security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

hst/instance: embed config struct
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 41s
Details
Test / Sandbox (race detector) (push) Successful in 40s
Details
Test / Hakurei (push) Successful in 2m20s
Details
Test / Hakurei (race detector) (push) Successful in 2m59s
Details
Test / Hpkg (push) Successful in 3m20s
Details
Test / Flake checks (push) Successful in 1m28s
Details

Browse Source 
This makes the resulting json easier to parse since it can now be deserialised into the config struct.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-10-23 23:25:46 +09:00
parent 05488bfb8f
commit 2442eda8d9
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
4 changed files with 285 additions and 293 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

552
cmd/hakurei/print_test.go
View File

@ -189,154 +189,152 @@ App
"instance": "8e2c76b066dabe574cf073bdb46eb5c1", "instance": "8e2c76b066dabe574cf073bdb46eb5c1",
"pid": 3405691582, "pid": 3405691582,
"shim_pid": 3735928559, "shim_pid": 3735928559,
"config": { "id": "org.chromium.Chromium",
"id": "org.chromium.Chromium", "enablements": {
"enablements": { "wayland": true,
"wayland": true, "dbus": true,
"dbus": true, "pulse": true
"pulse": true },
"session_bus": {
"see": null,
"talk": [
"org.freedesktop.Notifications",
"org.freedesktop.FileManager1",
"org.freedesktop.ScreenSaver",
"org.freedesktop.secrets",
"org.kde.kwalletd5",
"org.kde.kwalletd6",
"org.gnome.SessionManager"
],
"own": [
"org.chromium.Chromium.*",
"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
"org.mpris.MediaPlayer2.chromium.*"
],
"call": {
"org.freedesktop.portal.*": "*"
}, },
"session_bus": { "broadcast": {
"see": null, "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
"talk": [
"org.freedesktop.Notifications",
"org.freedesktop.FileManager1",
"org.freedesktop.ScreenSaver",
"org.freedesktop.secrets",
"org.kde.kwalletd5",
"org.kde.kwalletd6",
"org.gnome.SessionManager"
],
"own": [
"org.chromium.Chromium.*",
"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
"org.mpris.MediaPlayer2.chromium.*"
],
"call": {
"org.freedesktop.portal.*": "*"
},
"broadcast": {
"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
},
"filter": true
}, },
"system_bus": { "filter": true
"see": null, },
"talk": [ "system_bus": {
"org.bluez", "see": null,
"org.freedesktop.Avahi", "talk": [
"org.freedesktop.UPower" "org.bluez",
], "org.freedesktop.Avahi",
"own": null, "org.freedesktop.UPower"
"call": null, ],
"broadcast": null, "own": null,
"filter": true "call": null,
"broadcast": null,
"filter": true
},
"extra_perms": [
{
"ensure": true,
"path": "/var/lib/hakurei/u0",
"x": true
}, },
"extra_perms": [ {
"path": "/var/lib/hakurei/u0/org.chromium.Chromium",
"r": true,
"w": true,
"x": true
}
],
"identity": 9,
"groups": [
"video",
"dialout",
"plugdev"
],
"container": {
"hostname": "localhost",
"wait_delay": -1,
"env": {
"GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
"GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
},
"filesystem": [
{ {
"ensure": true, "type": "bind",
"path": "/var/lib/hakurei/u0", "dst": "/",
"x": true "src": "/var/lib/hakurei/base/org.debian",
"write": true,
"special": true
}, },
{ {
"path": "/var/lib/hakurei/u0/org.chromium.Chromium", "type": "bind",
"r": true, "dst": "/etc/",
"w": true, "src": "/etc/",
"x": true "special": true
},
{
"type": "ephemeral",
"dst": "/tmp/",
"write": true,
"perm": 493
},
{
"type": "overlay",
"dst": "/nix/store",
"lower": [
"/var/lib/hakurei/base/org.nixos/ro-store"
],
"upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
"work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
},
{
"type": "link",
"dst": "/run/current-system",
"linkname": "/run/current-system",
"dereference": true
},
{
"type": "link",
"dst": "/run/opengl-driver",
"linkname": "/run/opengl-driver",
"dereference": true
},
{
"type": "bind",
"dst": "/data/data/org.chromium.Chromium",
"src": "/var/lib/hakurei/u0/org.chromium.Chromium",
"write": true,
"ensure": true
},
{
"type": "bind",
"src": "/dev/dri",
"dev": true,
"optional": true
} }
], ],
"identity": 9, "username": "chronos",
"groups": [ "shell": "/run/current-system/sw/bin/zsh",
"video", "home": "/data/data/org.chromium.Chromium",
"dialout", "path": "/run/current-system/sw/bin/chromium",
"plugdev" "args": [
"chromium",
"--ignore-gpu-blocklist",
"--disable-smooth-scrolling",
"--enable-features=UseOzonePlatform",
"--ozone-platform=wayland"
], ],
"container": { "seccomp_compat": true,
"hostname": "localhost", "devel": true,
"wait_delay": -1, "userns": true,
"env": { "host_net": true,
"GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY", "host_abstract": true,
"GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com", "tty": true,
"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT" "multiarch": true,
}, "map_real_uid": true,
"filesystem": [ "device": true,
{ "share_runtime": true,
"type": "bind", "share_tmpdir": true
"dst": "/",
"src": "/var/lib/hakurei/base/org.debian",
"write": true,
"special": true
},
{
"type": "bind",
"dst": "/etc/",
"src": "/etc/",
"special": true
},
{
"type": "ephemeral",
"dst": "/tmp/",
"write": true,
"perm": 493
},
{
"type": "overlay",
"dst": "/nix/store",
"lower": [
"/var/lib/hakurei/base/org.nixos/ro-store"
],
"upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
"work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
},
{
"type": "link",
"dst": "/run/current-system",
"linkname": "/run/current-system",
"dereference": true
},
{
"type": "link",
"dst": "/run/opengl-driver",
"linkname": "/run/opengl-driver",
"dereference": true
},
{
"type": "bind",
"dst": "/data/data/org.chromium.Chromium",
"src": "/var/lib/hakurei/u0/org.chromium.Chromium",
"write": true,
"ensure": true
},
{
"type": "bind",
"src": "/dev/dri",
"dev": true,
"optional": true
}
],
"username": "chronos",
"shell": "/run/current-system/sw/bin/zsh",
"home": "/data/data/org.chromium.Chromium",
"path": "/run/current-system/sw/bin/chromium",
"args": [
"chromium",
"--ignore-gpu-blocklist",
"--disable-smooth-scrolling",
"--enable-features=UseOzonePlatform",
"--ozone-platform=wayland"
],
"seccomp_compat": true,
"devel": true,
"userns": true,
"host_net": true,
"host_abstract": true,
"tty": true,
"multiarch": true,
"map_real_uid": true,
"device": true,
"share_runtime": true,
"share_tmpdir": true
}
}, },
"time": "1970-01-01T00:00:00.000000009Z" "time": "1970-01-01T00:00:00.000000009Z"
} }
@ -537,154 +535,152 @@ func TestPrintPs(t *testing.T) {
"instance": "8e2c76b066dabe574cf073bdb46eb5c1", "instance": "8e2c76b066dabe574cf073bdb46eb5c1",
"pid": 3405691582, "pid": 3405691582,
"shim_pid": 3735928559, "shim_pid": 3735928559,
"config": { "id": "org.chromium.Chromium",
"id": "org.chromium.Chromium", "enablements": {
"enablements": { "wayland": true,
"wayland": true, "dbus": true,
"dbus": true, "pulse": true
"pulse": true },
"session_bus": {
"see": null,
"talk": [
"org.freedesktop.Notifications",
"org.freedesktop.FileManager1",
"org.freedesktop.ScreenSaver",
"org.freedesktop.secrets",
"org.kde.kwalletd5",
"org.kde.kwalletd6",
"org.gnome.SessionManager"
],
"own": [
"org.chromium.Chromium.*",
"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
"org.mpris.MediaPlayer2.chromium.*"
],
"call": {
"org.freedesktop.portal.*": "*"
}, },
"session_bus": { "broadcast": {
"see": null, "org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
"talk": [
"org.freedesktop.Notifications",
"org.freedesktop.FileManager1",
"org.freedesktop.ScreenSaver",
"org.freedesktop.secrets",
"org.kde.kwalletd5",
"org.kde.kwalletd6",
"org.gnome.SessionManager"
],
"own": [
"org.chromium.Chromium.*",
"org.mpris.MediaPlayer2.org.chromium.Chromium.*",
"org.mpris.MediaPlayer2.chromium.*"
],
"call": {
"org.freedesktop.portal.*": "*"
},
"broadcast": {
"org.freedesktop.portal.*": "@/org/freedesktop/portal/*"
},
"filter": true
}, },
"system_bus": { "filter": true
"see": null, },
"talk": [ "system_bus": {
"org.bluez", "see": null,
"org.freedesktop.Avahi", "talk": [
"org.freedesktop.UPower" "org.bluez",
], "org.freedesktop.Avahi",
"own": null, "org.freedesktop.UPower"
"call": null, ],
"broadcast": null, "own": null,
"filter": true "call": null,
"broadcast": null,
"filter": true
},
"extra_perms": [
{
"ensure": true,
"path": "/var/lib/hakurei/u0",
"x": true
}, },
"extra_perms": [ {
"path": "/var/lib/hakurei/u0/org.chromium.Chromium",
"r": true,
"w": true,
"x": true
}
],
"identity": 9,
"groups": [
"video",
"dialout",
"plugdev"
],
"container": {
"hostname": "localhost",
"wait_delay": -1,
"env": {
"GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY",
"GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT"
},
"filesystem": [
{ {
"ensure": true, "type": "bind",
"path": "/var/lib/hakurei/u0", "dst": "/",
"x": true "src": "/var/lib/hakurei/base/org.debian",
"write": true,
"special": true
}, },
{ {
"path": "/var/lib/hakurei/u0/org.chromium.Chromium", "type": "bind",
"r": true, "dst": "/etc/",
"w": true, "src": "/etc/",
"x": true "special": true
},
{
"type": "ephemeral",
"dst": "/tmp/",
"write": true,
"perm": 493
},
{
"type": "overlay",
"dst": "/nix/store",
"lower": [
"/var/lib/hakurei/base/org.nixos/ro-store"
],
"upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
"work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
},
{
"type": "link",
"dst": "/run/current-system",
"linkname": "/run/current-system",
"dereference": true
},
{
"type": "link",
"dst": "/run/opengl-driver",
"linkname": "/run/opengl-driver",
"dereference": true
},
{
"type": "bind",
"dst": "/data/data/org.chromium.Chromium",
"src": "/var/lib/hakurei/u0/org.chromium.Chromium",
"write": true,
"ensure": true
},
{
"type": "bind",
"src": "/dev/dri",
"dev": true,
"optional": true
} }
], ],
"identity": 9, "username": "chronos",
"groups": [ "shell": "/run/current-system/sw/bin/zsh",
"video", "home": "/data/data/org.chromium.Chromium",
"dialout", "path": "/run/current-system/sw/bin/chromium",
"plugdev" "args": [
"chromium",
"--ignore-gpu-blocklist",
"--disable-smooth-scrolling",
"--enable-features=UseOzonePlatform",
"--ozone-platform=wayland"
], ],
"container": { "seccomp_compat": true,
"hostname": "localhost", "devel": true,
"wait_delay": -1, "userns": true,
"env": { "host_net": true,
"GOOGLE_API_KEY": "AIzaSyBHDrl33hwRp4rMQY0ziRbj8K9LPA6vUCY", "host_abstract": true,
"GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com", "tty": true,
"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT" "multiarch": true,
}, "map_real_uid": true,
"filesystem": [ "device": true,
{ "share_runtime": true,
"type": "bind", "share_tmpdir": true
"dst": "/",
"src": "/var/lib/hakurei/base/org.debian",
"write": true,
"special": true
},
{
"type": "bind",
"dst": "/etc/",
"src": "/etc/",
"special": true
},
{
"type": "ephemeral",
"dst": "/tmp/",
"write": true,
"perm": 493
},
{
"type": "overlay",
"dst": "/nix/store",
"lower": [
"/var/lib/hakurei/base/org.nixos/ro-store"
],
"upper": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/upper",
"work": "/var/lib/hakurei/nix/u0/org.chromium.Chromium/rw-store/work"
},
{
"type": "link",
"dst": "/run/current-system",
"linkname": "/run/current-system",
"dereference": true
},
{
"type": "link",
"dst": "/run/opengl-driver",
"linkname": "/run/opengl-driver",
"dereference": true
},
{
"type": "bind",
"dst": "/data/data/org.chromium.Chromium",
"src": "/var/lib/hakurei/u0/org.chromium.Chromium",
"write": true,
"ensure": true
},
{
"type": "bind",
"src": "/dev/dri",
"dev": true,
"optional": true
}
],
"username": "chronos",
"shell": "/run/current-system/sw/bin/zsh",
"home": "/data/data/org.chromium.Chromium",
"path": "/run/current-system/sw/bin/chromium",
"args": [
"chromium",
"--ignore-gpu-blocklist",
"--disable-smooth-scrolling",
"--enable-features=UseOzonePlatform",
"--ozone-platform=wayland"
],
"seccomp_compat": true,
"devel": true,
"userns": true,
"host_net": true,
"host_abstract": true,
"tty": true,
"multiarch": true,
"map_real_uid": true,
"device": true,
"share_runtime": true,
"share_tmpdir": true
}
}, },
"time": "1970-01-01T00:00:00.000000009Z" "time": "1970-01-01T00:00:00.000000009Z"
} }

10
cmd/hpkg/test/test.py
View File

@ -60,13 +60,11 @@ def check_state(name, enablements):
raise Exception(f"unexpected state length {len(instances)}") raise Exception(f"unexpected state length {len(instances)}")
instance = next(iter(instances.values())) instance = next(iter(instances.values()))
config = instance['config'] if len(instance['container']['args']) != 1 or not (instance['container']['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (instance['container']['args'][0]):
raise Exception(f"unexpected args {instance['container']['args']}")
if len(config['container']['args']) != 1 or not (config['container']['args'][0].startswith("/nix/store/")) or f"hakurei-{name}-" not in (config['container']['args'][0]): if instance['enablements'] != enablements:
raise Exception(f"unexpected args {config['container']['args']}") raise Exception(f"unexpected enablements {instance['enablements']}")
if config['enablements'] != enablements:
raise Exception(f"unexpected enablements {config['enablements']}")
start_all() start_all()

2
hst/instance.go
View File

@ -80,7 +80,7 @@ type State struct {
ShimPID int `json:"shim_pid"` ShimPID int `json:"shim_pid"`
// Configuration used to start the container. // Configuration used to start the container.
Config *Config `json:"config"` *Config
// Point in time the shim process was created. // Point in time the shim process was created.
Time time.Time `json:"time"` Time time.Time `json:"time"`

14
test/test.py
View File

@ -58,17 +58,15 @@ def check_state(name, enablements):
raise Exception(f"unexpected state length {len(instances)}") raise Exception(f"unexpected state length {len(instances)}")
instance = next(iter(instances.values())) instance = next(iter(instances.values()))
config = instance['config']
command = f"{name}-start" command = f"{name}-start"
if not (config['container']['path'].startswith("/nix/store/")) or not (config['container']['path'].endswith(command)): if not (instance['container']['path'].startswith("/nix/store/")) or not (instance['container']['path'].endswith(command)):
raise Exception(f"unexpected path {config['path']}") raise Exception(f"unexpected path {instance['path']}")
if len(config['container']['args']) != 1 or config['container']['args'][0] != command: if len(instance['container']['args']) != 1 or instance['container']['args'][0] != command:
raise Exception(f"unexpected args {config['args']}") raise Exception(f"unexpected args {instance['args']}")
if config['enablements'] != enablements: if instance['enablements'] != enablements:
raise Exception(f"unexpected enablements {config['enablements']['enablements']}") raise Exception(f"unexpected enablements {instance['enablements']['enablements']}")
def hakurei(command): def hakurei(command):