internal/outcome: expose pipewire via pipewire-pulse
All checks were successful
Test / Create distribution (push) Successful in 28s
Test / Sandbox (push) Successful in 42s
Test / Hakurei (push) Successful in 3m20s
Test / Hpkg (push) Successful in 2m13s
Test / Sandbox (race detector) (push) Successful in 4m25s
Test / Hakurei (race detector) (push) Successful in 3m21s
Test / Flake checks (push) Successful in 1m30s
All checks were successful
Test / Create distribution (push) Successful in 28s
Test / Sandbox (push) Successful in 42s
Test / Hakurei (push) Successful in 3m20s
Test / Hpkg (push) Successful in 2m13s
Test / Sandbox (race detector) (push) Successful in 4m25s
Test / Hakurei (race detector) (push) Successful in 3m21s
Test / Flake checks (push) Successful in 1m30s
This no longer exposes the pipewire socket to the container, and instead mediates access via pipewire-pulse. This makes insecure parts of the protocol inaccessible as explained in the doc comment in hst. Closes #29. Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
@@ -41,7 +41,6 @@ in
|
||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
|
||||
"DISPLAY=unix:/tmp/.X11-unix/X0"
|
||||
"HOME=/var/lib/hakurei/u0/a4"
|
||||
"PIPEWIRE_REMOTE=/run/user/65534/pipewire-0"
|
||||
"SHELL=/run/current-system/sw/bin/bash"
|
||||
"TERM=linux"
|
||||
"USER=u0_a4"
|
||||
@@ -49,6 +48,7 @@ in
|
||||
"XDG_RUNTIME_DIR=/run/user/65534"
|
||||
"XDG_SESSION_CLASS=user"
|
||||
"XDG_SESSION_TYPE=wayland"
|
||||
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
|
||||
];
|
||||
|
||||
fs = fs "dead" {
|
||||
@@ -138,12 +138,8 @@ in
|
||||
user = fs "800001ed" {
|
||||
"65534" = fs "800001c0" {
|
||||
bus = fs "10001fd" null null;
|
||||
pulse = fs "800001c0" {
|
||||
native = fs "10001ff" null null;
|
||||
pid = fs "1a4" null null;
|
||||
} null;
|
||||
pulse = fs "800001c0" { native = fs "10001ff" null null; } null;
|
||||
wayland-0 = fs "1000038" null null;
|
||||
pipewire-0 = fs "1000038" null null;
|
||||
} null;
|
||||
} null;
|
||||
} null;
|
||||
@@ -229,7 +225,6 @@ in
|
||||
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10004,gid=10004")
|
||||
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/tmp/.X11-unix" "/tmp/.X11-unix" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/65534/pipewire-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
@@ -246,6 +241,7 @@ in
|
||||
(ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,userxattr")
|
||||
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/var/lib/hakurei/u0/a4" "/var/lib/hakurei/u0/a4" "rw,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
];
|
||||
|
||||
seccomp = true;
|
||||
|
||||
@@ -49,7 +49,6 @@ in
|
||||
env = [
|
||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus"
|
||||
"HOME=/var/lib/hakurei/u0/a3"
|
||||
"PIPEWIRE_REMOTE=/run/user/1000/pipewire-0"
|
||||
"SHELL=/run/current-system/sw/bin/bash"
|
||||
"TERM=linux"
|
||||
"USER=u0_a3"
|
||||
@@ -57,6 +56,7 @@ in
|
||||
"XDG_RUNTIME_DIR=/run/user/1000"
|
||||
"XDG_SESSION_CLASS=user"
|
||||
"XDG_SESSION_TYPE=wayland"
|
||||
"PULSE_SERVER=unix:/run/user/1000/pulse/native"
|
||||
];
|
||||
|
||||
fs = fs "dead" {
|
||||
@@ -163,12 +163,8 @@ in
|
||||
user = fs "800001ed" {
|
||||
"1000" = fs "800001f8" {
|
||||
bus = fs "10001fd" null null;
|
||||
pulse = fs "800001c0" {
|
||||
native = fs "10001ff" null null;
|
||||
pid = fs "1a4" null null;
|
||||
} null;
|
||||
pulse = fs "800001c0" { native = fs "10001ff" null null; } null;
|
||||
wayland-0 = fs "1000038" null null;
|
||||
pipewire-0 = fs "1000038" null null;
|
||||
} null;
|
||||
} null;
|
||||
} null;
|
||||
@@ -256,7 +252,6 @@ in
|
||||
(ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10003,gid=10003")
|
||||
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10003,gid=10003")
|
||||
(ent ignore "/run/user/1000/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/1000/pipewire-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/1000/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
@@ -273,6 +268,7 @@ in
|
||||
(ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,userxattr")
|
||||
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/var/lib/hakurei/u0/a3" "/var/lib/hakurei/u0/a3" "rw,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/1000/pulse/native" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
];
|
||||
|
||||
seccomp = true;
|
||||
|
||||
@@ -49,7 +49,6 @@ in
|
||||
env = [
|
||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
|
||||
"HOME=/var/lib/hakurei/u0/a5"
|
||||
"PIPEWIRE_REMOTE=/run/user/65534/pipewire-0"
|
||||
"SHELL=/run/current-system/sw/bin/bash"
|
||||
"TERM=linux"
|
||||
"USER=u0_a5"
|
||||
@@ -57,6 +56,7 @@ in
|
||||
"XDG_RUNTIME_DIR=/run/user/65534"
|
||||
"XDG_SESSION_CLASS=user"
|
||||
"XDG_SESSION_TYPE=wayland"
|
||||
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
|
||||
];
|
||||
|
||||
fs = fs "dead" {
|
||||
@@ -161,12 +161,8 @@ in
|
||||
user = fs "800001ed" {
|
||||
"65534" = fs "800001f8" {
|
||||
bus = fs "10001fd" null null;
|
||||
pulse = fs "800001c0" {
|
||||
native = fs "10001ff" null null;
|
||||
pid = fs "1a4" null null;
|
||||
} null;
|
||||
pulse = fs "800001c0" { native = fs "10001ff" null null; } null;
|
||||
wayland-0 = fs "1000038" null null;
|
||||
pipewire-0 = fs "1000038" null null;
|
||||
} null;
|
||||
} null;
|
||||
} null;
|
||||
@@ -254,7 +250,6 @@ in
|
||||
(ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10005,gid=10005")
|
||||
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10005,gid=10005")
|
||||
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/65534/pipewire-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
@@ -268,6 +263,7 @@ in
|
||||
(ent "/var/tmp" "/var/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/var/lib/hakurei/u0/a5" "/var/lib/hakurei/u0/a5" "rw,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
];
|
||||
|
||||
seccomp = true;
|
||||
|
||||
@@ -49,7 +49,6 @@ in
|
||||
env = [
|
||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
|
||||
"HOME=/var/lib/hakurei/u0/a1"
|
||||
"PIPEWIRE_REMOTE=/run/user/65534/pipewire-0"
|
||||
"SHELL=/run/current-system/sw/bin/bash"
|
||||
"TERM=linux"
|
||||
"USER=u0_a1"
|
||||
@@ -57,6 +56,7 @@ in
|
||||
"XDG_RUNTIME_DIR=/run/user/65534"
|
||||
"XDG_SESSION_CLASS=user"
|
||||
"XDG_SESSION_TYPE=wayland"
|
||||
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
|
||||
];
|
||||
|
||||
fs = fs "dead" {
|
||||
@@ -160,12 +160,8 @@ in
|
||||
user = fs "800001ed" {
|
||||
"65534" = fs "800001c0" {
|
||||
bus = fs "10001fd" null null;
|
||||
pulse = fs "800001c0" {
|
||||
native = fs "10001ff" null null;
|
||||
pid = fs "1a4" null null;
|
||||
} null;
|
||||
pulse = fs "800001c0" { native = fs "10001ff" null null; } null;
|
||||
wayland-0 = fs "1000038" null null;
|
||||
pipewire-0 = fs "1000038" null null;
|
||||
} null;
|
||||
} null;
|
||||
} null;
|
||||
@@ -251,7 +247,6 @@ in
|
||||
(ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10001,gid=10001")
|
||||
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10001,gid=10001")
|
||||
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/65534/pipewire-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
@@ -265,6 +260,7 @@ in
|
||||
(ent "/var/tmp" "/var/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/var/lib/hakurei/u0/a1" "/var/lib/hakurei/u0/a1" "rw,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
];
|
||||
|
||||
seccomp = true;
|
||||
|
||||
@@ -50,7 +50,6 @@ in
|
||||
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
|
||||
"DISPLAY=:0"
|
||||
"HOME=/var/lib/hakurei/u0/a2"
|
||||
"PIPEWIRE_REMOTE=/run/user/65534/pipewire-0"
|
||||
"SHELL=/run/current-system/sw/bin/bash"
|
||||
"TERM=linux"
|
||||
"USER=u0_a2"
|
||||
@@ -58,6 +57,7 @@ in
|
||||
"XDG_RUNTIME_DIR=/run/user/65534"
|
||||
"XDG_SESSION_CLASS=user"
|
||||
"XDG_SESSION_TYPE=wayland"
|
||||
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
|
||||
];
|
||||
|
||||
fs = fs "dead" {
|
||||
@@ -165,12 +165,8 @@ in
|
||||
user = fs "800001ed" {
|
||||
"65534" = fs "800001f8" {
|
||||
bus = fs "10001fd" null null;
|
||||
pulse = fs "800001c0" {
|
||||
native = fs "10001ff" null null;
|
||||
pid = fs "1a4" null null;
|
||||
} null;
|
||||
pulse = fs "800001c0" { native = fs "10001ff" null null; } null;
|
||||
wayland-0 = fs "1000038" null null;
|
||||
pipewire-0 = fs "1000038" null null;
|
||||
} null;
|
||||
} null;
|
||||
} null;
|
||||
@@ -262,7 +258,6 @@ in
|
||||
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10002,gid=10002")
|
||||
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/tmp/.X11-unix" "/tmp/.X11-unix" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/65534/pipewire-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
@@ -279,6 +274,7 @@ in
|
||||
(ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,uuid=on,userxattr")
|
||||
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent "/var/lib/hakurei/u0/a2" "/var/lib/hakurei/u0/a2" "rw,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
(ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
|
||||
];
|
||||
|
||||
seccomp = true;
|
||||
|
||||
Reference in New Issue
Block a user