security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases 6 Wiki Activity

hst/config: remove container etc field
All checks were successful
Test / Create distribution (push) Successful in 36s
Details
Test / Sandbox (push) Successful in 2m25s
Details
Test / Hakurei (push) Successful in 3m18s
Details
Test / Hpkg (push) Successful in 4m14s
Details
Test / Sandbox (race detector) (push) Successful in 4m32s
Details
Test / Hakurei (race detector) (push) Successful in 5m19s
Details
Test / Flake checks (push) Successful in 1m29s
Details

Browse Source 
This no longer needs special treatment since it can be specified as a generic filesystem entry.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-08-25 19:13:31 +09:00
parent 6d202d73b4
commit 0dcac55a0c
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
13 changed files with 60 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cmd/hakurei/print.go
View File

@ -12,7 +12,6 @@ import (
"text/tabwriter" "text/tabwriter"
"time" "time"
"hakurei.app/container"
"hakurei.app/hst" "hakurei.app/hst"
"hakurei.app/internal/app/state" "hakurei.app/internal/app/state"
"hakurei.app/internal/hlog" "hakurei.app/internal/hlog"
@ -104,18 +103,11 @@ func printShowInstance(
writeFlag("tty", params.Tty) writeFlag("tty", params.Tty)
writeFlag("mapuid", params.MapRealUID) writeFlag("mapuid", params.MapRealUID)
writeFlag("directwl", config.DirectWayland) writeFlag("directwl", config.DirectWayland)
writeFlag("autoetc", params.AutoEtc)
if len(flags) == 0 { if len(flags) == 0 {
flags = append(flags, "none") flags = append(flags, "none")
} }
t.Printf(" Flags:\t%s\n", strings.Join(flags, " ")) t.Printf(" Flags:\t%s\n", strings.Join(flags, " "))
etc := params.Etc
if etc == nil {
etc = container.AbsFHSEtc
}
t.Printf(" Etc:\t%s\n", etc)
if config.Path != nil { if config.Path != nil {
t.Printf(" Path:\t%s\n", config.Path) t.Printf(" Path:\t%s\n", config.Path)
} }

40
cmd/hakurei/print_test.go
View File

@ -41,13 +41,13 @@ func Test_printShowInstance(t *testing.T) {
Groups: video, dialout, plugdev Groups: video, dialout, plugdev
Data: /var/lib/hakurei/u0/org.chromium.Chromium Data: /var/lib/hakurei/u0/org.chromium.Chromium
Hostname: localhost Hostname: localhost
Flags: userns devel net abstract device tty mapuid autoetc Flags: userns devel net abstract device tty mapuid
Etc: /etc/
Path: /run/current-system/sw/bin/chromium Path: /run/current-system/sw/bin/chromium
Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
Filesystem Filesystem
autoroot:w:/var/lib/hakurei/base/org.debian autoroot:w:/var/lib/hakurei/base/org.debian
autoetc:/etc/
w+ephemeral(-rwxr-xr-x):/tmp/ w+ephemeral(-rwxr-xr-x):/tmp/
w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store
*/nix/store */nix/store
@ -83,14 +83,12 @@ App
Identity: 0 Identity: 0
Enablements: (no enablements) Enablements: (no enablements)
Flags: none Flags: none
Etc: /etc/
`}, `},
{"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `App {"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `App
Identity: 0 Identity: 0
Enablements: (no enablements) Enablements: (no enablements)
Flags: none Flags: none
Etc: /etc/
Filesystem Filesystem
<invalid> <invalid>
@ -120,13 +118,13 @@ App
Groups: video, dialout, plugdev Groups: video, dialout, plugdev
Data: /var/lib/hakurei/u0/org.chromium.Chromium Data: /var/lib/hakurei/u0/org.chromium.Chromium
Hostname: localhost Hostname: localhost
Flags: userns devel net abstract device tty mapuid autoetc Flags: userns devel net abstract device tty mapuid
Etc: /etc/
Path: /run/current-system/sw/bin/chromium Path: /run/current-system/sw/bin/chromium
Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
Filesystem Filesystem
autoroot:w:/var/lib/hakurei/base/org.debian autoroot:w:/var/lib/hakurei/base/org.debian
autoetc:/etc/
w+ephemeral(-rwxr-xr-x):/tmp/ w+ephemeral(-rwxr-xr-x):/tmp/
w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store
*/nix/store */nix/store
@ -286,6 +284,12 @@ App
"write": true, "write": true,
"special": true "special": true
}, },
{
"type": "bind",
"dst": "/etc/",
"src": "/etc/",
"special": true
},
{ {
"type": "ephemeral", "type": "ephemeral",
"dst": "/tmp/", "dst": "/tmp/",
@ -331,9 +335,7 @@ App
"target": "/run/user/65534", "target": "/run/user/65534",
"linkname": "/run/user/150" "linkname": "/run/user/150"
} }
], ]
"etc": "/etc/",
"auto_etc": true
} }
}, },
"time": "1970-01-01T00:00:00.000000009Z" "time": "1970-01-01T00:00:00.000000009Z"
@ -440,6 +442,12 @@ App
"write": true, "write": true,
"special": true "special": true
}, },
{
"type": "bind",
"dst": "/etc/",
"src": "/etc/",
"special": true
},
{ {
"type": "ephemeral", "type": "ephemeral",
"dst": "/tmp/", "dst": "/tmp/",
@ -485,9 +493,7 @@ App
"target": "/run/user/65534", "target": "/run/user/65534",
"linkname": "/run/user/150" "linkname": "/run/user/150"
} }
], ]
"etc": "/etc/",
"auto_etc": true
} }
} }
`}, `},
@ -648,6 +654,12 @@ func Test_printPs(t *testing.T) {
"write": true, "write": true,
"special": true "special": true
}, },
{
"type": "bind",
"dst": "/etc/",
"src": "/etc/",
"special": true
},
{ {
"type": "ephemeral", "type": "ephemeral",
"dst": "/tmp/", "dst": "/tmp/",
@ -693,9 +705,7 @@ func Test_printPs(t *testing.T) {
"target": "/run/user/65534", "target": "/run/user/65534",
"linkname": "/run/user/150" "linkname": "/run/user/150"
} }
], ]
"etc": "/etc/",
"auto_etc": true
} }
}, },
"time": "1970-01-01T00:00:00.000000009Z" "time": "1970-01-01T00:00:00.000000009Z"

3
cmd/hpkg/app.go
View File

@ -94,6 +94,7 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
Tty: app.Tty || flagDropShell, Tty: app.Tty || flagDropShell,
MapRealUID: app.MapRealUID, MapRealUID: app.MapRealUID,
Filesystem: []hst.FilesystemConfigJSON{ Filesystem: []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}}, {FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
{FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsTmp.Append("app")}}, {FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsTmp.Append("app")}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
@ -108,8 +109,6 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
{pathBin, pathSwBin.String()}, {pathBin, pathSwBin.String()},
{container.AbsFHSUsrBin, pathSwBin.String()}, {container.AbsFHSUsrBin, pathSwBin.String()},
}, },
Etc: pathSet.cacheDir.Append("etc"),
AutoEtc: true,
}, },
ExtraPerms: []*hst.ExtraPermConfig{ ExtraPerms: []*hst.ExtraPermConfig{
{Path: dataHome, Execute: true}, {Path: dataHome, Execute: true},

6
cmd/hpkg/with.go
View File

@ -49,6 +49,7 @@ func withNixDaemon(
SeccompFlags: seccomp.AllowMultiarch, SeccompFlags: seccomp.AllowMultiarch,
Tty: dropShell, Tty: dropShell,
Filesystem: []hst.FilesystemConfigJSON{ Filesystem: []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}}, {FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
}, },
Link: []hst.LinkConfig{ Link: []hst.LinkConfig{
@ -56,8 +57,6 @@ func withNixDaemon(
{pathBin, pathSwBin.String()}, {pathBin, pathSwBin.String()},
{container.AbsFHSUsrBin, pathSwBin.String()}, {container.AbsFHSUsrBin, pathSwBin.String()},
}, },
Etc: pathSet.cacheDir.Append("etc"),
AutoEtc: true,
}, },
}), dropShell, beforeFail) }), dropShell, beforeFail)
} }
@ -89,6 +88,7 @@ func withCacheDir(
SeccompFlags: seccomp.AllowMultiarch, SeccompFlags: seccomp.AllowMultiarch,
Tty: dropShell, Tty: dropShell,
Filesystem: []hst.FilesystemConfigJSON{ Filesystem: []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: workDir.Append(container.FHSEtc), Special: true}},
{FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}}, {FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},
{FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsTmp.Append("bundle")}}, {FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsTmp.Append("bundle")}},
}, },
@ -97,8 +97,6 @@ func withCacheDir(
{pathBin, pathSwBin.String()}, {pathBin, pathSwBin.String()},
{container.AbsFHSUsrBin, pathSwBin.String()}, {container.AbsFHSUsrBin, pathSwBin.String()},
}, },
Etc: workDir.Append(container.FHSEtc),
AutoEtc: true,
}, },
}, dropShell, beforeFail) }, dropShell, beforeFail)
} }

5
hst/config.go
View File

@ -98,11 +98,6 @@ type (
Filesystem []FilesystemConfigJSON `json:"filesystem"` Filesystem []FilesystemConfigJSON `json:"filesystem"`
// create symlinks inside container filesystem // create symlinks inside container filesystem
Link []LinkConfig `json:"symlink"` Link []LinkConfig `json:"symlink"`
// read-only /etc directory
Etc *container.Absolute `json:"etc,omitempty"`
// automatically set up /etc symlinks
AutoEtc bool `json:"auto_etc"`
} }
LinkConfig struct { LinkConfig struct {

5
hst/hst.go
View File

@ -98,6 +98,7 @@ func Template() *Config {
}, },
Filesystem: []FilesystemConfigJSON{ Filesystem: []FilesystemConfigJSON{
{&FSBind{container.AbsFHSRoot, container.AbsFHSVarLib.Append("hakurei/base/org.debian"), true, false, false, true}}, {&FSBind{container.AbsFHSRoot, container.AbsFHSVarLib.Append("hakurei/base/org.debian"), true, false, false, true}},
{&FSBind{container.AbsFHSEtc, container.AbsFHSEtc, false, false, false, true}},
{&FSEphemeral{Target: container.AbsFHSTmp, Write: true, Perm: 0755}}, {&FSEphemeral{Target: container.AbsFHSTmp, Write: true, Perm: 0755}},
{&FSOverlay{ {&FSOverlay{
Target: container.MustAbs("/nix/store"), Target: container.MustAbs("/nix/store"),
@ -112,9 +113,7 @@ func Template() *Config {
Target: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}}, Target: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}},
{&FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}}, {&FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
}, },
Link: []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}}, Link: []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}},
Etc: container.AbsFHSEtc,
AutoEtc: true,
}, },
} }
} }

10
hst/hst_test.go
View File

@ -109,6 +109,12 @@ func TestTemplate(t *testing.T) {
"write": true, "write": true,
"special": true "special": true
}, },
{
"type": "bind",
"dst": "/etc/",
"src": "/etc/",
"special": true
},
{ {
"type": "ephemeral", "type": "ephemeral",
"dst": "/tmp/", "dst": "/tmp/",
@ -154,9 +160,7 @@ func TestTemplate(t *testing.T) {
"target": "/run/user/65534", "target": "/run/user/65534",
"linkname": "/run/user/150" "linkname": "/run/user/150"
} }
], ]
"etc": "/etc/",
"auto_etc": true
} }
}` }`

3
internal/app/app_nixos_linux_test.go
View File

@ -27,7 +27,7 @@ var testCasesNixos = []sealTestCase{
Shell: m("/run/current-system/sw/bin/zsh"), Shell: m("/run/current-system/sw/bin/zsh"),
Container: &hst.ContainerConfig{ Container: &hst.ContainerConfig{
Userns: true, HostNet: true, MapRealUID: true, Env: nil, AutoEtc: true, Userns: true, HostNet: true, MapRealUID: true, Env: nil,
Filesystem: []hst.FilesystemConfigJSON{ Filesystem: []hst.FilesystemConfigJSON{
f(&hst.FSBind{Source: m("/bin")}), f(&hst.FSBind{Source: m("/bin")}),
f(&hst.FSBind{Source: m("/usr/bin/")}), f(&hst.FSBind{Source: m("/usr/bin/")}),
@ -40,6 +40,7 @@ var testCasesNixos = []sealTestCase{
f(&hst.FSBind{Source: m("/sys/devices"), Optional: true}), f(&hst.FSBind{Source: m("/sys/devices"), Optional: true}),
f(&hst.FSBind{Source: m("/run/opengl-driver")}), f(&hst.FSBind{Source: m("/run/opengl-driver")}),
f(&hst.FSBind{Source: m("/dev/dri"), Device: true, Optional: true}), f(&hst.FSBind{Source: m("/dev/dri"), Device: true, Optional: true}),
f(&hst.FSBind{Source: m("/etc/"), Target: m("/etc/"), Special: true}),
}, },
}, },
SystemBus: &dbus.Config{ SystemBus: &dbus.Config{

4
internal/app/app_pd_linux_test.go
View File

@ -49,9 +49,9 @@ var testCasesPd = []sealTestCase{
DevWritable(m("/dev/"), true). DevWritable(m("/dev/"), true).
Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional). Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional).
Readonly(m("/var/run/nscd"), 0755). Readonly(m("/var/run/nscd"), 0755).
Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac").
Tmpfs(m("/run/user/1971"), 8192, 0755). Tmpfs(m("/run/user/1971"), 8192, 0755).
Tmpfs(m("/run/dbus"), 8192, 0755). Tmpfs(m("/run/dbus"), 8192, 0755).
Etc(m("/etc/"), "4a450b6596d7bc15bd01780eb9a607ac").
Remount(m("/dev/"), syscall.MS_RDONLY). Remount(m("/dev/"), syscall.MS_RDONLY).
Tmpfs(m("/run/user/"), 4096, 0755). Tmpfs(m("/run/user/"), 4096, 0755).
Bind(m("/tmp/hakurei.1971/runtime/0"), m("/run/user/65534"), container.BindWritable). Bind(m("/tmp/hakurei.1971/runtime/0"), m("/run/user/65534"), container.BindWritable).
@ -186,9 +186,9 @@ var testCasesPd = []sealTestCase{
Bind(m("/dev/dri"), m("/dev/dri"), container.BindWritable|container.BindDevice|container.BindOptional). Bind(m("/dev/dri"), m("/dev/dri"), container.BindWritable|container.BindDevice|container.BindOptional).
Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional). Bind(m("/dev/kvm"), m("/dev/kvm"), container.BindWritable|container.BindDevice|container.BindOptional).
Readonly(m("/var/run/nscd"), 0755). Readonly(m("/var/run/nscd"), 0755).
Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c").
Tmpfs(m("/run/user/1971"), 8192, 0755). Tmpfs(m("/run/user/1971"), 8192, 0755).
Tmpfs(m("/run/dbus"), 8192, 0755). Tmpfs(m("/run/dbus"), 8192, 0755).
Etc(m("/etc/"), "ebf083d1b175911782d413369b64ce7c").
Remount(m("/dev/"), syscall.MS_RDONLY). Remount(m("/dev/"), syscall.MS_RDONLY).
Tmpfs(m("/run/user/"), 4096, 0755). Tmpfs(m("/run/user/"), 4096, 0755).
Bind(m("/tmp/hakurei.1971/runtime/9"), m("/run/user/65534"), container.BindWritable). Bind(m("/tmp/hakurei.1971/runtime/9"), m("/run/user/65534"), container.BindWritable).

12
internal/app/container_linux.go
View File

@ -244,18 +244,6 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
params.Link(l.Target, linkname, dereference) params.Link(l.Target, linkname, dereference)
} }
if !s.AutoEtc {
if s.Etc != nil {
params.Bind(s.Etc, container.AbsFHSEtc, 0)
}
} else {
if s.Etc == nil {
params.Etc(container.AbsFHSEtc, prefix)
} else {
params.Etc(s.Etc, prefix)
}
}
// no more ContainerConfig paths beyond this point // no more ContainerConfig paths beyond this point
if !s.Device { if !s.Device {
params.Remount(container.AbsFHSDev, syscall.MS_RDONLY) params.Remount(container.AbsFHSDev, syscall.MS_RDONLY)

10
internal/app/seal_linux.go
View File

@ -242,7 +242,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
HostNet: true, HostNet: true,
HostAbstract: true, HostAbstract: true,
Tty: true, Tty: true,
AutoEtc: true,
Filesystem: []hst.FilesystemConfigJSON{ Filesystem: []hst.FilesystemConfigJSON{
{&hst.FSBind{ {&hst.FSBind{
@ -267,6 +266,15 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSEphemeral{Target: nscd}}) conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSEphemeral{Target: nscd}})
} }
// do autoetc last
conf.Filesystem = append(conf.Filesystem,
hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{
Target: container.AbsFHSEtc,
Source: container.AbsFHSEtc,
Special: true,
}},
)
config.Container = conf config.Container = conf
} }

11
nixos.nix
View File

@ -180,8 +180,15 @@ in
(optDevBind "/dev/nvidia0") (optDevBind "/dev/nvidia0")
] ]
++ optionals app.useCommonPaths cfg.commonPaths ++ optionals app.useCommonPaths cfg.commonPaths
++ app.extraPaths; ++ app.extraPaths
auto_etc = true; ++ [
{
type = "bind";
dst = "/etc/";
src = "/etc/";
special = true;
}
];
symlink = [ symlink = [
{ {

2
test/sandbox/case/pd.nix
View File

@ -182,9 +182,9 @@
(ent "/" "/dev/mqueue" "rw,nosuid,nodev,noexec,relatime" "mqueue" "mqueue" "rw") (ent "/" "/dev/mqueue" "rw,nosuid,nodev,noexec,relatime" "mqueue" "mqueue" "rw")
(ent "/kvm" "/dev/kvm" "rw,nosuid" "devtmpfs" "devtmpfs" ignore) (ent "/kvm" "/dev/kvm" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/" "/run/nscd" "ro,nosuid,nodev,relatime" "tmpfs" "readonly" "ro,mode=755,uid=1000000,gid=1000000") (ent "/" "/run/nscd" "ro,nosuid,nodev,relatime" "tmpfs" "readonly" "ro,mode=755,uid=1000000,gid=1000000")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000") (ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000")
(ent "/" "/run/dbus" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000") (ent "/" "/run/dbus" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000000,gid=1000000") (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000000,gid=1000000")
(ent "/tmp/hakurei.1000/runtime/0" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/tmp/hakurei.1000/runtime/0" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/tmp/hakurei.1000/tmpdir/0" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/tmp/hakurei.1000/tmpdir/0" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")