nix: update flake lock

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/fpkg/install.go

@@ -5,6 +5,7 @@ import (
 	"flag"
 	"os"
 	"path"
+	"strings"
 
 	"git.gensokyo.uk/security/fortify/fst"
 	"git.gensokyo.uk/security/fortify/internal/fmsg"
@@ -123,98 +124,37 @@ func actionInstall(args []string) {
 		Setup steps for files owned by the target user.
 	*/
 
-	installConfig := &fst.Config{
+	withCacheDir("install", []string{
-		ID: bundle.ID,
+		// export inner bundle path in the environment
-		Command: []string{shell, "-lc", "export BUNDLE=" + fst.Tmp + "/bundle && " + // export inner bundle path in the environment
+		"export BUNDLE=" + fst.Tmp + "/bundle",
-			"mkdir -p etc && chmod -R +w etc && rm -rf etc && cp -dRf $BUNDLE/etc etc && " + // replace inner /etc
+		// replace inner /etc
-			"mkdir -p nix && chmod -R +w nix && rm -rf nix && cp -dRf /nix nix && " + // replace inner /nix
+		"mkdir -p etc",
-			"nix copy --offline --no-check-sigs --all --from file://$BUNDLE/res --to $PWD && " + // copy from binary cache
+		"chmod -R +w etc",
-			"chmod 0755 .", // make cache directory world-readable for autoetc
+		"rm -rf etc",
-		},
+		"cp -dRf $BUNDLE/etc etc",
-		Confinement: fst.ConfinementConfig{
+		// replace inner /nix
-			AppID:    bundle.AppID,
+		"mkdir -p nix",
-			Username: "nixos",
+		"chmod -R +w nix",
-			Inner:    path.Join("/data/data", bundle.ID, "cache"),
+		"rm -rf nix",
-			Outer:    pathSet.cacheDir, // this also ensures cacheDir via fshim
+		"cp -dRf /nix nix",
-			Sandbox: &fst.SandboxConfig{
+		// copy from binary cache
-				Hostname:     formatHostname(bundle.Name) + "-install",
+		"nix copy --offline --no-check-sigs --all --from file://$BUNDLE/res --to $PWD",
-				NoNewSession: dropShellInstall, // nix copy should not need job control
+		// make cache directory world-readable for autoetc
-				Filesystem: []*fst.FilesystemConfig{
+		"chmod 0755 .",
-					{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
+	}, workDir, bundle, pathSet, dropShellInstall, cleanup)
-					{Src: workDir, Dst: path.Join(fst.Tmp, "bundle"), Must: true},
-				},
-				Link: [][2]string{
-					{bundle.CurrentSystem, "/run/current-system"},
-					{"/run/current-system/sw/bin", "/bin"},
-					{"/run/current-system/sw/bin", "/usr/bin"},
-				},
-				Etc:     path.Join(workDir, "etc"),
-				AutoEtc: true,
-			},
-			ExtraPerms: []*fst.ExtraPermConfig{
-				{Path: dataHome, Execute: true},
-				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-				{Path: workDir, Execute: true},
-			},
-		},
-	}
-
-	if dropShellInstall {
-		installConfig.Command = []string{shell, "-l"}
-		fortifyApp(installConfig, cleanup)
-		cleanup()
-		fmsg.Exit(0)
-	}
-	fortifyApp(installConfig, cleanup)
 
 	/*
 		Activate home-manager generation.
 	*/
 
-	activateConfig := &fst.Config{
+	withNixDaemon("activate", []string{
-		ID: bundle.ID,
+		// clean up broken links
-		Command: []string{shell, "-lc", "mkdir -p .local/state/{nix,home-manager} && chmod -R +w .local/state/{nix,home-manager} && rm -rf .local/state/{nix,home-manager} && " + // clean up broken links
+		"mkdir -p .local/state/{nix,home-manager}",
-			"nix-daemon --store / & " + // start nix-daemon
+		"chmod -R +w .local/state/{nix,home-manager}",
-			"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " + // wait for socket to appear
+		"rm -rf .local/state/{nix,home-manager}",
-			bundle.ActivationPackage + "/activate && " + // run activation script
+		// run activation script
-			"pkill nix-daemon", // terminate nix-daemon
+		bundle.ActivationPackage + "/activate",
-		},
+	}, false, workDir, bundle, pathSet, dropShellActivate, cleanup)
-		Confinement: fst.ConfinementConfig{
-			AppID:    bundle.AppID,
-			Groups:   bundle.Groups,
-			Username: "fortify",
-			Inner:    path.Join("/data/data", bundle.ID),
-			Outer:    pathSet.homeDir,
-			Sandbox: &fst.SandboxConfig{
-				Hostname:     formatHostname(bundle.Name) + "-activate",
-				UserNS:       true,              // nix sandbox requires userns
-				NoNewSession: dropShellActivate, // home-manager activation should not need job control
-				Filesystem: []*fst.FilesystemConfig{
-					{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
-				},
-				Link: [][2]string{
-					{bundle.CurrentSystem, "/run/current-system"},
-					{"/run/current-system/sw/bin", "/bin"},
-					{"/run/current-system/sw/bin", "/usr/bin"},
-				},
-				Etc:     path.Join(pathSet.cacheDir, "etc"),
-				AutoEtc: true,
-			},
-			ExtraPerms: []*fst.ExtraPermConfig{
-				{Path: dataHome, Execute: true},
-				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-				{Path: workDir, Execute: true},
-			},
-		},
-	}
-
-	if dropShellActivate {
-		activateConfig.Command = []string{shell, "-l"}
-		fortifyApp(activateConfig, cleanup)
-		cleanup()
-		fmsg.Exit(0)
-	}
-	fortifyApp(activateConfig, cleanup)
 
 	/*
 		Installation complete. Write metadata to block re-installs or downgrades.
@@ -242,3 +182,89 @@ func actionInstall(args []string) {
 
 	cleanup()
 }
+
+func withNixDaemon(action string, command []string, net bool, workDir string, bundle *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
+	fortifyAppDropShell(&fst.Config{
+		ID: bundle.ID,
+		Command: []string{shell, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
+			// start nix-daemon
+			"nix-daemon --store / & " +
+			// wait for socket to appear
+			"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
+			strings.Join(command, " && ") +
+			// terminate nix-daemon
+			" && pkill nix-daemon",
+		},
+		Confinement: fst.ConfinementConfig{
+			AppID:    bundle.AppID,
+			Groups:   bundle.Groups,
+			Username: "fortify",
+			Inner:    path.Join("/data/data", bundle.ID),
+			Outer:    pathSet.homeDir,
+			Sandbox: &fst.SandboxConfig{
+				Hostname:     formatHostname(bundle.Name) + "-" + action,
+				UserNS:       true, // nix sandbox requires userns
+				Net:          net,
+				NoNewSession: dropShell,
+				Filesystem: []*fst.FilesystemConfig{
+					{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
+				},
+				Link: [][2]string{
+					{bundle.CurrentSystem, "/run/current-system"},
+					{"/run/current-system/sw/bin", "/bin"},
+					{"/run/current-system/sw/bin", "/usr/bin"},
+				},
+				Etc:     path.Join(pathSet.cacheDir, "etc"),
+				AutoEtc: true,
+			},
+			ExtraPerms: []*fst.ExtraPermConfig{
+				{Path: dataHome, Execute: true},
+				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+				{Path: workDir, Execute: true},
+			},
+		},
+	}, dropShell, beforeFail)
+}
+
+func withCacheDir(action string, command []string, workDir string, bundle *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
+	fortifyAppDropShell(&fst.Config{
+		ID:      bundle.ID,
+		Command: []string{shell, "-lc", strings.Join(command, " && ")},
+		Confinement: fst.ConfinementConfig{
+			AppID:    bundle.AppID,
+			Username: "nixos",
+			Inner:    path.Join("/data/data", bundle.ID, "cache"),
+			Outer:    pathSet.cacheDir, // this also ensures cacheDir via fshim
+			Sandbox: &fst.SandboxConfig{
+				Hostname:     formatHostname(bundle.Name) + "-" + action,
+				NoNewSession: dropShell,
+				Filesystem: []*fst.FilesystemConfig{
+					{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
+					{Src: workDir, Dst: path.Join(fst.Tmp, "bundle"), Must: true},
+				},
+				Link: [][2]string{
+					{bundle.CurrentSystem, "/run/current-system"},
+					{"/run/current-system/sw/bin", "/bin"},
+					{"/run/current-system/sw/bin", "/usr/bin"},
+				},
+				Etc:     path.Join(workDir, "etc"),
+				AutoEtc: true,
+			},
+			ExtraPerms: []*fst.ExtraPermConfig{
+				{Path: dataHome, Execute: true},
+				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+				{Path: workDir, Execute: true},
+			},
+		},
+	}, dropShell, beforeFail)
+}
+
+func fortifyAppDropShell(config *fst.Config, dropShell bool, beforeFail func()) {
+	if dropShell {
+		config.Command = []string{shell, "-l"}
+		fortifyApp(config, beforeFail)
+		beforeFail()
+		fmsg.Exit(0)
+	}
+	fortifyApp(config, beforeFail)
+}

cmd/fpkg/start.go

@@ -84,7 +84,31 @@ func actionStart(args []string) {
 
 	if app.GPU {
 		config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,
-			&fst.FilesystemConfig{Src: "/dev/dri", Device: true})
+			// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
+			&fst.FilesystemConfig{Src: "/dev/dri", Device: true},
+			// mali
+			&fst.FilesystemConfig{Src: "/dev/mali", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/mali0", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/umplock", Device: true},
+			// nvidia
+			&fst.FilesystemConfig{Src: "/dev/nvidiactl", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/nvidia-modeset", Device: true},
+			// nvidia OpenCL/CUDA
+			&fst.FilesystemConfig{Src: "/dev/nvidia-uvm", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/nvidia-uvm-tools", Device: true},
+
+			// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
+			&fst.FilesystemConfig{Src: "/dev/nvidia0", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia1", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/nvidia2", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia3", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/nvidia4", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia5", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/nvidia6", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia7", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/nvidia8", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia9", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/nvidia10", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia11", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/nvidia12", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia13", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/nvidia14", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia15", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/nvidia16", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia17", Device: true},
+			&fst.FilesystemConfig{Src: "/dev/nvidia18", Device: true}, &fst.FilesystemConfig{Src: "/dev/nvidia19", Device: true},
+		)
 	}
 
 	fortifyApp(config, func() {})

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733951536,
+        "lastModified": 1735344290,
-        "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
+        "narHash": "sha256-oJDtWPH1oJT34RJK1FSWjwX4qcGOBRkcNQPD0EbSfNM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
+        "rev": "613691f285dad87694c2ba1c9e6298d04736292d",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1734298236,
+        "lastModified": 1735326919,
-        "narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=",
+        "narHash": "sha256-BZlgs4l9CXAauo78giGCZdazMMk5VZNro7o5SHFUuyE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec",
+        "rev": "8f0aa155aa29f7d2b471aa2ffd322745bf2b2036",
         "type": "github"
       },
       "original": {

test.nix

@@ -198,8 +198,8 @@ nixosTest {
     machine.wait_for_file("/run/user/1000/wayland-1")
     machine.wait_for_file("/tmp/sway-ipc.sock")
 
-    # Create fortify aid 0 home directory:
+    # Create fortify uid 0 state directory:
-    machine.succeed("install -dm 0700 -o 1000000 -g 1000000 /var/lib/fortify/u0/a0")
+    machine.succeed("install -dm 0755 -o u0_a0 -g users /var/lib/fortify/u0")
 
     # Start fortify outside Wayland session:
     print(machine.succeed("sudo -u alice -i fortify -v run -a 0 touch /tmp/success-bare"))