printf("RuntimePath:\t%s\n", hi.RuntimePath)
+	t.Printf("RunDirPath:\t%s\n", hi.RunDirPath)
 }
 
+// printShowInstance writes a representation of [hst.State] or [hst.Config] to output.
 func printShowInstance(
 	output io.Writer, now time.Time,
-	instance *state.State, config *hst.Config,
-	short, flagJSON bool) {
+	instance *hst.State, config *hst.Config,
+	short, flagJSON bool,
+) (valid bool) {
+	valid = true
+
 	if flagJSON {
 		if instance != nil {
-			printJSON(output, short, instance)
+			encodeJSON(log.Fatal, output, short, instance)
 		} else {
-			printJSON(output, short, config)
+			encodeJSON(log.Fatal, output, short, config)
 		}
 		return
 	}
@@ -56,13 +56,21 @@ func printShowInstance(
 	t := newPrinter(output)
 	defer t.MustFlush()
 
-	if config.Container == nil {
-		mustPrint(output, "Warning: this configuration uses permissive defaults!\n\n")
+	if err := config.Validate(hst.VAllowInsecure); err != nil {
+		valid = false
+		if m, ok := message.GetMessage(err); ok {
+			mustPrint(output, "Error: "+m+"!\n\n")
+		}
+	}
+
+	if config == nil {
+		// nothing to print
+		return
 	}
 
 	if instance != nil {
 		t.Printf("State\n")
-		t.Printf(" Instance:\t%s (%d)\n", instance.ID.String(), instance.PID)
+		t.Printf(" Instance:\t%s (%d -> %d)\n", instance.ID.String(), instance.PID, instance.ShimPID)
 		t.Printf(" Uptime:\t%s\n", now.Sub(instance.Time).Round(time.Second).String())
 		t.Printf("\n")
 	}
@@ -73,51 +81,37 @@ func printShowInstance(
 	} else {
 		t.Printf(" Identity:\t%d\n", config.Identity)
 	}
-	t.Printf(" Enablements:\t%s\n", config.Enablements.String())
+	t.Printf(" Enablements:\t%s\n", config.Enablements.Unwrap().String())
 	if len(config.Groups) > 0 {
 		t.Printf(" Groups:\t%s\n", strings.Join(config.Groups, ", "))
 	}
-	if config.Data != "" {
-		t.Printf(" Data:\t%s\n", config.Data)
-	}
 	if config.Container != nil {
-		container := config.Container
-		if container.Hostname != "" {
-			t.Printf(" Hostname:\t%s\n", container.Hostname)
-		}
-		flags := make([]string, 0, 7)
-		writeFlag := func(name string, value bool) {
-			if value {
-				flags = append(flags, name)
+		flags := config.Container.Flags.String()
+
+		// this is included in the upper hst.Config struct but is relevant here
+		const flagDirectWayland = "directwl"
+		if config.DirectWayland {
+			// hardcoded value when every flag is unset
+			if flags == "none" {
+				flags = flagDirectWayland
+			} else {
+				flags += ", " + flagDirectWayland
 			}
 		}
-		writeFlag("userns", container.Userns)
-		writeFlag("devel", container.Devel)
-		writeFlag("net", container.Net)
-		writeFlag("device", container.Device)
-		writeFlag("tty", container.Tty)
-		writeFlag("mapuid", container.MapRealUID)
-		writeFlag("directwl", config.DirectWayland)
-		writeFlag("autoetc", container.AutoEtc)
-		if len(flags) == 0 {
-			flags = append(flags, "none")
-		}
-		t.Printf(" Flags:\t%s\n", strings.Join(flags, " "))
+		t.Printf(" Flags:\t%s\n", flags)
 
-		etc := container.Etc
-		if etc == "" {
-			etc = "/etc"
+		if config.Container.Home != nil {
+			t.Printf(" Home:\t%s\n", config.Container.Home)
 		}
-		t.Printf(" Etc:\t%s\n", etc)
-
-		if len(container.Cover) > 0 {
-			t.Printf(" Cover:\t%s\n", strings.Join(container.Cover, " "))
+		if config.Container.Hostname != "" {
+			t.Printf(" Hostname:\t%s\n", config.Container.Hostname)
+		}
+		if config.Container.Path != nil {
+			t.Printf(" Path:\t%s\n", config.Container.Path)
+		}
+		if len(config.Container.Args) > 0 {
+			t.Printf(" Arguments:\t%s\n", strings.Join(config.Container.Args, " "))
 		}
-
-		t.Printf(" Path:\t%s\n", config.Path)
-	}
-	if len(config.Args) > 0 {
-		t.Printf(" Arguments:\t%s\n", strings.Join(config.Args, " "))
 	}
 	t.Printf("\n")
 
@@ -125,46 +119,25 @@ func printShowInstance(
 		if config.Container != nil && len(config.Container.Filesystem) > 0 {
 			t.Printf("Filesystem\n")
 			for _, f := range config.Container.Filesystem {
-				if f == nil {
+				if !f.Valid() {
+					valid = false
+					t.Println(" <invalid>")
 					continue
 				}
-
-				expr := new(strings.Builder)
-				expr.Grow(3 + len(f.Src) + 1 + len(f.Dst))
-
-				if f.Device {
-					expr.WriteString(" d")
-				} else if f.Write {
-					expr.WriteString(" w")
-				} else {
-					expr.WriteString(" ")
-				}
-				if f.Must {
-					expr.WriteString("*")
-				} else {
-					expr.WriteString("+")
-				}
-				expr.WriteString(f.Src)
-				if f.Dst != "" {
-					expr.WriteString(":" + f.Dst)
-				}
-				t.Printf("%s\n", expr.String())
+				t.Printf(" %s\n", f)
 			}
 			t.Printf("\n")
 		}
 		if len(config.ExtraPerms) > 0 {
 			t.Printf("Extra ACL\n")
-			for _, p := range config.ExtraPerms {
-				if p == nil {
-					continue
-				}
-				t.Printf(" %s\n", p.String())
+			for i := range config.ExtraPerms {
+				t.Printf(" %s\n", config.ExtraPerms[i].String())
 			}
 			t.Printf("\n")
 		}
 	}
 
-	printDBus := func(c *dbus.Config) {
+	printDBus := func(c *hst.BusConfig) {
 		t.Printf(" Filter:\t%v\n", c.Filter)
 		if len(c.See) > 0 {
 			t.Printf(" See:\t%q\n", c.See)
@@ -192,59 +165,57 @@ func printShowInstance(
 		printDBus(config.SystemBus)
 		t.Printf("\n")
 	}
+
+	return
 }
 
-func printPs(output io.Writer, now time.Time, s state.Store, short, flagJSON bool) {
-	var entries state.Entries
-	if e, err := state.Join(s); err != nil {
-		log.Fatalf("cannot join store: %v", err)
-	} else {
-		entries = e
-	}
-	if err := s.Close(); err != nil {
-		log.Printf("cannot close store: %v", err)
+// printPs writes a representation of active instances to output.
+func printPs(msg message.Msg, output io.Writer, now time.Time, s *store.Store, short, flagJSON bool) {
+	f := func(a func(eh *store.EntryHandle)) {
+		entries, copyError := s.All()
+		for eh := range entries {
+			a(eh)
+		}
+		if err := copyError(); err != nil {
+			msg.GetLogger().Println(getMessage("cannot iterate over store:", err))
+		}
 	}
 
-	if !short && flagJSON {
-		es := make(map[string]*state.State, len(entries))
-		for id, instance := range entries {
-			es[id.String()] = instance
+	if short { // short output requires identifier only
+		var identifiers []*hst.ID
+		f(func(eh *store.EntryHandle) {
+			if _, err := eh.Load(nil); err != nil { // passes through decode error
+				msg.GetLogger().Println(getMessage("cannot validate state entry header:", err))
+				return
+			}
+			identifiers = append(identifiers, &eh.ID)
+		})
+		slices.SortFunc(identifiers, func(a, b *hst.ID) int { return bytes.Compare(a[:], b[:]) })
+
+		if flagJSON {
+			encodeJSON(log.Fatal, output, short, identifiers)
+		} else {
+			for _, id := range identifiers {
+				mustPrintln(output, shortIdentifier(id))
+			}
 		}
-		printJSON(output, short, es)
 		return
 	}
 
-	// sort state entries by id string to ensure consistency between runs
-	exp := make([]*expandedStateEntry, 0, len(entries))
-	for id, instance := range entries {
-		// gracefully skip nil states
-		if instance == nil {
-			log.Printf("got invalid state entry %s", id.String())
-			continue
+	// long output requires full instance state
+	var instances []*hst.State
+	f(func(eh *store.EntryHandle) {
+		var state hst.State
+		if _, err := eh.Load(&state); err != nil { // passes through decode error
+			msg.GetLogger().Println(getMessage("cannot load state entry:", err))
+			return
 		}
+		instances = append(instances, &state)
+	})
+	slices.SortFunc(instances, func(a, b *hst.State) int { return bytes.Compare(a.ID[:], b.ID[:]) })
 
-		// gracefully skip inconsistent states
-		if id != instance.ID {
-			log.Printf("possible store corruption: entry %s has id %s",
-				id.String(), instance.ID.String())
-			continue
-		}
-		exp = append(exp, &expandedStateEntry{s: id.String(), State: instance})
-	}
-	slices.SortFunc(exp, func(a, b *expandedStateEntry) int { return a.Time.Compare(b.Time) })
-
-	if short {
-		if flagJSON {
-			v := make([]string, len(exp))
-			for i, e := range exp {
-				v[i] = e.s
-			}
-			printJSON(output, short, v)
-		} else {
-			for _, e := range exp {
-				mustPrintln(output, e.s[:8])
-			}
-		}
+	if flagJSON {
+		encodeJSON(log.Fatal, output, short, instances)
 		return
 	}
 
@@ -252,61 +223,48 @@ func printPs(output io.Writer, now time.Time, s state.Store, short, flagJSON boo
 	defer t.MustFlush()
 
 	t.Println("\tInstance\tPID\tApplication\tUptime")
-	for _, e := range exp {
-		if len(e.s) != 1<<5 {
-			// unreachable
-			log.Printf("possible store corruption: invalid instance string %s", e.s)
-			continue
-		}
-
+	for _, instance := range instances {
 		as := "(No configuration information)"
-		if e.Config != nil {
-			as = strconv.Itoa(e.Config.Identity)
-			id := e.Config.ID
+		if instance.Config != nil {
+			as = strconv.Itoa(instance.Config.Identity)
+			id := instance.Config.ID
 			if id == "" {
-				id = "app.hakurei." + e.s[:8]
+				id = "app.hakurei." + shortIdentifier(&instance.ID)
 			}
 			as += " (" + id + ")"
 		}
 		t.Printf("\t%s\t%d\t%s\t%s\n",
-			e.s[:8], e.PID, as, now.Sub(e.Time).Round(time.Second).String())
-	}
-}
-
-type expandedStateEntry struct {
-	s string
-	*state.State
-}
-
-func printJSON(output io.Writer, short bool, v any) {
-	encoder := json.NewEncoder(output)
-	if !short {
-		encoder.SetIndent("", "  ")
-	}
-	if err := encoder.Encode(v); err != nil {
-		log.Fatalf("cannot serialise: %v", err)
+			shortIdentifier(&instance.ID), instance.PID, as, now.Sub(instance.Time).Round(time.Second).String())
 	}
 }
 
+// newPrinter returns a configured, wrapped [tabwriter.Writer].
 func newPrinter(output io.Writer) *tp { return &tp{tabwriter.NewWriter(output, 0, 1, 4, ' ', 0)} }
 
+// tp wraps [tabwriter.Writer] to provide additional formatting methods.
 type tp struct{ *tabwriter.Writer }
 
+// Printf calls [fmt.Fprintf] on the underlying [tabwriter.Writer].
 func (p *tp) Printf(format string, a ...any) {
 	if _, err := fmt.Fprintf(p, format, a...); err != nil {
 		log.Fatalf("cannot write to tabwriter: %v", err)
 	}
 }
+
+// Println calls [fmt.Fprintln] on the underlying [tabwriter.Writer].
 func (p *tp) Println(a ...any) {
 	if _, err := fmt.Fprintln(p, a...); err != nil {
 		log.Fatalf("cannot write to tabwriter: %v", err)
 	}
 }
+
+// MustFlush calls the Flush method of [tabwriter.Writer] and calls [log.Fatalf] on a non-nil error.
 func (p *tp) MustFlush() {
 	if err := p.Writer.Flush(); err != nil {
 		log.Fatalf("cannot flush tabwriter: %v", err)
 	}
 }
+
 func mustPrint(output io.Writer, a ...any) {
 	if _, err := fmt.Fprint(output, a...); err != nil {
 		log.Fatalf("cannot print: %v", err)
@@ -317,3 +275,11 @@ func mustPrintln(output io.Writer, a ...any) {
 		log.Fatalf("cannot print: %v", err)
 	}
 }
+
+// getMessage returns a [message.Error] message if available, or err prefixed with fallback otherwise.
+func getMessage(fallback string, err error) string {
+	if m, ok := message.GetMessage(err); ok {
+		return m
+	}
+	return fmt.Sprintln(fallback, err)
+}

cmd/hsu/conf.go

@@ -0,0 +1,7 @@
+//go:build !rosa
+
+package main
+
+// hsuConfPath is an absolute pathname to the hsu configuration file. Its
+// contents are interpreted by parseConfig.
+const hsuConfPath = "/etc/hsurc"

cmd/hsu/config_rosa.go

@@ -0,0 +1,7 @@
+//go:build rosa
+
+package main
+
+// hsuConfPath is the pathname to the hsu configuration file, specific to
+// Rosa OS. Its contents are interpreted by parseConfig.
+const hsuConfPath = "/system/etc/hsurc"

cmd/hsu/hst.go

@@ -0,0 +1,16 @@
+package main
+
+/* keep in sync with hst */
+
+const (
+	userOffset = 100000
+	rangeSize  = userOffset / 10
+
+	identityStart = 0
+	identityEnd   = appEnd - appStart
+
+	appStart = rangeSize * 1
+	appEnd   = appStart + rangeSize - 1
+)
+
+func toUser(userid, appid uint32) uint32 { return userid*userOffset + appStart + appid }

cmd/hsu/main.go

@@ -1,3 +1,56 @@
+// hsu starts the hakurei shim as the target subordinate user.
+//
+// The hsu program must be installed with the setuid and setgid bit set, and
+// owned by root. A configuration file must be installed at /etc/hsurc with
+// permission bits 0400, and owned by root. Each line of the file specifies a
+// hakurei userid to kernel uid mapping. A line consists of the decimal string
+// representation of the uid of the user wishing to start hakurei containers,
+// followed by a space, followed by the decimal string representation of its
+// userid. Duplicate uid entries are ignored, with the first occurrence taking
+// effect.
+//
+// For example, to map the kernel uid 1000 to the hakurei user id 0:
+//
+//	1000 0
+//
+// # Internals
+//
+// Hakurei and hsu holds pathnames pointing to each other set at link time. For
+// this reason, a distribution of hakurei has fixed installation prefix. Since
+// this program is never invoked by the user, behaviour described in the
+// following paragraphs are considered an internal detail and not covered by the
+// compatibility promise.
+//
+// After checking credentials, hsu checks via /proc/ the absolute pathname of
+// its parent process, and fails if it does not match the hakurei pathname set
+// at link time. This is not a security feature: the priv-side is considered
+// trusted, and this feature makes no attempt to address the racy nature of
+// querying /proc/, or debuggers attached to the parent process. Instead, this
+// aims to discourage misuse and reduce confusion if the user accidentally
+// stumbles upon this program. It also prevents accidental use of the incorrect
+// installation of hsu in some environments.
+//
+// Since target container environment variables are set up in shim via the
+// [container] infrastructure, the environment is used for parameters from the
+// parent process.
+//
+// HAKUREI_SHIM specifies a single byte between '3' and '9' representing the
+// setup pipe file descriptor. It is passed as is to the shim process and is the
+// only value in the environment of the shim process. Since hsurc is not
+// accessible to the parent process, leaving this unset causes hsu to print the
+// corresponding hakurei user id of the parent and terminate.
+//
+// HAKUREI_IDENTITY specifies the identity of the instance being started and is
+// used to produce the kernel uid alongside hakurei user id looked up from hsurc.
+//
+// HAKUREI_GROUPS specifies supplementary groups to inherit from the credentials
+// of the parent process in a ' ' separated list of decimal string
+// representations of gid. This has the unfortunate consequence of allowing
+// users mapped via hsurc to effectively drop group membership, so special care
+// must be taken to ensure this does not lead to an increase in access. This is
+// not applicable to Rosa OS since unsigned code execution is not permitted
+// outside hakurei containers, and is generally nonapplicable to the security
+// model of hakurei, where all untrusted code runs within containers.
 package main
 
 import (
@@ -5,7 +58,8 @@ import (
 	"fmt"
 	"log"
 	"os"
-	"path"
+	"path/filepath"
+	"runtime"
 	"slices"
 	"strconv"
 	"strings"
@@ -13,47 +67,60 @@ import (
 )
 
 const (
-	hsuConfFile = "/etc/hsurc"
-	envShim     = "HAKUREI_SHIM"
-	envAID      = "HAKUREI_APP_ID"
-	envGroups   = "HAKUREI_GROUPS"
-
-	PR_SET_NO_NEW_PRIVS = 0x26
+	// envShim is the name of the environment variable holding a single byte
+	// representing the shim setup pipe file descriptor.
+	envShim = "HAKUREI_SHIM"
+	// envIdentity is the name of the environment variable holding a decimal
+	// string representation of the current application identity.
+	envIdentity = "HAKUREI_IDENTITY"
+	// envGroups holds a ' ' separated list of decimal string representations of
+	// supplementary group gid. Membership requirements are enforced.
+	envGroups = "HAKUREI_GROUPS"
 )
 
+// hakureiPath is the absolute path to Hakurei.
+//
+// This is set by the linker.
+var hakureiPath string
+
 func main() {
+	const PR_SET_NO_NEW_PRIVS = 0x26
+	runtime.LockOSThread()
+
 	log.SetFlags(0)
 	log.SetPrefix("hsu: ")
-	log.SetOutput(os.Stderr)
 
 	if os.Geteuid() != 0 {
 		log.Fatal("this program must be owned by uid 0 and have the setuid bit set")
 	}
+	if os.Getegid() != os.Getgid() {
+		log.Fatal("this program must not have the setgid bit set")
+	}
 
 	puid := os.Getuid()
 	if puid == 0 {
 		log.Fatal("this program must not be started by root")
 	}
 
+	if !filepath.IsAbs(hakureiPath) {
+		log.Fatal("this program is compiled incorrectly")
+		return
+	}
+
 	var toolPath string
-	pexe := path.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
+	pexe := filepath.Join("/proc", strconv.Itoa(os.Getppid()), "exe")
 	if p, err := os.Readlink(pexe); err != nil {
 		log.Fatalf("cannot read parent executable path: %v", err)
 	} else if strings.HasSuffix(p, " (deleted)") {
 		log.Fatal("hakurei executable has been deleted")
-	} else if p != mustCheckPath(hmain) {
+	} else if p != hakureiPath {
 		log.Fatal("this program must be started by hakurei")
 	} else {
 		toolPath = p
 	}
 
-	// uid = 1000000 +
-	//   fid * 10000 +
-	//           aid
-	uid := 1000000
-
 	// refuse to run if hsurc is not protected correctly
-	if s, err := os.Stat(hsuConfFile); err != nil {
+	if s, err := os.Stat(hsuConfPath); err != nil {
 		log.Fatal(err)
 	} else if s.Mode().Perm() != 0400 {
 		log.Fatal("bad hsurc perm")
@@ -62,29 +129,13 @@ func main() {
 	}
 
 	// authenticate before accepting user input
-	if f, err := os.Open(hsuConfFile); err != nil {
-		log.Fatal(err)
-	} else if fid, ok := mustParseConfig(f, puid); !ok {
-		log.Fatalf("uid %d is not in the hsurc file", puid)
-	} else {
-		uid += fid * 10000
-	}
-
-	// allowed aid range 0 to 9999
-	if as, ok := os.LookupEnv(envAID); !ok {
-		log.Fatal("HAKUREI_APP_ID not set")
-	} else if aid, err := parseUint32Fast(as); err != nil || aid < 0 || aid > 9999 {
-		log.Fatal("invalid aid")
-	} else {
-		uid += aid
-	}
+	userid := mustParseConfig(puid)
 
 	// pass through setup fd to shim
 	var shimSetupFd string
 	if s, ok := os.LookupEnv(envShim); !ok {
-		// hakurei requests target uid
-		// print resolved uid and exit
-		fmt.Print(uid)
+		// hakurei requests hsurc user id
+		fmt.Print(userid)
 		os.Exit(0)
 	} else if len(s) != 1 || s[0] > '9' || s[0] < '3' {
 		log.Fatal("HAKUREI_SHIM holds an invalid value")
@@ -92,6 +143,22 @@ func main() {
 		shimSetupFd = s
 	}
 
+	// start is going ahead at this point
+	identity := mustReadIdentity()
+
+	const (
+		// first possible uid outcome
+		uidStart = 10000
+		// last possible uid outcome
+		uidEnd = 999919999
+	)
+	uid := int(toUser(userid, identity))
+
+	// final bounds check to catch any bugs
+	if uid < uidStart || uid >= uidEnd {
+		panic("uid out of bounds")
+	}
+
 	// supplementary groups
 	var suppGroups, suppCurrent []int
 
@@ -119,13 +186,7 @@ func main() {
 		suppGroups = []int{uid}
 	}
 
-	// final bounds check to catch any bugs
-	if uid < 1000000 || uid >= 2000000 {
-		panic("uid out of bounds")
-	}
-
 	// careful! users in the allowlist is effectively allowed to drop groups via hsu
-
 	if err := syscall.Setresgid(uid, uid, uid); err != nil {
 		log.Fatalf("cannot set gid: %v", err)
 	}
@@ -135,10 +196,21 @@ func main() {
 	if err := syscall.Setresuid(uid, uid, uid); err != nil {
 		log.Fatalf("cannot set uid: %v", err)
 	}
-	if _, _, errno := syscall.AllThreadsSyscall(syscall.SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0); errno != 0 {
+
+	if _, _, errno := syscall.AllThreadsSyscall(
+		syscall.SYS_PRCTL,
+		PR_SET_NO_NEW_PRIVS, 1,
+		0,
+	); errno != 0 {
 		log.Fatalf("cannot set no_new_privs flag: %s", errno.Error())
 	}
-	if err := syscall.Exec(toolPath, []string{"hakurei", "shim"}, []string{envShim + "=" + shimSetupFd}); err != nil {
+
+	if err := syscall.Exec(toolPath, []string{
+		"hakurei",
+		"shim",
+	}, []string{
+		envShim + "=" + shimSetupFd,
+	}); err != nil {
 		log.Fatalf("cannot start shim: %v", err)
 	}
 

cmd/hsu/package.nix

@@ -19,5 +19,5 @@ buildGoModule {
   ldflags = lib.attrsets.foldlAttrs (
     ldflags: name: value:
     ldflags ++ [ "-X main.${name}=${value}" ]
-  ) [ "-s -w" ] { hmain = "${hakurei}/libexec/hakurei"; };
+  ) [ "-s -w" ] { hakureiPath = "${hakurei}/libexec/hakurei"; };
 }

cmd/hsu/parse.go

@@ -6,62 +6,123 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"math"
+	"os"
 	"strings"
 )
 
-func parseUint32Fast(s string) (int, error) {
+const (
+	// useridStart is the first userid.
+	useridStart = 0
+	// useridEnd is the last userid.
+	useridEnd = useridStart + rangeSize - 1
+)
+
+// parseUint32Fast parses a string representation of an unsigned 32-bit integer
+// value using the fast path only. This limits the range of values it is defined
+// in but is perfectly adequate for this use case.
+func parseUint32Fast(s string) (uint32, error) {
 	sLen := len(s)
 	if sLen < 1 {
-		return -1, errors.New("zero length string")
+		return 0, errors.New("zero length string")
 	}
 	if sLen > 10 {
-		return -1, errors.New("string too long")
+		return 0, errors.New("string too long")
 	}
 
-	n := 0
+	var n uint32
 	for i, ch := range []byte(s) {
 		ch -= '0'
 		if ch > 9 {
-			return -1, fmt.Errorf("invalid character '%s' at index %d", string(ch+'0'), i)
+			return 0, fmt.Errorf("invalid character '%s' at index %d", string(ch+'0'), i)
 		}
-		n = n*10 + int(ch)
+		n = n*10 + uint32(ch)
 	}
 	return n, nil
 }
 
-func parseConfig(r io.Reader, puid int) (fid int, ok bool, err error) {
+// parseConfig reads a list of allowed users from r until it encounters puid or
+// [io.EOF].
+//
+// Each line of the file specifies a hakurei userid to kernel uid mapping. A
+// line consists of the string representation of the uid of the user wishing to
+// start hakurei containers, followed by a space, followed by the string
+// representation of its userid. Duplicate uid entries are ignored, with the
+// first occurrence taking effect.
+//
+// All string representations are parsed by calling parseUint32Fast.
+func parseConfig(r io.Reader, puid uint32) (userid uint32, ok bool, err error) {
 	s := bufio.NewScanner(r)
-	var line, puid0 int
+	var (
+		line  uintptr
+		puid0 uint32
+	)
 	for s.Scan() {
 		line++
 
-		// <puid> <fid>
+		// <puid> <userid>
 		lf := strings.SplitN(s.Text(), " ", 2)
 		if len(lf) != 2 {
-			return -1, false, fmt.Errorf("invalid entry on line %d", line)
+			return useridEnd + 1, false, fmt.Errorf("invalid entry on line %d", line)
 		}
 
 		puid0, err = parseUint32Fast(lf[0])
 		if err != nil || puid0 < 1 {
-			return -1, false, fmt.Errorf("invalid parent uid on line %d", line)
+			return useridEnd + 1, false, fmt.Errorf("invalid parent uid on line %d", line)
 		}
 
 		ok = puid0 == puid
 		if ok {
-			// allowed fid range 0 to 99
-			if fid, err = parseUint32Fast(lf[1]); err != nil || fid < 0 || fid > 99 {
-				return -1, false, fmt.Errorf("invalid identity on line %d", line)
+			// userid bound to a range, uint32 size allows this to be increased if needed
+			if userid, err = parseUint32Fast(lf[1]); err != nil ||
+				userid < useridStart || userid > useridEnd {
+				return useridEnd + 1, false, fmt.Errorf("invalid userid on line %d", line)
 			}
 			return
 		}
 	}
-	return -1, false, s.Err()
+	return useridEnd + 1, false, s.Err()
 }
 
-func mustParseConfig(r io.Reader, puid int) (int, bool) {
-	fid, ok, err := parseConfig(r, puid)
-	if err != nil {
+// mustParseConfig calls parseConfig to interpret the contents of hsuConfPath,
+// terminating the program if an error is encountered, the syntax is incorrect,
+// or the current user is not authorised to use hsu because its uid is missing.
+//
+// Therefore, code after this function call can assume an authenticated state.
+//
+// mustParseConfig returns the userid value of the current user.
+func mustParseConfig(puid int) (userid uint32) {
+	if puid > math.MaxUint32 {
+		log.Fatalf("got impossible uid %d", puid)
+	}
+
+	var ok bool
+	if f, err := os.Open(hsuConfPath); err != nil {
+		log.Fatal(err)
+	} else if userid, ok, err = parseConfig(f, uint32(puid)); err != nil {
+		log.Fatal(err)
+	} else if err = f.Close(); err != nil {
 		log.Fatal(err)
 	}
-	return fid, ok
+	if !ok {
+		log.Fatalf("uid %d is not in the hsurc file", puid)
+	}
+
+	return
+}
+
+// mustReadIdentity calls parseUint32Fast to interpret the value stored in envIdentity,
+// terminating the program if the value is not set, malformed, or out of bounds.
+func mustReadIdentity() uint32 {
+	// ranges defined in hst and copied to this package to avoid importing hst
+	if as, ok := os.LookupEnv(envIdentity); !ok {
+		log.Fatal("HAKUREI_IDENTITY not set")
+		panic("unreachable")
+	} else if identity, err := parseUint32Fast(as); err != nil ||
+		identity < identityStart || identity > identityEnd {
+		log.Fatal("invalid identity")
+		panic("unreachable")
+	} else {
+		return identity
+	}
 }

cmd/hsu/parse_test.go

@@ -2,94 +2,105 @@ package main
 
 import (
 	"bytes"
+	"math"
 	"strconv"
 	"testing"
 )
 
-func Test_parseUint32Fast(t *testing.T) {
+func TestParseUint32Fast(t *testing.T) {
+	t.Parallel()
+
 	t.Run("zero-length", func(t *testing.T) {
+		t.Parallel()
+
 		if _, err := parseUint32Fast(""); err == nil || err.Error() != "zero length string" {
 			t.Errorf(`parseUint32Fast(""): error = %v`, err)
 			return
 		}
 	})
+
 	t.Run("overflow", func(t *testing.T) {
+		t.Parallel()
+
 		if _, err := parseUint32Fast("10000000000"); err == nil || err.Error() != "string too long" {
 			t.Errorf("parseUint32Fast: error = %v", err)
 			return
 		}
 	})
+
 	t.Run("invalid byte", func(t *testing.T) {
+		t.Parallel()
+
 		if _, err := parseUint32Fast("meow"); err == nil || err.Error() != "invalid character 'm' at index 0" {
 			t.Errorf(`parseUint32Fast("meow"): error = %v`, err)
 			return
 		}
 	})
-	t.Run("full range", func(t *testing.T) {
-		testRange := func(i, end int) {
+
+	t.Run("range", func(t *testing.T) {
+		t.Parallel()
+
+		testRange := func(i, end uint32) {
 			for ; i < end; i++ {
-				s := strconv.Itoa(i)
+				s := strconv.Itoa(int(i))
 				w := i
 				t.Run("parse "+s, func(t *testing.T) {
 					t.Parallel()
+
 					v, err := parseUint32Fast(s)
 					if err != nil {
-						t.Errorf("parseUint32Fast(%q): error = %v",
-							s, err)
+						t.Errorf("parseUint32Fast(%q): error = %v", s, err)
 						return
 					}
 					if v != w {
-						t.Errorf("parseUint32Fast(%q): got %v",
-							s, v)
+						t.Errorf("parseUint32Fast(%q): got %v", s, v)
 						return
 					}
 				})
 			}
 		}
 
-		testRange(0, 5000)
-		testRange(105000, 110000)
-		testRange(23005000, 23010000)
-		testRange(456005000, 456010000)
-		testRange(7890005000, 7890010000)
+		testRange(0, 2500)
+		testRange(23002500, 23005000)
+		testRange(math.MaxUint32-2500, math.MaxUint32)
 	})
 }
 
-func Test_parseConfig(t *testing.T) {
+func TestParseConfig(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name       string
-		puid, want int
+		puid, want uint32
 		wantErr    string
 		rc         string
 	}{
-		{"empty", 0, -1, "", ``},
-		{"invalid field", 0, -1, "invalid entry on line 1", `9`},
-		{"invalid puid", 0, -1, "invalid parent uid on line 1", `f 9`},
-		{"invalid fid", 1000, -1, "invalid identity on line 1", `1000 f`},
+		{"empty", 0, useridEnd + 1, "", ``},
+		{"invalid field", 0, useridEnd + 1, "invalid entry on line 1", `9`},
+		{"invalid puid", 0, useridEnd + 1, "invalid parent uid on line 1", `f 9`},
+		{"invalid userid", 1000, useridEnd + 1, "invalid userid on line 1", `1000 f`},
 		{"match", 1000, 0, "", `1000 0`},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			fid, ok, err := parseConfig(bytes.NewBufferString(tc.rc), tc.puid)
+			t.Parallel()
+
+			userid, ok, err := parseConfig(bytes.NewBufferString(tc.rc), tc.puid)
 			if err == nil && tc.wantErr != "" {
-				t.Errorf("parseConfig: error = %v; wantErr %q",
-					err, tc.wantErr)
+				t.Errorf("parseConfig: error = %v; want %q", err, tc.wantErr)
 				return
 			}
 			if err != nil && err.Error() != tc.wantErr {
-				t.Errorf("parseConfig: error = %q; wantErr %q",
-					err, tc.wantErr)
+				t.Errorf("parseConfig: error = %q; want %q", err, tc.wantErr)
 				return
 			}
-			if ok == (tc.want == -1) {
-				t.Errorf("parseConfig: ok = %v; want %v",
-					ok, tc.want)
+			if ok == (tc.want == useridEnd+1) {
+				t.Errorf("parseConfig: ok = %v; want %v", ok, tc.want)
 				return
 			}
-			if fid != tc.want {
-				t.Errorf("parseConfig: fid = %v; want %v",
-					fid, tc.want)
+			if userid != tc.want {
+				t.Errorf("parseConfig: %v; want %v", userid, tc.want)
 			}
 		})
 	}

cmd/hsu/path.go

@@ -1,20 +0,0 @@
-package main
-
-import (
-	"log"
-	"path"
-)
-
-const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
-
-var (
-	hmain = compPoison
-)
-
-func mustCheckPath(p string) string {
-	if p != compPoison && p != "" && path.IsAbs(p) {
-		return p
-	}
-	log.Fatal("this program is compiled incorrectly")
-	return compPoison
-}

cmd/mbf/cache.go

@@ -0,0 +1,135 @@
+package main
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"hakurei.app/check"
+	"hakurei.app/container"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+// cache refers to an instance of [pkg.Cache] that might be open.
+type cache struct {
+	ctx context.Context
+	msg message.Msg
+
+	// Should generally not be used directly.
+	c *pkg.Cache
+
+	cures, jobs int
+	// Primarily to work around missing landlock LSM.
+	hostAbstract bool
+	// Set SCHED_IDLE.
+	idle bool
+	// Unset [pkg.CSuppressInit].
+	verboseInit bool
+	// Loaded artifact of [rosa.QEMU].
+	qemu pkg.Artifact
+
+	base string
+}
+
+// open opens the underlying [pkg.Cache].
+func (cache *cache) open() (err error) {
+	if cache.c != nil {
+		return os.ErrInvalid
+	}
+
+	var base *check.Absolute
+	if cache.base, err = filepath.Abs(cache.base); err != nil {
+		return
+	} else if base, err = check.NewAbs(cache.base); err != nil {
+		return
+	}
+
+	var flags int
+	if cache.idle {
+		flags |= pkg.CSchedIdle
+	}
+	if cache.hostAbstract {
+		flags |= pkg.CHostAbstract
+	}
+	if !cache.verboseInit {
+		flags |= pkg.CSuppressInit
+	}
+
+	done := make(chan struct{})
+	defer close(done)
+	go func() {
+		select {
+		case <-cache.ctx.Done():
+			if testing.Testing() {
+				return
+			}
+			os.Exit(2)
+
+		case <-done:
+			return
+		}
+	}()
+
+	cache.msg.Verbosef("opening cache at %s", base)
+	cache.c, err = pkg.Open(
+		cache.ctx,
+		cache.msg,
+		flags,
+		cache.cures,
+		cache.jobs,
+		base,
+	)
+	if err != nil {
+		return
+	}
+	done <- struct{}{}
+
+	if cache.qemu != nil {
+		var pathname *check.Absolute
+		pathname, _, err = cache.c.Cure(cache.qemu)
+		if err != nil {
+			cache.c.Close()
+			return
+		}
+
+		pkg.RegisterArch("riscv64", container.BinfmtEntry{
+			Offset: 0,
+			Magic:  "\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xf3\x00",
+			Mask:   "\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
+			Interpreter: pathname.Append(
+				"system/bin",
+				"qemu-riscv64",
+			),
+		})
+		pkg.RegisterArch("arm64", container.BinfmtEntry{
+			Offset: 0,
+			Magic:  "\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00",
+			Mask:   "\xff\xff\xff\xff\xff\xff\xff\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff",
+			Interpreter: pathname.Append(
+				"system/bin",
+				"qemu-aarch64",
+			),
+		})
+	}
+
+	return
+}
+
+// Close closes the underlying [pkg.Cache] if it is open.
+func (cache *cache) Close() {
+	if cache.c != nil {
+		cache.c.Close()
+	}
+}
+
+// Do calls f on the underlying cache and returns its error value.
+func (cache *cache) Do(f func(cache *pkg.Cache) error) error {
+	if cache.c == nil {
+		if err := cache.open(); err != nil {
+			return err
+		}
+	}
+	return f(cache.c)
+}

cmd/mbf/cache_test.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"log"
+	"os"
+	"testing"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+func TestCache(t *testing.T) {
+	t.Parallel()
+
+	cm := cache{
+		ctx:  t.Context(),
+		msg:  message.New(log.New(os.Stderr, "check: ", 0)),
+		base: t.TempDir(),
+
+		hostAbstract: true, idle: true,
+	}
+	defer cm.Close()
+	cm.Close()
+
+	if err := cm.open(); err != nil {
+		t.Fatalf("open: error = %v", err)
+	}
+	if err := cm.open(); err != os.ErrInvalid {
+		t.Errorf("(duplicate) open: error = %v", err)
+	}
+
+	if err := cm.Do(func(cache *pkg.Cache) error {
+		return cache.Scrub(0)
+	}); err != nil {
+		t.Errorf("Scrub: error = %v", err)
+	}
+}

cmd/mbf/daemon.go

@@ -0,0 +1,354 @@
+package main
+
+import (
+	"context"
+	"encoding/binary"
+	"errors"
+	"io"
+	"log"
+	"math"
+	"net"
+	"os"
+	"sync"
+	"syscall"
+	"testing"
+	"time"
+	"unique"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+)
+
+// daemonTimeout is the maximum amount of time cureFromIR will wait on I/O.
+const daemonTimeout = 30 * time.Second
+
+// daemonDeadline returns the deadline corresponding to daemonTimeout, or the
+// zero value when running in a test.
+func daemonDeadline() time.Time {
+	if testing.Testing() {
+		return time.Time{}
+	}
+	return time.Now().Add(daemonTimeout)
+}
+
+const (
+	// remoteNoReply notifies that the client will not receive a cure reply.
+	remoteNoReply = 1 << iota
+)
+
+// cureFromIR services an IR curing request.
+func cureFromIR(
+	cache *pkg.Cache,
+	conn net.Conn,
+	flags uint64,
+) (pkg.Artifact, error) {
+	a, decodeErr := cache.NewDecoder(conn).Decode()
+	if decodeErr != nil {
+		_, err := conn.Write([]byte("\x00" + decodeErr.Error()))
+		return nil, errors.Join(decodeErr, err, conn.Close())
+	}
+
+	pathname, _, cureErr := cache.Cure(a)
+	if flags&remoteNoReply != 0 {
+		return a, errors.Join(cureErr, conn.Close())
+	}
+	if err := conn.SetWriteDeadline(daemonDeadline()); err != nil {
+		return a, errors.Join(cureErr, err, conn.Close())
+	}
+	if cureErr != nil {
+		_, err := conn.Write([]byte("\x00" + cureErr.Error()))
+		return a, errors.Join(cureErr, err, conn.Close())
+	}
+	_, err := conn.Write([]byte(pathname.String()))
+	if testing.Testing() && errors.Is(err, io.ErrClosedPipe) {
+		return a, nil
+	}
+	return a, errors.Join(err, conn.Close())
+}
+
+const (
+	// specialCancel is a message consisting of a single identifier referring
+	// to a curing artifact to be cancelled.
+	specialCancel = iota
+	// specialAbort requests for all pending cures to be aborted. It has no
+	// message body.
+	specialAbort
+
+	// remoteSpecial denotes a special message with custom layout.
+	remoteSpecial = math.MaxUint64
+)
+
+// writeSpecialHeader writes the header of a remoteSpecial message.
+func writeSpecialHeader(conn net.Conn, kind uint64) error {
+	var sh [16]byte
+	binary.LittleEndian.PutUint64(sh[:], remoteSpecial)
+	binary.LittleEndian.PutUint64(sh[8:], kind)
+	if n, err := conn.Write(sh[:]); err != nil {
+		return err
+	} else if n != len(sh) {
+		return io.ErrShortWrite
+	}
+	return nil
+}
+
+// cancelIdent reads an identifier from conn and cancels the corresponding cure.
+func cancelIdent(
+	cache *pkg.Cache,
+	conn net.Conn,
+) (*pkg.ID, bool, error) {
+	var ident pkg.ID
+	if _, err := io.ReadFull(conn, ident[:]); err != nil {
+		return nil, false, errors.Join(err, conn.Close())
+	}
+	ok := cache.Cancel(unique.Make(ident))
+	return &ident, ok, conn.Close()
+}
+
+// serve services connections from a [net.UnixListener].
+func serve(
+	ctx context.Context,
+	log *log.Logger,
+	cm *cache,
+	ul *net.UnixListener,
+) error {
+	ul.SetUnlinkOnClose(true)
+	if cm.c == nil {
+		if err := cm.open(); err != nil {
+			return errors.Join(err, ul.Close())
+		}
+	}
+
+	var wg sync.WaitGroup
+	defer wg.Wait()
+
+	wg.Go(func() {
+		for {
+			if ctx.Err() != nil {
+				break
+			}
+
+			conn, err := ul.AcceptUnix()
+			if err != nil {
+				if !errors.Is(err, os.ErrDeadlineExceeded) {
+					log.Println(err)
+				}
+				continue
+			}
+			wg.Go(func() {
+				done := make(chan struct{})
+				defer close(done)
+				go func() {
+					select {
+					case <-ctx.Done():
+						_ = conn.SetDeadline(time.Now())
+
+					case <-done:
+						return
+					}
+				}()
+
+				if _err := conn.SetReadDeadline(daemonDeadline()); _err != nil {
+					log.Println(_err)
+					if _err = conn.Close(); _err != nil {
+						log.Println(_err)
+					}
+					return
+				}
+
+				var word [8]byte
+				if _, _err := io.ReadFull(conn, word[:]); _err != nil {
+					log.Println(_err)
+					if _err = conn.Close(); _err != nil {
+						log.Println(_err)
+					}
+					return
+				}
+				flags := binary.LittleEndian.Uint64(word[:])
+
+				if flags == remoteSpecial {
+					if _, _err := io.ReadFull(conn, word[:]); _err != nil {
+						log.Println(_err)
+						if _err = conn.Close(); _err != nil {
+							log.Println(_err)
+						}
+						return
+					}
+					switch special := binary.LittleEndian.Uint64(word[:]); special {
+					default:
+						log.Printf("invalid special %d", special)
+
+					case specialCancel:
+						if id, ok, _err := cancelIdent(cm.c, conn); _err != nil {
+							log.Println(_err)
+						} else if !ok {
+							log.Println(
+								"attempting to cancel invalid artifact",
+								pkg.Encode(*id),
+							)
+						} else {
+							log.Println(
+								"cancelled artifact",
+								pkg.Encode(*id),
+							)
+						}
+
+					case specialAbort:
+						log.Println("aborting all pending cures")
+						cm.c.Abort()
+						if _err := conn.Close(); _err != nil {
+							log.Println(_err)
+						}
+					}
+
+					return
+				}
+
+				if a, _err := cureFromIR(cm.c, conn, flags); _err != nil {
+					log.Println(_err)
+				} else {
+					log.Printf(
+						"fulfilled artifact %s",
+						pkg.Encode(cm.c.Ident(a).Value()),
+					)
+				}
+			})
+		}
+	})
+
+	<-ctx.Done()
+	if err := ul.SetDeadline(time.Now()); err != nil {
+		return errors.Join(err, ul.Close())
+	}
+	wg.Wait()
+	return ul.Close()
+}
+
+// dial wraps [net.DialUnix] with a context.
+func dial(ctx context.Context, addr *net.UnixAddr) (
+	done chan<- struct{},
+	conn *net.UnixConn,
+	err error,
+) {
+	conn, err = net.DialUnix("unix", nil, addr)
+	if err != nil {
+		return
+	}
+
+	d := make(chan struct{})
+	done = d
+	go func() {
+		select {
+		case <-ctx.Done():
+			_ = conn.SetDeadline(time.Now())
+
+		case <-d:
+			return
+		}
+	}()
+	return
+}
+
+// cureRemote cures a [pkg.Artifact] on a daemon.
+func cureRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	a pkg.Artifact,
+	flags uint64,
+) (*check.Absolute, error) {
+	if flags == remoteSpecial {
+		return nil, syscall.EINVAL
+	}
+
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return nil, err
+	}
+	defer close(done)
+
+	if n, flagErr := conn.Write(binary.LittleEndian.AppendUint64(nil, flags)); flagErr != nil {
+		return nil, errors.Join(flagErr, conn.Close())
+	} else if n != 8 {
+		return nil, errors.Join(io.ErrShortWrite, conn.Close())
+	}
+
+	if err = pkg.NewIR().EncodeAll(conn, a); err != nil {
+		return nil, errors.Join(err, conn.Close())
+	} else if err = conn.CloseWrite(); err != nil {
+		return nil, errors.Join(err, conn.Close())
+	}
+
+	if flags&remoteNoReply != 0 {
+		return nil, conn.Close()
+	}
+
+	payload, recvErr := io.ReadAll(conn)
+	if err = errors.Join(recvErr, conn.Close()); err != nil {
+		if errors.Is(err, os.ErrDeadlineExceeded) {
+			if cancelErr := ctx.Err(); cancelErr != nil {
+				err = cancelErr
+			}
+		}
+		return nil, err
+	}
+
+	if len(payload) > 0 && payload[0] == 0 {
+		return nil, errors.New(string(payload[1:]))
+	}
+
+	var p *check.Absolute
+	p, err = check.NewAbs(string(payload))
+	return p, err
+}
+
+// cancelRemote cancels a [pkg.Artifact] curing on a daemon.
+func cancelRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	a pkg.Artifact,
+	wait bool,
+) error {
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return err
+	}
+	defer close(done)
+
+	if err = writeSpecialHeader(conn, specialCancel); err != nil {
+		return errors.Join(err, conn.Close())
+	}
+
+	var n int
+	id := pkg.NewIR().Ident(a).Value()
+	if n, err = conn.Write(id[:]); err != nil {
+		return errors.Join(err, conn.Close())
+	} else if n != len(id) {
+		return errors.Join(io.ErrShortWrite, conn.Close())
+	}
+	if wait {
+		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
+			err = nil
+		}
+	}
+	return errors.Join(err, conn.Close())
+}
+
+// abortRemote aborts all [pkg.Artifact] curing on a daemon.
+func abortRemote(
+	ctx context.Context,
+	addr *net.UnixAddr,
+	wait bool,
+) error {
+	done, conn, err := dial(ctx, addr)
+	if err != nil {
+		return err
+	}
+	defer close(done)
+
+	err = writeSpecialHeader(conn, specialAbort)
+	if wait && err == nil {
+		if _, err = conn.Read(make([]byte, 1)); err == io.EOF {
+			err = nil
+		}
+	}
+	return errors.Join(err, conn.Close())
+}

cmd/mbf/daemon_test.go

@@ -0,0 +1,146 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"io"
+	"log"
+	"net"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
+	"testing"
+	"time"
+
+	"hakurei.app/check"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/message"
+)
+
+func TestNoReply(t *testing.T) {
+	t.Parallel()
+	if !daemonDeadline().IsZero() {
+		t.Fatal("daemonDeadline did not return the zero value")
+	}
+
+	c, err := pkg.Open(
+		t.Context(),
+		message.New(log.New(os.Stderr, "cir: ", 0)),
+		0, 0, 0,
+		check.MustAbs(t.TempDir()),
+	)
+	if err != nil {
+		t.Fatalf("Open: error = %v", err)
+	}
+	defer c.Close()
+
+	client, server := net.Pipe()
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		go func() {
+			<-t.Context().Done()
+			if _err := client.SetDeadline(time.Now()); _err != nil && !errors.Is(_err, io.ErrClosedPipe) {
+				panic(_err)
+			}
+		}()
+
+		if _err := c.EncodeAll(
+			client,
+			pkg.NewFile("check", []byte{0}),
+		); _err != nil {
+			panic(_err)
+		} else if _err = client.Close(); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	a, cureErr := cureFromIR(c, server, remoteNoReply)
+	if cureErr != nil {
+		t.Fatalf("cureFromIR: error = %v", cureErr)
+	}
+
+	<-done
+	wantIdent := pkg.MustDecode("fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG")
+	if gotIdent := c.Ident(a).Value(); gotIdent != wantIdent {
+		t.Errorf(
+			"cureFromIR: %s, want %s",
+			pkg.Encode(gotIdent), pkg.Encode(wantIdent),
+		)
+	}
+}
+
+func TestDaemon(t *testing.T) {
+	t.Parallel()
+
+	var buf bytes.Buffer
+	logger := log.New(&buf, "daemon: ", 0)
+
+	addr := net.UnixAddr{
+		Name: filepath.Join(t.TempDir(), "daemon"),
+		Net:  "unix",
+	}
+
+	ctx, cancel := context.WithCancel(t.Context())
+	defer cancel()
+
+	cm := cache{
+		ctx:  ctx,
+		msg:  message.New(logger),
+		base: t.TempDir(),
+	}
+	defer cm.Close()
+
+	ul, err := net.ListenUnix("unix", &addr)
+	if err != nil {
+		t.Fatalf("ListenUnix: error = %v", err)
+	}
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		if _err := serve(ctx, logger, &cm, ul); _err != nil {
+			panic(_err)
+		}
+	}()
+
+	if err = cancelRemote(ctx, &addr, pkg.NewFile("nonexistent", nil), true); err != nil {
+		t.Fatalf("cancelRemote: error = %v", err)
+	}
+
+	if err = abortRemote(ctx, &addr, true); err != nil {
+		t.Fatalf("abortRemote: error = %v", err)
+	}
+
+	// keep this last for synchronisation
+	var p *check.Absolute
+	p, err = cureRemote(ctx, &addr, pkg.NewFile("check", []byte{0}), 0)
+	if err != nil {
+		t.Fatalf("cureRemote: error = %v", err)
+	}
+
+	cancel()
+	<-done
+
+	const want = "fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG"
+	if got := filepath.Base(p.String()); got != want {
+		t.Errorf("cureRemote: %s, want %s", got, want)
+	}
+
+	wantLog := []string{
+		"",
+		"daemon: aborting all pending cures",
+		"daemon: attempting to cancel invalid artifact kQm9fmnCmXST1-MMmxzcau2oKZCXXrlZydo4PkeV5hO_2PKfeC8t98hrbV_ZZx_j",
+		"daemon: fulfilled artifact fiZf-ZY_Yq6qxJNrHbMiIPYCsGkUiKCRsZrcSELXTqZWtCnESlHmzV5ThhWWGGYG",
+	}
+	gotLog := strings.Split(buf.String(), "\n")
+	slices.Sort(gotLog)
+	if !slices.Equal(gotLog, wantLog) {
+		t.Errorf(
+			"serve: logged\n%s\nwant\n%s",
+			strings.Join(gotLog, "\n"), strings.Join(wantLog, "\n"),
+		)
+	}
+}

cmd/mbf/info.go

@@ -0,0 +1,118 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"unique"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+)
+
+// commandInfo implements the info subcommand.
+func commandInfo(
+	cm *cache,
+	args []string,
+	w io.Writer,
+	writeStatus bool,
+	r *rosa.Report,
+) (err error) {
+	if len(args) == 0 {
+		return errors.New("info requires at least 1 argument")
+	}
+
+	// recovered by HandleAccess
+	mustPrintln := func(a ...any) {
+		if _, _err := fmt.Fprintln(w, a...); _err != nil {
+			panic(_err)
+		}
+	}
+	mustPrint := func(a ...any) {
+		if _, _err := fmt.Fprint(w, a...); _err != nil {
+			panic(_err)
+		}
+	}
+
+	t := rosa.Native().Std()
+	for i, name := range args {
+		handle := rosa.ArtifactH(unique.Make(name))
+		if meta, a := t.Load(handle); meta == nil {
+			return fmt.Errorf("unknown artifact %q", name)
+		} else {
+			var suffix string
+
+			if meta.Version != rosa.Unversioned {
+				suffix += "-" + meta.Version
+			}
+			mustPrintln("name        : " + name + suffix)
+
+			mustPrintln("description : " + meta.Description)
+			if meta.Website != "" {
+				mustPrintln("website     : " +
+					strings.TrimSuffix(meta.Website, "/"))
+			}
+			if len(meta.Dependencies) > 0 {
+				mustPrint("depends on  :")
+				for _, d := range meta.Dependencies {
+					_meta, _ := rosa.Native().Std().MustLoad(d)
+					s := _meta.Name
+					if _meta.Version != rosa.Unversioned {
+						s += "-" + _meta.Version
+					}
+					mustPrint(" " + s)
+				}
+				mustPrintln()
+			}
+
+			const statusPrefix = "status      : "
+			if writeStatus {
+				if r == nil {
+					var f io.ReadSeekCloser
+					err = cm.Do(func(cache *pkg.Cache) (err error) {
+						f, err = cache.OpenStatus(a)
+						return
+					})
+					if err != nil {
+						if errors.Is(err, os.ErrNotExist) {
+							mustPrintln(
+								statusPrefix + "not yet cured",
+							)
+						} else {
+							return
+						}
+					} else {
+						mustPrint(statusPrefix)
+						_, err = io.Copy(w, f)
+						if err = errors.Join(err, f.Close()); err != nil {
+							return
+						}
+					}
+				} else if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					status, n := r.ArtifactOf(cache.Ident(a))
+					if status == nil {
+						mustPrintln(
+							statusPrefix + "not in report",
+						)
+					} else {
+						mustPrintln("size        :", n)
+						mustPrint(statusPrefix)
+						if _, err = w.Write(status); err != nil {
+							return
+						}
+					}
+					return
+				}); err != nil {
+					return
+				}
+			}
+
+			if i != len(args)-1 {
+				mustPrintln()
+			}
+		}
+	}
+	return nil
+}

cmd/mbf/info_test.go

@@ -0,0 +1,190 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"syscall"
+	"testing"
+	"unique"
+	"unsafe"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+)
+
+func TestInfo(t *testing.T) {
+	t.Parallel()
+
+	_t := rosa.Native().Std()
+	qemuMeta, _ := _t.Load(rosa.H("qemu"))
+	glibMeta, _ := _t.Load(rosa.H("glib"))
+	zlibMeta, zlib := _t.Load(rosa.H("zlib"))
+	zstdMeta, _ := _t.Load(rosa.H("zstd"))
+	hakureiMeta, _ := _t.Load(rosa.H("hakurei"))
+	hakureiDistMeta, _ := _t.Load(rosa.H("hakurei-dist"))
+
+	testCases := []struct {
+		name    string
+		args    []string
+		status  map[string]string
+		report  string
+		want    string
+		wantErr any
+	}{
+		{"qemu", []string{"qemu"}, nil, "", `
+name        : qemu-` + qemuMeta.Version + `
+description : a generic and open source machine emulator and virtualizer
+website     : https://www.qemu.org
+depends on  : glib-` + glibMeta.Version + ` zstd-` + zstdMeta.Version + `
+`, nil},
+
+		{"multi", []string{"hakurei", "hakurei-dist"}, nil, "", `
+name        : hakurei-` + hakureiMeta.Version + `
+description : low-level userspace tooling for Rosa OS
+website     : https://hakurei.app
+
+name        : hakurei-dist-` + hakureiDistMeta.Version + `
+description : low-level userspace tooling for Rosa OS (distribution tarball)
+website     : https://hakurei.app
+`, nil},
+
+		{"nonexistent", []string{"zlib", "\x00"}, nil, "", `
+name        : zlib-` + zlibMeta.Version + `
+description : lossless data-compression library
+website     : https://zlib.net
+
+`, fmt.Errorf("unknown artifact %q", "\x00")},
+
+		{"status cache", []string{"zlib", "zstd"}, map[string]string{
+			"zstd":    "internal/pkg (amd64) on satori\n",
+			"hakurei": "internal/pkg (amd64) on satori\n\n",
+		}, "", `
+name        : zlib-` + zlibMeta.Version + `
+description : lossless data-compression library
+website     : https://zlib.net
+status      : not yet cured
+
+name        : zstd-` + zstdMeta.Version + `
+description : a fast compression algorithm
+website     : https://facebook.github.io/zstd
+status      : internal/pkg (amd64) on satori
+`, nil},
+
+		{"status cache perm", []string{"zlib"}, map[string]string{
+			"zlib": "\x00",
+		}, "", `
+name        : zlib-` + zlibMeta.Version + `
+description : lossless data-compression library
+website     : https://zlib.net
+`, func(cm *cache) error {
+			return &os.PathError{
+				Op:   "open",
+				Path: filepath.Join(cm.base, "status", pkg.Encode(cm.c.Ident(zlib).Value())),
+				Err:  syscall.EACCES,
+			}
+		}},
+
+		{"status report", []string{"zlib"}, nil, strings.Repeat("\x00", len(pkg.Checksum{})+8), `
+name        : zlib-` + zlibMeta.Version + `
+description : lossless data-compression library
+website     : https://zlib.net
+status      : not in report
+`, nil},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				cm  *cache
+				buf strings.Builder
+				r   *rosa.Report
+			)
+
+			if tc.status != nil || tc.report != "" {
+				cm = &cache{
+					ctx:  context.Background(),
+					msg:  message.New(log.New(os.Stderr, "info: ", 0)),
+					base: t.TempDir(),
+				}
+				defer cm.Close()
+			}
+
+			if tc.report != "" {
+				pathname := filepath.Join(t.TempDir(), "report")
+				err := os.WriteFile(
+					pathname,
+					unsafe.Slice(unsafe.StringData(tc.report), len(tc.report)),
+					0400,
+				)
+				if err != nil {
+					t.Fatal(err)
+				}
+
+				r, err = rosa.OpenReport(pathname)
+				if err != nil {
+					t.Fatal(err)
+				}
+				defer func() {
+					if err = r.Close(); err != nil {
+						t.Fatal(err)
+					}
+				}()
+			}
+
+			if tc.status != nil {
+				for name, status := range tc.status {
+					_, a := _t.Load(rosa.ArtifactH(unique.Make(name)))
+					if a == nil {
+						t.Fatalf("invalid name %q", name)
+					}
+					perm := os.FileMode(0400)
+					if status == "\x00" {
+						perm = 0
+					}
+					if err := cm.Do(func(cache *pkg.Cache) error {
+						return os.WriteFile(filepath.Join(
+							cm.base,
+							"status",
+							pkg.Encode(cache.Ident(a).Value()),
+						), unsafe.Slice(unsafe.StringData(status), len(status)), perm)
+					}); err != nil {
+						t.Fatalf("Do: error = %v", err)
+					}
+				}
+			}
+
+			var wantErr error
+			switch c := tc.wantErr.(type) {
+			case error:
+				wantErr = c
+			case func(cm *cache) error:
+				wantErr = c(cm)
+			default:
+				if tc.wantErr != nil {
+					t.Fatalf("invalid wantErr %#v", tc.wantErr)
+				}
+			}
+
+			if err := commandInfo(
+				cm,
+				tc.args,
+				&buf,
+				cm != nil,
+				r,
+			); !reflect.DeepEqual(err, wantErr) {
+				t.Fatalf("commandInfo: error = %v, want %v", err, wantErr)
+			}
+
+			if got := buf.String(); got != strings.TrimPrefix(tc.want, "\n") {
+				t.Errorf("commandInfo:\n%s\nwant\n%s", got, tc.want)
+			}
+		})
+	}
+}

cmd/mbf/internal/pkgserver/api.go

@@ -0,0 +1,202 @@
+// Package pkgserver implements the package metadata service backend.
+package pkgserver
+
+import (
+	"context"
+	"encoding/json"
+	"log"
+	"net/http"
+	"net/url"
+	"path"
+	"strconv"
+	"sync"
+	"time"
+
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/rosa"
+)
+
+// for lazy initialisation of serveInfo
+var (
+	infoPayload struct {
+		// Current package count.
+		Count int `json:"count"`
+		// Hakurei version, set at link time.
+		HakureiVersion string `json:"hakurei_version"`
+	}
+	infoPayloadOnce sync.Once
+)
+
+// handleInfo writes constant system information.
+func handleInfo(w http.ResponseWriter, _ *http.Request) {
+	infoPayloadOnce.Do(func() {
+		infoPayload.Count = len(rosa.Native().Collect())
+		infoPayload.HakureiVersion = info.Version()
+	})
+	// TODO(mae): cache entire response if no additional fields are planned
+	writeAPIPayload(w, infoPayload)
+}
+
+// newStatusHandler returns a [http.HandlerFunc] that offers status files for
+// viewing or download, if available.
+func (index *packageIndex) newStatusHandler(disposition bool) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		m, ok := index.names[path.Base(r.URL.Path)]
+		if !ok || !m.HasReport {
+			http.NotFound(w, r)
+			return
+		}
+
+		contentType := "text/plain; charset=utf-8"
+		if disposition {
+			contentType = "application/octet-stream"
+
+			// quoting like this is unsound, but okay, because metadata is hardcoded
+			contentDisposition := `attachment; filename="`
+			contentDisposition += m.Name + "-"
+			if m.Version != "" {
+				contentDisposition += m.Version + "-"
+			}
+			contentDisposition += m.ids + `.log"`
+			w.Header().Set("Content-Disposition", contentDisposition)
+		}
+		w.Header().Set("Content-Type", contentType)
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+		if err := func() (err error) {
+			defer index.handleAccess(&err)()
+			_, err = w.Write(m.status)
+			return
+		}(); err != nil {
+			log.Println(err)
+			http.Error(
+				w, "cannot deliver status, contact maintainers",
+				http.StatusInternalServerError,
+			)
+		}
+	}
+}
+
+// handleGet writes a slice of metadata with specified order.
+func (index *packageIndex) handleGet(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit, err := strconv.Atoi(q.Get("limit"))
+	if err != nil || limit > 100 || limit < 1 {
+		http.Error(
+			w, "limit must be an integer between 1 and 100",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	i, err := strconv.Atoi(q.Get("index"))
+	if err != nil || i >= len(index.sorts[0]) || i < 0 {
+		http.Error(
+			w, "index must be an integer between 0 and "+
+				strconv.Itoa(len(index.sorts[0])-1),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	sort, err := strconv.Atoi(q.Get("sort"))
+	if err != nil || sort >= len(index.sorts) || sort < 0 {
+		http.Error(
+			w, "sort must be an integer between 0 and "+
+				strconv.Itoa(sortOrderEnd),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	values := index.sorts[sort][i:min(i+limit, len(index.sorts[sort]))]
+	writeAPIPayload(w, &struct {
+		Values []*metadata `json:"values"`
+	}{values})
+}
+
+func (index *packageIndex) handleSearch(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit, err := strconv.Atoi(q.Get("limit"))
+	if err != nil || limit > 100 || limit < 1 {
+		http.Error(
+			w, "limit must be an integer between 1 and 100",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	i, err := strconv.Atoi(q.Get("index"))
+	if err != nil || i >= len(index.sorts[0]) || i < 0 {
+		http.Error(
+			w, "index must be an integer between 0 and "+
+				strconv.Itoa(len(index.sorts[0])-1),
+			http.StatusBadRequest,
+		)
+		return
+	}
+	search, err := url.QueryUnescape(q.Get("search"))
+	if len(search) > 100 || err != nil {
+		http.Error(
+			w, "search must be a string between 0 and 100 characters long",
+			http.StatusBadRequest,
+		)
+		return
+	}
+	desc := q.Get("desc") == "true"
+	n, res, err := index.performSearchQuery(limit, i, search, desc)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+	writeAPIPayload(w, &struct {
+		Count  int            `json:"count"`
+		Values []searchResult `json:"values"`
+	}{n, res})
+}
+
+// apiVersion is the name of the current API revision, as part of the pattern.
+const apiVersion = "v1"
+
+// registerAPI registers API handler functions.
+func (index *packageIndex) registerAPI(mux *http.ServeMux) {
+	mux.HandleFunc("GET /api/"+apiVersion+"/info", handleInfo)
+	mux.HandleFunc("GET /api/"+apiVersion+"/get", index.handleGet)
+	mux.HandleFunc("GET /api/"+apiVersion+"/search", index.handleSearch)
+	mux.HandleFunc("GET /api/"+apiVersion+"/status/", index.newStatusHandler(false))
+	mux.HandleFunc("GET /status/", index.newStatusHandler(true))
+}
+
+// Register arranges for mux to service API requests.
+func Register(ctx context.Context, mux *http.ServeMux, report *rosa.Report) error {
+	var index packageIndex
+	index.search = make(searchCache)
+	if err := index.populate(report); err != nil {
+		return err
+	}
+	ticker := time.NewTicker(1 * time.Minute)
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				ticker.Stop()
+				return
+			case <-ticker.C:
+				index.search.clean()
+			}
+		}
+	}()
+	index.registerAPI(mux)
+	return nil
+}
+
+// writeAPIPayload sets headers common to API responses and encodes payload as
+// JSON for the response body.
+func writeAPIPayload(w http.ResponseWriter, payload any) {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Expires", "0")
+
+	if err := json.NewEncoder(w).Encode(payload); err != nil {
+		log.Println(err)
+		http.Error(
+			w, "cannot encode payload, contact maintainers",
+			http.StatusInternalServerError,
+		)
+	}
+}

cmd/mbf/internal/pkgserver/api_test.go

@@ -0,0 +1,111 @@
+package pkgserver
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"testing"
+
+	"hakurei.app/internal/info"
+	"hakurei.app/internal/rosa"
+)
+
+// prefix is prepended to every API path.
+const prefix = "/api/" + apiVersion + "/"
+
+func TestAPIInfo(t *testing.T) {
+	t.Parallel()
+
+	w := httptest.NewRecorder()
+	handleInfo(w, httptest.NewRequestWithContext(
+		t.Context(),
+		http.MethodGet,
+		prefix+"info",
+		nil,
+	))
+
+	resp := w.Result()
+	checkStatus(t, resp, http.StatusOK)
+	checkAPIHeader(t, w.Header())
+
+	checkPayload(t, resp, struct {
+		Count          int    `json:"count"`
+		HakureiVersion string `json:"hakurei_version"`
+	}{len(rosa.Native().Collect()), info.Version()})
+}
+
+func TestAPIGet(t *testing.T) {
+	t.Parallel()
+	const target = prefix + "get"
+
+	index := newIndex(t)
+	newRequest := func(suffix string) *httptest.ResponseRecorder {
+		w := httptest.NewRecorder()
+		index.handleGet(w, httptest.NewRequestWithContext(
+			t.Context(),
+			http.MethodGet,
+			target+suffix,
+			nil,
+		))
+		return w
+	}
+
+	checkValidate := func(t *testing.T, suffix string, vmin, vmax int, wantErr string) {
+		t.Run("invalid", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=invalid")
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+		})
+
+		t.Run("min", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmin-1))
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+
+			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmin))
+			resp = w.Result()
+			checkStatus(t, resp, http.StatusOK)
+		})
+
+		t.Run("max", func(t *testing.T) {
+			t.Parallel()
+
+			w := newRequest("?" + suffix + "=" + strconv.Itoa(vmax+1))
+			resp := w.Result()
+			checkError(t, resp, wantErr, http.StatusBadRequest)
+
+			w = newRequest("?" + suffix + "=" + strconv.Itoa(vmax))
+			resp = w.Result()
+			checkStatus(t, resp, http.StatusOK)
+		})
+	}
+
+	t.Run("limit", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "index=0&sort=0&limit", 1, 100,
+			"limit must be an integer between 1 and 100",
+		)
+	})
+
+	count := len(rosa.Native().Collect())
+	t.Run("index", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "limit=1&sort=0&index", 0, count-1,
+			"index must be an integer between 0 and "+strconv.Itoa(count-1),
+		)
+	})
+
+	t.Run("sort", func(t *testing.T) {
+		t.Parallel()
+		checkValidate(
+			t, "index=0&limit=1&sort", 0, int(sortOrderEnd),
+			"sort must be an integer between 0 and "+strconv.Itoa(int(sortOrderEnd)),
+		)
+	})
+}

cmd/mbf/internal/pkgserver/index.go

@@ -0,0 +1,108 @@
+package pkgserver
+
+import (
+	"cmp"
+	"errors"
+	"slices"
+	"strings"
+
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+)
+
+const (
+	declarationAscending = iota
+	declarationDescending
+	nameAscending
+	nameDescending
+	sizeAscending
+	sizeDescending
+
+	sortOrderEnd = iota - 1
+)
+
+// packageIndex refers to metadata by name and various sort orders.
+type packageIndex struct {
+	sorts  [sortOrderEnd + 1][]*metadata
+	names  map[string]*metadata
+	search searchCache
+	// Taken from [rosa.Report] if available.
+	handleAccess func(*error) func()
+}
+
+// metadata holds [rosa.Metadata] extended with additional information.
+type metadata struct {
+	handle rosa.ArtifactH
+	*rosa.Metadata
+
+	// Copied from [rosa.Metadata], [rosa.Unversioned] is equivalent to the zero
+	// value. Otherwise, the zero value is invalid.
+	Version string `json:"version,omitempty"`
+	// Output data size, available if present in report.
+	Size int64 `json:"size,omitempty"`
+	// Whether the underlying [pkg.Artifact] is present in the report.
+	HasReport bool `json:"report"`
+
+	// Ident string encoded ahead of time.
+	ids string
+	// Backed by [rosa.Report], access must be prepared by HandleAccess.
+	status []byte
+}
+
+// populate deterministically populates packageIndex, optionally with a report.
+func (index *packageIndex) populate(report *rosa.Report) (err error) {
+	if report != nil {
+		defer report.HandleAccess(&err)()
+		index.handleAccess = report.HandleAccess
+	}
+
+	handles := rosa.Native().Collect()
+	work := make([]*metadata, len(handles))
+	index.names = make(map[string]*metadata)
+	ir := pkg.NewIR()
+	for i, handle := range handles {
+		meta, a := rosa.Native().Std().MustLoad(handle)
+		m := metadata{
+			handle: handle,
+
+			Metadata: meta,
+			Version:  meta.Version,
+		}
+		if m.Version == "" {
+			return errors.New("invalid version from " + m.Name)
+		}
+		if m.Version == rosa.Unversioned {
+			m.Version = ""
+		}
+
+		if report != nil {
+			id := ir.Ident(a)
+			m.ids = pkg.Encode(id.Value())
+			m.status, m.Size = report.ArtifactOf(id)
+			m.HasReport = m.Size >= 0
+		}
+
+		work[i] = &m
+		index.names[m.Name] = &m
+	}
+
+	index.sorts[declarationAscending] = work
+	index.sorts[declarationDescending] = slices.Clone(work)
+	slices.Reverse(index.sorts[declarationDescending][:])
+
+	index.sorts[nameAscending] = slices.Clone(work)
+	slices.SortFunc(index.sorts[nameAscending][:], func(a, b *metadata) int {
+		return strings.Compare(a.Name, b.Name)
+	})
+	index.sorts[nameDescending] = slices.Clone(index.sorts[nameAscending])
+	slices.Reverse(index.sorts[nameDescending][:])
+
+	index.sorts[sizeAscending] = slices.Clone(work)
+	slices.SortFunc(index.sorts[sizeAscending][:], func(a, b *metadata) int {
+		return cmp.Compare(a.Size, b.Size)
+	})
+	index.sorts[sizeDescending] = slices.Clone(index.sorts[sizeAscending])
+	slices.Reverse(index.sorts[sizeDescending][:])
+
+	return
+}

cmd/mbf/internal/pkgserver/index_test.go

@@ -0,0 +1,96 @@
+package pkgserver
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"reflect"
+	"testing"
+)
+
+// newIndex returns the address of a newly populated packageIndex.
+func newIndex(t *testing.T) *packageIndex {
+	t.Helper()
+
+	var index packageIndex
+	if err := index.populate(nil); err != nil {
+		t.Fatalf("populate: error = %v", err)
+	}
+	return &index
+}
+
+// checkStatus checks response status code.
+func checkStatus(t *testing.T, resp *http.Response, want int) {
+	t.Helper()
+
+	if resp.StatusCode != want {
+		t.Errorf(
+			"StatusCode: %s, want %s",
+			http.StatusText(resp.StatusCode),
+			http.StatusText(want),
+		)
+	}
+}
+
+// checkHeader checks the value of a header entry.
+func checkHeader(t *testing.T, h http.Header, key, want string) {
+	t.Helper()
+
+	if got := h.Get(key); got != want {
+		t.Errorf("%s: %q, want %q", key, got, want)
+	}
+}
+
+// checkAPIHeader checks common entries set for API endpoints.
+func checkAPIHeader(t *testing.T, h http.Header) {
+	t.Helper()
+
+	checkHeader(t, h, "Content-Type", "application/json; charset=utf-8")
+	checkHeader(t, h, "Cache-Control", "no-cache, no-store, must-revalidate")
+	checkHeader(t, h, "Pragma", "no-cache")
+	checkHeader(t, h, "Expires", "0")
+}
+
+// checkPayloadFunc checks the JSON response of an API endpoint by passing it to f.
+func checkPayloadFunc[T any](
+	t *testing.T,
+	resp *http.Response,
+	f func(got *T) bool,
+) {
+	t.Helper()
+
+	var got T
+	r := io.Reader(resp.Body)
+	if testing.Verbose() {
+		var buf bytes.Buffer
+		r = io.TeeReader(r, &buf)
+		defer func() { t.Helper(); t.Log(buf.String()) }()
+	}
+	if err := json.NewDecoder(r).Decode(&got); err != nil {
+		t.Fatalf("Decode: error = %v", err)
+	}
+
+	if !f(&got) {
+		t.Errorf("Body: %#v", got)
+	}
+}
+
+// checkPayload checks the JSON response of an API endpoint.
+func checkPayload[T any](t *testing.T, resp *http.Response, want T) {
+	t.Helper()
+
+	checkPayloadFunc(t, resp, func(got *T) bool {
+		return reflect.DeepEqual(got, &want)
+	})
+}
+
+func checkError(t *testing.T, resp *http.Response, error string, code int) {
+	t.Helper()
+
+	checkStatus(t, resp, code)
+	if got, _ := io.ReadAll(resp.Body); string(got) != fmt.Sprintln(error) {
+		t.Errorf("Body: %q, want %q", string(got), error)
+	}
+}

cmd/mbf/internal/pkgserver/search.go

@@ -0,0 +1,81 @@
+package pkgserver
+
+import (
+	"cmp"
+	"maps"
+	"regexp"
+	"slices"
+	"time"
+)
+
+type searchCache map[string]searchCacheEntry
+type searchResult struct {
+	NameIndices [][]int `json:"name_matches"`
+	DescIndices [][]int `json:"desc_matches,omitempty"`
+	Score       float64 `json:"score"`
+	*metadata
+}
+type searchCacheEntry struct {
+	query   string
+	results []searchResult
+	expiry  time.Time
+}
+
+func (index *packageIndex) performSearchQuery(limit int, i int, search string, desc bool) (int, []searchResult, error) {
+	query := search
+	if desc {
+		query += ";withDesc"
+	}
+	entry, ok := index.search[query]
+	if ok && len(entry.results) > 0 {
+		return len(entry.results), entry.results[min(i, len(entry.results)-1):min(i+limit, len(entry.results))], nil
+	}
+
+	regex, err := regexp.Compile(search)
+	if err != nil {
+		return 0, make([]searchResult, 0), err
+	}
+	res := make([]searchResult, 0)
+	for p := range maps.Values(index.names) {
+		nameIndices := regex.FindAllIndex([]byte(p.Name), -1)
+		var descIndices [][]int = nil
+		if desc {
+			descIndices = regex.FindAllIndex([]byte(p.Description), -1)
+		}
+		if nameIndices == nil && descIndices == nil {
+			continue
+		}
+		score := float64(indexsum(nameIndices)) / (float64(len(nameIndices)) + 1)
+		if desc {
+			score += float64(indexsum(descIndices)) / (float64(len(descIndices)) + 1) / 10.0
+		}
+		res = append(res, searchResult{
+			NameIndices: nameIndices,
+			DescIndices: descIndices,
+			Score:       score,
+			metadata:    p,
+		})
+	}
+	slices.SortFunc(res[:], func(a, b searchResult) int { return -cmp.Compare(a.Score, b.Score) })
+	expiry := time.Now().Add(1 * time.Minute)
+	entry = searchCacheEntry{
+		query:   search,
+		results: res,
+		expiry:  expiry,
+	}
+	index.search[query] = entry
+
+	return len(res), res[i:min(i+limit, len(entry.results))], nil
+}
+func (s *searchCache) clean() {
+	maps.DeleteFunc(*s, func(_ string, v searchCacheEntry) bool {
+		return v.expiry.Before(time.Now())
+	})
+}
+func indexsum(in [][]int) int {
+	sum := 0
+	for i := 0; i < len(in); i++ {
+		sum += in[i][1] - in[i][0]
+	}
+	return sum
+}

cmd/mbf/internal/pkgserver/ui/index.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="stylesheet" href="style.css">
+    <link rel="icon" href="https://hakurei.app/favicon.ico"/>
+    <title>Rosa OS Packages</title>
+    <script src="index.js"></script>
+</head>
+<body>
+<h1>Rosa OS Packages</h1>
+<div class="top-controls" id="top-controls-regular">
+    <p>Showing entries <span id="entry-counter"></span>.</p>
+    <span id="search-bar">
+        <label for="search">Search: </label>
+        <input type="text" name="search" id="search"/>
+        <button onclick="doSearch()">Find</button>
+        <label for="include-desc">Include descriptions: </label>
+        <input type="checkbox" name="include-desc" id="include-desc" checked/>
+    </span>
+    <div><label for="count">Entries per page: </label><select name="count" id="count">
+        <option value="10">10</option>
+        <option value="20">20</option>
+        <option value="30">30</option>
+        <option value="50">50</option>
+    </select></div>
+    <div><label for="sort">Sort by: </label><select name="sort" id="sort">
+        <option value="0">Definition (ascending)</option>
+        <option value="1">Definition (descending)</option>
+        <option value="2">Name (ascending)</option>
+        <option value="3">Name (descending)</option>
+        <option value="4">Size (ascending)</option>
+        <option value="5">Size (descending)</option>
+    </select></div>
+</div>
+<div class="top-controls" id="search-top-controls" hidden>
+    <p>Showing search results <span id="search-entry-counter"></span> for query "<span id="search-query"></span>".</p>
+    <button onclick="exitSearch()">Back</button>
+    <div><label for="search-count">Entries per page: </label><select name="search-count" id="search-count">
+        <option value="10">10</option>
+        <option value="20">20</option>
+        <option value="30">30</option>
+        <option value="50">50</option>
+    </select></div>
+    <p>Sorted by best match</p>
+</div>
+<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
+<table id="pkg-list">
+    <tr><td>Loading...</td></tr>
+</table>
+<div class="page-controls"><a href="javascript:prevPage()">&laquo; Previous</a> <input type="text" class="page-number" value="1"/> <a href="javascript:nextPage()">Next &raquo;</a></div>
+<footer>
+    <p>&copy;<a href="https://hakurei.app/">Hakurei</a> (<span id="hakurei-version">unknown</span>). Licensed under the MIT license.</p>
+</footer>
+<script>main();</script>
+</body>
+</html>

cmd/mbf/internal/pkgserver/ui/index.ts

@@ -0,0 +1,331 @@
+interface PackageIndexEntry {
+    name: string
+    size?: number
+    description?: string
+    website?: string
+    version?: string
+    report?: boolean
+}
+
+function entryToHTML(entry: PackageIndexEntry | SearchResult): HTMLTableRowElement {
+    let v = entry.version != null ? `<span>${escapeHtml(entry.version)}</span>` : ""
+    let s = entry.size != null && entry.size > 0 ? `<p>Size: ${toByteSizeString(entry.size)} (${entry.size})</p>` : ""
+    let n: string
+    let d: string
+    if ('name_matches' in entry) {
+        n = `<h2>${nameMatches(entry as SearchResult)} ${v}</h2>`
+    } else {
+        n = `<h2>${escapeHtml(entry.name)} ${v}</h2>`
+    }
+    if ('desc_matches' in entry && STATE.getIncludeDescriptions()) {
+        d = descMatches(entry as SearchResult)
+    } else {
+        d = (entry as PackageIndexEntry).description != null ? `<p>${escapeHtml((entry as PackageIndexEntry).description)}</p>` : ""
+    }
+    let w = entry.website != null ? `<a href="${encodeURI(entry.website)}">Website</a>` : ""
+    let r = entry.report ? `Log (<a href=\"${encodeURI('/api/v1/status/' + entry.name)}\">View</a> | <a href=\"${encodeURI('/status/' + entry.name)}\">Download</a>)` : ""
+    let row = <HTMLTableRowElement>(document.createElement('tr'))
+    row.innerHTML = `<td>
+            ${n}
+            ${d}
+            ${s}
+            ${w}
+            ${r}
+        </td>`
+    return row
+}
+
+function nameMatches(sr: SearchResult): string {
+    return markMatches(sr.name, sr.name_matches)
+}
+
+function descMatches(sr: SearchResult): string {
+    return markMatches(sr.description!, sr.desc_matches)
+}
+
+function markMatches(str: string, indices: [number, number][]): string {
+    if (indices == null) {
+        return str
+    }
+    let out: string = ""
+    let j = 0
+    for (let i = 0; i < str.length; i++) {
+        if (j < indices.length) {
+            if (i === indices[j][0]) {
+                out += `<mark>${escapeHtmlChar(str[i])}`
+                continue
+            }
+            if (i === indices[j][1]) {
+                out += `</mark>${escapeHtmlChar(str[i])}`
+                j++
+                continue
+            }
+        }
+        out += escapeHtmlChar(str[i])
+    }
+    if (indices[j] !== undefined) {
+        out += "</mark>"
+    }
+    return out
+}
+
+function toByteSizeString(bytes: number): string {
+    if (bytes == null) return `unspecified`
+    if (bytes < 1024) return `${bytes}B`
+    if (bytes < Math.pow(1024, 2)) return `${(bytes / 1024).toFixed(2)}kiB`
+    if (bytes < Math.pow(1024, 3)) return `${(bytes / Math.pow(1024, 2)).toFixed(2)}MiB`
+    if (bytes < Math.pow(1024, 4)) return `${(bytes / Math.pow(1024, 3)).toFixed(2)}GiB`
+    if (bytes < Math.pow(1024, 5)) return `${(bytes / Math.pow(1024, 4)).toFixed(2)}TiB`
+    return "not only is it big, it's large"
+}
+
+const API_VERSION = 1
+const ENDPOINT = `/api/v${API_VERSION}`
+
+interface InfoPayload {
+    count?: number
+    hakurei_version?: string
+}
+
+async function infoRequest(): Promise<InfoPayload> {
+    const res = await fetch(`${ENDPOINT}/info`)
+    const payload = await res.json()
+    return payload as InfoPayload
+}
+
+interface GetPayload {
+    values?: PackageIndexEntry[]
+}
+
+enum SortOrders {
+    DeclarationAscending,
+    DeclarationDescending,
+    NameAscending,
+    NameDescending
+}
+
+async function getRequest(limit: number, index: number, sort: SortOrders): Promise<GetPayload> {
+    const res = await fetch(`${ENDPOINT}/get?limit=${limit}&index=${index}&sort=${sort.valueOf()}`)
+    const payload = await res.json()
+    return payload as GetPayload
+}
+
+interface SearchResult extends PackageIndexEntry {
+    name_matches: [number, number][]
+    desc_matches: [number, number][]
+    score: number
+}
+
+interface SearchPayload {
+    count?: number
+    values?: SearchResult[]
+}
+
+async function searchRequest(limit: number, index: number, search: string, desc: boolean): Promise<SearchPayload> {
+    const res = await fetch(`${ENDPOINT}/search?limit=${limit}&index=${index}&search=${encodeURIComponent(search)}&desc=${desc}`)
+    if (!res.ok) {
+        exitSearch()
+        alert("invalid search query!")
+        return Promise.reject(res.statusText)
+    }
+    const payload = await res.json()
+    return payload as SearchPayload
+}
+
+class State {
+    entriesPerPage: number = 10
+    entryIndex: number = 0
+    maxTotal: number = 0
+    maxEntries: number = 0
+    sort: SortOrders = SortOrders.DeclarationAscending
+    search: boolean = false
+
+    getEntriesPerPage(): number {
+        return this.entriesPerPage
+    }
+
+    setEntriesPerPage(entriesPerPage: number) {
+        this.entriesPerPage = entriesPerPage
+        this.setEntryIndex(Math.floor(this.getEntryIndex() / entriesPerPage) * entriesPerPage)
+    }
+
+    getEntryIndex(): number {
+        return this.entryIndex
+    }
+
+    setEntryIndex(entryIndex: number) {
+        this.entryIndex = entryIndex
+        this.updatePage()
+        this.updateRange()
+        this.updateListings()
+    }
+
+    getMaxTotal(): number {
+        return this.maxTotal
+    }
+
+    setMaxTotal(max: number) {
+        this.maxTotal = max
+    }
+
+    getSortOrder(): SortOrders {
+        return this.sort
+    }
+
+    setSortOrder(sortOrder: SortOrders) {
+        this.sort = sortOrder
+        this.setEntryIndex(0)
+    }
+
+    updatePage() {
+        let page = Math.ceil(((this.getEntryIndex() + this.getEntriesPerPage()) - 1) / this.getEntriesPerPage())
+        for (let e of document.getElementsByClassName("page-number")) {
+            (e as HTMLInputElement).value = String(page)
+        }
+    }
+
+    updateRange() {
+        let max = Math.min(this.getEntryIndex() + this.getEntriesPerPage(), this.getMaxTotal())
+        document.getElementById("entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.getMaxTotal()}`
+        if (this.search) {
+            document.getElementById("search-entry-counter")!.textContent = `${this.getEntryIndex() + 1}-${max} of ${this.maxTotal}/${this.maxEntries}`
+            document.getElementById("search-query")!.innerHTML = `<code>${escapeHtml(this.getSearchQuery())}</code>`
+        }
+    }
+
+    getSearchQuery(): string {
+        let queryString = document.getElementById("search")!;
+        return (queryString as HTMLInputElement).value
+    }
+
+    getIncludeDescriptions(): boolean {
+        let includeDesc = document.getElementById("include-desc")!;
+        return (includeDesc as HTMLInputElement).checked
+    }
+
+    updateListings() {
+        if (this.search) {
+            searchRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSearchQuery(), this.getIncludeDescriptions())
+                .then(res => {
+                    let table = document.getElementById("pkg-list")!
+                    table.innerHTML = ''
+                    for (let row of res.values!) {
+                        table.appendChild(entryToHTML(row))
+                    }
+                    STATE.maxTotal = res.count!
+                    STATE.updateRange()
+                    if(res.count! < 1) {
+                        exitSearch()
+                        alert("no results found!")
+                    }
+                })
+        } else {
+            getRequest(this.getEntriesPerPage(), this.getEntryIndex(), this.getSortOrder())
+                .then(res => {
+                    let table = document.getElementById("pkg-list")!
+                    table.innerHTML = ''
+                    for (let row of res.values!) {
+                        table.appendChild(entryToHTML(row))
+                    }
+                })
+        }
+    }
+}
+
+let STATE: State
+
+
+function lastPageIndex(): number {
+    return Math.floor(STATE.getMaxTotal() / STATE.getEntriesPerPage()) * STATE.getEntriesPerPage()
+}
+
+function setPage(page: number) {
+    STATE.setEntryIndex(Math.max(0, Math.min(STATE.getEntriesPerPage() * (page - 1), lastPageIndex())))
+}
+
+
+function escapeHtml(str?: string): string {
+    let out: string = ''
+    if (str == undefined) return ""
+    for (let i = 0; i < str.length; i++) {
+        out += escapeHtmlChar(str[i])
+    }
+    return out
+}
+
+function escapeHtmlChar(char: string): string {
+    if (char.length != 1) return char
+    switch (char[0]) {
+        case '&':
+            return "&amp;"
+        case '<':
+            return "&lt;"
+        case '>':
+            return "&gt;"
+        case '"':
+            return "&quot;"
+        case "'":
+            return "&apos;"
+        default:
+            return char
+    }
+}
+
+function firstPage() {
+    STATE.setEntryIndex(0)
+}
+
+function prevPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.max(0, index - STATE.getEntriesPerPage()))
+}
+
+function lastPage() {
+    STATE.setEntryIndex(lastPageIndex())
+}
+
+function nextPage() {
+    let index = STATE.getEntryIndex()
+    STATE.setEntryIndex(Math.min(lastPageIndex(), index + STATE.getEntriesPerPage()))
+}
+
+function doSearch() {
+    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
+    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
+    STATE.search = true;
+    STATE.setEntryIndex(0);
+}
+
+function exitSearch() {
+    document.getElementById("top-controls-regular")!.toggleAttribute("hidden");
+    document.getElementById("search-top-controls")!.toggleAttribute("hidden");
+    STATE.search = false;
+    STATE.setMaxTotal(STATE.maxEntries)
+    STATE.setEntryIndex(0)
+}
+
+function main() {
+    STATE = new State()
+    infoRequest()
+        .then(res => {
+            STATE.maxEntries = res.count!
+            STATE.setMaxTotal(STATE.maxEntries)
+            document.getElementById("hakurei-version")!.textContent = res.hakurei_version!
+            STATE.updateRange()
+            STATE.updateListings()
+        })
+    for (let e of document.getElementsByClassName("page-number")) {
+        e.addEventListener("change", (_) => {
+            setPage(parseInt((e as HTMLInputElement).value))
+        })
+    }
+    document.getElementById("count")?.addEventListener("change", (event) => {
+        STATE.setEntriesPerPage(parseInt((event.target as HTMLSelectElement).value))
+    })
+    document.getElementById("sort")?.addEventListener("change", (event) => {
+        STATE.setSortOrder(parseInt((event.target as HTMLSelectElement).value))
+    })
+    document.getElementById("search")?.addEventListener("keyup", (event) => {
+        if (event.key === 'Enter') doSearch()
+    })
+}

cmd/mbf/internal/pkgserver/ui/style.css

@@ -0,0 +1,21 @@
+.page-number {
+  width: 2em;
+  text-align: center;
+}
+.page-number {
+  width: 2em;
+  text-align: center;
+}
+
+@media (prefers-color-scheme: dark) {
+  html {
+    background-color: #2c2c2c;
+    color: ghostwhite;
+  }
+}
+@media (prefers-color-scheme: light) {
+  html {
+    background-color: #d3d3d3;
+    color: black;
+  }
+}

cmd/mbf/internal/pkgserver/ui/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "compilerOptions": {
+    "target": "ES2024",
+    "strict": true,
+    "alwaysStrict": true,
+    "outDir": "static"
+  }
+}

cmd/mbf/internal/pkgserver/ui/ui.go

@@ -0,0 +1,9 @@
+// Package ui holds the static web UI.
+package ui
+
+import "net/http"
+
+// Register arranges for mux to serve the embedded frontend.
+func Register(mux *http.ServeMux) {
+	mux.Handle("GET /", http.FileServer(http.FS(static)))
+}

cmd/mbf/internal/pkgserver/ui/ui_full.go

@@ -0,0 +1,21 @@
+//go:build frontend
+
+package ui
+
+import (
+	"embed"
+	"io/fs"
+)
+
+//go:generate tsc
+//go:generate cp index.html style.css static
+//go:embed static
+var _static embed.FS
+
+var static = func() fs.FS {
+	if f, err := fs.Sub(_static, "static"); err != nil {
+		panic(err)
+	} else {
+		return f
+	}
+}()

cmd/mbf/internal/pkgserver/ui/ui_stub.go

@@ -0,0 +1,7 @@
+//go:build !frontend
+
+package ui
+
+import "testing/fstest"
+
+var static fstest.MapFS

cmd/mbf/main.go

@@ -0,0 +1,919 @@
+// The mbf program is a frontend for [hakurei.app/internal/rosa].
+//
+// This program is not covered by the compatibility promise. The command line
+// interface, available packages and their behaviour, and even the on-disk
+// format, may change at any time.
+//
+// # Name
+//
+// The name mbf stands for maiden's best friend, as a tribute to the DOOM source
+// port of [the same name]. This name is a placeholder and is subject to change.
+//
+// [the same name]: https://www.doomwiki.org/wiki/MBF
+package main
+
+import (
+	"context"
+	"crypto/sha512"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"sync"
+	"sync/atomic"
+	"syscall"
+	"time"
+	"unique"
+
+	"hakurei.app/check"
+	"hakurei.app/command"
+	"hakurei.app/container"
+	"hakurei.app/container/seccomp"
+	"hakurei.app/container/std"
+	"hakurei.app/ext"
+	"hakurei.app/fhs"
+	"hakurei.app/internal/pkg"
+	"hakurei.app/internal/rosa"
+	"hakurei.app/message"
+
+	"hakurei.app/cmd/mbf/internal/pkgserver"
+	"hakurei.app/cmd/mbf/internal/pkgserver/ui"
+)
+
+func main() {
+	container.TryArgv0(nil)
+
+	log.SetFlags(0)
+	log.SetPrefix("mbf: ")
+	msg := message.New(log.Default())
+
+	if os.Geteuid() == 0 {
+		log.Fatal("this program must not run as root")
+	}
+
+	defer func() {
+		r := recover()
+		if r == nil {
+			return
+		}
+
+		switch r.(type) {
+		case rosa.LoadError, pkg.IRStringError:
+			log.Fatal(r)
+		default:
+			panic(r)
+		}
+	}()
+
+	ctx, stop := signal.NotifyContext(context.Background(),
+		syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
+	defer stop()
+
+	var cm cache
+	defer func() { cm.Close() }()
+
+	var (
+		flagQuiet bool
+		flagQEMU  bool
+		flagArch  string
+		flagCheck bool
+		flagLTO   bool
+		flagPT    bool
+
+		flagSourcePath    string
+		flagCrossOverride int
+
+		addr net.UnixAddr
+	)
+	c := command.New(os.Stderr, log.Printf, "mbf", func([]string) error {
+		if !rosa.Native().HasStageEarly() {
+			return pkg.UnsupportedArchError(runtime.GOARCH)
+		}
+
+		if flagPT {
+			log.Println("parsed in", rosa.ParseTime())
+		}
+
+		msg.SwapVerbose(!flagQuiet)
+		cm.ctx, cm.msg = ctx, msg
+		cm.base = os.ExpandEnv(cm.base)
+		if cm.base == "" {
+			cm.base = "cache"
+		}
+
+		addr.Net = "unix"
+		addr.Name = os.ExpandEnv(addr.Name)
+		if addr.Name == "" {
+			addr.Name = filepath.Join(cm.base, "daemon")
+		}
+
+		var flags int
+		if !flagCheck {
+			flags |= rosa.OptSkipCheck
+		}
+		if !flagLTO {
+			flags |= rosa.OptLLVMNoLTO
+		}
+		rosa.Native().DropCaches("", flags)
+		cross := flagArch != "" && flagArch != runtime.GOARCH
+		if flagQEMU || cross {
+			_, cm.qemu = rosa.Native().Std().MustLoad(rosa.H("qemu"))
+		}
+
+		if cross {
+			if flagCrossOverride != -1 {
+				flags = flagCrossOverride
+			}
+
+			rosa.Native().DropCaches(flagArch, flags)
+			if !rosa.Native().HasStageEarly() {
+				return pkg.UnsupportedArchError(flagArch)
+			}
+		}
+
+		if flagSourcePath != "" {
+			if err := rosa.Native().SetSource(os.DirFS(flagSourcePath)); err != nil {
+				return err
+			}
+		}
+
+		return nil
+	}).Flag(
+		&flagQuiet,
+		"q", command.BoolFlag(false),
+		"Do not print cure messages",
+	).Flag(
+		&flagQEMU,
+		"register", command.BoolFlag(false),
+		"Enable additional target architectures",
+	).Flag(
+		&flagArch,
+		"arch", command.StringFlag(runtime.GOARCH),
+		"Target architecture",
+	).Flag(
+		&flagLTO,
+		"lto", command.BoolFlag(false),
+		"Enable LTO in stage2 and stage3 LLVM toolchains",
+	).Flag(
+		&flagCheck,
+		"check", command.BoolFlag(true),
+		"Run test suites",
+	).Flag(
+		&flagCrossOverride,
+		"cross-flags", command.IntFlag(-1),
+		"Override non-native target preset flags",
+	).Flag(
+		&cm.verboseInit,
+		"v", command.BoolFlag(false),
+		"Do not suppress verbose output from init",
+	).Flag(
+		&cm.cures,
+		"cures", command.IntFlag(0),
+		"Maximum number of dependencies to cure at any given time",
+	).Flag(
+		&cm.jobs,
+		"jobs", command.IntFlag(0),
+		"Preferred number of jobs to run, when applicable",
+	).Flag(
+		&cm.base,
+		"d", command.StringFlag("$MBF_CACHE_DIR"),
+		"Directory to store cured artifacts",
+	).Flag(
+		&cm.idle,
+		"sched-idle", command.BoolFlag(false),
+		"Set SCHED_IDLE scheduling policy",
+	).Flag(
+		&cm.hostAbstract,
+		"host-abstract", command.BoolFlag(
+			os.Getenv("MBF_HOST_ABSTRACT") != "",
+		),
+		"Do not restrict networked cure containers from connecting to host "+
+			"abstract UNIX sockets",
+	).Flag(
+		&addr.Name,
+		"socket", command.StringFlag("$MBF_DAEMON_SOCKET"),
+		"Pathname of socket to bind to",
+	).Flag(
+		&flagPT,
+		"parse-time", command.BoolFlag(false),
+		"Print duration of the initial azalea parse",
+	).Flag(
+		&flagSourcePath,
+		"source", command.StringFlag(""),
+		"Override hakurei source tree",
+	)
+
+	c.NewCommand(
+		"checksum", "Compute checksum of data read from standard input",
+		func([]string) error {
+			done := make(chan struct{})
+			defer close(done)
+			go func() {
+				select {
+				case <-ctx.Done():
+					os.Exit(1)
+				case <-done:
+					return
+				}
+			}()
+
+			h := sha512.New384()
+			if _, err := io.Copy(h, os.Stdin); err != nil {
+				return err
+			}
+			log.Println(pkg.Encode(pkg.Checksum(h.Sum(nil))))
+			return nil
+		},
+	)
+
+	{
+		var flagShifts int
+		c.NewCommand(
+			"scrub", "Examine the on-disk cache for errors",
+			func(args []string) error {
+				if len(args) > 0 {
+					return errors.New("scrub expects no arguments")
+				}
+				if flagShifts < 0 || flagShifts > 31 {
+					flagShifts = 12
+				}
+				return cm.Do(func(cache *pkg.Cache) error {
+					return cache.Scrub(runtime.NumCPU() << flagShifts)
+				})
+			},
+		).Flag(
+			&flagShifts,
+			"shift", command.IntFlag(12),
+			"Scrub parallelism size exponent, to the power of 2",
+		)
+	}
+
+	{
+		var (
+			flagBind   string
+			flagStatus bool
+			flagReport string
+		)
+		c.NewCommand(
+			"info",
+			"Display out-of-band metadata of an artifact",
+			func(args []string) (err error) {
+				const shutdownTimeout = 15 * time.Second
+
+				var r *rosa.Report
+				if flagReport != "" {
+					if r, err = rosa.OpenReport(flagReport); err != nil {
+						return err
+					}
+					defer func() {
+						if closeErr := r.Close(); err == nil {
+							err = closeErr
+						}
+					}()
+					defer r.HandleAccess(&err)()
+				}
+
+				if flagBind == "" {
+					return commandInfo(&cm, args, os.Stdout, flagStatus, r)
+				}
+
+				var mux http.ServeMux
+				ui.Register(&mux)
+				if err = pkgserver.Register(ctx, &mux, r); err != nil {
+					return
+				}
+
+				server := http.Server{Addr: flagBind, Handler: &mux}
+				go func() {
+					<-ctx.Done()
+					cc, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
+					defer cancel()
+					if _err := server.Shutdown(cc); _err != nil {
+						log.Fatal(_err)
+					}
+				}()
+
+				msg.Verbosef("listening on %q", flagBind)
+				err = server.ListenAndServe()
+				if errors.Is(err, http.ErrServerClosed) {
+					err = nil
+				}
+				return
+			},
+		).Flag(
+			&flagBind,
+			"bind", command.StringFlag(""),
+			"TCP address for the server to listen on",
+		).Flag(
+			&flagStatus,
+			"status", command.BoolFlag(false),
+			"Display cure status if available",
+		).Flag(
+			&flagReport,
+			"report", command.StringFlag(""),
+			"Load cure status from this report file instead of cache",
+		)
+	}
+
+	c.NewCommand(
+		"report",
+		"Generate an artifact cure report for the current cache",
+		func(args []string) (err error) {
+			var w *os.File
+			switch len(args) {
+			case 0:
+				w = os.Stdout
+
+			case 1:
+				if w, err = os.OpenFile(
+					args[0],
+					os.O_CREATE|os.O_EXCL|syscall.O_WRONLY,
+					0400,
+				); err != nil {
+					return
+				}
+				defer func() {
+					closeErr := w.Close()
+					if err == nil {
+						err = closeErr
+					}
+				}()
+
+			default:
+				return errors.New("report requires 1 argument")
+			}
+
+			if ext.Isatty(int(w.Fd())) {
+				return errors.New("output appears to be a terminal")
+			}
+			return cm.Do(func(cache *pkg.Cache) error {
+				return rosa.WriteReport(msg, w, cache)
+			})
+		},
+	)
+
+	{
+		var flagJobs int
+		c.NewCommand("updates", command.UsageInternal, func([]string) error {
+			var (
+				errsMu sync.Mutex
+				errs   []error
+
+				n atomic.Uint64
+			)
+
+			w := make(chan rosa.ArtifactH)
+			var wg sync.WaitGroup
+			for range max(flagJobs, 1) {
+				wg.Go(func() {
+					for p := range w {
+						meta, _ := rosa.Native().Std().MustLoad(p)
+						if meta.ID == 0 {
+							continue
+						}
+
+						v, err := meta.GetVersions(ctx)
+						if err != nil {
+							errsMu.Lock()
+							errs = append(errs, err)
+							errsMu.Unlock()
+							continue
+						}
+
+						if latest := meta.GetLatest(v); meta.Version != latest {
+							n.Add(1)
+							log.Printf("%s %s < %s", meta.Name, meta.Version, latest)
+							continue
+						}
+
+						msg.Verbosef("%s is up to date", meta.Name)
+					}
+				})
+			}
+
+		done:
+			for _, p := range rosa.Native().CollectAll() {
+				select {
+				case w <- p:
+					break
+				case <-ctx.Done():
+					break done
+				}
+			}
+			close(w)
+			wg.Wait()
+
+			if v := n.Load(); v > 0 {
+				errs = append(errs, errors.New(strconv.Itoa(int(v))+
+					" package(s) are out of date"))
+			}
+			return errors.Join(errs...)
+		}).Flag(
+			&flagJobs,
+			"j", command.IntFlag(32),
+			"Maximum number of simultaneous connections",
+		)
+	}
+
+	c.NewCommand(
+		"daemon",
+		"Service artifact IR with Rosa OS extensions",
+		func(args []string) error {
+			ul, err := net.ListenUnix("unix", &addr)
+			if err != nil {
+				return err
+			}
+			log.Printf("listening on pathname socket at %s", addr.Name)
+			return serve(ctx, log.Default(), &cm, ul)
+		},
+	)
+
+	{
+		var (
+			flagGentoo   string
+			flagChecksum string
+		)
+		c.NewCommand(
+			"stage3",
+			"Check for toolchain 3-stage non-determinism",
+			func(args []string) (err error) {
+				s := rosa.Std
+				if flagGentoo != "" {
+					s -= 3 // magic number to discourage misuse
+
+					var checksum pkg.Checksum
+					if len(flagChecksum) != 0 {
+						if err = pkg.Decode(&checksum, flagChecksum); err != nil {
+							return
+						}
+					}
+					rosa.Native().SetGentooStage3(flagGentoo, checksum)
+				}
+
+				var (
+					pathname *check.Absolute
+					checksum [2]unique.Handle[pkg.Checksum]
+				)
+
+				_llvm := rosa.H("llvm")
+				if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					_, llvm := rosa.Native().New(s - 2).Load(_llvm)
+					pathname, _, err = cache.Cure(llvm)
+					return
+				}); err != nil {
+					return
+				}
+				log.Println("stage1:", pathname)
+
+				if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					_, llvm := rosa.Native().New(s - 1).Load(_llvm)
+					pathname, checksum[0], err = cache.Cure(llvm)
+					return
+				}); err != nil {
+					return
+				}
+				log.Println("stage2:", pathname)
+				if err = cm.Do(func(cache *pkg.Cache) (err error) {
+					_, llvm := rosa.Native().New(s).Load(_llvm)
+					pathname, checksum[1], err = cache.Cure(llvm)
+					return
+				}); err != nil {
+					return
+				}
+				log.Println("stage3:", pathname)
+
+				if checksum[0] != checksum[1] {
+					err = &pkg.ChecksumMismatchError{
+						Got:  checksum[0].Value(),
+						Want: checksum[1].Value(),
+					}
+				} else {
+					log.Println(
+						"stage2 is identical to stage3",
+						"("+pkg.Encode(checksum[0].Value())+")",
+					)
+				}
+				return
+			},
+		).Flag(
+			&flagGentoo,
+			"gentoo", command.StringFlag(""),
+			"Bootstrap from a Gentoo stage3 tarball",
+		).Flag(
+			&flagChecksum,
+			"checksum", command.StringFlag(""),
+			"Checksum of Gentoo stage3 tarball",
+		)
+	}
+
+	{
+		var (
+			flagDump    string
+			flagEnter   bool
+			flagExport  string
+			flagRemote  bool
+			flagNoReply bool
+			flagFaults  bool
+			flagPop     bool
+
+			flagBoot bool
+			flagStd  bool
+		)
+		c.NewCommand(
+			"cure",
+			"Cure the named artifact and show its path",
+			func(args []string) error {
+				if len(args) != 1 {
+					return errors.New("cure requires 1 argument")
+				}
+
+				t := rosa.Std
+				if flagBoot {
+					t -= 2
+				} else if flagStd {
+					t -= 1
+				}
+
+				_, a := rosa.Native().New(t).Load(rosa.ArtifactH(unique.Make(args[0])))
+				if a == nil {
+					return fmt.Errorf("unknown artifact %q", args[0])
+				}
+
+				switch {
+				default:
+					var pathname *check.Absolute
+					err := cm.Do(func(cache *pkg.Cache) (err error) {
+						pathname, _, err = cache.Cure(a)
+						return
+					})
+					if err != nil {
+						return err
+					}
+					log.Println(pathname)
+
+					if flagExport != "" {
+						msg.Verbosef("exporting %s to %s...", args[0], flagExport)
+
+						var f *os.File
+						if f, err = os.OpenFile(
+							flagExport,
+							os.O_WRONLY|os.O_CREATE|os.O_EXCL,
+							0400,
+						); err != nil {
+							return err
+						} else if _, err = pkg.Flatten(
+							os.DirFS(pathname.String()),
+							".",
+							f,
+						); err != nil {
+							_ = f.Close()
+							return err
+						} else if err = f.Close(); err != nil {
+							return err
+						}
+					}
+
+					return nil
+
+				case flagDump != "":
+					f, err := os.OpenFile(
+						flagDump,
+						os.O_WRONLY|os.O_CREATE|os.O_EXCL,
+						0644,
+					)
+					if err != nil {
+						return err
+					}
+
+					if err = pkg.NewIR().EncodeAll(f, a); err != nil {
+						_ = f.Close()
+						return err
+					}
+
+					return f.Close()
+
+				case flagEnter:
+					return cm.Do(func(cache *pkg.Cache) error {
+						return cache.EnterExec(
+							ctx,
+							a,
+							true, os.Stdin, os.Stdout, os.Stderr,
+							rosa.AbsSystem.Append("bin", "mksh"),
+							"sh",
+						)
+					})
+
+				case flagRemote:
+					var flags uint64
+					if flagNoReply {
+						flags |= remoteNoReply
+					}
+					pathname, err := cureRemote(ctx, &addr, a, flags)
+					if !flagNoReply && err == nil {
+						log.Println(pathname)
+					}
+
+					if errors.Is(err, context.Canceled) {
+						cc, cancel := context.WithDeadline(context.Background(), daemonDeadline())
+						defer cancel()
+
+						if _err := cancelRemote(cc, &addr, a, false); _err != nil {
+							log.Println(err)
+						}
+					}
+
+					return err
+
+				case flagFaults:
+					var faults []pkg.Fault
+					if err := cm.Do(func(cache *pkg.Cache) (err error) {
+						faults, err = cache.ReadFaults(a)
+						return
+					}); err != nil {
+						return err
+					}
+
+					for _, fault := range faults {
+						log.Printf("%s: %s ago", fault.String(), time.Since(fault.Time()))
+					}
+					return nil
+
+				case flagPop:
+					var faults []pkg.Fault
+					if err := cm.Do(func(cache *pkg.Cache) (err error) {
+						faults, err = cache.ReadFaults(a)
+						return
+					}); err != nil {
+						return err
+					}
+
+					if len(faults) == 0 {
+						return errors.New("no fault entries found")
+					}
+					fault := faults[len(faults)-1]
+					r, err := fault.Open()
+					if err != nil {
+						return err
+					}
+					if _, err = io.Copy(os.Stdout, r); err != nil {
+						_ = r.Close()
+						return err
+					}
+					fmt.Println()
+					if err = r.Close(); err != nil {
+						return err
+					}
+
+					log.Printf("faulting cure terminated %s ago", time.Since(fault.Time()))
+					return fault.Destroy()
+				}
+			},
+		).Flag(
+			&flagDump,
+			"dump", command.StringFlag(""),
+			"Write IR to specified pathname and terminate",
+		).Flag(
+			&flagExport,
+			"export", command.StringFlag(""),
+			"Export cured artifact to specified pathname",
+		).Flag(
+			&flagEnter,
+			"enter", command.BoolFlag(false),
+			"Enter cure container with an interactive shell",
+		).Flag(
+			&flagRemote,
+			"daemon", command.BoolFlag(false),
+			"Cure artifact on the daemon",
+		).Flag(
+			&flagNoReply,
+			"no-reply", command.BoolFlag(false),
+			"Do not receive a reply from the daemon",
+		).Flag(
+			&flagBoot,
+			"boot", command.BoolFlag(false),
+			"Build on the stage0 toolchain",
+		).Flag(
+			&flagStd,
+			"std", command.BoolFlag(false),
+			"Build on the intermediate toolchain",
+		).Flag(
+			&flagFaults,
+			"faults", command.BoolFlag(false),
+			"Display fault entries of the specified artifact",
+		).Flag(
+			&flagPop,
+			"pop", command.BoolFlag(false),
+			"Display and destroy the most recent fault entry",
+		)
+	}
+
+	c.NewCommand(
+		"clear",
+		"Remove all fault entries from the cache",
+		func([]string) error {
+			return cm.Do(func(*pkg.Cache) error {
+				pathname := filepath.Join(cm.base, "fault")
+				dents, err := os.ReadDir(pathname)
+				if err != nil {
+					return err
+				}
+
+				for _, dent := range dents {
+					msg.Verbosef("destroying entry %s", dent.Name())
+					if err = os.Remove(filepath.Join(pathname, dent.Name())); err != nil {
+						return err
+					}
+				}
+				log.Printf("destroyed %d fault entries", len(dents))
+				return nil
+			})
+		},
+	)
+
+	c.NewCommand(
+		"abort",
+		"Abort all pending cures on the daemon",
+		func([]string) error { return abortRemote(ctx, &addr, false) },
+	)
+
+	{
+		var (
+			flagNet     bool
+			flagSession bool
+
+			flagWithToolchain bool
+		)
+		c.NewCommand(
+			"shell",
+			"Interactive shell in the specified Rosa OS environment",
+			func(args []string) error {
+				handles := make([]rosa.ArtifactH, len(args), len(args)+3)
+				for i, arg := range args {
+					handles[i] = rosa.ArtifactH(unique.Make(arg))
+					if meta, _ := rosa.Native().Std().Load(handles[i]); meta == nil {
+						return fmt.Errorf("unknown artifact %q", arg)
+					}
+				}
+
+				base := rosa.H("llvm")
+				if !flagWithToolchain {
+					base = rosa.H("musl")
+				}
+				handles = append(handles,
+					base,
+					rosa.H("mksh"),
+					rosa.H("toybox"),
+				)
+
+				root := make(pkg.Collect, 0, 6+len(args))
+				root = rosa.Native().Std().Append(root, handles...)
+
+				if err := cm.Do(func(cache *pkg.Cache) error {
+					_, _, err := cache.Cure(&root)
+					return err
+				}); err == nil {
+					return errors.New("unreachable")
+				} else if !pkg.IsCollected(err) {
+					return err
+				}
+
+				type cureRes struct {
+					pathname *check.Absolute
+					checksum unique.Handle[pkg.Checksum]
+				}
+				cured := make(map[pkg.Artifact]cureRes)
+				for _, a := range root {
+					if err := cm.Do(func(cache *pkg.Cache) error {
+						pathname, checksum, err := cache.Cure(a)
+						if err == nil {
+							cured[a] = cureRes{pathname, checksum}
+						}
+						return err
+					}); err != nil {
+						return err
+					}
+				}
+
+				// explicitly open for direct error-free use from this point
+				if cm.c == nil {
+					if err := cm.open(); err != nil {
+						return err
+					}
+				}
+
+				layers := pkg.PromoteLayers(root, func(a pkg.Artifact) (
+					*check.Absolute,
+					unique.Handle[pkg.Checksum],
+				) {
+					res := cured[a]
+					return res.pathname, res.checksum
+				}, func(i int, d pkg.Artifact) {
+					r := pkg.Encode(cm.c.Ident(d).Value())
+					if s, ok := d.(fmt.Stringer); ok {
+						if name := s.String(); name != "" {
+							r += "-" + name
+						}
+					}
+					msg.Verbosef("promoted layer %d as %s", i, r)
+				})
+
+				z := container.New(ctx, msg)
+				z.WaitDelay = 3 * time.Second
+				z.SeccompPresets = pkg.SeccompPresets
+				z.SeccompFlags |= seccomp.AllowMultiarch
+				z.ParentPerm = 0700
+				z.HostNet = flagNet
+				z.RetainSession = flagSession
+				z.Hostname = "localhost"
+				z.Uid, z.Gid = (1<<10)-1, (1<<10)-1
+				z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
+				z.Quiet = !cm.verboseInit
+				if s, ok := os.LookupEnv("TERM"); ok {
+					z.Env = append(z.Env, "TERM="+s)
+				}
+
+				var tempdir *check.Absolute
+				if s, err := filepath.Abs(os.TempDir()); err != nil {
+					return err
+				} else if tempdir, err = check.NewAbs(s); err != nil {
+					return err
+				}
+
+				z.Dir = fhs.AbsRoot
+				z.Env = []string{
+					"SHELL=/system/bin/mksh",
+					"PATH=/system/bin",
+					"HOME=/",
+				}
+				z.Path = rosa.AbsSystem.Append("bin", "mksh")
+				z.Args = []string{"mksh"}
+				z.
+					OverlayEphemeral(fhs.AbsRoot, layers...).
+					Place(
+						fhs.AbsEtc.Append("hosts"),
+						[]byte("127.0.0.1 localhost\n"),
+					).
+					Place(
+						fhs.AbsEtc.Append("passwd"),
+						[]byte("media_rw:x:1023:1023::/:/system/bin/sh\n"+
+							"nobody:x:65534:65534::/proc/nonexistent:/system/bin/false\n"),
+					).
+					Place(
+						fhs.AbsEtc.Append("group"),
+						[]byte("media_rw:x:1023:\nnobody:x:65534:\n"),
+					).
+					Bind(tempdir, fhs.AbsTmp, std.BindWritable).
+					Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
+
+				if err := z.Start(); err != nil {
+					return err
+				}
+				if err := z.Serve(); err != nil {
+					return err
+				}
+				return z.Wait()
+			},
+		).Flag(
+			&flagNet,
+			"net", command.BoolFlag(false),
+			"Share host net namespace",
+		).Flag(
+			&flagSession,
+			"session", command.BoolFlag(true),
+			"Retain session",
+		).Flag(
+			&flagWithToolchain,
+			"with-toolchain", command.BoolFlag(false),
+			"Include the stage2 LLVM toolchain",
+		)
+
+	}
+
+	c.Command(
+		"help",
+		"Show this help message",
+		func([]string) error { c.PrintHelp(); return nil },
+	)
+
+	c.MustParse(os.Args[1:], func(err error) {
+		cm.Close()
+		if w, ok := err.(interface{ Unwrap() []error }); !ok {
+			log.Fatal(err)
+		} else {
+			errs := w.Unwrap()
+			for i, e := range errs {
+				if i == len(errs)-1 {
+					log.Fatal(e)
+				}
+				log.Println(e)
+			}
+		}
+	})
+}

cmd/mbf/main_test.go

@@ -0,0 +1,47 @@
+package main
+
+import (
+	"net"
+	"os"
+	"testing"
+
+	"hakurei.app/internal/rosa"
+)
+
+func TestMain(m *testing.M) {
+	rosa.Native().DropCaches("", rosa.OptLLVMNoLTO)
+	os.Exit(m.Run())
+}
+
+func TestCureAll(t *testing.T) {
+	t.Parallel()
+	const env = "ROSA_TEST_DAEMON"
+
+	if !testing.Verbose() {
+		t.Skip("verbose flag not set")
+	}
+
+	pathname, ok := os.LookupEnv(env)
+	if !ok {
+		t.Skip(env + " not set")
+	}
+
+	addr := net.UnixAddr{Net: "unix", Name: pathname}
+	t.Cleanup(func() {
+		if t.Failed() {
+			if err := abortRemote(t.Context(), &addr, false); err != nil {
+				t.Fatal(err)
+			}
+		}
+	})
+
+	for _, handle := range rosa.Native().Collect() {
+		_, a := rosa.Native().Std().MustLoad(handle)
+		t.Run(handle.String(), func(t *testing.T) {
+			_, err := cureRemote(t.Context(), &addr, a, 0)
+			if err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}

cmd/planterette/app.go

@@ -1,154 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"log"
-	"os"
-	"path"
-
-	"hakurei.app/container/seccomp"
-	"hakurei.app/hst"
-	"hakurei.app/system"
-	"hakurei.app/system/dbus"
-)
-
-type appInfo struct {
-	Name    string `json:"name"`
-	Version string `json:"version"`
-
-	// passed through to [hst.Config]
-	ID string `json:"id"`
-	// passed through to [hst.Config]
-	Identity int `json:"identity"`
-	// passed through to [hst.Config]
-	Groups []string `json:"groups,omitempty"`
-	// passed through to [hst.Config]
-	Devel bool `json:"devel,omitempty"`
-	// passed through to [hst.Config]
-	Userns bool `json:"userns,omitempty"`
-	// passed through to [hst.Config]
-	Net bool `json:"net,omitempty"`
-	// passed through to [hst.Config]
-	Device bool `json:"dev,omitempty"`
-	// passed through to [hst.Config]
-	Tty bool `json:"tty,omitempty"`
-	// passed through to [hst.Config]
-	MapRealUID bool `json:"map_real_uid,omitempty"`
-	// passed through to [hst.Config]
-	DirectWayland bool `json:"direct_wayland,omitempty"`
-	// passed through to [hst.Config]
-	SystemBus *dbus.Config `json:"system_bus,omitempty"`
-	// passed through to [hst.Config]
-	SessionBus *dbus.Config `json:"session_bus,omitempty"`
-	// passed through to [hst.Config]
-	Enablements system.Enablement `json:"enablements"`
-
-	// passed through to [hst.Config]
-	Multiarch bool `json:"multiarch,omitempty"`
-	// passed through to [hst.Config]
-	Bluetooth bool `json:"bluetooth,omitempty"`
-
-	// allow gpu access within sandbox
-	GPU bool `json:"gpu"`
-	// store path to nixGL mesa wrappers
-	Mesa string `json:"mesa,omitempty"`
-	// store path to nixGL source
-	NixGL string `json:"nix_gl,omitempty"`
-	// store path to activate-and-exec script
-	Launcher string `json:"launcher"`
-	// store path to /run/current-system
-	CurrentSystem string `json:"current_system"`
-	// store path to home-manager activation package
-	ActivationPackage string `json:"activation_package"`
-}
-
-func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool) *hst.Config {
-	config := &hst.Config{
-		ID: app.ID,
-
-		Path: argv[0],
-		Args: argv,
-
-		Enablements: app.Enablements,
-
-		SystemBus:     app.SystemBus,
-		SessionBus:    app.SessionBus,
-		DirectWayland: app.DirectWayland,
-
-		Username: "hakurei",
-		Shell:    shellPath,
-		Data:     pathSet.homeDir,
-		Dir:      path.Join("/data/data", app.ID),
-
-		Identity: app.Identity,
-		Groups:   app.Groups,
-
-		Container: &hst.ContainerConfig{
-			Hostname:   formatHostname(app.Name),
-			Devel:      app.Devel,
-			Userns:     app.Userns,
-			Net:        app.Net,
-			Device:     app.Device,
-			Tty:        app.Tty || flagDropShell,
-			MapRealUID: app.MapRealUID,
-			Filesystem: []*hst.FilesystemConfig{
-				{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
-				{Src: pathSet.metaPath, Dst: path.Join(hst.Tmp, "app"), Must: true},
-				{Src: "/etc/resolv.conf"},
-				{Src: "/sys/block"},
-				{Src: "/sys/bus"},
-				{Src: "/sys/class"},
-				{Src: "/sys/dev"},
-				{Src: "/sys/devices"},
-			},
-			Link: [][2]string{
-				{app.CurrentSystem, "/run/current-system"},
-				{"/run/current-system/sw/bin", "/bin"},
-				{"/run/current-system/sw/bin", "/usr/bin"},
-			},
-			Etc:     path.Join(pathSet.cacheDir, "etc"),
-			AutoEtc: true,
-		},
-		ExtraPerms: []*hst.ExtraPermConfig{
-			{Path: dataHome, Execute: true},
-			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-		},
-	}
-	if app.Multiarch {
-		config.Container.SeccompFlags |= seccomp.AllowMultiarch
-	}
-	if app.Bluetooth {
-		config.Container.SeccompFlags |= seccomp.AllowBluetooth
-	}
-	return config
-}
-
-func loadAppInfo(name string, beforeFail func()) *appInfo {
-	bundle := new(appInfo)
-	if f, err := os.Open(name); err != nil {
-		beforeFail()
-		log.Fatalf("cannot open bundle: %v", err)
-	} else if err = json.NewDecoder(f).Decode(&bundle); err != nil {
-		beforeFail()
-		log.Fatalf("cannot parse bundle metadata: %v", err)
-	} else if err = f.Close(); err != nil {
-		log.Printf("cannot close bundle metadata: %v", err)
-		// not fatal
-	}
-
-	if bundle.ID == "" {
-		beforeFail()
-		log.Fatal("application identifier must not be empty")
-	}
-
-	return bundle
-}
-
-func formatHostname(name string) string {
-	if h, err := os.Hostname(); err != nil {
-		log.Printf("cannot get hostname: %v", err)
-		return "hakurei-" + name
-	} else {
-		return h + "-" + name
-	}
-}

cmd/planterette/build.nix

@@ -1,252 +0,0 @@
-{
-  nixpkgsFor,
-  system,
-  nixpkgs,
-  home-manager,
-}:
-
-{
-  lib,
-  stdenv,
-  closureInfo,
-  writeScript,
-  runtimeShell,
-  writeText,
-  symlinkJoin,
-  vmTools,
-  runCommand,
-  fetchFromGitHub,
-
-  zstd,
-  nix,
-  sqlite,
-
-  name ? throw "name is required",
-  version ? throw "version is required",
-  pname ? "${name}-${version}",
-  modules ? [ ],
-  nixosModules ? [ ],
-  script ? ''
-    exec "$SHELL" "$@"
-  '',
-
-  id ? name,
-  identity ? throw "identity is required",
-  groups ? [ ],
-  userns ? false,
-  net ? true,
-  dev ? false,
-  no_new_session ? false,
-  map_real_uid ? false,
-  direct_wayland ? false,
-  system_bus ? null,
-  session_bus ? null,
-
-  allow_wayland ? true,
-  allow_x11 ? false,
-  allow_dbus ? true,
-  allow_pulse ? true,
-  gpu ? allow_wayland || allow_x11,
-}:
-
-let
-  inherit (lib) optionals;
-
-  homeManagerConfiguration = home-manager.lib.homeManagerConfiguration {
-    pkgs = nixpkgsFor.${system};
-    modules = modules ++ [
-      {
-        home = {
-          username = "hakurei";
-          homeDirectory = "/data/data/${id}";
-          stateVersion = "22.11";
-        };
-      }
-    ];
-  };
-
-  launcher = writeScript "hakurei-${pname}" ''
-    #!${runtimeShell} -el
-    ${script}
-  '';
-
-  extraNixOSConfig =
-    { pkgs, ... }:
-    {
-      environment = {
-        etc.nixpkgs.source = nixpkgs.outPath;
-        systemPackages = [ pkgs.nix ];
-      };
-
-      imports = nixosModules;
-    };
-  nixos = nixpkgs.lib.nixosSystem {
-    inherit system;
-    modules = [
-      extraNixOSConfig
-      { nix.settings.experimental-features = [ "flakes" ]; }
-      { nix.settings.experimental-features = [ "nix-command" ]; }
-      { boot.isContainer = true; }
-      { system.stateVersion = "22.11"; }
-    ];
-  };
-
-  etc = vmTools.runInLinuxVM (
-    runCommand "etc" { } ''
-      mkdir -p /etc
-      ${nixos.config.system.build.etcActivationCommands}
-
-      # remove unused files
-      rm -rf /etc/sudoers
-
-      mkdir -p $out
-      tar -C /etc -cf "$out/etc.tar" .
-    ''
-  );
-
-  extendSessionDefault = id: ext: {
-    filter = true;
-
-    talk = [ "org.freedesktop.Notifications" ] ++ ext.talk;
-    own =
-      (optionals (id != null) [
-        "${id}.*"
-        "org.mpris.MediaPlayer2.${id}.*"
-      ])
-      ++ ext.own;
-
-    inherit (ext) call broadcast;
-  };
-
-  nixGL = fetchFromGitHub {
-    owner = "nix-community";
-    repo = "nixGL";
-    rev = "310f8e49a149e4c9ea52f1adf70cdc768ec53f8a";
-    hash = "sha256-lnzZQYG0+EXl/6NkGpyIz+FEOc/DSEG57AP1VsdeNrM=";
-  };
-
-  mesaWrappers =
-    let
-      isIntelX86Platform = system == "x86_64-linux";
-      nixGLPackages = import (nixGL + "/default.nix") {
-        pkgs = nixpkgs.legacyPackages.${system};
-        enable32bits = isIntelX86Platform;
-        enableIntelX86Extensions = isIntelX86Platform;
-      };
-    in
-    symlinkJoin {
-      name = "nixGL-mesa";
-      paths = with nixGLPackages; [
-        nixGLIntel
-        nixVulkanIntel
-      ];
-    };
-
-  info = builtins.toJSON {
-    inherit
-      name
-      version
-      id
-      identity
-      launcher
-      groups
-      userns
-      net
-      dev
-      no_new_session
-      map_real_uid
-      direct_wayland
-      system_bus
-      gpu
-      ;
-
-    session_bus =
-      if session_bus != null then
-        (session_bus (extendSessionDefault id))
-      else
-        (extendSessionDefault id {
-          talk = [ ];
-          own = [ ];
-          call = { };
-          broadcast = { };
-        });
-
-    enablements = (if allow_wayland then 1 else 0) + (if allow_x11 then 2 else 0) + (if allow_dbus then 4 else 0) + (if allow_pulse then 8 else 0);
-
-    mesa = if gpu then mesaWrappers else null;
-    nix_gl = if gpu then nixGL else null;
-    current_system = nixos.config.system.build.toplevel;
-    activation_package = homeManagerConfiguration.activationPackage;
-  };
-in
-
-stdenv.mkDerivation {
-  name = "${pname}.pkg";
-  inherit version;
-  __structuredAttrs = true;
-
-  nativeBuildInputs = [
-    zstd
-    nix
-    sqlite
-  ];
-
-  buildCommand = ''
-    NIX_ROOT="$(mktemp -d)"
-    export USER="nobody"
-
-    # create bootstrap store
-    bootstrapClosureInfo="${
-      closureInfo {
-        rootPaths = [
-          nix
-          nixos.config.system.build.toplevel
-        ];
-      }
-    }"
-    echo "copying bootstrap store paths..."
-    mkdir -p "$NIX_ROOT/nix/store"
-    xargs -n 1 -a "$bootstrapClosureInfo/store-paths" cp -at "$NIX_ROOT/nix/store/"
-    NIX_REMOTE="local?root=$NIX_ROOT" nix-store --load-db < "$bootstrapClosureInfo/registration"
-    NIX_REMOTE="local?root=$NIX_ROOT" nix-store --optimise
-    sqlite3 "$NIX_ROOT/nix/var/nix/db/db.sqlite" "UPDATE ValidPaths SET registrationTime = ''${SOURCE_DATE_EPOCH}"
-    chmod -R +r "$NIX_ROOT/nix/var"
-
-    # create binary cache
-    closureInfo="${
-      closureInfo {
-        rootPaths =
-          [
-            homeManagerConfiguration.activationPackage
-            launcher
-          ]
-          ++ optionals gpu [
-            mesaWrappers
-            nixGL
-          ];
-      }
-    }"
-    echo "copying application paths..."
-    TMP_STORE="$(mktemp -d)"
-    mkdir -p "$TMP_STORE/nix/store"
-    xargs -n 1 -a "$closureInfo/store-paths" cp -at "$TMP_STORE/nix/store/"
-    NIX_REMOTE="local?root=$TMP_STORE" nix-store --load-db < "$closureInfo/registration"
-    sqlite3 "$TMP_STORE/nix/var/nix/db/db.sqlite" "UPDATE ValidPaths SET registrationTime = ''${SOURCE_DATE_EPOCH}"
-    NIX_REMOTE="local?root=$TMP_STORE" nix --offline --extra-experimental-features nix-command \
-        --verbose --log-format raw-with-logs \
-        copy --all --no-check-sigs --to \
-        "file://$NIX_ROOT/res?compression=zstd&compression-level=19&parallel-compression=true"
-
-    # package /etc
-    mkdir -p "$NIX_ROOT/etc"
-    tar -C "$NIX_ROOT/etc" -xf "${etc}/etc.tar"
-
-    # write metadata
-    cp "${writeText "bundle.json" info}" "$NIX_ROOT/bundle.json"
-
-    # create an intermediate file to improve zstd performance
-    INTER="$(mktemp)"
-    tar -C "$NIX_ROOT" -cf "$INTER" .
-    zstd -T0 -19 -fo "$out" "$INTER"
-  '';
-}

cmd/planterette/main.go

@@ -1,333 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"log"
-	"os"
-	"os/signal"
-	"path"
-	"syscall"
-
-	"hakurei.app/command"
-	"hakurei.app/hst"
-	"hakurei.app/internal"
-	"hakurei.app/internal/hlog"
-)
-
-const shellPath = "/run/current-system/sw/bin/bash"
-
-var (
-	errSuccess = errors.New("success")
-)
-
-func init() {
-	hlog.Prepare("planterette")
-	if err := os.Setenv("SHELL", shellPath); err != nil {
-		log.Fatalf("cannot set $SHELL: %v", err)
-	}
-}
-
-func main() {
-	if os.Geteuid() == 0 {
-		log.Fatal("this program must not run as root")
-	}
-
-	ctx, stop := signal.NotifyContext(context.Background(),
-		syscall.SIGINT, syscall.SIGTERM)
-	defer stop() // unreachable
-
-	var (
-		flagVerbose   bool
-		flagDropShell bool
-	)
-	c := command.New(os.Stderr, log.Printf, "planterette", func([]string) error { internal.InstallOutput(flagVerbose); return nil }).
-		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
-		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next hakurei action")
-
-	{
-		var (
-			flagDropShellActivate bool
-		)
-		c.NewCommand("install", "Install an application from its package", func(args []string) error {
-			if len(args) != 1 {
-				log.Println("invalid argument")
-				return syscall.EINVAL
-			}
-			pkgPath := args[0]
-			if !path.IsAbs(pkgPath) {
-				if dir, err := os.Getwd(); err != nil {
-					log.Printf("cannot get current directory: %v", err)
-					return err
-				} else {
-					pkgPath = path.Join(dir, pkgPath)
-				}
-			}
-
-			/*
-				Look up paths to programs started by planterette.
-				This is done here to ease error handling as cleanup is not yet required.
-			*/
-
-			var (
-				_     = lookPath("zstd")
-				tar   = lookPath("tar")
-				chmod = lookPath("chmod")
-				rm    = lookPath("rm")
-			)
-
-			/*
-				Extract package and set up for cleanup.
-			*/
-
-			var workDir string
-			if p, err := os.MkdirTemp("", "planterette.*"); err != nil {
-				log.Printf("cannot create temporary directory: %v", err)
-				return err
-			} else {
-				workDir = p
-			}
-			cleanup := func() {
-				// should be faster than a native implementation
-				mustRun(chmod, "-R", "+w", workDir)
-				mustRun(rm, "-rf", workDir)
-			}
-			beforeRunFail.Store(&cleanup)
-
-			mustRun(tar, "-C", workDir, "-xf", pkgPath)
-
-			/*
-				Parse bundle and app metadata, do pre-install checks.
-			*/
-
-			bundle := loadAppInfo(path.Join(workDir, "bundle.json"), cleanup)
-			pathSet := pathSetByApp(bundle.ID)
-
-			a := bundle
-			if s, err := os.Stat(pathSet.metaPath); err != nil {
-				if !os.IsNotExist(err) {
-					cleanup()
-					log.Printf("cannot access %q: %v", pathSet.metaPath, err)
-					return err
-				}
-				// did not modify app, clean installation condition met later
-			} else if s.IsDir() {
-				cleanup()
-				log.Printf("metadata path %q is not a file", pathSet.metaPath)
-				return syscall.EBADMSG
-			} else {
-				a = loadAppInfo(pathSet.metaPath, cleanup)
-				if a.ID != bundle.ID {
-					cleanup()
-					log.Printf("app %q claims to have identifier %q",
-						bundle.ID, a.ID)
-					return syscall.EBADE
-				}
-				// sec: should verify credentials
-			}
-
-			if a != bundle {
-				// do not try to re-install
-				if a.NixGL == bundle.NixGL &&
-					a.CurrentSystem == bundle.CurrentSystem &&
-					a.Launcher == bundle.Launcher &&
-					a.ActivationPackage == bundle.ActivationPackage {
-					cleanup()
-					log.Printf("package %q is identical to local application %q",
-						pkgPath, a.ID)
-					return errSuccess
-				}
-
-				// identity determines uid
-				if a.Identity != bundle.Identity {
-					cleanup()
-					log.Printf("package %q identity %d differs from installed %d",
-						pkgPath, bundle.Identity, a.Identity)
-					return syscall.EBADE
-				}
-
-				// sec: should compare version string
-				hlog.Verbosef("installing application %q version %q over local %q",
-					bundle.ID, bundle.Version, a.Version)
-			} else {
-				hlog.Verbosef("application %q clean installation", bundle.ID)
-				// sec: should install credentials
-			}
-
-			/*
-				Setup steps for files owned by the target user.
-			*/
-
-			withCacheDir(ctx, "install", []string{
-				// export inner bundle path in the environment
-				"export BUNDLE=" + hst.Tmp + "/bundle",
-				// replace inner /etc
-				"mkdir -p etc",
-				"chmod -R +w etc",
-				"rm -rf etc",
-				"cp -dRf $BUNDLE/etc etc",
-				// replace inner /nix
-				"mkdir -p nix",
-				"chmod -R +w nix",
-				"rm -rf nix",
-				"cp -dRf /nix nix",
-				// copy from binary cache
-				"nix copy --offline --no-check-sigs --all --from file://$BUNDLE/res --to $PWD",
-				// deduplicate nix store
-				"nix store --offline --store $PWD optimise",
-				// make cache directory world-readable for autoetc
-				"chmod 0755 .",
-			}, workDir, bundle, pathSet, flagDropShell, cleanup)
-
-			if bundle.GPU {
-				withCacheDir(ctx, "mesa-wrappers", []string{
-					// link nixGL mesa wrappers
-					"mkdir -p nix/.nixGL",
-					"ln -s " + bundle.Mesa + "/bin/nixGLIntel nix/.nixGL/nixGL",
-					"ln -s " + bundle.Mesa + "/bin/nixVulkanIntel nix/.nixGL/nixVulkan",
-				}, workDir, bundle, pathSet, false, cleanup)
-			}
-
-			/*
-				Activate home-manager generation.
-			*/
-
-			withNixDaemon(ctx, "activate", []string{
-				// clean up broken links
-				"mkdir -p .local/state/{nix,home-manager}",
-				"chmod -R +w .local/state/{nix,home-manager}",
-				"rm -rf .local/state/{nix,home-manager}",
-				// run activation script
-				bundle.ActivationPackage + "/activate",
-			}, false, func(config *hst.Config) *hst.Config { return config },
-				bundle, pathSet, flagDropShellActivate, cleanup)
-
-			/*
-				Installation complete. Write metadata to block re-installs or downgrades.
-			*/
-
-			// serialise metadata to ensure consistency
-			if f, err := os.OpenFile(pathSet.metaPath+"~", os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644); err != nil {
-				cleanup()
-				log.Printf("cannot create metadata file: %v", err)
-				return err
-			} else if err = json.NewEncoder(f).Encode(bundle); err != nil {
-				cleanup()
-				log.Printf("cannot write metadata: %v", err)
-				return err
-			} else if err = f.Close(); err != nil {
-				log.Printf("cannot close metadata file: %v", err)
-				// not fatal
-			}
-
-			if err := os.Rename(pathSet.metaPath+"~", pathSet.metaPath); err != nil {
-				cleanup()
-				log.Printf("cannot rename metadata file: %v", err)
-				return err
-			}
-
-			cleanup()
-			return errSuccess
-		}).
-			Flag(&flagDropShellActivate, "s", command.BoolFlag(false), "Drop to a shell on activation")
-	}
-
-	{
-		var (
-			flagDropShellNixGL bool
-			flagAutoDrivers    bool
-		)
-		c.NewCommand("start", "Start an application", func(args []string) error {
-			if len(args) < 1 {
-				log.Println("invalid argument")
-				return syscall.EINVAL
-			}
-
-			/*
-				Parse app metadata.
-			*/
-
-			id := args[0]
-			pathSet := pathSetByApp(id)
-			a := loadAppInfo(pathSet.metaPath, func() {})
-			if a.ID != id {
-				log.Printf("app %q claims to have identifier %q", id, a.ID)
-				return syscall.EBADE
-			}
-
-			/*
-				Prepare nixGL.
-			*/
-
-			if a.GPU && flagAutoDrivers {
-				withNixDaemon(ctx, "nix-gl", []string{
-					"mkdir -p /nix/.nixGL/auto",
-					"rm -rf /nix/.nixGL/auto",
-					"export NIXPKGS_ALLOW_UNFREE=1",
-					"nix build --impure " +
-						"--out-link /nix/.nixGL/auto/opengl " +
-						"--override-input nixpkgs path:/etc/nixpkgs " +
-						"path:" + a.NixGL,
-					"nix build --impure " +
-						"--out-link /nix/.nixGL/auto/vulkan " +
-						"--override-input nixpkgs path:/etc/nixpkgs " +
-						"path:" + a.NixGL + "#nixVulkanNvidia",
-				}, true, func(config *hst.Config) *hst.Config {
-					config.Container.Filesystem = append(config.Container.Filesystem, []*hst.FilesystemConfig{
-						{Src: "/etc/resolv.conf"},
-						{Src: "/sys/block"},
-						{Src: "/sys/bus"},
-						{Src: "/sys/class"},
-						{Src: "/sys/dev"},
-						{Src: "/sys/devices"},
-					}...)
-					appendGPUFilesystem(config)
-					return config
-				}, a, pathSet, flagDropShellNixGL, func() {})
-			}
-
-			/*
-				Create app configuration.
-			*/
-
-			argv := make([]string, 1, len(args))
-			if !flagDropShell {
-				argv[0] = a.Launcher
-			} else {
-				argv[0] = shellPath
-			}
-			argv = append(argv, args[1:]...)
-
-			config := a.toFst(pathSet, argv, flagDropShell)
-
-			/*
-				Expose GPU devices.
-			*/
-
-			if a.GPU {
-				config.Container.Filesystem = append(config.Container.Filesystem,
-					&hst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(hst.Tmp, "nixGL")})
-				appendGPUFilesystem(config)
-			}
-
-			/*
-				Spawn app.
-			*/
-
-			mustRunApp(ctx, config, func() {})
-			return errSuccess
-		}).
-			Flag(&flagDropShellNixGL, "s", command.BoolFlag(false), "Drop to a shell on nixGL build").
-			Flag(&flagAutoDrivers, "auto-drivers", command.BoolFlag(false), "Attempt automatic opengl driver detection")
-	}
-
-	c.MustParse(os.Args[1:], func(err error) {
-		hlog.Verbosef("command returned %v", err)
-		if errors.Is(err, errSuccess) {
-			hlog.BeforeExit()
-			os.Exit(0)
-		}
-	})
-	log.Fatal("unreachable")
-}

cmd/planterette/paths.go

@@ -1,101 +0,0 @@
-package main
-
-import (
-	"log"
-	"os"
-	"os/exec"
-	"path"
-	"strconv"
-	"sync/atomic"
-
-	"hakurei.app/hst"
-	"hakurei.app/internal/hlog"
-)
-
-var (
-	dataHome string
-)
-
-func init() {
-	// dataHome
-	if p, ok := os.LookupEnv("HAKUREI_DATA_HOME"); ok {
-		dataHome = p
-	} else {
-		dataHome = "/var/lib/hakurei/" + strconv.Itoa(os.Getuid())
-	}
-}
-
-func lookPath(file string) string {
-	if p, err := exec.LookPath(file); err != nil {
-		log.Fatalf("%s: command not found", file)
-		return ""
-	} else {
-		return p
-	}
-}
-
-var beforeRunFail = new(atomic.Pointer[func()])
-
-func mustRun(name string, arg ...string) {
-	hlog.Verbosef("spawning process: %q %q", name, arg)
-	cmd := exec.Command(name, arg...)
-	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-	if err := cmd.Run(); err != nil {
-		if f := beforeRunFail.Swap(nil); f != nil {
-			(*f)()
-		}
-		log.Fatalf("%s: %v", name, err)
-	}
-}
-
-type appPathSet struct {
-	// ${dataHome}/${id}
-	baseDir string
-	// ${baseDir}/app
-	metaPath string
-	// ${baseDir}/files
-	homeDir string
-	// ${baseDir}/cache
-	cacheDir string
-	// ${baseDir}/cache/nix
-	nixPath string
-}
-
-func pathSetByApp(id string) *appPathSet {
-	pathSet := new(appPathSet)
-	pathSet.baseDir = path.Join(dataHome, id)
-	pathSet.metaPath = path.Join(pathSet.baseDir, "app")
-	pathSet.homeDir = path.Join(pathSet.baseDir, "files")
-	pathSet.cacheDir = path.Join(pathSet.baseDir, "cache")
-	pathSet.nixPath = path.Join(pathSet.cacheDir, "nix")
-	return pathSet
-}
-
-func appendGPUFilesystem(config *hst.Config) {
-	config.Container.Filesystem = append(config.Container.Filesystem, []*hst.FilesystemConfig{
-		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
-		{Src: "/dev/dri", Device: true},
-		// mali
-		{Src: "/dev/mali", Device: true},
-		{Src: "/dev/mali0", Device: true},
-		{Src: "/dev/umplock", Device: true},
-		// nvidia
-		{Src: "/dev/nvidiactl", Device: true},
-		{Src: "/dev/nvidia-modeset", Device: true},
-		// nvidia OpenCL/CUDA
-		{Src: "/dev/nvidia-uvm", Device: true},
-		{Src: "/dev/nvidia-uvm-tools", Device: true},
-
-		// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
-		{Src: "/dev/nvidia0", Device: true}, {Src: "/dev/nvidia1", Device: true},
-		{Src: "/dev/nvidia2", Device: true}, {Src: "/dev/nvidia3", Device: true},
-		{Src: "/dev/nvidia4", Device: true}, {Src: "/dev/nvidia5", Device: true},
-		{Src: "/dev/nvidia6", Device: true}, {Src: "/dev/nvidia7", Device: true},
-		{Src: "/dev/nvidia8", Device: true}, {Src: "/dev/nvidia9", Device: true},
-		{Src: "/dev/nvidia10", Device: true}, {Src: "/dev/nvidia11", Device: true},
-		{Src: "/dev/nvidia12", Device: true}, {Src: "/dev/nvidia13", Device: true},
-		{Src: "/dev/nvidia14", Device: true}, {Src: "/dev/nvidia15", Device: true},
-		{Src: "/dev/nvidia16", Device: true}, {Src: "/dev/nvidia17", Device: true},
-		{Src: "/dev/nvidia18", Device: true}, {Src: "/dev/nvidia19", Device: true},
-	}...)
-}

cmd/planterette/proc.go

@@ -1,60 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"io"
-	"log"
-	"os"
-	"os/exec"
-
-	"hakurei.app/hst"
-	"hakurei.app/internal"
-	"hakurei.app/internal/hlog"
-)
-
-var hakureiPath = internal.MustHakureiPath()
-
-func mustRunApp(ctx context.Context, config *hst.Config, beforeFail func()) {
-	var (
-		cmd *exec.Cmd
-		st  io.WriteCloser
-	)
-
-	if r, w, err := os.Pipe(); err != nil {
-		beforeFail()
-		log.Fatalf("cannot pipe: %v", err)
-	} else {
-		if hlog.Load() {
-			cmd = exec.CommandContext(ctx, hakureiPath, "-v", "app", "3")
-		} else {
-			cmd = exec.CommandContext(ctx, hakureiPath, "app", "3")
-		}
-		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
-		cmd.ExtraFiles = []*os.File{r}
-		st = w
-	}
-
-	go func() {
-		if err := json.NewEncoder(st).Encode(config); err != nil {
-			beforeFail()
-			log.Fatalf("cannot send configuration: %v", err)
-		}
-	}()
-
-	if err := cmd.Start(); err != nil {
-		beforeFail()
-		log.Fatalf("cannot start hakurei: %v", err)
-	}
-	if err := cmd.Wait(); err != nil {
-		var exitError *exec.ExitError
-		if errors.As(err, &exitError) {
-			beforeFail()
-			internal.Exit(exitError.ExitCode())
-		} else {
-			beforeFail()
-			log.Fatalf("cannot wait: %v", err)
-		}
-	}
-}

cmd/planterette/test/configuration.nix

@@ -1,62 +0,0 @@
-{ pkgs, ... }:
-{
-  users.users = {
-    alice = {
-      isNormalUser = true;
-      description = "Alice Foobar";
-      password = "foobar";
-      uid = 1000;
-    };
-  };
-
-  home-manager.users.alice.home.stateVersion = "24.11";
-
-  # Automatically login on tty1 as a normal user:
-  services.getty.autologinUser = "alice";
-
-  environment = {
-    variables = {
-      SWAYSOCK = "/tmp/sway-ipc.sock";
-      WLR_RENDERER = "pixman";
-    };
-  };
-
-  # Automatically configure and start Sway when logging in on tty1:
-  programs.bash.loginShellInit = ''
-    if [ "$(tty)" = "/dev/tty1" ]; then
-      set -e
-
-      mkdir -p ~/.config/sway
-      (sed s/Mod4/Mod1/ /etc/sway/config &&
-      echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill' &&
-      echo 'output Virtual-1 res 1680x1050') > ~/.config/sway/config
-
-      sway --validate
-      systemd-cat --identifier=session sway && touch /tmp/sway-exit-ok
-    fi
-  '';
-
-  programs.sway.enable = true;
-
-  virtualisation = {
-    diskSize = 6 * 1024;
-
-    qemu.options = [
-      # Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch:
-      "-vga none -device virtio-gpu-pci"
-
-      # Increase zstd performance:
-      "-smp 8"
-    ];
-  };
-
-  environment.hakurei = {
-    enable = true;
-    stateDir = "/var/lib/hakurei";
-    users.alice = 0;
-
-    extraHomeConfig = {
-      home.stateVersion = "23.05";
-    };
-  };
-}

cmd/planterette/test/default.nix

@@ -1,34 +0,0 @@
-{
-  nixosTest,
-  callPackage,
-
-  system,
-  self,
-}:
-let
-  buildPackage = self.buildPackage.${system};
-in
-nixosTest {
-  name = "planterette";
-  nodes.machine = {
-    environment.etc = {
-      "foot.pkg".source = callPackage ./foot.nix { inherit buildPackage; };
-    };
-
-    imports = [
-      ./configuration.nix
-
-      self.nixosModules.hakurei
-      self.inputs.home-manager.nixosModules.home-manager
-    ];
-  };
-
-  # adapted from nixos sway integration tests
-
-  # testScriptWithTypes:49: error: Cannot call function of unknown type
-  #           (machine.succeed if succeed else machine.execute)(
-  #           ^
-  # Found 1 error in 1 file (checked 1 source file)
-  skipTypeCheck = true;
-  testScript = builtins.readFile ./test.py;
-}

cmd/planterette/test/foot.nix

@@ -1,48 +0,0 @@
-{
-  lib,
-  buildPackage,
-  foot,
-  wayland-utils,
-  inconsolata,
-}:
-
-buildPackage {
-  name = "foot";
-  inherit (foot) version;
-
-  identity = 2;
-  id = "org.codeberg.dnkl.foot";
-
-  modules = [
-    {
-      home.packages = [
-        foot
-
-        # For wayland-info:
-        wayland-utils
-      ];
-    }
-  ];
-
-  nixosModules = [
-    {
-      # To help with OCR:
-      environment.etc."xdg/foot/foot.ini".text = lib.generators.toINI { } {
-        main = {
-          font = "inconsolata:size=14";
-        };
-        colors = rec {
-          foreground = "000000";
-          background = "ffffff";
-          regular2 = foreground;
-        };
-      };
-
-      fonts.packages = [ inconsolata ];
-    }
-  ];
-
-  script = ''
-    exec foot "$@"
-  '';
-}

cmd/planterette/test/test.py

@@ -1,108 +0,0 @@
-import json
-import shlex
-
-q = shlex.quote
-NODE_GROUPS = ["nodes", "floating_nodes"]
-
-
-def swaymsg(command: str = "", succeed=True, type="command"):
-    assert command != "" or type != "command", "Must specify command or type"
-    shell = q(f"swaymsg -t {q(type)} -- {q(command)}")
-    with machine.nested(
-            f"sending swaymsg {shell!r}" + " (allowed to fail)" * (not succeed)
-    ):
-        ret = (machine.succeed if succeed else machine.execute)(
-            f"su - alice -c {shell}"
-        )
-
-    # execute also returns a status code, but disregard.
-    if not succeed:
-        _, ret = ret
-
-    if not succeed and not ret:
-        return None
-
-    parsed = json.loads(ret)
-    return parsed
-
-
-def walk(tree):
-    yield tree
-    for group in NODE_GROUPS:
-        for node in tree.get(group, []):
-            yield from walk(node)
-
-
-def wait_for_window(pattern):
-    def func(last_chance):
-        nodes = (node["name"] for node in walk(swaymsg(type="get_tree")))
-
-        if last_chance:
-            nodes = list(nodes)
-            machine.log(f"Last call! Current list of windows: {nodes}")
-
-        return any(pattern in name for name in nodes)
-
-    retry(func)
-
-
-def collect_state_ui(name):
-    swaymsg(f"exec hakurei ps > '/tmp/{name}.ps'")
-    machine.copy_from_vm(f"/tmp/{name}.ps", "")
-    swaymsg(f"exec hakurei --json ps > '/tmp/{name}.json'")
-    machine.copy_from_vm(f"/tmp/{name}.json", "")
-    machine.screenshot(name)
-
-
-def check_state(name, enablements):
-    instances = json.loads(machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei --json ps"))
-    if len(instances) != 1:
-        raise Exception(f"unexpected state length {len(instances)}")
-    instance = next(iter(instances.values()))
-
-    config = instance['config']
-
-    if len(config['args']) != 1 or not (config['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (config['args'][0]):
-        raise Exception(f"unexpected args {instance['config']['args']}")
-
-    if config['enablements'] != enablements:
-        raise Exception(f"unexpected enablements {instance['config']['enablements']}")
-
-
-start_all()
-machine.wait_for_unit("multi-user.target")
-
-# To check hakurei's version:
-print(machine.succeed("sudo -u alice -i hakurei version"))
-
-# Wait for Sway to complete startup:
-machine.wait_for_file("/run/user/1000/wayland-1")
-machine.wait_for_file("/tmp/sway-ipc.sock")
-
-# Prepare planterette directory:
-machine.succeed("install -dm 0700 -o alice -g users /var/lib/hakurei/1000")
-
-# Install planterette app:
-swaymsg("exec planterette -v install /etc/foot.pkg && touch /tmp/planterette-install-ok")
-machine.wait_for_file("/tmp/planterette-install-ok")
-
-# Start app (foot) with Wayland enablement:
-swaymsg("exec planterette -v start org.codeberg.dnkl.foot")
-wait_for_window("hakurei@machine-foot")
-machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
-machine.wait_for_file("/tmp/hakurei.1000/tmpdir/2/success-client")
-collect_state_ui("app_wayland")
-check_state("foot", 13)
-# Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002"))
-machine.send_chars("exit\n")
-machine.wait_until_fails("pgrep foot")
-# Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000002")
-
-# Exit Sway and verify process exit status 0:
-swaymsg("exit", succeed=False)
-machine.wait_for_file("/tmp/sway-exit-ok")
-
-# Print hakurei runDir contents:
-print(machine.succeed("find /run/user/1000/hakurei"))

cmd/planterette/with.go

@@ -1,114 +0,0 @@
-package main
-
-import (
-	"context"
-	"path"
-	"strings"
-
-	"hakurei.app/container/seccomp"
-	"hakurei.app/hst"
-	"hakurei.app/internal"
-)
-
-func withNixDaemon(
-	ctx context.Context,
-	action string, command []string, net bool, updateConfig func(config *hst.Config) *hst.Config,
-	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
-) {
-	mustRunAppDropShell(ctx, updateConfig(&hst.Config{
-		ID: app.ID,
-
-		Path: shellPath,
-		Args: []string{shellPath, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
-			// start nix-daemon
-			"nix-daemon --store / & " +
-			// wait for socket to appear
-			"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
-			// create directory so nix stops complaining
-			"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
-			strings.Join(command, " && ") +
-			// terminate nix-daemon
-			" && pkill nix-daemon",
-		},
-
-		Username: "hakurei",
-		Shell:    shellPath,
-		Data:     pathSet.homeDir,
-		Dir:      path.Join("/data/data", app.ID),
-		ExtraPerms: []*hst.ExtraPermConfig{
-			{Path: dataHome, Execute: true},
-			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-		},
-
-		Identity: app.Identity,
-
-		Container: &hst.ContainerConfig{
-			Hostname:     formatHostname(app.Name) + "-" + action,
-			Userns:       true, // nix sandbox requires userns
-			Net:          net,
-			SeccompFlags: seccomp.AllowMultiarch,
-			Tty:          dropShell,
-			Filesystem: []*hst.FilesystemConfig{
-				{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
-			},
-			Link: [][2]string{
-				{app.CurrentSystem, "/run/current-system"},
-				{"/run/current-system/sw/bin", "/bin"},
-				{"/run/current-system/sw/bin", "/usr/bin"},
-			},
-			Etc:     path.Join(pathSet.cacheDir, "etc"),
-			AutoEtc: true,
-		},
-	}), dropShell, beforeFail)
-}
-
-func withCacheDir(
-	ctx context.Context,
-	action string, command []string, workDir string,
-	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
-	mustRunAppDropShell(ctx, &hst.Config{
-		ID: app.ID,
-
-		Path: shellPath,
-		Args: []string{shellPath, "-lc", strings.Join(command, " && ")},
-
-		Username: "nixos",
-		Shell:    shellPath,
-		Data:     pathSet.cacheDir, // this also ensures cacheDir via shim
-		Dir:      path.Join("/data/data", app.ID, "cache"),
-		ExtraPerms: []*hst.ExtraPermConfig{
-			{Path: dataHome, Execute: true},
-			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-			{Path: workDir, Execute: true},
-		},
-
-		Identity: app.Identity,
-
-		Container: &hst.ContainerConfig{
-			Hostname:     formatHostname(app.Name) + "-" + action,
-			SeccompFlags: seccomp.AllowMultiarch,
-			Tty:          dropShell,
-			Filesystem: []*hst.FilesystemConfig{
-				{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
-				{Src: workDir, Dst: path.Join(hst.Tmp, "bundle"), Must: true},
-			},
-			Link: [][2]string{
-				{app.CurrentSystem, "/run/current-system"},
-				{"/run/current-system/sw/bin", "/bin"},
-				{"/run/current-system/sw/bin", "/usr/bin"},
-			},
-			Etc:     path.Join(workDir, "etc"),
-			AutoEtc: true,
-		},
-	}, dropShell, beforeFail)
-}
-
-func mustRunAppDropShell(ctx context.Context, config *hst.Config, dropShell bool, beforeFail func()) {
-	if dropShell {
-		config.Args = []string{shellPath, "-l"}
-		mustRunApp(ctx, config, beforeFail)
-		beforeFail()
-		internal.Exit(0)
-	}
-	mustRunApp(ctx, config, beforeFail)
-}

cmd/sharefs/fuse-operations.c

@@ -0,0 +1,282 @@
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE /* O_DIRECT */
+#endif
+
+#include <dirent.h>
+#include <errno.h>
+#include <unistd.h>
+
+/* TODO(ophestra): remove after 05ce67fea99ca09cd4b6625cff7aec9cc222dd5a reaches a release */
+#include <sys/syscall.h>
+
+#include "fuse-operations.h"
+
+/* MUST_TRANSLATE_PATHNAME translates a userspace pathname to a relative pathname;
+ * the resulting address points to a constant string or part of pathname, it is never heap allocated. */
+#define MUST_TRANSLATE_PATHNAME(pathname) \
+    do {                                  \
+        if (pathname == NULL)             \
+            return -EINVAL;               \
+        while (*pathname == '/')          \
+            pathname++;                   \
+        if (*pathname == '\0')            \
+            pathname = ".";               \
+    } while (0)
+
+/* GET_CONTEXT_PRIV obtains fuse context and private data for the calling thread. */
+#define GET_CONTEXT_PRIV(ctx, priv) \
+    do {                            \
+        ctx = fuse_get_context();   \
+        priv = ctx->private_data;   \
+    } while (0)
+
+/* impl_getattr modifies a struct stat from the kernel to present to userspace;
+ * impl_getattr returns a negative errno style error code. */
+static int impl_getattr(struct fuse_context *ctx, struct stat *statbuf) {
+    /* allowlist of permitted types */
+    if (!S_ISDIR(statbuf->st_mode) && !S_ISREG(statbuf->st_mode) && !S_ISLNK(statbuf->st_mode)) {
+        return -ENOTRECOVERABLE; /* returning an errno causes all operations on the file to return EIO */
+    }
+
+#define OVERRIDE_PERM(v) (statbuf->st_mode & ~0777) | (v & 0777)
+    if (S_ISDIR(statbuf->st_mode))
+        statbuf->st_mode = OVERRIDE_PERM(SHAREFS_PERM_DIR);
+    else if (S_ISREG(statbuf->st_mode))
+        statbuf->st_mode = OVERRIDE_PERM(SHAREFS_PERM_REG);
+    else
+        statbuf->st_mode = 0; /* should always be symlink in this case */
+
+    statbuf->st_uid = ctx->uid;
+    statbuf->st_gid = SHAREFS_MEDIA_RW_ID;
+    statbuf->st_ctim = statbuf->st_mtim;
+    statbuf->st_nlink = 1;
+    return 0;
+}
+
+/* fuse_operations implementation */
+
+int sharefs_getattr(const char *pathname, struct stat *statbuf, struct fuse_file_info *fi) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)fi;
+
+    if (fstatat(priv->dirfd, pathname, statbuf, AT_SYMLINK_NOFOLLOW) == -1)
+        return -errno;
+    return impl_getattr(ctx, statbuf);
+}
+
+int sharefs_readdir(const char *pathname, void *buf, fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi, enum fuse_readdir_flags flags) {
+    int fd;
+    DIR *dp;
+    struct stat st;
+    int ret = 0;
+    struct dirent *de;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)offset;
+    (void)fi;
+
+    if ((fd = openat(priv->dirfd, pathname, O_RDONLY | O_DIRECTORY | O_CLOEXEC)) == -1)
+        return -errno;
+    if ((dp = fdopendir(fd)) == NULL) {
+        close(fd);
+        return -errno;
+    }
+
+    errno = 0; /* for the next readdir call */
+    while ((de = readdir(dp)) != NULL) {
+        if (flags & FUSE_READDIR_PLUS) {
+            if (fstatat(dirfd(dp), de->d_name, &st, AT_SYMLINK_NOFOLLOW) == -1) {
+                ret = -errno;
+                break;
+            }
+
+            if ((ret = impl_getattr(ctx, &st)) < 0)
+                break;
+
+            errno = 0;
+            ret = filler(buf, de->d_name, &st, 0, FUSE_FILL_DIR_PLUS);
+        } else
+            ret = filler(buf, de->d_name, NULL, 0, 0);
+
+        if (ret != 0) {
+            ret = errno != 0 ? -errno : -EIO; /* filler */
+            break;
+        }
+
+        errno = 0; /* for the next readdir call */
+    }
+    if (ret == 0 && errno != 0)
+        ret = -errno; /* readdir */
+
+    closedir(dp);
+    return ret;
+}
+
+int sharefs_mkdir(const char *pathname, mode_t mode) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)mode;
+
+    if (mkdirat(priv->dirfd, pathname, SHAREFS_PERM_DIR) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_unlink(const char *pathname) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    if (unlinkat(priv->dirfd, pathname, 0) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_rmdir(const char *pathname) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    if (unlinkat(priv->dirfd, pathname, AT_REMOVEDIR) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_rename(const char *oldpath, const char *newpath, unsigned int flags) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(oldpath);
+    MUST_TRANSLATE_PATHNAME(newpath);
+
+    /* TODO(ophestra): replace with wrapper after 05ce67fea99ca09cd4b6625cff7aec9cc222dd5a reaches a release */
+    if (syscall(__NR_renameat2, priv->dirfd, oldpath, priv->dirfd, newpath, flags) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_truncate(const char *pathname, off_t length, struct fuse_file_info *fi) {
+    int fd;
+    int ret;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)fi;
+
+    if ((fd = openat(priv->dirfd, pathname, O_WRONLY | O_CLOEXEC)) == -1)
+        return -errno;
+    if ((ret = ftruncate(fd, length)) == -1)
+        ret = -errno;
+    close(fd);
+    return ret;
+}
+
+int sharefs_utimens(const char *pathname, const struct timespec times[2], struct fuse_file_info *fi) {
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)fi;
+
+    if (utimensat(priv->dirfd, pathname, times, AT_SYMLINK_NOFOLLOW) == -1)
+        return -errno;
+    return 0;
+}
+
+int sharefs_create(const char *pathname, mode_t mode, struct fuse_file_info *fi) {
+    int fd;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    (void)mode;
+
+    if ((fd = openat(priv->dirfd, pathname, fi->flags & ~SHAREFS_FORBIDDEN_FLAGS, SHAREFS_PERM_REG)) == -1)
+        return -errno;
+    fi->fh = fd;
+    return 0;
+}
+
+int sharefs_open(const char *pathname, struct fuse_file_info *fi) {
+    int fd;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    if ((fd = openat(priv->dirfd, pathname, fi->flags & ~SHAREFS_FORBIDDEN_FLAGS)) == -1)
+        return -errno;
+    fi->fh = fd;
+    return 0;
+}
+
+int sharefs_read(const char *pathname, char *buf, size_t count, off_t offset, struct fuse_file_info *fi) {
+    int ret;
+
+    (void)pathname;
+
+    if ((ret = pread(fi->fh, buf, count, offset)) == -1)
+        return -errno;
+    return ret;
+}
+
+int sharefs_write(const char *pathname, const char *buf, size_t count, off_t offset, struct fuse_file_info *fi) {
+    int ret;
+
+    (void)pathname;
+
+    if ((ret = pwrite(fi->fh, buf, count, offset)) == -1)
+        return -errno;
+    return ret;
+}
+
+int sharefs_statfs(const char *pathname, struct statvfs *statbuf) {
+    int fd;
+    int ret;
+
+    struct fuse_context *ctx;
+    struct sharefs_private *priv;
+    GET_CONTEXT_PRIV(ctx, priv);
+    MUST_TRANSLATE_PATHNAME(pathname);
+
+    if ((fd = openat(priv->dirfd, pathname, O_RDONLY | O_CLOEXEC)) == -1)
+        return -errno;
+    if ((ret = fstatvfs(fd, statbuf)) == -1)
+        ret = -errno;
+    close(fd);
+    return ret;
+}
+
+int sharefs_release(const char *pathname, struct fuse_file_info *fi) {
+    (void)pathname;
+
+    return close(fi->fh);
+}
+
+int sharefs_fsync(const char *pathname, int datasync, struct fuse_file_info *fi) {
+    (void)pathname;
+
+    if (datasync ? fdatasync(fi->fh) : fsync(fi->fh) == -1)
+        return -errno;
+    return 0;
+}

cmd/sharefs/fuse-operations.h

@@ -0,0 +1,34 @@
+#define FUSE_USE_VERSION FUSE_MAKE_VERSION(3, 12)
+#include <fuse.h>
+#include <fuse_lowlevel.h> /* for fuse_cmdline_help */
+
+#if (FUSE_VERSION < FUSE_MAKE_VERSION(3, 12))
+#error This package requires libfuse >= v3.12
+#endif
+
+#define SHAREFS_MEDIA_RW_ID (1 << 10) - 1 /* owning gid presented to userspace */
+#define SHAREFS_PERM_DIR 0770             /* permission bits for directories presented to userspace */
+#define SHAREFS_PERM_REG 0660             /* permission bits for regular files presented to userspace */
+#define SHAREFS_FORBIDDEN_FLAGS O_DIRECT  /* these open flags are cleared unconditionally */
+
+/* sharefs_private is populated by sharefs_init and contains process-wide context */
+struct sharefs_private {
+    int dirfd;       /* source dirfd opened during sharefs_init */
+    uintptr_t setup; /* cgo handle of opaque setup state */
+};
+
+int sharefs_getattr(const char *pathname, struct stat *statbuf, struct fuse_file_info *fi);
+int sharefs_readdir(const char *pathname, void *buf, fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi, enum fuse_readdir_flags flags);
+int sharefs_mkdir(const char *pathname, mode_t mode);
+int sharefs_unlink(const char *pathname);
+int sharefs_rmdir(const char *pathname);
+int sharefs_rename(const char *oldpath, const char *newpath, unsigned int flags);
+int sharefs_truncate(const char *pathname, off_t length, struct fuse_file_info *fi);
+int sharefs_utimens(const char *pathname, const struct timespec times[2], struct fuse_file_info *fi);
+int sharefs_create(const char *pathname, mode_t mode, struct fuse_file_info *fi);
+int sharefs_open(const char *pathname, struct fuse_file_info *fi);
+int sharefs_read(const char *pathname, char *buf, size_t count, off_t offset, struct fuse_file_info *fi);
+int sharefs_write(const char *pathname, const char *buf, size_t count, off_t offset, struct fuse_file_info *fi);
+int sharefs_statfs(const char *pathname, struct statvfs *statbuf);
+int sharefs_release(const char *pathname, struct fuse_file_info *fi);
+int sharefs_fsync(const char *pathname, int datasync, struct fuse_file_info *fi);

cmd/sharefs/fuse.go

@@ -0,0 +1,570 @@
+package main
+
+/*
+#cgo pkg-config: --static fuse3
+
+#include "fuse-operations.h"
+#include <stdlib.h>
+#include <string.h>
+
+extern void *sharefs_init(struct fuse_conn_info *conn, struct fuse_config *cfg);
+extern void sharefs_destroy(void *private_data);
+
+typedef void (*closure)();
+static inline struct fuse_opt _FUSE_OPT_END() { return (struct fuse_opt)FUSE_OPT_END; };
+*/
+import "C"
+import (
+	"context"
+	"encoding/gob"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"runtime"
+	"runtime/cgo"
+	"strconv"
+	"syscall"
+	"unsafe"
+
+	"hakurei.app/check"
+	"hakurei.app/container"
+	"hakurei.app/container/std"
+	"hakurei.app/fhs"
+	"hakurei.app/hst"
+	"hakurei.app/internal/helper/proc"
+	"hakurei.app/internal/info"
+	"hakurei.app/message"
+)
+
+type (
+	// closure represents a C function pointer.
+	closure = C.closure
+
+	// fuseArgs represents the fuse_args structure.
+	fuseArgs = C.struct_fuse_args
+
+	// setupState holds state used for setup. Its cgo handle is included in
+	// sharefs_private and considered opaque to non-setup callbacks.
+	setupState struct {
+		// Whether sharefs_init failed.
+		initFailed bool
+
+		// Whether to create source directory as root.
+		mkdir bool
+
+		// Open file descriptor to fuse.
+		Fuse int
+
+		// Pathname to open for dirfd.
+		Source *check.Absolute
+		// New uid and gid to set by sharefs_init when starting as root.
+		Setuid, Setgid int
+	}
+)
+
+func init() { gob.Register(new(setupState)) }
+
+// destroySetup invalidates the setup [cgo.Handle] in a sharefs_private structure.
+func destroySetup(private_data unsafe.Pointer) (ok bool) {
+	if private_data == nil {
+		return false
+	}
+	priv := (*C.struct_sharefs_private)(private_data)
+
+	if h := cgo.Handle(priv.setup); h != 0 {
+		priv.setup = 0
+		h.Delete()
+		ok = true
+	}
+	return
+}
+
+//export sharefs_init
+func sharefs_init(
+	_ *C.struct_fuse_conn_info,
+	cfg *C.struct_fuse_config,
+) unsafe.Pointer {
+	ctx := C.fuse_get_context()
+	priv := (*C.struct_sharefs_private)(ctx.private_data)
+	setup := cgo.Handle(priv.setup).Value().(*setupState)
+
+	if os.Geteuid() == 0 {
+		log.Println("filesystem daemon must not run as root")
+		goto fail
+	}
+
+	cfg.use_ino = C.true
+	cfg.direct_io = C.false
+	// getattr is context-dependent
+	cfg.attr_timeout = 0
+	cfg.entry_timeout = 0
+	cfg.negative_timeout = 0
+
+	// all future filesystem operations happen through this dirfd
+	if fd, err := syscall.Open(
+		setup.Source.String(),
+		syscall.O_DIRECTORY|syscall.O_RDONLY|syscall.O_CLOEXEC,
+		0,
+	); err != nil {
+		log.Printf("cannot open %q: %v", setup.Source, err)
+		goto fail
+	} else if err = syscall.Fchdir(fd); err != nil {
+		_ = syscall.Close(fd)
+		log.Printf("cannot enter %q: %s", setup.Source, err)
+		goto fail
+	} else {
+		priv.dirfd = C.int(fd)
+	}
+
+	return ctx.private_data
+
+fail:
+	setup.initFailed = true
+	C.fuse_exit(ctx.fuse)
+	return nil
+}
+
+//export sharefs_destroy
+func sharefs_destroy(private_data unsafe.Pointer) {
+	if private_data != nil {
+		destroySetup(private_data)
+		priv := (*C.struct_sharefs_private)(private_data)
+
+		if err := syscall.Close(int(priv.dirfd)); err != nil {
+			log.Printf("cannot close source directory: %v", err)
+		}
+	}
+}
+
+// showHelp prints the help message.
+func showHelp(args *fuseArgs) {
+	executableName := sharefsName
+	if args.argc > 0 {
+		executableName = filepath.Base(C.GoString(*args.argv))
+	} else if name, err := os.Executable(); err == nil {
+		executableName = filepath.Base(name)
+	}
+
+	fmt.Printf("usage: %s [options] <mountpoint>\n\n", executableName)
+
+	fmt.Println("Filesystem options:")
+	fmt.Println("    -o source=/data/media  source directory to be mounted")
+	fmt.Println("    -o setuid=1023         uid to run as when starting as root")
+	fmt.Println("    -o setgid=1023         gid to run as when starting as root")
+
+	fmt.Println("\nFUSE options:")
+	C.fuse_cmdline_help()
+	C.fuse_lib_help(args)
+}
+
+// parseOpts parses fuse options via fuse_opt_parse.
+func parseOpts(args *fuseArgs, setup *setupState, log *log.Logger) (ok bool) {
+	var unsafeOpts struct {
+		// Pathname to writable source directory.
+		source *C.char
+
+		// Whether to create source directory as root.
+		mkdir C.int
+
+		// Decimal string representation of uid to set when running as root.
+		setuid *C.char
+		// Decimal string representation of gid to set when running as root.
+		setgid *C.char
+
+		// Decimal string representation of open file descriptor to read
+		// setupState from.
+		//
+		// This is an internal detail for containerisation and must not be
+		// specified directly.
+		setup *C.char
+	}
+
+	if C.fuse_opt_parse(args, unsafe.Pointer(&unsafeOpts), &[]C.struct_fuse_opt{
+		{templ: C.CString("source=%s"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.source)), value: 0},
+		{templ: C.CString("mkdir"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.mkdir)), value: 1},
+		{templ: C.CString("setuid=%s"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.setuid)), value: 0},
+		{templ: C.CString("setgid=%s"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.setgid)), value: 0},
+
+		{templ: C.CString("setup=%s"), offset: C.ulong(unsafe.Offsetof(unsafeOpts.setup)), value: 0},
+
+		C._FUSE_OPT_END(),
+	}[0], nil) == -1 {
+		return false
+	}
+
+	if unsafeOpts.source != nil {
+		defer C.free(unsafe.Pointer(unsafeOpts.source))
+	}
+	if unsafeOpts.setuid != nil {
+		defer C.free(unsafe.Pointer(unsafeOpts.setuid))
+	}
+	if unsafeOpts.setgid != nil {
+		defer C.free(unsafe.Pointer(unsafeOpts.setgid))
+	}
+
+	if unsafeOpts.setup != nil {
+		defer C.free(unsafe.Pointer(unsafeOpts.setup))
+
+		if v, err := strconv.Atoi(C.GoString(unsafeOpts.setup)); err != nil || v < 3 {
+			log.Println("invalid value for option setup")
+			return false
+		} else {
+			r := os.NewFile(uintptr(v), "setup")
+			defer func() {
+				if err = r.Close(); err != nil {
+					log.Println(err)
+				}
+			}()
+			if err = gob.NewDecoder(r).Decode(setup); err != nil {
+				log.Println(err)
+				return false
+			}
+		}
+		if setup.Fuse < 3 {
+			log.Println("invalid file descriptor", setup.Fuse)
+			return false
+		}
+		return true
+	}
+
+	if unsafeOpts.source == nil {
+		showHelp(args)
+		return false
+	} else if a, err := check.NewAbs(C.GoString(unsafeOpts.source)); err != nil {
+		log.Println(err)
+		return false
+	} else {
+		setup.Source = a
+	}
+	setup.mkdir = unsafeOpts.mkdir != 0
+
+	if unsafeOpts.setuid == nil {
+		setup.Setuid = -1
+	} else if v, err := strconv.Atoi(C.GoString(unsafeOpts.setuid)); err != nil || v <= 0 {
+		log.Println("invalid value for option setuid")
+		return false
+	} else {
+		setup.Setuid = v
+	}
+	if unsafeOpts.setgid == nil {
+		setup.Setgid = -1
+	} else if v, err := strconv.Atoi(C.GoString(unsafeOpts.setgid)); err != nil || v <= 0 {
+		log.Println("invalid value for option setgid")
+		return false
+	} else {
+		setup.Setgid = v
+	}
+
+	return true
+}
+
+// copyArgs returns a heap allocated copy of an argument slice in fuse_args
+// representation.
+func copyArgs(s ...string) fuseArgs {
+	if len(s) == 0 {
+		return fuseArgs{argc: 0, argv: nil, allocated: 0}
+	}
+	args := unsafe.Slice((**C.char)(C.malloc(C.size_t(uintptr(len(s))*unsafe.Sizeof(s[0])))), len(s))
+	for i, arg := range s {
+		args[i] = C.CString(arg)
+	}
+	return fuseArgs{argc: C.int(len(s)), argv: &args[0], allocated: 1}
+}
+
+// freeArgs frees the contents of argument list.
+func freeArgs(args *fuseArgs) { C.fuse_opt_free_args(args) }
+
+// unsafeAddArgument adds an argument to fuseArgs via fuse_opt_add_arg.
+//
+// The last byte of arg must be 0.
+func unsafeAddArgument(args *fuseArgs, arg string) {
+	C.fuse_opt_add_arg(args, (*C.char)(unsafe.Pointer(unsafe.StringData(arg))))
+}
+
+func _main(s ...string) (exitCode int) {
+	msg := message.New(log.Default())
+	container.TryArgv0(msg)
+	runtime.LockOSThread()
+
+	// don't mask creation mode, kernel already did that
+	syscall.Umask(0)
+
+	var pinner runtime.Pinner
+	defer pinner.Unpin()
+
+	args := copyArgs(s...)
+	defer freeArgs(&args)
+
+	// this causes the kernel to enforce access control based on struct stat
+	// populated by sharefs_getattr
+	unsafeAddArgument(&args, "-odefault_permissions\x00")
+
+	var priv C.struct_sharefs_private
+	pinner.Pin(&priv)
+	var setup setupState
+	priv.setup = C.uintptr_t(cgo.NewHandle(&setup))
+	defer destroySetup(unsafe.Pointer(&priv))
+
+	var opts C.struct_fuse_cmdline_opts
+	if C.fuse_parse_cmdline(&args, &opts) != 0 {
+		return 1
+	}
+	if opts.mountpoint != nil {
+		defer C.free(unsafe.Pointer(opts.mountpoint))
+	}
+
+	if opts.show_version != 0 {
+		fmt.Println("hakurei version", info.Version())
+		fmt.Println("FUSE library version", C.GoString(C.fuse_pkgversion()))
+		C.fuse_lowlevel_version()
+		return 0
+	}
+
+	if opts.show_help != 0 {
+		showHelp(&args)
+		return 0
+	} else if opts.mountpoint == nil {
+		log.Println("no mountpoint specified")
+		return 2
+	} else {
+		// hack to keep fuse_parse_cmdline happy in the container
+		mountpoint := C.GoString(opts.mountpoint)
+		pathnameArg := -1
+		for i, arg := range s {
+			if arg == mountpoint {
+				pathnameArg = i
+				break
+			}
+		}
+		if pathnameArg < 0 {
+			log.Println("mountpoint must be absolute")
+			return 2
+		}
+		s[pathnameArg] = container.Nonexistent
+	}
+
+	if !parseOpts(&args, &setup, msg.GetLogger()) {
+		return 1
+	}
+	asRoot := os.Geteuid() == 0
+
+	if asRoot {
+		if setup.Setuid <= 0 || setup.Setgid <= 0 {
+			log.Println("setuid and setgid must not be 0")
+			return 1
+		}
+
+		if setup.Fuse >= 3 {
+			log.Println("filesystem daemon must not run as root")
+			return 1
+		}
+
+		if setup.mkdir {
+			if err := os.MkdirAll(setup.Source.String(), 0700); err != nil {
+				if !errors.Is(err, os.ErrExist) {
+					log.Println(err)
+					return 1
+				}
+				// skip setup for existing source directory
+			} else if err = os.Chown(setup.Source.String(), setup.Setuid, setup.Setgid); err != nil {
+				log.Println(err)
+				return 1
+			}
+		}
+	} else if setup.Fuse < 3 && (setup.Setuid > 0 || setup.Setgid > 0) {
+		log.Println("setuid and setgid has no effect when not starting as root")
+		return 1
+	} else if setup.mkdir {
+		log.Println("mkdir has no effect when not starting as root")
+		return 1
+	}
+
+	op := C.struct_fuse_operations{
+		init:    closure(C.sharefs_init),
+		destroy: closure(C.sharefs_destroy),
+
+		// implemented in fuse-helper.c
+		getattr:  closure(C.sharefs_getattr),
+		readdir:  closure(C.sharefs_readdir),
+		mkdir:    closure(C.sharefs_mkdir),
+		unlink:   closure(C.sharefs_unlink),
+		rmdir:    closure(C.sharefs_rmdir),
+		rename:   closure(C.sharefs_rename),
+		truncate: closure(C.sharefs_truncate),
+		utimens:  closure(C.sharefs_utimens),
+		create:   closure(C.sharefs_create),
+		open:     closure(C.sharefs_open),
+		read:     closure(C.sharefs_read),
+		write:    closure(C.sharefs_write),
+		statfs:   closure(C.sharefs_statfs),
+		release:  closure(C.sharefs_release),
+		fsync:    closure(C.sharefs_fsync),
+	}
+
+	fuse := C.fuse_new_fn(&args, &op, C.size_t(unsafe.Sizeof(op)), unsafe.Pointer(&priv))
+	if fuse == nil {
+		return 3
+	}
+	defer C.fuse_destroy(fuse)
+	se := C.fuse_get_session(fuse)
+
+	if setup.Fuse < 3 {
+		// unconfined, set up mount point and container
+		if C.fuse_mount(fuse, opts.mountpoint) != 0 {
+			return 4
+		}
+		// unmounted by initial process
+		defer func() {
+			if exitCode == 5 {
+				C.fuse_unmount(fuse)
+			}
+		}()
+
+		if asRoot {
+			if err := syscall.Setresgid(setup.Setgid, setup.Setgid, setup.Setgid); err != nil {
+				log.Printf("cannot set gid: %v", err)
+				return 5
+			}
+			if err := syscall.Setgroups(nil); err != nil {
+				log.Printf("cannot set supplementary groups: %v", err)
+				return 5
+			}
+			if err := syscall.Setresuid(setup.Setuid, setup.Setuid, setup.Setuid); err != nil {
+				log.Printf("cannot set uid: %v", err)
+				return 5
+			}
+		}
+
+		msg.SwapVerbose(opts.debug != 0)
+		ctx := context.Background()
+		if opts.foreground != 0 {
+			c, cancel := signal.NotifyContext(ctx, syscall.SIGINT, syscall.SIGTERM)
+			defer cancel()
+			ctx = c
+		}
+		z := container.New(ctx, msg)
+		z.AllowOrphan = opts.foreground == 0
+		z.Env = os.Environ()
+
+		// keep fuse_parse_cmdline happy in the container
+		z.Tmpfs(check.MustAbs(container.Nonexistent), 1<<10, 0755)
+
+		z.Path = fhs.AbsProcSelfExe
+		z.Args = s
+		z.ForwardCancel = true
+		z.SeccompPresets |= std.PresetStrict
+		z.ParentPerm = 0700
+		z.Bind(setup.Source, setup.Source, std.BindWritable)
+		if !z.AllowOrphan {
+			z.WaitDelay = hst.WaitDelayMax
+			z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
+		}
+		z.Bind(z.Path, z.Path, 0)
+		setup.Fuse = int(proc.ExtraFileSlice(
+			&z.ExtraFiles,
+			os.NewFile(uintptr(C.fuse_session_fd(se)), "fuse"),
+		))
+
+		var setupPipe [2]*os.File
+		if r, w, err := os.Pipe(); err != nil {
+			log.Println(err)
+			return 5
+		} else {
+			z.Args = append(z.Args, "-osetup="+strconv.Itoa(3+len(z.ExtraFiles)))
+			z.ExtraFiles = append(z.ExtraFiles, r)
+			setupPipe[0], setupPipe[1] = r, w
+		}
+
+		if err := z.Start(); err != nil {
+			if m, ok := message.GetMessage(err); ok {
+				log.Println(m)
+			} else {
+				log.Println(err)
+			}
+			return 5
+		}
+		if err := setupPipe[0].Close(); err != nil {
+			log.Println(err)
+		}
+		if err := z.Serve(); err != nil {
+			if m, ok := message.GetMessage(err); ok {
+				log.Println(m)
+			} else {
+				log.Println(err)
+			}
+			return 5
+		}
+
+		if err := gob.NewEncoder(setupPipe[1]).Encode(&setup); err != nil {
+			log.Println(err)
+			return 5
+		} else if err = setupPipe[1].Close(); err != nil {
+			log.Println(err)
+		}
+
+		if !z.AllowOrphan {
+			if err := z.Wait(); err != nil {
+				var exitError *exec.ExitError
+				if !errors.As(err, &exitError) || exitError == nil {
+					log.Println(err)
+					return 5
+				}
+				switch code := exitError.ExitCode(); syscall.Signal(code & 0x7f) {
+				case syscall.SIGINT:
+				case syscall.SIGTERM:
+
+				default:
+					return code
+				}
+			}
+		}
+		return 0
+	} else { // confined
+		C.free(unsafe.Pointer(opts.mountpoint))
+		// must be heap allocated
+		opts.mountpoint = C.CString("/dev/fd/" + strconv.Itoa(setup.Fuse))
+
+		if err := os.Chdir("/"); err != nil {
+			log.Println(err)
+		}
+	}
+
+	if C.fuse_mount(fuse, opts.mountpoint) != 0 {
+		return 4
+	}
+	defer C.fuse_unmount(fuse)
+
+	if C.fuse_set_signal_handlers(se) != 0 {
+		return 6
+	}
+	defer C.fuse_remove_signal_handlers(se)
+
+	if opts.singlethread != 0 {
+		if C.fuse_loop(fuse) != 0 {
+			return 8
+		}
+	} else {
+		loopConfig := C.fuse_loop_cfg_create()
+		if loopConfig == nil {
+			return 7
+		}
+		defer C.fuse_loop_cfg_destroy(loopConfig)
+
+		C.fuse_loop_cfg_set_clone_fd(loopConfig, C.uint(opts.clone_fd))
+
+		C.fuse_loop_cfg_set_idle_threads(loopConfig, opts.max_idle_threads)
+		C.fuse_loop_cfg_set_max_threads(loopConfig, opts.max_threads)
+		if C.fuse_loop_mt(fuse, loopConfig) != 0 {
+			return 8
+		}
+	}
+
+	if setup.initFailed {
+		return 1
+	}
+	return 0
+}

cmd/sharefs/fuse_test.go

@@ -0,0 +1,113 @@
+package main
+
+import (
+	"bytes"
+	"log"
+	"reflect"
+	"testing"
+
+	"hakurei.app/check"
+)
+
+func TestParseOpts(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name    string
+		args    []string
+		want    setupState
+		wantLog string
+		wantOk  bool
+	}{
+		{"zero length", []string{}, setupState{}, "", false},
+
+		{"not absolute", []string{"sharefs",
+			"-o", "source=nonexistent",
+			"-o", "setuid=1023",
+			"-o", "setgid=1023",
+		}, setupState{}, "sharefs: path \"nonexistent\" is not absolute\n", false},
+
+		{"not specified", []string{"sharefs",
+			"-o", "setuid=1023",
+			"-o", "setgid=1023",
+		}, setupState{}, "", false},
+
+		{"invalid setuid", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setuid=ff",
+			"-o", "setgid=1023",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+		}, "sharefs: invalid value for option setuid\n", false},
+
+		{"invalid setgid", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setuid=1023",
+			"-o", "setgid=ff",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: 1023,
+		}, "sharefs: invalid value for option setgid\n", false},
+
+		{"simple", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: -1,
+			Setgid: -1,
+		}, "", true},
+
+		{"root", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setuid=1023",
+			"-o", "setgid=1023",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: 1023,
+			Setgid: 1023,
+		}, "", true},
+
+		{"setuid", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setuid=1023",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: 1023,
+			Setgid: -1,
+		}, "", true},
+
+		{"setgid", []string{"sharefs",
+			"-o", "source=/proc/nonexistent",
+			"-o", "setgid=1023",
+		}, setupState{
+			Source: check.MustAbs("/proc/nonexistent"),
+			Setuid: -1,
+			Setgid: 1023,
+		}, "", true},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				got setupState
+				buf bytes.Buffer
+			)
+			args := copyArgs(tc.args...)
+			defer freeArgs(&args)
+			unsafeAddArgument(&args, "-odefault_permissions\x00")
+
+			if ok := parseOpts(&args, &got, log.New(&buf, "sharefs: ", 0)); ok != tc.wantOk {
+				t.Errorf("parseOpts: ok = %v, want %v", ok, tc.wantOk)
+			}
+
+			if !reflect.DeepEqual(&got, &tc.want) {
+				t.Errorf("parseOpts: setup = %#v, want %#v", got, tc.want)
+			}
+
+			if buf.String() != tc.wantLog {
+				t.Errorf("parseOpts: log =\n%s\nwant\n%s", buf.String(), tc.wantLog)
+			}
+		})
+	}
+}

cmd/sharefs/main.go

@@ -0,0 +1,38 @@
+// The sharefs FUSE filesystem is a permissionless shared filesystem.
+//
+// This filesystem is the primary means of file sharing between hakurei
+// application containers. It serves the same purpose in Rosa OS as /sdcard
+// does in AOSP.
+//
+// See help message for all available options.
+package main
+
+import (
+	"log"
+	"os"
+	"slices"
+)
+
+// sharefsName is the prefix used by log.std in the sharefs process.
+const sharefsName = "sharefs"
+
+// handleMountArgs returns an alternative, libfuse-compatible args slice for
+// args passed by mount -t fuse.sharefs [options] sharefs <mountpoint>.
+//
+// In this case, args always has a length of 5 with index 0 being what comes
+// after "fuse." in the filesystem type, 1 is the uninterpreted string passed
+// to mount (sharefsName is used as the magic string to enable this hack),
+// 2 is passed through to libfuse as mountpoint, and 3 is always "-o".
+func handleMountArgs(args []string) []string {
+	if len(args) == 5 && args[1] == sharefsName && args[3] == "-o" {
+		return []string{sharefsName, args[2], "-o", args[4]}
+	}
+	return slices.Clone(args)
+}
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix(sharefsName + ": ")
+
+	os.Exit(_main(handleMountArgs(os.Args)...))
+}

cmd/sharefs/main_test.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	"slices"
+	"testing"
+)
+
+func TestHandleMountArgs(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		args []string
+		want []string
+	}{
+		{"nil", nil, nil},
+		{"passthrough", []string{"sharefs", "-V"}, []string{"sharefs", "-V"}},
+		{"replace", []string{"/sbin/sharefs", "sharefs", "/sdcard", "-o", "rw"}, []string{"sharefs", "/sdcard", "-o", "rw"}},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := handleMountArgs(tc.args); !slices.Equal(got, tc.want) {
+				t.Errorf("handleMountArgs: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}

cmd/sharefs/test/configuration.nix

@@ -0,0 +1,44 @@
+{ pkgs, ... }:
+{
+  users.users = {
+    alice = {
+      isNormalUser = true;
+      description = "Alice Foobar";
+      password = "foobar";
+      uid = 1000;
+    };
+  };
+
+  home-manager.users.alice.home.stateVersion = "24.11";
+
+  # Automatically login on tty1 as a normal user:
+  services.getty.autologinUser = "alice";
+
+  environment = {
+    # For benchmarking sharefs:
+    systemPackages = [ pkgs.fsmark ];
+  };
+
+  virtualisation = {
+    # Hopefully reduces spurious test failures:
+    memorySize = if pkgs.stdenv.hostPlatform.is32bit then 2046 else 8192;
+
+    diskSize = 6 * 1024;
+
+    qemu.options = [
+      # Increase test performance:
+      "-smp 16"
+    ];
+  };
+
+  environment.hakurei = rec {
+    enable = true;
+    stateDir = "/var/lib/hakurei";
+    sharefs.source = "${stateDir}/sdcard";
+    users.alice = 0;
+
+    extraHomeConfig = {
+      home.stateVersion = "23.05";
+    };
+  };
+}

cmd/sharefs/test/default.nix

@@ -0,0 +1,44 @@
+{
+  testers,
+
+  system,
+  self,
+}:
+testers.nixosTest {
+  name = "sharefs";
+  nodes.machine =
+    { options, pkgs, ... }:
+    let
+      fhs =
+        let
+          hakurei = options.environment.hakurei.package.default;
+        in
+        pkgs.buildFHSEnv {
+          pname = "hakurei-fhs";
+          inherit (hakurei) version;
+          targetPkgs = _: hakurei.targetPkgs;
+          extraOutputsToInstall = [ "dev" ];
+          profile = ''
+            export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
+          '';
+        };
+    in
+    {
+      environment.systemPackages = [
+        # For go tests:
+        (pkgs.writeShellScriptBin "sharefs-workload-hakurei-tests" ''
+          cp -r "${self.packages.${system}.hakurei.src}" "/sdcard/hakurei" && cd "/sdcard/hakurei"
+          ${fhs}/bin/hakurei-fhs -c 'ROSA_SKIP_BINFMT=1 CC="clang -O3 -Werror" go test ./...'
+        '')
+      ];
+
+      imports = [
+        ./configuration.nix
+
+        self.nixosModules.hakurei
+        self.inputs.home-manager.nixosModules.home-manager
+      ];
+    };
+
+  testScript = builtins.readFile ./test.py;
+}

cmd/sharefs/test/raceattr.go

@@ -0,0 +1,122 @@
+//go:build raceattr
+
+// The raceattr program reproduces vfs inode file attribute race.
+//
+// Even though libfuse high-level API presents the address of a struct stat
+// alongside struct fuse_context, file attributes are actually inherent to the
+// inode, instead of the specific call from userspace. The kernel implementation
+// in fs/fuse/xattr.c appears to make stale data in the inode (set by a previous
+// call) impossible or very unlikely to reach userspace via the stat family of
+// syscalls. However, when using default_permissions to have the VFS check
+// permissions, this race still happens, despite the resulting struct stat being
+// correct when overriding the check via capabilities otherwise.
+//
+// This program reproduces the failure, but because of its continuous nature, it
+// is provided independent of the vm integration test suite.
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"os"
+	"os/signal"
+	"runtime"
+	"sync"
+	"sync/atomic"
+	"syscall"
+)
+
+func newStatAs(
+	ctx context.Context, cancel context.CancelFunc,
+	n *atomic.Uint64, ok *atomic.Bool,
+	uid uint32, pathname string,
+	continuous bool,
+) func() {
+	return func() {
+		runtime.LockOSThread()
+		defer cancel()
+
+		if _, _, errno := syscall.Syscall(
+			syscall.SYS_SETUID, uintptr(uid),
+			0, 0,
+		); errno != 0 {
+			cancel()
+			log.Printf("cannot set uid to %d: %s", uid, errno)
+		}
+
+		var stat syscall.Stat_t
+		for {
+			if ctx.Err() != nil {
+				return
+			}
+
+			if err := syscall.Lstat(pathname, &stat); err != nil {
+				// SHAREFS_PERM_DIR not world executable, or
+				// SHAREFS_PERM_REG not world readable
+				if !continuous {
+					cancel()
+				}
+				ok.Store(true)
+				log.Printf("uid %d: %v", uid, err)
+			} else if stat.Uid != uid {
+				// appears to be unreachable
+				if !continuous {
+					cancel()
+				}
+				ok.Store(true)
+				log.Printf("got uid %d instead of %d", stat.Uid, uid)
+			}
+			n.Add(1)
+		}
+	}
+}
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("raceattr: ")
+
+	p := flag.String("target", "/sdcard/raceattr", "pathname of test file")
+	u0 := flag.Int("uid0", 1<<10-1, "first uid")
+	u1 := flag.Int("uid1", 1<<10-2, "second uid")
+	count := flag.Int("count", 1, "threads per uid")
+	continuous := flag.Bool("continuous", false, "keep running even after reproduce")
+	flag.Parse()
+
+	if os.Geteuid() != 0 {
+		log.Fatal("this program must run as root")
+	}
+
+	ctx, cancel := signal.NotifyContext(
+		context.Background(),
+		syscall.SIGINT,
+		syscall.SIGTERM,
+		syscall.SIGHUP,
+	)
+
+	if err := os.WriteFile(*p, nil, 0); err != nil {
+		log.Fatal(err)
+	}
+
+	var (
+		wg sync.WaitGroup
+
+		n  atomic.Uint64
+		ok atomic.Bool
+	)
+
+	if *count < 1 {
+		*count = 1
+	}
+	for range *count {
+		wg.Go(newStatAs(ctx, cancel, &n, &ok, uint32(*u0), *p, *continuous))
+		if *u1 >= 0 {
+			wg.Go(newStatAs(ctx, cancel, &n, &ok, uint32(*u1), *p, *continuous))
+		}
+	}
+
+	wg.Wait()
+	if !*continuous && ok.Load() {
+		log.Printf("reproduced after %d calls", n.Load())
+	}
+}

cmd/sharefs/test/test.py

@@ -0,0 +1,60 @@
+start_all()
+machine.wait_for_unit("multi-user.target")
+
+# To check sharefs version:
+print(machine.succeed("sharefs -V"))
+
+# Make sure sharefs started:
+machine.wait_for_unit("sdcard.mount")
+
+machine.succeed("mkdir /mnt")
+def check_bad_opts_output(opts, want, source="/etc", privileged=False):
+    output = machine.fail(("" if privileged else "sudo -u alice -i ") + f"sharefs -f -o source={source},{opts} /mnt 2>&1")
+    if output != want:
+        raise Exception(f"unexpected output: {output}")
+
+# Malformed setuid/setgid representation:
+check_bad_opts_output("setuid=ff", "sharefs: invalid value for option setuid\n")
+check_bad_opts_output("setgid=ff", "sharefs: invalid value for option setgid\n")
+
+# Bounds check for setuid/setgid:
+check_bad_opts_output("setuid=0", "sharefs: invalid value for option setuid\n")
+check_bad_opts_output("setgid=0", "sharefs: invalid value for option setgid\n")
+check_bad_opts_output("setuid=-1", "sharefs: invalid value for option setuid\n")
+check_bad_opts_output("setgid=-1", "sharefs: invalid value for option setgid\n")
+
+# Non-root setuid/setgid:
+check_bad_opts_output("setuid=1023", "sharefs: setuid and setgid has no effect when not starting as root\n")
+check_bad_opts_output("setgid=1023", "sharefs: setuid and setgid has no effect when not starting as root\n")
+check_bad_opts_output("setuid=1023,setgid=1023", "sharefs: setuid and setgid has no effect when not starting as root\n")
+check_bad_opts_output("mkdir", "sharefs: mkdir has no effect when not starting as root\n")
+
+# Starting as root without setuid/setgid:
+check_bad_opts_output("allow_other", "sharefs: setuid and setgid must not be 0\n", privileged=True)
+check_bad_opts_output("setuid=1023", "sharefs: setuid and setgid must not be 0\n", privileged=True)
+check_bad_opts_output("setgid=1023", "sharefs: setuid and setgid must not be 0\n", privileged=True)
+
+# Make sure nothing actually got mounted:
+machine.fail("umount /mnt")
+machine.succeed("rmdir /mnt")
+
+# Unprivileged mount/unmount:
+machine.succeed("sudo -u alice -i mkdir /home/alice/{sdcard,persistent}")
+machine.succeed("sudo -u alice -i sharefs -o source=/home/alice/persistent /home/alice/sdcard")
+machine.succeed("sudo -u alice -i touch /home/alice/sdcard/check")
+machine.succeed("sudo -u alice -i umount /home/alice/sdcard")
+machine.succeed("sudo -u alice -i rm /home/alice/persistent/check")
+machine.succeed("sudo -u alice -i rmdir /home/alice/{sdcard,persistent}")
+
+# Benchmark sharefs:
+machine.succeed("fs_mark -v -d /sdcard/fs_mark -l /tmp/fs_log.txt")
+machine.copy_from_vm("/tmp/fs_log.txt", "")
+
+# Check permissions:
+machine.succeed("sudo -u sharefs touch /var/lib/hakurei/sdcard/fs_mark/.check")
+machine.succeed("sudo -u sharefs rm /var/lib/hakurei/sdcard/fs_mark/.check")
+machine.succeed("sudo -u alice rm -rf /sdcard/fs_mark")
+machine.fail("ls /var/lib/hakurei/sdcard/fs_mark")
+
+# Run hakurei tests on sharefs:
+machine.succeed("sudo -u alice -i sharefs-workload-hakurei-tests")

command/builder_test.go

@@ -7,6 +7,7 @@ import (
 )
 
 func TestBuild(t *testing.T) {
+	t.Parallel()
 	c := command.New(nil, nil, "test", nil)
 	stubHandler := func([]string) error { panic("unreachable") }
 

command/parse_test.go

@@ -14,6 +14,8 @@ import (
 )
 
 func TestParse(t *testing.T) {
+	t.Parallel()
+
 	testCases := []struct {
 		name      string
 		buildTree func(wout, wlog io.Writer) command.Command
@@ -251,6 +253,7 @@ Commands:
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
 			wout, wlog := new(bytes.Buffer), new(bytes.Buffer)
 			c := tc.buildTree(wout, wlog)