security/hakurei
security/hakurei
6
3
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases 10 Wiki Activity

cmd/hakurei: add pipewire flag
All checks were successful
Test / Create distribution (push) Successful in 38s
Details
Test / Sandbox (push) Successful in 2m38s
Details
Test / Sandbox (race detector) (push) Successful in 4m43s
Details
Test / Hakurei (push) Successful in 5m3s
Details
Test / Hpkg (push) Successful in 5m1s
Details
Test / Hakurei (race detector) (push) Successful in 6m34s
Details
Test / Flake checks (push) Successful in 1m30s
Details

Browse Source 
This is for "run" command, formerly permissive defaults behaviour.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-12-08 02:37:13 +09:00
parent bf856f06e5
commit 104eeecf65
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
3 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
cmd/hakurei/command.go
View File

@ -91,7 +91,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
flagPrivateRuntime, flagPrivateTmpdir bool flagPrivateRuntime, flagPrivateTmpdir bool
flagWayland, flagX11, flagDBus, flagPulse bool flagWayland, flagX11, flagDBus, flagPipeWire, flagPulse bool
) )
c.NewCommand("run", "Configure and start a permissive container", func(args []string) error { c.NewCommand("run", "Configure and start a permissive container", func(args []string) error {
@ -146,6 +146,9 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
if flagDBus { if flagDBus {
et |= hst.EDBus et |= hst.EDBus
} }
if flagPipeWire || flagPulse {
et |= hst.EPipeWire
}
if flagPulse { if flagPulse {
et |= hst.EPulse et |= hst.EPulse
} }
@ -297,8 +300,10 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
"Enable direct connection to X11"). "Enable direct connection to X11").
Flag(&flagDBus, "dbus", command.BoolFlag(false), Flag(&flagDBus, "dbus", command.BoolFlag(false),
"Enable proxied connection to D-Bus"). "Enable proxied connection to D-Bus").
Flag(&flagPipeWire, "pipewire", command.BoolFlag(false),
"Enable connection to PipeWire via SecurityContext").
Flag(&flagPulse, "pulse", command.BoolFlag(false), Flag(&flagPulse, "pulse", command.BoolFlag(false),
"Enable direct connection to PulseAudio") "Enable PulseAudio compatibility daemon")
} }
{ {

6
cmd/hakurei/command_test.go
View File

@ -36,7 +36,7 @@ Commands:
}, },
{ {
"run", []string{"run", "-h"}, ` "run", []string{"run", "-h"}, `
Usage: hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pulse] COMMAND [OPTIONS] Usage: hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
Flags: Flags:
-X Enable direct connection to X11 -X Enable direct connection to X11
@ -58,12 +58,14 @@ Flags:
Reverse-DNS style Application identifier, leave empty to inherit instance identifier Reverse-DNS style Application identifier, leave empty to inherit instance identifier
-mpris -mpris
Allow owning MPRIS D-Bus path, has no effect if custom config is available Allow owning MPRIS D-Bus path, has no effect if custom config is available
-pipewire
Enable connection to PipeWire via SecurityContext
-private-runtime -private-runtime
Do not share XDG_RUNTIME_DIR between containers under the same identity Do not share XDG_RUNTIME_DIR between containers under the same identity
-private-tmpdir -private-tmpdir
Do not share TMPDIR between containers under the same identity Do not share TMPDIR between containers under the same identity
-pulse -pulse
Enable direct connection to PulseAudio Enable PulseAudio compatibility daemon
-u string -u string
Passwd user name within sandbox (default "chronos") Passwd user name within sandbox (default "chronos")
-wayland -wayland

3
dist/comp/_hakurei vendored
View File

@ -17,7 +17,8 @@ _hakurei_run() {
'--wayland[Enable connection to Wayland via security-context-v1]' \ '--wayland[Enable connection to Wayland via security-context-v1]' \
'-X[Enable direct connection to X11]' \ '-X[Enable direct connection to X11]' \
'--dbus[Enable proxied connection to D-Bus]' \ '--dbus[Enable proxied connection to D-Bus]' \
'--pulse[Enable direct connection to PulseAudio]' \ '--pipewire[Enable connection to PipeWire via SecurityContext]' \
'--pulse[Enable PulseAudio compatibility daemon]' \
'--dbus-config[Path to session bus proxy config file]: :_files -g "*.json"' \ '--dbus-config[Path to session bus proxy config file]: :_files -g "*.json"' \
'--dbus-system[Path to system bus proxy config file]: :_files -g "*.json"' \ '--dbus-system[Path to system bus proxy config file]: :_files -g "*.json"' \
'--mpris[Allow owning MPRIS D-Bus path]' \ '--mpris[Allow owning MPRIS D-Bus path]' \