nix: test direct_wayland behaviour

This should never be used outside tests unless you absolutely know what you're doing or are using GNOME. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-02-15 10:45:27 +09:00 · 2025-02-15 10:45:27 +09:00 · 6ae02e72fa
commit 6ae02e72fa
parent 989fb5395f
3 changed files with 29 additions and 1 deletions
--- a/nixos.nix
+++ b/nixos.nix
@ -118,6 +118,7 @@ in
                        };
                        map_real_uid = app.mapRealUid;
                        no_new_session = app.tty;
+                        direct_wayland = app.insecureWayland;
                        filesystem =
                          let
                            bind = src: { inherit src; };
--- a/options.nix
+++ b/options.nix
@ -146,6 +146,7 @@ in
              mapRealUid = mkEnableOption "mapping to priv-user uid";
              dev = mkEnableOption "access to all devices";
              tty = mkEnableOption "access to the controlling terminal";
+              insecureWayland = mkEnableOption "direct access to the Wayland socket";

              net = mkEnableOption "network access" // {
                default = true;
--- a/test.nix
+++ b/test.nix
@ -81,7 +81,7 @@ nixosTest {
          mkdir -p ~/.config/sway
          (sed s/Mod4/Mod1/ /etc/sway/config &&
          echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill' &&
-          echo 'output Virtual-1 res 1280x768') > ~/.config/sway/config
+          echo 'output Virtual-1 res 1680x1050') > ~/.config/sway/config

          sway --validate
          systemd-cat --identifier=sway sway && touch /tmp/sway-exit-ok
@ -148,6 +148,18 @@ nixosTest {
              pulse = false;
            };
          }
+          {
+            name = "da-foot";
+            verbose = true;
+            insecureWayland = true;
+            share = pkgs.foot;
+            packages = [ pkgs.foot ];
+            command = "foot";
+            capability = {
+              dbus = false;
+              pulse = false;
+            };
+          }
          {
            name = "strace-failure";
            verbose = true;
@ -323,6 +335,20 @@ nixosTest {
    machine.send_chars("exit\n")
    machine.wait_until_fails("pgrep alacritty")

+    # Start app (foot) with direct Wayland access:
+    swaymsg("exec da-foot")
+    wait_for_window("u0_a4@machine")
+    machine.send_chars("clear; wayland-info && touch /tmp/success-direct\n")
+    machine.wait_for_file("/tmp/fortify.1000/tmpdir/4/success-direct")
+    collect_state_ui("foot_direct")
+    check_state("da-foot", 1)
+    # Verify acl on XDG_RUNTIME_DIR:
+    print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000004"))
+    machine.send_chars("exit\n")
+    machine.wait_until_fails("pgrep foot")
+    # Verify acl cleanup on XDG_RUNTIME_DIR:
+    machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000004")
+
    # Test syscall filter:
    print(machine.fail("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 strace-failure"))