From 2dd49c437c19fcd55ce22e732b544d22b91a6342 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 26 Mar 2025 02:49:37 +0900
Subject: [PATCH] app: create XDG_RUNTIME_DIR with perm 0700

Many programs complain about this.

Signed-off-by: Ophestra
---
 internal/app/app_nixos_test.go | 2 +-
 internal/app/app_pd_test.go | 4 ++--
 internal/app/seal.go | 2 +-
 test/sandbox/case/mapuid.nix | 4 ++--
 test/sandbox/case/preset.nix | 4 ++--
 test/sandbox/case/tty.nix | 4 ++--
 6 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/internal/app/app_nixos_test.go b/internal/app/app_nixos_test.go
index 0b5b42c..e6fb370 100644
--- a/internal/app/app_nixos_test.go
+++ b/internal/app/app_nixos_test.go
@@ -203,7 +203,7 @@ var testCasesNixos = []sealTestCase{
 Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
 Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
 Tmpfs("/run/user", 4096, 0755).
- Tmpfs("/run/user/1971", 8388608, 0755).
+ Tmpfs("/run/user/1971", 8388608, 0700).
 Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", sandbox.BindWritable).
 Bind("/var/lib/persist/module/fortify/0/1", "/var/lib/persist/module/fortify/0/1", sandbox.BindWritable).
 Place("/etc/passwd", []byte("u0_a1:x:1971:100:Fortify:/var/lib/persist/module/fortify/0/1:/run/current-system/sw/bin/zsh\n")).
diff --git a/internal/app/app_pd_test.go b/internal/app/app_pd_test.go
index 50e1611..d7fbc2b 100644
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@@ -146,7 +146,7 @@ var testCasesPd = []sealTestCase{
 Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
 Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
 Tmpfs("/run/user", 4096, 0755).
- Tmpfs("/run/user/65534", 8388608, 0755).
+ Tmpfs("/run/user/65534", 8388608, 0700).
 Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
 Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
 Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
@@ -366,7 +366,7 @@ var testCasesPd = []sealTestCase{
 Link(fst.Tmp+"/etc/zshenv", "/etc/zshenv").
 Link(fst.Tmp+"/etc/zshrc", "/etc/zshrc").
 Tmpfs("/run/user", 4096, 0755).
- Tmpfs("/run/user/65534", 8388608, 0755).
+ Tmpfs("/run/user/65534", 8388608, 0700).
 Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", sandbox.BindWritable).
 Bind("/home/chronos", "/home/chronos", sandbox.BindWritable).
 Place("/etc/passwd", []byte("chronos:x:65534:65534:Fortify:/home/chronos:/run/current-system/sw/bin/zsh\n")).
diff --git a/internal/app/seal.go b/internal/app/seal.go
index c9ec4bc..80e9537 100644
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -291,7 +291,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 // inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as post-fsu user
 innerRuntimeDir := path.Join("/run/user", mapuid.String())
 seal.container.Tmpfs("/run/user", 1<<12, 0755)
- seal.container.Tmpfs(innerRuntimeDir, 1<<23, 0755)
+ seal.container.Tmpfs(innerRuntimeDir, 1<<23, 0700)
 seal.env[xdgRuntimeDir] = innerRuntimeDir
 seal.env[xdgSessionClass] = "user"
 seal.env[xdgSessionType] = "tty"
diff --git a/test/sandbox/case/mapuid.nix b/test/sandbox/case/mapuid.nix
index f29f192..eb042e8 100644
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
@@ -115,7 +115,7 @@
 current-system = fs "80001ff" null null;
 opengl-driver = fs "80001ff" null null;
 user = fs "800001ed" {
- "1000" = fs "800001ed" {
+ "1000" = fs "800001c0" {
 bus = fs "10001fd" null null;
 pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
 wayland-0 = fs "1000038" null null;
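Review bot: The new `seal.container.Tmpfs(innerRuntimeDir, 1<<23, 0700)` line in seal.go carries no explanation of why this mount is 0700 while the `/run/user` mount just above it stays 0755, and the commit message only says that programs complain; the reason is a specification requirement that belongs at the call site. I would extend the comment above `innerRuntimeDir` with `// XDG_RUNTIME_DIR must be owned by the user with access mode 0700 (XDG Base Directory Specification); the parent /run/user stays 0755 as on a host system`. Mode alone does not satisfy that requirement, since the directory must also be owned by the mapped user, and this call passes only a size and a mode, so ownership is presumably applied by the container layer (the nix expectations in this commit show `uid=1000003` on the mount); that is worth confirming or stating in the comment. The `1<<23` size and the 0700 mode could also become named constants shared with the test cases, which currently spell the same size as `8388608`. finalise begins and ends outside the hunk.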
@@ -203,7 +203,7 @@
 (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
 (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
- (ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=755,uid=1000003,gid=1000003")
+ (ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000003,gid=1000003")
 (ent "/tmp/fortify.1000/tmpdir/3" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/var/lib/fortify/u0/a3" "/var/lib/fortify/u0/a3" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
diff --git a/test/sandbox/case/preset.nix b/test/sandbox/case/preset.nix
index 3f9134f..b31ec3d 100644
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@@ -115,7 +115,7 @@
 current-system = fs "80001ff" null null;
 opengl-driver = fs "80001ff" null null;
 user = fs "800001ed" {
- "65534" = fs "800001ed" {
+ "65534" = fs "800001c0" {
 bus = fs "10001fd" null null;
 pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
 wayland-0 = fs "1000038" null null;
@@ -203,7 +203,7 @@
 (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
 (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
- (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=755,uid=1000001,gid=1000001")
+ (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000001,gid=1000001")
 (ent "/tmp/fortify.1000/tmpdir/1" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/var/lib/fortify/u0/a1" "/var/lib/fortify/u0/a1" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
diff --git a/test/sandbox/case/tty.nix b/test/sandbox/case/tty.nix
index 7e6b551..2a3de55 100644
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@@ -116,7 +116,7 @@
 current-system = fs "80001ff" null null;
 opengl-driver = fs "80001ff" null null;
 user = fs "800001ed" {
- "65534" = fs "800001ed" {
+ "65534" = fs "800001c0" {
 bus = fs "10001fd" null null;
 pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
 wayland-0 = fs "1000038" null null;
@@ -205,7 +205,7 @@
 (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
 (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
- (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=755,uid=1000002,gid=1000002")
+ (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000002,gid=1000002")
 (ent "/tmp/fortify.1000/tmpdir/2" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/var/lib/fortify/u0/a2" "/var/lib/fortify/u0/a2" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")