hst: move container type to config

Container state initialisation is no longer implemented in hst so splitting them no longer makes sense.

Signed-off-by: Ophestra <cat@gensokyo.uk>

hst/config.go

@@ -2,7 +2,10 @@
 package hst
 
 import (
+	"time"
+
 	"hakurei.app/container"
+	"hakurei.app/container/seccomp"
 	"hakurei.app/system/dbus"
 )
 
@@ -11,7 +14,8 @@ const Tmp = "/.hakurei"
 var AbsTmp = container.MustAbs(Tmp)
 
 // Config is used to seal an app implementation.
-type Config struct {
+type (
+	Config struct {
 		// reverse-DNS style arbitrary identifier string from config;
 		// passed to wayland security-context-v1 as application ID
 		// and used as part of defaults in dbus session proxy
@@ -53,7 +57,66 @@ type Config struct {
 
 		// abstract container configuration baseline
 		Container *ContainerConfig `json:"container"`
-}
+	}
+
+	// ContainerConfig describes the container configuration baseline to which the app implementation adds upon.
+	ContainerConfig struct {
+		// container hostname
+		Hostname string `json:"hostname,omitempty"`
+
+		// duration to wait for after interrupting a container's initial process in nanoseconds;
+		// a negative value causes the container to be terminated immediately on cancellation
+		WaitDelay time.Duration `json:"wait_delay,omitempty"`
+
+		// extra seccomp flags
+		SeccompFlags seccomp.ExportFlag `json:"seccomp_flags"`
+		// extra seccomp presets
+		SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
+		// disable project-specific filter extensions
+		SeccompCompat bool `json:"seccomp_compat,omitempty"`
+		// allow ptrace and friends
+		Devel bool `json:"devel,omitempty"`
+		// allow userns creation in container
+		Userns bool `json:"userns,omitempty"`
+		// share host net namespace
+		Net bool `json:"net,omitempty"`
+		// allow dangerous terminal I/O
+		Tty bool `json:"tty,omitempty"`
+		// allow multiarch
+		Multiarch bool `json:"multiarch,omitempty"`
+
+		// initial process environment variables
+		Env map[string]string `json:"env"`
+		// map target user uid to privileged user uid in the user namespace
+		MapRealUID bool `json:"map_real_uid"`
+
+		// pass through all devices
+		Device bool `json:"device,omitempty"`
+		// container mount points
+		Filesystem []FilesystemConfigJSON `json:"filesystem"`
+		// create symlinks inside container filesystem
+		Link []LinkConfig `json:"symlink"`
+
+		// automatically bind mount top-level directories to container root;
+		// the zero value disables this behaviour
+		AutoRoot *container.Absolute `json:"auto_root,omitempty"`
+		// extra flags for AutoRoot
+		RootFlags int `json:"root_flags,omitempty"`
+
+		// read-only /etc directory
+		Etc *container.Absolute `json:"etc,omitempty"`
+		// automatically set up /etc symlinks
+		AutoEtc bool `json:"auto_etc"`
+	}
+
+	LinkConfig struct {
+		// symlink target in container
+		Target *container.Absolute `json:"target"`
+		// linkname the symlink points to;
+		// prepend '*' to dereference an absolute pathname on host
+		Linkname string `json:"linkname"`
+	}
+)
 
 // ExtraPermConfig describes an acl update op.
 type ExtraPermConfig struct {

hst/container.go

@@ -1,78 +0,0 @@
-package hst
-
-import (
-	"time"
-
-	"hakurei.app/container"
-	"hakurei.app/container/seccomp"
-)
-
-const (
-	// TmpfsPerm is the permission bits for tmpfs mount points
-	// configured through [FilesystemConfig].
-	TmpfsPerm = 0755
-
-	// TmpfsSize is the size for tmpfs mount points
-	// configured through [FilesystemConfig].
-	TmpfsSize = 0
-)
-
-type (
-	// ContainerConfig describes the container configuration baseline to which the app implementation adds upon.
-	ContainerConfig struct {
-		// container hostname
-		Hostname string `json:"hostname,omitempty"`
-
-		// duration to wait for after interrupting a container's initial process in nanoseconds;
-		// a negative value causes the container to be terminated immediately on cancellation
-		WaitDelay time.Duration `json:"wait_delay,omitempty"`
-
-		// extra seccomp flags
-		SeccompFlags seccomp.ExportFlag `json:"seccomp_flags"`
-		// extra seccomp presets
-		SeccompPresets seccomp.FilterPreset `json:"seccomp_presets"`
-		// disable project-specific filter extensions
-		SeccompCompat bool `json:"seccomp_compat,omitempty"`
-		// allow ptrace and friends
-		Devel bool `json:"devel,omitempty"`
-		// allow userns creation in container
-		Userns bool `json:"userns,omitempty"`
-		// share host net namespace
-		Net bool `json:"net,omitempty"`
-		// allow dangerous terminal I/O
-		Tty bool `json:"tty,omitempty"`
-		// allow multiarch
-		Multiarch bool `json:"multiarch,omitempty"`
-
-		// initial process environment variables
-		Env map[string]string `json:"env"`
-		// map target user uid to privileged user uid in the user namespace
-		MapRealUID bool `json:"map_real_uid"`
-
-		// pass through all devices
-		Device bool `json:"device,omitempty"`
-		// container mount points
-		Filesystem []FilesystemConfigJSON `json:"filesystem"`
-		// create symlinks inside container filesystem
-		Link []LinkConfig `json:"symlink"`
-
-		// automatically bind mount top-level directories to container root;
-		// the zero value disables this behaviour
-		AutoRoot *container.Absolute `json:"auto_root,omitempty"`
-		// extra flags for AutoRoot
-		RootFlags int `json:"root_flags,omitempty"`
-
-		// read-only /etc directory
-		Etc *container.Absolute `json:"etc,omitempty"`
-		// automatically set up /etc symlinks
-		AutoEtc bool `json:"auto_etc"`
-	}
-
-	LinkConfig struct {
-		// symlink target in container
-		Target *container.Absolute `json:"target"`
-		// linkname the symlink points to;
-		// prepend '*' to dereference an absolute pathname on host
-		Linkname string `json:"linkname"`
-	}
-)

internal/app/seal_linux.go

@@ -479,7 +479,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 
 	// append ExtraPerms last
 	for _, p := range config.ExtraPerms {
-		if p == nil {
+		if p == nil || p.Path == nil {
 			continue
 		}