fst: improve config

The config struct more or less "grew" to what it is today. This change moves things around to make more sense and fixes nonsensical comments describing obsolete behaviour. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-13 03:23:28 +09:00
parent c460892cbd
commit 31b7ddd122
21 changed files with 833 additions and 831 deletions
--- a/cmd/fpkg/app.go
+++ b/cmd/fpkg/app.go
@@ -19,7 +19,7 @@ type appInfo struct {
 	// passed through to [fst.Config]
 	ID string `json:"id"`
 	// passed through to [fst.Config]
-	AppID int `json:"app_id"`
+	Identity int `json:"identity"`
 	// passed through to [fst.Config]
 	Groups []string `json:"groups,omitempty"`
 	// passed through to [fst.Config]
@@ -64,57 +64,61 @@ type appInfo struct {

 func (app *appInfo) toFst(pathSet *appPathSet, argv []string, flagDropShell bool) *fst.Config {
 	config := &fst.Config{
-		ID:   app.ID,
+		ID: app.ID,
+
 		Path: argv[0],
 		Args: argv,
-		Confinement: fst.ConfinementConfig{
-			AppID:    app.AppID,
-			Groups:   app.Groups,
-			Username: "fortify",
-			Inner:    path.Join("/data/data", app.ID),
-			Outer:    pathSet.homeDir,
-			Shell:    shellPath,
-			Sandbox: &fst.SandboxConfig{
-				Hostname:      formatHostname(app.Name),
-				Devel:         app.Devel,
-				Userns:        app.Userns,
-				Net:           app.Net,
-				Device:        app.Device,
-				Tty:           app.Tty || flagDropShell,
-				MapRealUID:    app.MapRealUID,
-				DirectWayland: app.DirectWayland,
-				Filesystem: []*fst.FilesystemConfig{
-					{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
-					{Src: pathSet.metaPath, Dst: path.Join(fst.Tmp, "app"), Must: true},
-					{Src: "/etc/resolv.conf"},
-					{Src: "/sys/block"},
-					{Src: "/sys/bus"},
-					{Src: "/sys/class"},
-					{Src: "/sys/dev"},
-					{Src: "/sys/devices"},
-				},
-				Link: [][2]string{
-					{app.CurrentSystem, "/run/current-system"},
-					{"/run/current-system/sw/bin", "/bin"},
-					{"/run/current-system/sw/bin", "/usr/bin"},
-				},
-				Etc:     path.Join(pathSet.cacheDir, "etc"),
-				AutoEtc: true,
+
+		Enablements: app.Enablements,
+
+		SystemBus:     app.SystemBus,
+		SessionBus:    app.SessionBus,
+		DirectWayland: app.DirectWayland,
+
+		Username: "fortify",
+		Shell:    shellPath,
+		Data:     pathSet.homeDir,
+		Dir:      path.Join("/data/data", app.ID),
+
+		Identity: app.Identity,
+		Groups:   app.Groups,
+
+		Container: &fst.ContainerConfig{
+			Hostname:   formatHostname(app.Name),
+			Devel:      app.Devel,
+			Userns:     app.Userns,
+			Net:        app.Net,
+			Device:     app.Device,
+			Tty:        app.Tty || flagDropShell,
+			MapRealUID: app.MapRealUID,
+			Filesystem: []*fst.FilesystemConfig{
+				{Src: path.Join(pathSet.nixPath, "store"), Dst: "/nix/store", Must: true},
+				{Src: pathSet.metaPath, Dst: path.Join(fst.Tmp, "app"), Must: true},
+				{Src: "/etc/resolv.conf"},
+				{Src: "/sys/block"},
+				{Src: "/sys/bus"},
+				{Src: "/sys/class"},
+				{Src: "/sys/dev"},
+				{Src: "/sys/devices"},
 			},
-			ExtraPerms: []*fst.ExtraPermConfig{
-				{Path: dataHome, Execute: true},
-				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+			Link: [][2]string{
+				{app.CurrentSystem, "/run/current-system"},
+				{"/run/current-system/sw/bin", "/bin"},
+				{"/run/current-system/sw/bin", "/usr/bin"},
 			},
-			SystemBus:   app.SystemBus,
-			SessionBus:  app.SessionBus,
-			Enablements: app.Enablements,
+			Etc:     path.Join(pathSet.cacheDir, "etc"),
+			AutoEtc: true,
+		},
+		ExtraPerms: []*fst.ExtraPermConfig{
+			{Path: dataHome, Execute: true},
+			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
 	}
 	if app.Multiarch {
-		config.Confinement.Sandbox.Seccomp |= seccomp.FilterMultiarch
+		config.Container.Seccomp |= seccomp.FilterMultiarch
 	}
 	if app.Bluetooth {
-		config.Confinement.Sandbox.Seccomp |= seccomp.FilterBluetooth
+		config.Container.Seccomp |= seccomp.FilterBluetooth
 	}
 	return config
 }
--- a/cmd/fpkg/build.nix
+++ b/cmd/fpkg/build.nix
@@ -31,7 +31,7 @@
  '',

  id ? name,
-  app_id ? throw "app_id is required",
+  identity ? throw "identity is required",
  groups ? [ ],
  userns ? false,
  net ? true,
@@ -147,7 +147,7 @@ let
      name
      version
      id
-      app_id
+      identity
      launcher
      groups
      userns
--- a/cmd/fpkg/main.go
+++ b/cmd/fpkg/main.go
@@ -157,11 +157,11 @@ func main() {
 					return errSuccess
 				}

-				// AppID determines uid
-				if a.AppID != bundle.AppID {
+				// identity determines uid
+				if a.Identity != bundle.Identity {
 					cleanup()
-					log.Printf("package %q app id %d differs from installed %d",
-						pkgPath, bundle.AppID, a.AppID)
+					log.Printf("package %q identity %d differs from installed %d",
+						pkgPath, bundle.Identity, a.Identity)
 					return syscall.EBADE
 				}

@@ -292,7 +292,7 @@ func main() {
 						"--override-input nixpkgs path:/etc/nixpkgs " +
 						"path:" + a.NixGL + "#nixVulkanNvidia",
 				}, true, func(config *fst.Config) *fst.Config {
-					config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
+					config.Container.Filesystem = append(config.Container.Filesystem, []*fst.FilesystemConfig{
 						{Src: "/etc/resolv.conf"},
 						{Src: "/sys/block"},
 						{Src: "/sys/bus"},
@@ -324,7 +324,7 @@ func main() {
 			*/

 			if a.GPU {
-				config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem,
+				config.Container.Filesystem = append(config.Container.Filesystem,
 					&fst.FilesystemConfig{Src: path.Join(pathSet.nixPath, ".nixGL"), Dst: path.Join(fst.Tmp, "nixGL")})
 				appendGPUFilesystem(config)
 			}
--- a/cmd/fpkg/paths.go
+++ b/cmd/fpkg/paths.go
@@ -72,7 +72,7 @@ func pathSetByApp(id string) *appPathSet {
 }

 func appendGPUFilesystem(config *fst.Config) {
-	config.Confinement.Sandbox.Filesystem = append(config.Confinement.Sandbox.Filesystem, []*fst.FilesystemConfig{
+	config.Container.Filesystem = append(config.Container.Filesystem, []*fst.FilesystemConfig{
 		// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
 		{Src: "/dev/dri", Device: true},
 		// mali
--- a/cmd/fpkg/test/foot.nix
+++ b/cmd/fpkg/test/foot.nix
@@ -10,7 +10,7 @@ buildPackage {
  name = "foot";
  inherit (foot) version;

-  app_id = 2;
+  identity = 2;
  id = "org.codeberg.dnkl.foot";

  modules = [
--- a/cmd/fpkg/test/test.py
+++ b/cmd/fpkg/test/test.py
@@ -65,8 +65,8 @@ def check_state(name, enablements):
    if len(config['args']) != 1 or not (config['args'][0].startswith("/nix/store/")) or f"fortify-{name}-" not in (config['args'][0]):
        raise Exception(f"unexpected args {instance['config']['args']}")

-    if config['confinement']['enablements'] != enablements:
-        raise Exception(f"unexpected enablements {instance['config']['confinement']['enablements']}")
+    if config['enablements'] != enablements:
+        raise Exception(f"unexpected enablements {instance['config']['enablements']}")


 start_all()
--- a/cmd/fpkg/with.go
+++ b/cmd/fpkg/with.go
@@ -16,7 +16,8 @@ func withNixDaemon(
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
 ) {
 	mustRunAppDropShell(ctx, updateConfig(&fst.Config{
-		ID:   app.ID,
+		ID: app.ID,
+
 		Path: shellPath,
 		Args: []string{shellPath, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
 			// start nix-daemon
@@ -29,33 +30,34 @@ func withNixDaemon(
 			// terminate nix-daemon
 			" && pkill nix-daemon",
 		},
-		Confinement: fst.ConfinementConfig{
-			AppID:    app.AppID,
-			Username: "fortify",
-			Inner:    path.Join("/data/data", app.ID),
-			Outer:    pathSet.homeDir,
-			Shell:    shellPath,
-			Sandbox: &fst.SandboxConfig{
-				Hostname: formatHostname(app.Name) + "-" + action,
-				Userns:   true, // nix sandbox requires userns
-				Net:      net,
-				Seccomp:  seccomp.FilterMultiarch,
-				Tty:      dropShell,
-				Filesystem: []*fst.FilesystemConfig{
-					{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
-				},
-				Link: [][2]string{
-					{app.CurrentSystem, "/run/current-system"},
-					{"/run/current-system/sw/bin", "/bin"},
-					{"/run/current-system/sw/bin", "/usr/bin"},
-				},
-				Etc:     path.Join(pathSet.cacheDir, "etc"),
-				AutoEtc: true,
+
+		Username: "fortify",
+		Shell:    shellPath,
+		Data:     pathSet.homeDir,
+		Dir:      path.Join("/data/data", app.ID),
+		ExtraPerms: []*fst.ExtraPermConfig{
+			{Path: dataHome, Execute: true},
+			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+		},
+
+		Identity: app.Identity,
+
+		Container: &fst.ContainerConfig{
+			Hostname: formatHostname(app.Name) + "-" + action,
+			Userns:   true, // nix sandbox requires userns
+			Net:      net,
+			Seccomp:  seccomp.FilterMultiarch,
+			Tty:      dropShell,
+			Filesystem: []*fst.FilesystemConfig{
+				{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},
 			},
-			ExtraPerms: []*fst.ExtraPermConfig{
-				{Path: dataHome, Execute: true},
-				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+			Link: [][2]string{
+				{app.CurrentSystem, "/run/current-system"},
+				{"/run/current-system/sw/bin", "/bin"},
+				{"/run/current-system/sw/bin", "/usr/bin"},
 			},
+			Etc:     path.Join(pathSet.cacheDir, "etc"),
+			AutoEtc: true,
 		},
 	}), dropShell, beforeFail)
 }
@@ -65,36 +67,38 @@ func withCacheDir(
 	action string, command []string, workDir string,
 	app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
 	mustRunAppDropShell(ctx, &fst.Config{
-		ID:   app.ID,
+		ID: app.ID,
+
 		Path: shellPath,
 		Args: []string{shellPath, "-lc", strings.Join(command, " && ")},
-		Confinement: fst.ConfinementConfig{
-			AppID:    app.AppID,
-			Username: "nixos",
-			Inner:    path.Join("/data/data", app.ID, "cache"),
-			Outer:    pathSet.cacheDir, // this also ensures cacheDir via shim
-			Shell:    shellPath,
-			Sandbox: &fst.SandboxConfig{
-				Hostname: formatHostname(app.Name) + "-" + action,
-				Seccomp:  seccomp.FilterMultiarch,
-				Tty:      dropShell,
-				Filesystem: []*fst.FilesystemConfig{
-					{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
-					{Src: workDir, Dst: path.Join(fst.Tmp, "bundle"), Must: true},
-				},
-				Link: [][2]string{
-					{app.CurrentSystem, "/run/current-system"},
-					{"/run/current-system/sw/bin", "/bin"},
-					{"/run/current-system/sw/bin", "/usr/bin"},
-				},
-				Etc:     path.Join(workDir, "etc"),
-				AutoEtc: true,
+
+		Username: "nixos",
+		Shell:    shellPath,
+		Data:     pathSet.cacheDir, // this also ensures cacheDir via shim
+		Dir:      path.Join("/data/data", app.ID, "cache"),
+		ExtraPerms: []*fst.ExtraPermConfig{
+			{Path: dataHome, Execute: true},
+			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
+			{Path: workDir, Execute: true},
+		},
+
+		Identity: app.Identity,
+
+		Container: &fst.ContainerConfig{
+			Hostname: formatHostname(app.Name) + "-" + action,
+			Seccomp:  seccomp.FilterMultiarch,
+			Tty:      dropShell,
+			Filesystem: []*fst.FilesystemConfig{
+				{Src: path.Join(workDir, "nix"), Dst: "/nix", Must: true},
+				{Src: workDir, Dst: path.Join(fst.Tmp, "bundle"), Must: true},
 			},
-			ExtraPerms: []*fst.ExtraPermConfig{
-				{Path: dataHome, Execute: true},
-				{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
-				{Path: workDir, Execute: true},
+			Link: [][2]string{
+				{app.CurrentSystem, "/run/current-system"},
+				{"/run/current-system/sw/bin", "/bin"},
+				{"/run/current-system/sw/bin", "/usr/bin"},
 			},
+			Etc:     path.Join(workDir, "etc"),
+			AutoEtc: true,
 		},
 	}, dropShell, beforeFail)
 }