diff --git a/internal/system/dispatcher.go b/internal/system/dispatcher.go index 1ea9f10..656487d 100644 --- a/internal/system/dispatcher.go +++ b/internal/system/dispatcher.go @@ -6,9 +6,11 @@ import ( "log" "os" + "hakurei.app/container/check" "hakurei.app/hst" "hakurei.app/internal/acl" "hakurei.app/internal/dbus" + "hakurei.app/internal/wayland" "hakurei.app/internal/xcb" ) @@ -45,6 +47,8 @@ type syscallDispatcher interface { // aclUpdate provides [acl.Update]. aclUpdate(name string, uid int, perms ...acl.Perm) error + waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error) + // xcbChangeHosts provides [xcb.ChangeHosts]. xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error @@ -76,6 +80,10 @@ func (k direct) aclUpdate(name string, uid int, perms ...acl.Perm) error { return acl.Update(name, uid, perms...) } +func (k direct) waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error) { + return wayland.New(displayPath, bindPath, appID, instanceID) +} + func (k direct) xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error { return xcb.ChangeHosts(mode, family, address) } diff --git a/internal/system/dispatcher_test.go b/internal/system/dispatcher_test.go index 95aab3e..2704bca 100644 --- a/internal/system/dispatcher_test.go +++ b/internal/system/dispatcher_test.go @@ -8,10 +8,12 @@ import ( "testing" "unsafe" + "hakurei.app/container/check" "hakurei.app/container/stub" "hakurei.app/hst" "hakurei.app/internal/acl" "hakurei.app/internal/dbus" + "hakurei.app/internal/wayland" "hakurei.app/internal/xcb" ) @@ -268,6 +270,15 @@ func (k *kstub) aclUpdate(name string, uid int, perms ...acl.Perm) error { stub.CheckArgReflect(k.Stub, "perms", perms, 2)) } +func (k *kstub) waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error) { + k.Helper() + return nil, k.Expects("waylandNew").Error( + stub.CheckArgReflect(k.Stub, "displayPath", displayPath, 0), + stub.CheckArgReflect(k.Stub, "bindPath", bindPath, 1), + stub.CheckArg(k.Stub, "appID", appID, 2), + stub.CheckArg(k.Stub, "instanceID", instanceID, 3)) +} + func (k *kstub) xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error { k.Helper() return k.Expects("xcbChangeHosts").Error( diff --git a/internal/system/wayland.go b/internal/system/wayland.go index bbecde1..c9e431e 100644 --- a/internal/system/wayland.go +++ b/internal/system/wayland.go @@ -8,83 +8,74 @@ import ( "hakurei.app/container/check" "hakurei.app/hst" "hakurei.app/internal/acl" - "hakurei.app/system/wayland" + "hakurei.app/internal/wayland" ) -type waylandConn interface { - Attach(p string) (err error) - Bind(pathname, appID, instanceID string) (*os.File, error) - Close() error -} - // Wayland maintains a wayland socket with security-context-v1 attached via [wayland]. // The socket stops accepting connections once the pipe referred to by sync is closed. // The socket is pathname only and is destroyed on revert. func (sys *I) Wayland(dst, src *check.Absolute, appID, instanceID string) *I { sys.ops = append(sys.ops, &waylandOp{nil, - dst.String(), src.String(), - appID, instanceID, - new(wayland.Conn)}) + dst, src, appID, instanceID}) return sys } // waylandOp implements [I.Wayland]. type waylandOp struct { - sync *os.File - dst, src string + ctx *wayland.SecurityContext + dst, src *check.Absolute appID, instanceID string - - conn waylandConn } func (w *waylandOp) Type() hst.Enablement { return Process } -func (w *waylandOp) apply(sys *I) error { - if err := w.conn.Attach(w.src); err != nil { +func (w *waylandOp) apply(sys *I) (err error) { + if w.ctx, err = sys.waylandNew(w.src, w.dst, w.appID, w.instanceID); err != nil { return newOpError("wayland", err, false) } else { - sys.msg.Verbosef("wayland attached on %q", w.src) - } + sys.msg.Verbosef("wayland pathname socket on %q via %q", w.dst, w.src) - if sp, err := w.conn.Bind(w.dst, w.appID, w.instanceID); err != nil { - return newOpError("wayland", err, false) - } else { - w.sync = sp - sys.msg.Verbosef("wayland listening on %q", w.dst) - if err = sys.chmod(w.dst, 0); err != nil { + if err = sys.chmod(w.dst.String(), 0); err != nil { + if closeErr := w.ctx.Close(); closeErr != nil { + return newOpError("wayland", errors.Join(err, closeErr), false) + } return newOpError("wayland", err, false) } - return newOpError("wayland", sys.aclUpdate(w.dst, sys.uid, acl.Read, acl.Write, acl.Execute), false) + + if err = sys.aclUpdate(w.dst.String(), sys.uid, acl.Read, acl.Write, acl.Execute); err != nil { + if closeErr := w.ctx.Close(); closeErr != nil { + return newOpError("wayland", errors.Join(err, closeErr), false) + } + return newOpError("wayland", err, false) + } + + return nil } } func (w *waylandOp) revert(sys *I, _ *Criteria) error { var ( hangupErr error - closeErr error removeErr error ) - sys.msg.Verbosef("detaching from wayland on %q", w.src) - if w.sync != nil { - hangupErr = w.sync.Close() + sys.msg.Verbosef("hanging up wayland socket on %q", w.dst) + if w.ctx != nil { + hangupErr = w.ctx.Close() } - closeErr = w.conn.Close() - - sys.msg.Verbosef("removing wayland socket on %q", w.dst) - if err := sys.remove(w.dst); err != nil && !errors.Is(err, os.ErrNotExist) { + if err := sys.remove(w.dst.String()); err != nil && !errors.Is(err, os.ErrNotExist) { removeErr = err } - return newOpError("wayland", errors.Join(hangupErr, closeErr, removeErr), true) + return newOpError("wayland", errors.Join(hangupErr, removeErr), true) } func (w *waylandOp) Is(o Op) bool { target, ok := o.(*waylandOp) return ok && w != nil && target != nil && - w.dst == target.dst && w.src == target.src && + w.dst.Is(target.dst) && w.src.Is(target.src) && w.appID == target.appID && w.instanceID == target.instanceID } -func (w *waylandOp) Path() string { return w.dst } +func (w *waylandOp) Path() string { return w.dst.String() } func (w *waylandOp) String() string { return fmt.Sprintf("wayland socket at %q", w.dst) } diff --git a/internal/system/wayland_test.go b/internal/system/wayland_test.go index c70603b..d31c117 100644 --- a/internal/system/wayland_test.go +++ b/internal/system/wayland_test.go @@ -7,196 +7,62 @@ import ( "hakurei.app/container/stub" "hakurei.app/internal/acl" - "hakurei.app/system/wayland" ) -type stubWaylandConn struct { - t *testing.T - - wantAttach string - attachErr error - attached bool - - wantBind [3]string - bindErr error - bound bool - - closeErr error - closed bool -} - -func (conn *stubWaylandConn) Attach(p string) (err error) { - conn.t.Helper() - - if conn.attached { - conn.t.Fatal("Attach called twice") - } - conn.attached = true - - err = conn.attachErr - if p != conn.wantAttach { - conn.t.Errorf("Attach: p = %q, want %q", p, conn.wantAttach) - err = stub.ErrCheck - } - return -} - -func (conn *stubWaylandConn) Bind(pathname, appID, instanceID string) (*os.File, error) { - conn.t.Helper() - - if !conn.attached { - conn.t.Fatal("Bind called before Attach") - } - - if conn.bound { - conn.t.Fatal("Bind called twice") - } - conn.bound = true - - if pathname != conn.wantBind[0] { - conn.t.Errorf("Attach: pathname = %q, want %q", pathname, conn.wantBind[0]) - return nil, stub.ErrCheck - } - if appID != conn.wantBind[1] { - conn.t.Errorf("Attach: appID = %q, want %q", appID, conn.wantBind[1]) - return nil, stub.ErrCheck - } - if instanceID != conn.wantBind[2] { - conn.t.Errorf("Attach: instanceID = %q, want %q", instanceID, conn.wantBind[2]) - return nil, stub.ErrCheck - } - return nil, conn.bindErr -} - -func (conn *stubWaylandConn) Close() error { - conn.t.Helper() - - if !conn.attached { - conn.t.Fatal("Close called before Attach") - } - if !conn.bound { - conn.t.Fatal("Close called before Bind") - } - - if conn.closed { - conn.t.Fatal("Close called twice") - } - conn.closed = true - return conn.closeErr -} - func TestWaylandOp(t *testing.T) { t.Parallel() checkOpBehaviour(t, []opBehaviourTestCase{ - {"attach", 0xbeef, 0xff, &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", - "org.chromium.Chromium", - "ebf083d1b175911782d413369b64ce7c", - &stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{ - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, - attachErr: stub.UniqueError(5)}, - }, nil, &OpError{Op: "wayland", Err: stub.UniqueError(5)}, nil, nil}, - - {"bind", 0xbeef, 0xff, &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", - "org.chromium.Chromium", - "ebf083d1b175911782d413369b64ce7c", - &stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{ - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, - bindErr: stub.UniqueError(4)}, - }, []stub.Call{ - call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil), - }, &OpError{Op: "wayland", Err: stub.UniqueError(4)}, nil, nil}, - {"chmod", 0xbeef, 0xff, &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - &stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{ - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}}, }, []stub.Call{ - call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil), - call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil), + call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil), + call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil), call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, stub.UniqueError(3)), - }, &OpError{Op: "wayland", Err: stub.UniqueError(3)}, nil, nil}, + }, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(3), os.ErrInvalid)}, nil, nil}, {"aclUpdate", 0xbeef, 0xff, &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - &stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{ - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}}, }, []stub.Call{ - call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil), - call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil), + call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil), + call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil), call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil), call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, stub.UniqueError(2)), - }, &OpError{Op: "wayland", Err: stub.UniqueError(2)}, nil, nil}, + }, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(2), os.ErrInvalid)}, nil, nil}, {"remove", 0xbeef, 0xff, &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - &stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{ - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}}, }, []stub.Call{ - call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil), - call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil), + call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil), + call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil), call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil), call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil), }, nil, []stub.Call{ - call("verbosef", stub.ExpectArgs{"detaching from wayland on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil), - call("verbosef", stub.ExpectArgs{"removing wayland socket on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil), + call("verbosef", stub.ExpectArgs{"hanging up wayland socket on %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland")}}, nil, nil), call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, stub.UniqueError(1)), }, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(1)), Revert: true}}, - {"close", 0xbeef, 0xff, &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", - "org.chromium.Chromium", - "ebf083d1b175911782d413369b64ce7c", - &stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{ - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, - closeErr: stub.UniqueError(0)}, - }, []stub.Call{ - call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil), - call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil), - call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil), - call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil), - }, nil, []stub.Call{ - call("verbosef", stub.ExpectArgs{"detaching from wayland on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil), - call("verbosef", stub.ExpectArgs{"removing wayland socket on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil), - call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, nil), - }, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(0)), Revert: true}}, - {"success", 0xbeef, 0xff, &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - &stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{ - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}}, }, []stub.Call{ - call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil), - call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil), + call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil), + call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil), call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil), call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil), }, nil, []stub.Call{ - call("verbosef", stub.ExpectArgs{"detaching from wayland on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil), - call("verbosef", stub.ExpectArgs{"removing wayland socket on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil), + call("verbosef", stub.ExpectArgs{"hanging up wayland socket on %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland")}}, nil, nil), call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, nil), }, nil}, }) @@ -210,93 +76,81 @@ func TestWaylandOp(t *testing.T) { "ebf083d1b175911782d413369b64ce7c", ) }, []Op{&waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - new(wayland.Conn), }}, stub.Expect{}}, }) checkOpIs(t, []opIsTestCase{ {"dst differs", &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7d/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7d/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - new(wayland.Conn), }, &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - new(wayland.Conn), }, false}, {"src differs", &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-1", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-1"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - new(wayland.Conn), }, &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - new(wayland.Conn), }, false}, {"appID differs", &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium", "ebf083d1b175911782d413369b64ce7c", - new(wayland.Conn), }, &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - new(wayland.Conn), }, false}, {"instanceID differs", &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7d", - new(wayland.Conn), }, &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - new(wayland.Conn), }, false}, {"equals", &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - new(wayland.Conn), }, &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - new(wayland.Conn), }, true}, }) checkOpMeta(t, []opMetaTestCase{ {"chromium", &waylandOp{nil, - "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", - "/run/user/1971/wayland-0", + m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), + m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c", - new(wayland.Conn), }, Process, "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", `wayland socket at "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"`}, }) diff --git a/internal/wayland/conn.go b/internal/wayland/conn.go index addbc0d..c861c05 100644 --- a/internal/wayland/conn.go +++ b/internal/wayland/conn.go @@ -1,47 +1,85 @@ package wayland import ( + "errors" "os" "syscall" + + "hakurei.app/container/check" ) -func bindRawConn(done chan struct{}, rc syscall.RawConn, p, appID, instanceID string) ([2]int, error) { +// SecurityContext holds resources associated with a Wayland security_context. +type SecurityContext struct { + // Pipe with its write end passed to security-context-v1. + closeFds [2]int +} + +// Close releases any resources held by [SecurityContext], and prevents further +// connections to its associated socket. +func (sc *SecurityContext) Close() error { + if sc == nil { + return os.ErrInvalid + } + return errors.Join( + syscall.Close(sc.closeFds[1]), + syscall.Close(sc.closeFds[0]), + ) +} + +// New creates a new security context on the Wayland display at displayPath +// and associates it with a new socket bound to bindPath. +// +// New does not attach a finalizer to the resulting [SecurityContext] struct. +// The caller is responsible for calling [SecurityContext.Close]. +// +// A non-nil error unwraps to concrete type [Error]. +func New(displayPath, bindPath *check.Absolute, appID, instanceID string) (*SecurityContext, error) { + // ensure bindPath is available + if f, err := os.Create(bindPath.String()); err != nil { + return nil, &Error{Cause: RHostCreate, Errno: err} + } else if err = f.Close(); err != nil { + return nil, &Error{Cause: RHostCreate, Errno: err} + } else if err = os.Remove(bindPath.String()); err != nil { + return nil, &Error{Cause: RHostCreate, Errno: err} + } + + if fd, err := syscall.Socket(syscall.AF_UNIX, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0); err != nil { + return nil, &Error{RHostSocket, err} + } else if err = syscall.Connect(fd, &syscall.SockaddrUnix{Name: displayPath.String()}); err != nil { + _ = syscall.Close(fd) + return nil, &Error{RHostConnect, err} + } else { + closeFds, bindErr := bindSecurityContext(fd, bindPath, appID, instanceID) + if bindErr != nil { + // do not leak the pipe and socket + err = errors.Join(bindErr, // already wrapped + syscall.Close(closeFds[1]), + syscall.Close(closeFds[0]), + syscall.Close(fd), + ) + } + return &SecurityContext{closeFds}, err + } +} + +// bindSecurityContext binds a socket associated to a security context created on serverFd, +// returning the pipe file descriptors used for security-context-v1 close_fd. +// +// A non-nil error unwraps to concrete type [Error]. +func bindSecurityContext(serverFd int, bindPath *check.Absolute, appID, instanceID string) ([2]int, error) { + // write end passed to security-context-v1 close_fd var closeFds [2]int if err := syscall.Pipe2(closeFds[0:], syscall.O_CLOEXEC); err != nil { return closeFds, err } - setupDone := make(chan error, 1) // does not block with c.done - - go func() { - if err := rc.Control(func(fd uintptr) { - // allow the Bind method to return after setup - setupDone <- bind(fd, p, appID, instanceID, uintptr(closeFds[1])) - close(setupDone) - - // keep socket alive until done is requested - <-done - }); err != nil { - setupDone <- err - } - - // notify Close that rc.Control has returned - close(done) - }() - - // return write end of the pipe - return closeFds, <-setupDone -} - -func bind(fd uintptr, p, appID, instanceID string, syncFd uintptr) error { - // ensure p is available - if f, err := os.Create(p); err != nil { - return err - } else if err = f.Close(); err != nil { - return err - } else if err = os.Remove(p); err != nil { - return err + // returned error is already wrapped + if err := bindWaylandFd(bindPath.String(), uintptr(serverFd), appID, instanceID, uintptr(closeFds[1])); err != nil { + return closeFds, errors.Join(err, + syscall.Close(closeFds[1]), + syscall.Close(closeFds[0]), + ) + } else { + return closeFds, nil } - - return bindWaylandFd(p, fd, appID, instanceID, syncFd) } diff --git a/internal/wayland/wayland-client-helper.c b/internal/wayland/wayland-client-helper.c index ccfbaf6..bf7b372 100644 --- a/internal/wayland/wayland-client-helper.c +++ b/internal/wayland/wayland-client-helper.c @@ -33,7 +33,7 @@ static const struct wl_registry_listener registry_listener = { hakurei_wayland_res hakurei_bind_wayland_fd( char *socket_path, - int fd, + int server_fd, const char *app_id, const char *instance_id, int close_fd) { @@ -47,7 +47,7 @@ hakurei_wayland_res hakurei_bind_wayland_fd( struct sockaddr_un sockaddr = {0}; struct wp_security_context_v1 *security_context; - display = wl_display_connect_to_fd(fd); + display = wl_display_connect_to_fd(server_fd); if (display == NULL) { res = HAKUREI_WAYLAND_CONNECT; goto out; diff --git a/internal/wayland/wayland-client-helper.h b/internal/wayland/wayland-client-helper.h index 9dd7c90..fc75a87 100644 --- a/internal/wayland/wayland-client-helper.h +++ b/internal/wayland/wayland-client-helper.h @@ -14,11 +14,18 @@ typedef enum { HAKUREI_WAYLAND_BIND, /* listen failed, errno */ HAKUREI_WAYLAND_LISTEN, + + /* ensure pathname failed, implemented in conn.go */ + HAKUREI_WAYLAND_HOST_CREAT, + /* socket for host server failed, implemented in conn.go */ + HAKUREI_WAYLAND_HOST_SOCKET, + /* connect for host server failed, implemented in conn.go */ + HAKUREI_WAYLAND_HOST_CONNECT, } hakurei_wayland_res; hakurei_wayland_res hakurei_bind_wayland_fd( char *socket_path, - int fd, + int server_fd, const char *app_id, const char *instance_id, int close_fd); diff --git a/internal/wayland/wayland.go b/internal/wayland/wayland.go index a7cddf5..ee8dfd1 100644 --- a/internal/wayland/wayland.go +++ b/internal/wayland/wayland.go @@ -31,10 +31,10 @@ const ( ) type ( - // Res is the outcome of a call to hakurei_bind_wayland_fd. + // Res is the outcome of a call to [New]. Res = C.hakurei_wayland_res - // An Error represents a failure during hakurei_bind_wayland_fd. + // An Error represents a failure during [New]. Error struct { // Where the failure occurred. Cause Res @@ -68,6 +68,13 @@ const ( RBind Res = C.HAKUREI_WAYLAND_BIND // RListen is returned if listen failed. The global errno is set. RListen Res = C.HAKUREI_WAYLAND_LISTEN + + // RHostCreate is returned if ensuring pathname availability failed. Returned by [New]. + RHostCreate Res = C.HAKUREI_WAYLAND_HOST_CREAT + // RHostSocket is returned if socket failed for host server. Returned by [New]. + RHostSocket Res = C.HAKUREI_WAYLAND_HOST_SOCKET + // RHostConnect is returned if connect failed for host server. Returned by [New]. + RHostConnect Res = C.HAKUREI_WAYLAND_HOST_CONNECT ) func (e *Error) Unwrap() error { return e.Errno } @@ -95,6 +102,16 @@ func (e *Error) Error() string { } return e.Errno.Error() + case RHostCreate: + if e.Errno == nil { + return "cannot ensure wayland pathname socket" + } + return e.Errno.Error() + case RHostSocket: + return e.withPrefix("socket for host wayland server") + case RHostConnect: + return e.withPrefix("connect to host wayland server") + default: return e.withPrefix("impossible outcome") /* not reached */ } diff --git a/internal/wayland/wayland_test.go b/internal/wayland/wayland_test.go index 059ce10..a74d749 100644 --- a/internal/wayland/wayland_test.go +++ b/internal/wayland/wayland_test.go @@ -1,6 +1,7 @@ package wayland_test import ( + "os" "syscall" "testing" @@ -58,6 +59,25 @@ func TestError(t *testing.T) { Cause: wayland.RSocket, }, "socket operation failed"}, + {"host create", wayland.Error{ + Cause: wayland.RHostCreate, + }, "cannot ensure wayland pathname socket"}, + + {"host create path", wayland.Error{ + Cause: wayland.RHostCreate, + Errno: &os.PathError{Op: "create", Path: "/proc/nonexistent", Err: syscall.EEXIST}, + }, "create /proc/nonexistent: file exists"}, + + {"host socket", wayland.Error{ + Cause: wayland.RHostSocket, + Errno: stub.UniqueError(5), + }, "socket for host wayland server: unique error 5 injected by the test suite"}, + + {"host connect", wayland.Error{ + Cause: wayland.RHostConnect, + Errno: stub.UniqueError(6), + }, "connect to host wayland server: unique error 6 injected by the test suite"}, + {"invalid", wayland.Error{ Cause: 0xbad, }, "impossible outcome"}, diff --git a/system/wayland/deprecated.go b/system/wayland/deprecated.go index e544597..3eddbf7 100644 --- a/system/wayland/deprecated.go +++ b/system/wayland/deprecated.go @@ -15,6 +15,9 @@ import ( "hakurei.app/internal/wayland" ) +//go:linkname bindWaylandFd hakurei.app/internal/wayland.bindWaylandFd +func bindWaylandFd(socketPath string, fd uintptr, appID, instanceID string, syncFd uintptr) error + // Conn represents a connection to the wayland display server. // // Deprecated: this interface is being replaced. @@ -60,9 +63,6 @@ func (c *Conn) Close() error { return nil } -//go:linkname bindRawConn hakurei.app/internal/wayland.bindRawConn -func bindRawConn(done chan struct{}, rc syscall.RawConn, p, appID, instanceID string) ([2]int, error) - // Bind binds the new socket to pathname. func (c *Conn) Bind(pathname, appID, instanceID string) (*os.File, error) { c.mu.Lock() @@ -88,6 +88,47 @@ func (c *Conn) Bind(pathname, appID, instanceID string) (*os.File, error) { } } +func bindRawConn(done chan struct{}, rc syscall.RawConn, p, appID, instanceID string) ([2]int, error) { + var closeFds [2]int + if err := syscall.Pipe2(closeFds[0:], syscall.O_CLOEXEC); err != nil { + return closeFds, err + } + + setupDone := make(chan error, 1) // does not block with c.done + + go func() { + if err := rc.Control(func(fd uintptr) { + // allow the Bind method to return after setup + setupDone <- bind(fd, p, appID, instanceID, uintptr(closeFds[1])) + close(setupDone) + + // keep socket alive until done is requested + <-done + }); err != nil { + setupDone <- err + } + + // notify Close that rc.Control has returned + close(done) + }() + + // return write end of the pipe + return closeFds, <-setupDone +} + +func bind(fd uintptr, p, appID, instanceID string, syncFd uintptr) error { + // ensure p is available + if f, err := os.Create(p); err != nil { + return err + } else if err = f.Close(); err != nil { + return err + } else if err = os.Remove(p); err != nil { + return err + } + + return bindWaylandFd(p, fd, appID, instanceID, syncFd) +} + const ( // WaylandDisplay contains the name of the server socket // (https://gitlab.freedesktop.org/wayland/wayland/-/blob/1.23.1/src/wayland-client.c#L1147)