From 6ae02e72faa0fb5d7b26ced6d7cad392cfdd0a56 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Sat, 15 Feb 2025 10:45:27 +0900
Subject: [PATCH] nix: test direct_wayland behaviour

This should never be used outside tests unless you absolutely know what you're doing or are using GNOME.

Signed-off-by: Ophestra
---
 nixos.nix | 1 +
 options.nix | 1 +
 test.nix | 28 +++++++++++++++++++++++++++-
 3 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/nixos.nix b/nixos.nix
index c5729ad..103ff6e 100644
--- a/nixos.nix
+++ b/nixos.nix
@@ -118,6 +118,7 @@ in
 };
 map_real_uid = app.mapRealUid;
 no_new_session = app.tty;
+ direct_wayland = app.insecureWayland;
 filesystem = let bind = src: { inherit src; };
diff --git a/options.nix b/options.nix
index 7f44ef4..4da0f34 100644
--- a/options.nix
+++ b/options.nix
@@ -146,6 +146,7 @@ in
 mapRealUid = mkEnableOption "mapping to priv-user uid";
 dev = mkEnableOption "access to all devices";
 tty = mkEnableOption "access to the controlling terminal";
+ insecureWayland = mkEnableOption "direct access to the Wayland socket";
 net = mkEnableOption "network access" // { default = true;
diff --git a/test.nix b/test.nix
index 7836159..5f41d40 100644
--- a/test.nix
+++ b/test.nix
@@ -81,7 +81,7 @@ nixosTest {
 mkdir -p ~/.config/sway
 (sed s/Mod4/Mod1/ /etc/sway/config &&
 echo 'output * bg ${pkgs.nixos-artwork.wallpapers.simple-light-gray.gnomeFilePath} fill' &&
- echo 'output Virtual-1 res 1280x768') > ~/.config/sway/config
+ echo 'output Virtual-1 res 1680x1050') > ~/.config/sway/config
 sway --validate systemd-cat --identifier=sway sway && touch /tmp/sway-exit-ok
@@ -148,6 +148,18 @@ nixosTest {
 pulse = false;
 };
 }
+ {
+ name = "da-foot";
+ verbose = true;
+ insecureWayland = true;
+ share = pkgs.foot;
+ packages = [ pkgs.foot ];
+ command = "foot";
+ capability = {
+ dbus = false;
+ pulse = false;
+ };
+ }
 {
 name = "strace-failure";
 verbose = true;
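Review bot: The description given to `insecureWayland` in the options.nix hunk, "direct access to the Wayland socket", reads like the neighbouring routine toggles (`dev`, `tty`) and carries none of the warning that the commit message gives. Only the option name hints at the risk, and anything that shows just the description text will not convey it. I would put the caveat into the description itself, for example `insecureWayland = mkEnableOption "direct access to the Wayland socket (insecure; do not enable outside tests unless you know what you are doing or are using GNOME)";`. The nixos.nix hunk passes the value straight through as `direct_wayland` with no warning of its own, so within this patch the option text is the only place a user would see the caveat.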
@@ -323,6 +335,20 @@ nixosTest {
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep alacritty")
+ # Start app (foot) with direct Wayland access:
+ swaymsg("exec da-foot")
+ wait_for_window("u0_a4@machine")
+ machine.send_chars("clear; wayland-info && touch /tmp/success-direct\n")
+ machine.wait_for_file("/tmp/fortify.1000/tmpdir/4/success-direct")
+ collect_state_ui("foot_direct")
+ check_state("da-foot", 1)
+ # Verify acl on XDG_RUNTIME_DIR:
+ print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000004"))
+ machine.send_chars("exit\n")
+ machine.wait_until_fails("pgrep foot")
+ # Verify acl cleanup on XDG_RUNTIME_DIR:
+ machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000004")
+ # Test syscall filter: print(machine.fail("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 strace-failure"))
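Review bot: Both ACL checks in this hunk match with an unanchored `grep 1000004`, so they pass on any getfacl line that contains that digit string and assert nothing about which permissions the entry grants on /run/user/1000. Because this test covers the insecure path, it is worth pinning the entry with `grep '^user:1000004:'` in both the presence check and the cleanup check. An assertion on the expected permission bits would also help, though the hunk does not state what they should be. Separately, `wayland-info && touch /tmp/success-direct` presumably also succeeds without `insecureWayland`, so the test may not show that the direct path was actually taken; this should be confirmed against the other app tests, which are outside this hunk. The surrounding test script starts and ends outside the hunk.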