app/seal: improve documentation

Signed-off-by: Ophestra <cat@gensokyo.uk>
Ophestra 2025-02-19 01:04:14 +09:00
parent 9a10eeab90
commit aa164081e1
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
2 changed files with 19 additions and 14 deletions


@ -29,30 +29,35 @@ var (
var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z0-9_-]{0,30}\\$)$") var posixUsername = regexp.MustCompilePOSIX("^[a-z_]([A-Za-z0-9_-]{0,31}|[A-Za-z0-9_-]{0,30}\\$)$")
// appSeal seals the application with child-related information // appSeal stores copies of various parts of [fst.Config]
type appSeal struct { type appSeal struct {
// app unique ID string representation // string representation of [fst.ID]
id string id string
// dump dbus proxy message buffer // dump dbus proxy message buffer
dbusMsg func() dbusMsg func()
// freedesktop application ID // reverse-DNS style arbitrary identifier string from config;
fid string // passed to wayland security-context-v1 as application ID
// argv to start process with in the final confined environment // and used as part of defaults in dbus session proxy
appID string
// final argv, passed to init
command []string command []string
// persistent process state store // state instance initialised during seal and used on process lifecycle events
store state.Store store state.Store
// process-specific share directory path // process-specific share directory path ([os.TempDir])
share string share string
// process-specific share directory path local to XDG_RUNTIME_DIR // process-specific share directory path ([fst.Paths] XDG_RUNTIME_DIR)
shareLocal string shareLocal string
// initial config gob encoding buffer // initial [fst.Config] gob stream for state data;
// this is prepared ahead of time as config is mutated during seal creation
ct io.WriterTo ct io.WriterTo
// wayland socket direct access // passed through from [fst.SandboxConfig];
// when this gets set no attempt is made to attach security-context-v1
// and the bare socket is mounted to the sandbox
directWayland bool directWayland bool
// extra UpdatePerm ops // extra [acl.Update] ops, appended at the end of [system.I]
extraPerms []*sealedExtraPerm extraPerms []*sealedExtraPerm
// prevents sharing from happening twice // prevents sharing from happening twice
@ -102,7 +107,7 @@ func (a *app) Seal(config *fst.Config) error {
// pass through config values // pass through config values
seal.id = a.id.String() seal.id = a.id.String()
seal.fid = config.ID seal.appID = config.ID
seal.command = config.Command seal.command = config.Command
// create seal system component // create seal system component
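Review bot: The new `appID` comment describes the field as an arbitrary string from config but does not say that it can be empty or whether it is validated before use; the Seal hunk assigns `seal.appID = config.ID` as is. The other file on this page shows the two consumers treating the empty case differently: the wayland path substitutes `"uk.gensokyo.fortify." + seal.id`, while `dbus.NewConfig(seal.appID, true, true)` receives the field unchanged, and its handling of an empty ID is not visible here. Since this value ends up as the security-context-v1 application ID and feeds the dbus proxy defaults, I would add a line such as `// may be empty and is not checked here; the wayland path falls back to an instance-derived ID, dbus.NewConfig receives it as is`. The appSeal struct and the body of Seal both continue outside the hunks shown.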


@ -158,7 +158,7 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os sys.State) error {
socketDir := path.Join(seal.SharePath, "wayland") socketDir := path.Join(seal.SharePath, "wayland")
outerPath := path.Join(socketDir, seal.id) outerPath := path.Join(socketDir, seal.id)
seal.sys.Ensure(socketDir, 0711) seal.sys.Ensure(socketDir, 0711)
appID := seal.fid appID := seal.appID
if appID == "" { if appID == "" {
// use instance ID in case app id is not set // use instance ID in case app id is not set
appID = "uk.gensokyo.fortify." + seal.id appID = "uk.gensokyo.fortify." + seal.id
@ -246,7 +246,7 @@ func (seal *appSeal) setupShares(bus [2]*dbus.Config, os sys.State) error {
if seal.Has(system.EDBus) { if seal.Has(system.EDBus) {
// ensure dbus session bus defaults // ensure dbus session bus defaults
if bus[0] == nil { if bus[0] == nil {
bus[0] = dbus.NewConfig(seal.fid, true, true) bus[0] = dbus.NewConfig(seal.appID, true, true)
} }
// downstream socket paths // downstream socket paths