nix: create current-system symlink

This is copied at runtime because it appears to be impossible to obtain this path in nix.

Signed-off-by: Ophestra <cat@gensokyo.uk>

fst/sandbox.go

@@ -245,9 +245,7 @@ func (s *SandboxConfig) ToContainer(sys SandboxSys, uid, gid *int) (*sandbox.Par
 		if etcPath == "" {
 			etcPath = "/etc"
 		}
-		container.
+		container.Bind(etcPath, Tmp+"/etc", 0)
-			Bind(etcPath, Tmp+"/etc", 0).
-			Mkdir("/etc", 0700)
 
 		// link host /etc contents to prevent dropping passwd/group bind mounts
 		if d, err := sys.ReadDir(etcPath); err != nil {

internal/app/app_nixos_test.go

@@ -124,7 +124,6 @@ var testCasesNixos = []sealTestCase{
 				Bind("/run/opengl-driver", "/run/opengl-driver", 0).
 				Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
 				Bind("/etc", fst.Tmp+"/etc", 0).
-				Mkdir("/etc", 0700).
 				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
 				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
 				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").

internal/app/app_pd_test.go

@@ -67,7 +67,6 @@ var testCasesPd = []sealTestCase{
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Bind("/etc", fst.Tmp+"/etc", 0).
-				Mkdir("/etc", 0700).
 				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
 				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
 				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").
@@ -288,7 +287,6 @@ var testCasesPd = []sealTestCase{
 				Tmpfs("/run/user/1971", 8192, 0755).
 				Tmpfs("/run/dbus", 8192, 0755).
 				Bind("/etc", fst.Tmp+"/etc", 0).
-				Mkdir("/etc", 0700).
 				Link(fst.Tmp+"/etc/alsa", "/etc/alsa").
 				Link(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
 				Link(fst.Tmp+"/etc/binfmt.d", "/etc/binfmt.d").

nixos.nix

@@ -84,6 +84,8 @@ in
                   command = if app.command == null then app.name else app.command;
                   script = if app.script == null then ("exec " + command + " $@") else app.script;
                   enablements = with app.capability; (if wayland then 1 else 0) + (if x11 then 2 else 0) + (if dbus then 4 else 0) + (if pulse then 8 else 0);
+                  isGraphical = if app.gpu != null then app.gpu else app.capability.wayland || app.capability.x11;
+
                   conf = {
                     inherit (app) id;
                     path = pkgs.writeScript "${app.name}-start" ''
@@ -91,6 +93,7 @@ in
                       ${script}
                     '';
                     args = [ "${app.name}-start" ];
+
                     confinement = {
                       app_id = aid;
                       inherit (app) groups;
@@ -108,6 +111,7 @@ in
                           ;
                         map_real_uid = app.mapRealUid;
                         direct_wayland = app.insecureWayland;
+
                         filesystem =
                           let
                             bind = src: { inherit src; };
@@ -124,7 +128,6 @@ in
                             (mustBind "/bin")
                             (mustBind "/usr/bin")
                             (mustBind "/nix/store")
-                            (mustBind "/run/current-system")
                             (bind "/sys/block")
                             (bind "/sys/bus")
                             (bind "/sys/class")
@@ -135,8 +138,7 @@ in
                             (mustBind "/nix/var")
                             (bind "/var/db/nix-channels")
                           ]
-                          ++ optionals (if app.gpu != null then app.gpu else app.capability.wayland || app.capability.x11) [
+                          ++ optionals isGraphical [
-                            (bind "/run/opengl-driver")
                             (devBind "/dev/dri")
                             (devBind "/dev/nvidiactl")
                             (devBind "/dev/nvidia-modeset")
@@ -147,7 +149,30 @@ in
                           ++ app.extraPaths;
                         auto_etc = true;
                         cover = [ "/var/run/nscd" ];
+
+                        symlink =
+                          [
+                            [
+                              "*/run/current-system"
+                              "/run/current-system"
+                            ]
+                          ]
+                          ++ optionals (isGraphical && config.hardware.graphics.enable) (
+                            [
+                              [
+                                config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver"."L+".argument
+                                "/run/opengl-driver"
+                              ]
+                            ]
+                            ++ optionals (app.multiarch && config.hardware.graphics.enable32Bit) [
+                              [
+                                config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver-32"."L+".argument
+                                /run/opengl-driver-32
+                              ]
+                            ]
+                          );
                       };
+
                       inherit enablements;
                       inherit (dbusConfig) session_bus system_bus;
                     };

sandbox/container.go

@@ -96,6 +96,9 @@ type (
 		*Ops
 		// Extra seccomp options.
 		Seccomp seccomp.SyscallOpts
+		// Permission bits of newly created parent directories.
+		// The zero value is interpreted as 0755.
+		ParentPerm os.FileMode
 
 		Flags HardeningFlags
 	}

sandbox/init.go

@@ -68,6 +68,9 @@ func Init(prepare func(prefix string), setVerbose func(verbose bool)) {
 		if params.Ops == nil {
 			log.Fatal("invalid setup parameters")
 		}
+		if params.ParentPerm == 0 {
+			params.ParentPerm = 0755
+		}
 
 		setVerbose(params.Verbose)
 		msg.Verbose("received setup parameters")

sandbox/mount.go

@@ -25,7 +25,7 @@ func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) err
 
 	var targetFinal string
 	if v, err := filepath.EvalSymlinks(target); err != nil {
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	} else {
 		targetFinal = v
 		if targetFinal != target {
@@ -45,7 +45,7 @@ func (p *procPaths) bindMount(source, target string, flags uintptr, eq bool) err
 				fmt.Sprintf("cannot open %q:", targetFinal))
 		}
 		if v, err := os.Readlink(p.fd(destFd)); err != nil {
-			return msg.WrapErr(err, err.Error())
+			return wrapErrSelf(err)
 		} else if err = syscall.Close(destFd); err != nil {
 			return wrapErrSuffix(err,
 				fmt.Sprintf("cannot close %q:", targetFinal))
@@ -102,7 +102,7 @@ func remountWithFlags(n *vfs.MountInfoNode, mf uintptr) error {
 func mountTmpfs(fsname, name string, size int, perm os.FileMode) error {
 	target := toSysroot(name)
 	if err := os.MkdirAll(target, parentPerm(perm)); err != nil {
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	}
 	opt := fmt.Sprintf("mode=%#o", perm)
 	if size > 0 {

sandbox/output.go

@@ -17,3 +17,10 @@ func wrapErrSuffix(err error, a ...any) error {
 	}
 	return msg.WrapErr(err, append(a, err)...)
 }
+
+func wrapErrSelf(err error) error {
+	if err == nil {
+		return nil
+	}
+	return msg.WrapErr(err, err.Error())
+}

sandbox/path.go

@@ -32,16 +32,16 @@ func toHost(name string) string {
 
 func createFile(name string, perm, pperm os.FileMode, content []byte) error {
 	if err := os.MkdirAll(path.Dir(name), pperm); err != nil {
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	}
 	f, err := os.OpenFile(name, syscall.O_CREAT|syscall.O_EXCL|syscall.O_WRONLY, perm)
 	if err != nil {
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	}
 	if content != nil {
 		_, err = f.Write(content)
 		if err != nil {
-			err = msg.WrapErr(err, err.Error())
+			err = wrapErrSelf(err)
 		}
 	}
 	return errors.Join(f.Close(), err)
@@ -78,7 +78,7 @@ func (p *procPaths) stdout() string   { return p.self + "/fd/1" }
 func (p *procPaths) fd(fd int) string { return p.self + "/fd/" + strconv.Itoa(fd) }
 func (p *procPaths) mountinfo(f func(d *vfs.MountInfoDecoder) error) error {
 	if r, err := os.Open(p.self + "/mountinfo"); err != nil {
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	} else {
 		d := vfs.NewMountInfoDecoder(r)
 		err0 := f(d)

sandbox/sequential.go

@@ -8,6 +8,7 @@ import (
 	"path"
 	"path/filepath"
 	"slices"
+	"strings"
 	"syscall"
 	"unsafe"
 )
@@ -38,7 +39,7 @@ func (b *BindMount) early(*Params) error {
 			b.SourceFinal = "\x00"
 			return nil
 		}
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	} else {
 		b.SourceFinal = v
 		return nil
@@ -65,10 +66,10 @@ func (b *BindMount) apply(*Params) error {
 	// this perm value emulates bwrap behaviour as it clears bits from 0755 based on
 	// op->perms which is never set for any bind setup op so always results in 0700
 	if fi, err := os.Stat(source); err != nil {
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	} else if fi.IsDir() {
 		if err = os.MkdirAll(target, 0700); err != nil {
-			return msg.WrapErr(err, err.Error())
+			return wrapErrSelf(err)
 		}
 	} else if err = ensureFile(target, 0444, 0700); err != nil {
 		return err
@@ -104,7 +105,7 @@ func init() { gob.Register(new(MountProc)) }
 type MountProc string
 
 func (p MountProc) early(*Params) error { return nil }
-func (p MountProc) apply(*Params) error {
+func (p MountProc) apply(params *Params) error {
 	v := string(p)
 
 	if !path.IsAbs(v) {
@@ -113,8 +114,8 @@ func (p MountProc) apply(*Params) error {
 	}
 
 	target := toSysroot(v)
-	if err := os.MkdirAll(target, 0755); err != nil {
+	if err := os.MkdirAll(target, params.ParentPerm); err != nil {
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	}
 	return wrapErrSuffix(syscall.Mount("proc", target, "proc",
 		syscall.MS_NOSUID|syscall.MS_NOEXEC|syscall.MS_NODEV, ""),
@@ -144,13 +145,13 @@ func (d MountDev) apply(params *Params) error {
 	}
 	target := toSysroot(v)
 
-	if err := mountTmpfs("devtmpfs", v, 0, 0755); err != nil {
+	if err := mountTmpfs("devtmpfs", v, 0, params.ParentPerm); err != nil {
 		return err
 	}
 
 	for _, name := range []string{"null", "zero", "full", "random", "urandom", "tty"} {
 		targetPath := toSysroot(path.Join(v, name))
-		if err := ensureFile(targetPath, 0444, 0755); err != nil {
+		if err := ensureFile(targetPath, 0444, params.ParentPerm); err != nil {
 			return err
 		}
 		if err := hostProc.bindMount(
@@ -167,7 +168,7 @@ func (d MountDev) apply(params *Params) error {
 			"/proc/self/fd/"+string(rune(i+'0')),
 			path.Join(target, name),
 		); err != nil {
-			return msg.WrapErr(err, err.Error())
+			return wrapErrSelf(err)
 		}
 	}
 	for _, pair := range [][2]string{
@@ -176,14 +177,14 @@ func (d MountDev) apply(params *Params) error {
 		{"pts/ptmx", "ptmx"},
 	} {
 		if err := os.Symlink(pair[0], path.Join(target, pair[1])); err != nil {
-			return msg.WrapErr(err, err.Error())
+			return wrapErrSelf(err)
 		}
 	}
 
 	devPtsPath := path.Join(target, "pts")
 	for _, name := range []string{path.Join(target, "shm"), devPtsPath} {
-		if err := os.Mkdir(name, 0755); err != nil {
+		if err := os.Mkdir(name, params.ParentPerm); err != nil {
-			return msg.WrapErr(err, err.Error())
+			return wrapErrSelf(err)
 		}
 	}
 
@@ -201,11 +202,11 @@ func (d MountDev) apply(params *Params) error {
 			uintptr(unsafe.Pointer(&buf[0])),
 		); errno == 0 {
 			consolePath := toSysroot(path.Join(v, "console"))
-			if err := ensureFile(consolePath, 0444, 0755); err != nil {
+			if err := ensureFile(consolePath, 0444, params.ParentPerm); err != nil {
 				return err
 			}
 			if name, err := os.Readlink(hostProc.stdout()); err != nil {
-				return msg.WrapErr(err, err.Error())
+				return wrapErrSelf(err)
 			} else if err = hostProc.bindMount(
 				toHost(name),
 				consolePath,
@@ -234,7 +235,7 @@ func init() { gob.Register(new(MountMqueue)) }
 type MountMqueue string
 
 func (m MountMqueue) early(*Params) error { return nil }
-func (m MountMqueue) apply(*Params) error {
+func (m MountMqueue) apply(params *Params) error {
 	v := string(m)
 
 	if !path.IsAbs(v) {
@@ -243,8 +244,8 @@ func (m MountMqueue) apply(*Params) error {
 	}
 
 	target := toSysroot(v)
-	if err := os.MkdirAll(target, 0755); err != nil {
+	if err := os.MkdirAll(target, params.ParentPerm); err != nil {
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	}
 	return wrapErrSuffix(syscall.Mount("mqueue", target, "mqueue",
 		syscall.MS_NOSUID|syscall.MS_NOEXEC|syscall.MS_NODEV, ""),
@@ -294,8 +295,22 @@ func init() { gob.Register(new(Symlink)) }
 // Symlink creates a symlink in the container filesystem.
 type Symlink [2]string
 
-func (l *Symlink) early(*Params) error { return nil }
+func (l *Symlink) early(*Params) error {
-func (l *Symlink) apply(*Params) error {
+	if strings.HasPrefix(l[0], "*") {
+		l[0] = l[0][1:]
+		if !path.IsAbs(l[0]) {
+			return msg.WrapErr(syscall.EBADE,
+				fmt.Sprintf("path %q is not absolute", l[0]))
+		}
+		if name, err := os.Readlink(l[0]); err != nil {
+			return wrapErrSelf(err)
+		} else {
+			l[0] = name
+		}
+	}
+	return nil
+}
+func (l *Symlink) apply(params *Params) error {
 	// symlink target is an arbitrary path value, so only validate link name here
 	if !path.IsAbs(l[1]) {
 		return msg.WrapErr(syscall.EBADE,
@@ -303,14 +318,11 @@ func (l *Symlink) apply(*Params) error {
 	}
 
 	target := toSysroot(l[1])
-	if err := ensureFile(target, 0444, 0755); err != nil {
+	if err := os.MkdirAll(path.Dir(target), params.ParentPerm); err != nil {
-		return err
+		return wrapErrSelf(err)
-	}
-	if err := os.Remove(target); err != nil {
-		return msg.WrapErr(err, err.Error())
 	}
 	if err := os.Symlink(l[0], target); err != nil {
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	}
 	return nil
 }
@@ -339,7 +351,7 @@ func (m *Mkdir) apply(*Params) error {
 	}
 
 	if err := os.MkdirAll(toSysroot(m.Path), m.Perm); err != nil {
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	}
 	return nil
 }
@@ -361,7 +373,7 @@ type Tmpfile struct {
 }
 
 func (t *Tmpfile) early(*Params) error { return nil }
-func (t *Tmpfile) apply(*Params) error {
+func (t *Tmpfile) apply(params *Params) error {
 	if !path.IsAbs(t.Path) {
 		return msg.WrapErr(syscall.EBADE,
 			fmt.Sprintf("path %q is not absolute", t.Path))
@@ -369,7 +381,7 @@ func (t *Tmpfile) apply(*Params) error {
 
 	var tmpPath string
 	if f, err := os.CreateTemp("/", "tmp.*"); err != nil {
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	} else if _, err = f.Write(t.Data); err != nil {
 		return wrapErrSuffix(err,
 			"cannot write to intermediate file:")
@@ -381,7 +393,7 @@ func (t *Tmpfile) apply(*Params) error {
 	}
 
 	target := toSysroot(t.Path)
-	if err := ensureFile(target, 0444, 0755); err != nil {
+	if err := ensureFile(target, 0444, params.ParentPerm); err != nil {
 		return err
 	} else if err = hostProc.bindMount(
 		tmpPath,
@@ -391,7 +403,7 @@ func (t *Tmpfile) apply(*Params) error {
 	); err != nil {
 		return err
 	} else if err = os.Remove(tmpPath); err != nil {
-		return msg.WrapErr(err, err.Error())
+		return wrapErrSelf(err)
 	}
 	return nil
 }

test/sandbox/case/mapuid.nix

@@ -39,7 +39,7 @@
         urandom = fs "42001b6" null null;
         zero = fs "42001b6" null null;
       } null;
-      etc = fs "800001c0" {
+      etc = fs "800001ed" {
         ".clean" = fs "80001ff" null null;
         ".updated" = fs "80001ff" null null;
         "NIXOS" = fs "80001ff" null null;
@@ -111,9 +111,9 @@
       } null;
       nix = fs "800001c0" { store = fs "801001fd" null null; } null;
       proc = fs "8000016d" null null;
-      run = fs "800001c0" {
+      run = fs "800001ed" {
-        current-system = fs "8000016d" null null;
+        current-system = fs "80001ff" null null;
-        opengl-driver = fs "8000016d" null null;
+        opengl-driver = fs "80001ff" null null;
         user = fs "800001ed" {
           "1000" = fs "800001ed" {
             bus = fs "10001fd" null null;
@@ -195,13 +195,11 @@
       (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
       (ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
       (ent "/" "/nix/store" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
-      (ent ignore "/run/current-system" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
       (ent "/block" "/sys/block" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/bus" "/sys/bus" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
-      (ent ignore "/run/opengl-driver" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
       (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
       (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
       (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")

test/sandbox/case/preset.nix

@@ -39,7 +39,7 @@
         urandom = fs "42001b6" null null;
         zero = fs "42001b6" null null;
       } null;
-      etc = fs "800001c0" {
+      etc = fs "800001ed" {
         ".clean" = fs "80001ff" null null;
         ".updated" = fs "80001ff" null null;
         "NIXOS" = fs "80001ff" null null;
@@ -111,9 +111,9 @@
       } null;
       nix = fs "800001c0" { store = fs "801001fd" null null; } null;
       proc = fs "8000016d" null null;
-      run = fs "800001c0" {
+      run = fs "800001ed" {
-        current-system = fs "8000016d" null null;
+        current-system = fs "80001ff" null null;
-        opengl-driver = fs "8000016d" null null;
+        opengl-driver = fs "80001ff" null null;
         user = fs "800001ed" {
           "65534" = fs "800001ed" {
             bus = fs "10001fd" null null;
@@ -195,13 +195,11 @@
       (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
       (ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
       (ent "/" "/nix/store" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
-      (ent ignore "/run/current-system" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
       (ent "/block" "/sys/block" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/bus" "/sys/bus" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
-      (ent ignore "/run/opengl-driver" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
       (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
       (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
       (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000001,gid=1000001")

test/sandbox/case/tty.nix

@@ -40,7 +40,7 @@
         urandom = fs "42001b6" null null;
         zero = fs "42001b6" null null;
       } null;
-      etc = fs "800001c0" {
+      etc = fs "800001ed" {
         ".clean" = fs "80001ff" null null;
         ".updated" = fs "80001ff" null null;
         "NIXOS" = fs "80001ff" null null;
@@ -112,9 +112,9 @@
       } null;
       nix = fs "800001c0" { store = fs "801001fd" null null; } null;
       proc = fs "8000016d" null null;
-      run = fs "800001c0" {
+      run = fs "800001ed" {
-        current-system = fs "8000016d" null null;
+        current-system = fs "80001ff" null null;
-        opengl-driver = fs "8000016d" null null;
+        opengl-driver = fs "80001ff" null null;
         user = fs "800001ed" {
           "65534" = fs "800001ed" {
             bus = fs "10001fd" null null;
@@ -197,13 +197,11 @@
       (ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
       (ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
       (ent "/" "/nix/store" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
-      (ent ignore "/run/current-system" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
       (ent "/block" "/sys/block" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/bus" "/sys/bus" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
       (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
-      (ent ignore "/run/opengl-driver" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
       (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
       (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
       (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")

test/test.py

@@ -141,7 +141,7 @@ def silent_output_interrupt(flags):
     wait_for_window("alice@machine")
     # aid 0 does not have home-manager
     machine.send_chars(f"exec fortify run {flags}-a 0 sh -c 'export PATH=/run/current-system/sw/bin:$PATH && touch /tmp/pd-silent-ready && sleep infinity' &>/tmp/pd-silent\n")
-    machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/pd-silent-ready", timeout=10)
+    machine.wait_for_file("/tmp/fortify.1000/tmpdir/0/pd-silent-ready", timeout=15)
     machine.succeed("rm /tmp/fortify.1000/tmpdir/0/pd-silent-ready")
     machine.send_key("ctrl-c")
     machine.wait_until_fails("pgrep foot", timeout=5)
@@ -172,18 +172,18 @@ fortify("-v run --wayland -X --dbus --pulse -u p1 foot && touch /tmp/p1-exit-ok"
 wait_for_window("p1@machine")
 print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000"))
 machine.send_chars("exit\n")
-machine.wait_for_file("/tmp/p1-exit-ok", timeout=10)
+machine.wait_for_file("/tmp/p1-exit-ok", timeout=15)
 # Verify acl is kept alive:
 print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000"))
 machine.send_chars("exit\n")
-machine.wait_for_file("/tmp/p0-exit-ok", timeout=10)
+machine.wait_for_file("/tmp/p0-exit-ok", timeout=15)
 machine.fail("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 1000000")
 
 # Start app (foot) with Wayland enablement:
 swaymsg("exec ne-foot")
 wait_for_window(f"u0_a{aid(0)}@machine")
 machine.send_chars("clear; wayland-info && touch /tmp/client-ok\n")
-machine.wait_for_file(tmpdir_path(0, "client-ok"), timeout=10)
+machine.wait_for_file(tmpdir_path(0, "client-ok"), timeout=15)
 collect_state_ui("foot_wayland")
 check_state("ne-foot", 1)
 # Verify acl on XDG_RUNTIME_DIR:
@@ -197,7 +197,7 @@ machine.wait_until_fails(f"getfacl --absolute-names --omit-header --numeric /run
 swaymsg("exec foot $SHELL -c '(ne-foot) & sleep 1 && fortify show $(fortify ps --short) && touch /tmp/ps-show-ok && cat'")
 wait_for_window(f"u0_a{aid(0)}@machine")
 machine.send_chars("clear; wayland-info && touch /tmp/term-ok\n")
-machine.wait_for_file(tmpdir_path(0, "term-ok"), timeout=10)
+machine.wait_for_file(tmpdir_path(0, "term-ok"), timeout=15)
 machine.wait_for_file("/tmp/ps-show-ok", timeout=5)
 collect_state_ui("foot_wayland_term")
 check_state("ne-foot", 1)
@@ -220,7 +220,7 @@ machine.wait_until_fails("pgrep foot", timeout=5)
 swaymsg("exec x11-alacritty")
 wait_for_window(f"u0_a{aid(2)}@machine")
 machine.send_chars("clear; glinfo && touch /tmp/x11-ok\n")
-machine.wait_for_file(tmpdir_path(2, "x11-ok"), timeout=10)
+machine.wait_for_file(tmpdir_path(2, "x11-ok"), timeout=15)
 collect_state_ui("alacritty_x11")
 check_state("x11-alacritty", 2)
 machine.send_chars("exit\n")
@@ -231,7 +231,7 @@ swaymsg("exec da-foot")
 wait_for_window(f"u0_a{aid(3)}@machine")
 machine.send_chars("clear; wayland-info && touch /tmp/direct-ok\n")
 collect_state_ui("foot_direct")
-machine.wait_for_file(tmpdir_path(3, "direct-ok"), timeout=10)
+machine.wait_for_file(tmpdir_path(3, "direct-ok"), timeout=15)
 check_state("da-foot", 1)
 # Verify acl on XDG_RUNTIME_DIR:
 print(machine.succeed(f"getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep {aid(3) + 1000000}"))