security/hakurei
security/hakurei
4
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

hst/fs: rename method Target to Path
All checks were successful
Test / Create distribution (push) Successful in 32s
Details
Test / Sandbox (push) Successful in 2m7s
Details
Test / Hakurei (push) Successful in 3m7s
Details
Test / Hpkg (push) Successful in 3m50s
Details
Test / Sandbox (race detector) (push) Successful in 4m17s
Details
Test / Hakurei (race detector) (push) Successful in 5m3s
Details
Test / Flake checks (push) Successful in 1m27s
Details

Browse Source 
This allows adapter structs to use the same field names as Op structs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-08-16 02:06:41 +09:00
parent 4ffeec3004
commit 8dd3e1ee5d
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
15 changed files with 152 additions and 152 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
cmd/hpkg/app.go
View File

@ -91,14 +91,14 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
Tty: app.Tty || flagDropShell,
MapRealUID: app.MapRealUID,
Filesystem: []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{Src: pathSet.nixPath.Append("store"), Dst: pathNixStore}},
{FilesystemConfig: &hst.FSBind{Src: pathSet.metaPath, Dst: hst.AbsTmp.Append("app")}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("block"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("bus"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("class"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("dev"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("devices"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
{FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsTmp.Append("app")}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("block"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("bus"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("class"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("dev"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("devices"), Optional: true}},
},
Link: []hst.LinkConfig{
{pathCurrentSystem, app.CurrentSystem.String()},

14
cmd/hpkg/main.go
View File

@ -275,12 +275,12 @@ func main() {
"path:" + a.NixGL + "#nixVulkanNvidia",
}, true, func(config *hst.Config) *hst.Config {
config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("block"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("bus"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("class"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("dev"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("devices"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("block"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("bus"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("class"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("dev"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("devices"), Optional: true}},
}...)
appendGPUFilesystem(config)
return config
@ -308,7 +308,7 @@ func main() {
if a.GPU {
config.Container.Filesystem = append(config.Container.Filesystem,
hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: pathSet.nixPath.Append(".nixGL"), Dst: hst.AbsTmp.Append("nixGL")}})
hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append(".nixGL"), Target: hst.AbsTmp.Append("nixGL")}})
appendGPUFilesystem(config)
}

36
cmd/hpkg/paths.go
View File

@ -89,28 +89,28 @@ func pathSetByApp(id string) *appPathSet {
func appendGPUFilesystem(config *hst.Config) {
config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
// mali
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("mali"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("mali0"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("umplock"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("mali"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("mali0"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("umplock"), Device: true, Optional: true}},
// nvidia
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidiactl"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia-modeset"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidiactl"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia-modeset"), Device: true, Optional: true}},
// nvidia OpenCL/CUDA
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia-uvm"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia-uvm-tools"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia-uvm"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia-uvm-tools"), Device: true, Optional: true}},
// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia0"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia1"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia2"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia3"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia4"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia5"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia6"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia7"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia8"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia9"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia10"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia11"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia12"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia13"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia14"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia15"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia16"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia17"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia18"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia19"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia0"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia1"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia2"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia3"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia4"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia5"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia6"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia7"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia8"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia9"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia10"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia11"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia12"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia13"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia14"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia15"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia16"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia17"), Device: true, Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia18"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("nvidia19"), Device: true, Optional: true}},
}...)
}

6
cmd/hpkg/with.go
View File

@ -49,7 +49,7 @@ func withNixDaemon(
SeccompFlags: seccomp.AllowMultiarch,
Tty: dropShell,
Filesystem: []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{Src: pathSet.nixPath, Dst: pathNix, Write: true}},
{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
},
Link: []hst.LinkConfig{
{pathCurrentSystem, app.CurrentSystem.String()},
@ -89,8 +89,8 @@ func withCacheDir(
SeccompFlags: seccomp.AllowMultiarch,
Tty: dropShell,
Filesystem: []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{Src: workDir.Append("nix"), Dst: pathNix}},
{FilesystemConfig: &hst.FSBind{Src: workDir, Dst: hst.AbsTmp.Append("bundle")}},
{FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},
{FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsTmp.Append("bundle")}},
},
Link: []hst.LinkConfig{
{pathCurrentSystem, app.CurrentSystem.String()},

8
hst/fs.go
View File

@ -13,11 +13,11 @@ import (
type FilesystemConfig interface {
// Valid returns whether the configuration is valid.
Valid() bool
// Target returns the pathname of the mount point in the container.
Target() *container.Absolute
// Host returns a slice of all host paths used by this mount point.
// Path returns the target path in the container.
Path() *container.Absolute
// Host returns a slice of all host paths used by this operation.
Host() []*container.Absolute
// Apply appends the [container.Op] implementing this mount point.
// Apply appends the [container.Op] implementing this operation.
Apply(ops *container.Ops)
fmt.Stringer

20
hst/fs_test.go
View File

@ -41,8 +41,8 @@ func TestFilesystemConfigJSON(t *testing.T) {
{"bind", hst.FilesystemConfigJSON{
FilesystemConfig: &hst.FSBind{
Dst: m("/etc"),
Src: m("/mnt/etc"),
Target: m("/etc"),
Source: m("/mnt/etc"),
Optional: true,
},
}, nil,
@ -51,7 +51,7 @@ func TestFilesystemConfigJSON(t *testing.T) {
{"ephemeral", hst.FilesystemConfigJSON{
FilesystemConfig: &hst.FSEphemeral{
Dst: m("/run/user/65534"),
Target: m("/run/user/65534"),
Write: true,
Size: 1 << 10,
Perm: 0700,
@ -62,7 +62,7 @@ func TestFilesystemConfigJSON(t *testing.T) {
{"overlay", hst.FilesystemConfigJSON{
FilesystemConfig: &hst.FSOverlay{
Dst: m("/nix/store"),
Target: m("/nix/store"),
Lower: ms("/mnt-root/nix/.ro-store"),
Upper: m("/mnt-root/nix/.rw-store/upper"),
Work: m("/mnt-root/nix/.rw-store/work"),
@ -159,7 +159,7 @@ func TestFilesystemConfigJSON(t *testing.T) {
t.Errorf("Valid: %v, want false", got)
}
if got := (&hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: m("/etc")}}).Valid(); !got {
if got := (&hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: m("/etc")}}).Valid(); !got {
t.Errorf("Valid: %v, want true", got)
}
})
@ -207,7 +207,7 @@ type stubFS struct {
}
func (s stubFS) Valid() bool { return false }
func (s stubFS) Target() *container.Absolute { panic("unreachable") }
func (s stubFS) Path() *container.Absolute { panic("unreachable") }
func (s stubFS) Host() []*container.Absolute { panic("unreachable") }
func (s stubFS) Apply(*container.Ops) { panic("unreachable") }
func (s stubFS) String() string { return "<invalid " + s.typeName + ">" }
@ -222,7 +222,7 @@ type fsTestCase struct {
fs hst.FilesystemConfig
valid bool
ops container.Ops
target *container.Absolute
path *container.Absolute
host []*container.Absolute
str string
}
@ -252,9 +252,9 @@ func checkFs(t *testing.T, testCases []fsTestCase) {
}
})
t.Run("target", func(t *testing.T) {
if got := tc.fs.Target(); !reflect.DeepEqual(got, tc.target) {
t.Errorf("Target: %q, want %q", got, tc.target)
t.Run("path", func(t *testing.T) {
if got := tc.fs.Path(); !reflect.DeepEqual(got, tc.path) {
t.Errorf("Target: %q, want %q", got, tc.path)
}
})

36
hst/fsbind.go
View File

@ -15,9 +15,9 @@ const FilesystemBind = "bind"
// FSBind represents a host to container bind mount.
type FSBind struct {
// mount point in container, same as src if empty
Dst *container.Absolute `json:"dst,omitempty"`
Target *container.Absolute `json:"dst,omitempty"`
// host filesystem path to make available to the container
Src *container.Absolute `json:"src"`
Source *container.Absolute `json:"src"`
// do not mount filesystem read-only
Write bool `json:"write,omitempty"`
// do not disable device files, implies Write
@ -26,23 +26,23 @@ type FSBind struct {
Optional bool `json:"optional,omitempty"`
}
func (b *FSBind) Valid() bool { return b != nil && b.Src != nil }
func (b *FSBind) Valid() bool { return b != nil && b.Source != nil }
func (b *FSBind) Target() *container.Absolute {
func (b *FSBind) Path() *container.Absolute {
if !b.Valid() {
return nil
}
if b.Dst == nil {
return b.Src
if b.Target == nil {
return b.Source
}
return b.Dst
return b.Target
}
func (b *FSBind) Host() []*container.Absolute {
if !b.Valid() {
return nil
}
return []*container.Absolute{b.Src}
return []*container.Absolute{b.Source}
}
func (b *FSBind) Apply(ops *container.Ops) {
@ -50,9 +50,9 @@ func (b *FSBind) Apply(ops *container.Ops) {
return
}
dst := b.Dst
if dst == nil {
dst = b.Src
target := b.Target
if target == nil {
target = b.Source
}
var flags int
if b.Write {
@ -64,7 +64,7 @@ func (b *FSBind) Apply(ops *container.Ops) {
if b.Optional {
flags |= container.BindOptional
}
ops.Bind(b.Src, dst, flags)
ops.Bind(b.Source, target, flags)
}
func (b *FSBind) String() string {
@ -73,9 +73,9 @@ func (b *FSBind) String() string {
return "<invalid>"
}
g += len(b.Src.String())
if b.Dst != nil {
g += len(b.Dst.String())
g += len(b.Source.String())
if b.Target != nil {
g += len(b.Target.String())
}
expr := new(strings.Builder)
@ -93,9 +93,9 @@ func (b *FSBind) String() string {
expr.WriteString("+")
}
expr.WriteString(b.Src.String())
if b.Dst != nil {
expr.WriteString(":" + b.Dst.String())
expr.WriteString(b.Source.String())
if b.Target != nil {
expr.WriteString(":" + b.Target.String())
}
return expr.String()

18
hst/fsbind_test.go
View File

@ -12,8 +12,8 @@ func TestFSBind(t *testing.T) {
{"nil", (*hst.FSBind)(nil), false, nil, nil, nil, "<invalid>"},
{"full", &hst.FSBind{
Dst: m("/dev"),
Src: m("/mnt/dev"),
Target: m("/dev"),
Source: m("/mnt/dev"),
Optional: true,
Device: true,
}, true, container.Ops{&container.BindMountOp{
@ -24,8 +24,8 @@ func TestFSBind(t *testing.T) {
"d+/mnt/dev:/dev"},
{"full write dev", &hst.FSBind{
Dst: m("/dev"),
Src: m("/mnt/dev"),
Target: m("/dev"),
Source: m("/mnt/dev"),
Write: true,
Device: true,
}, true, container.Ops{&container.BindMountOp{
@ -36,8 +36,8 @@ func TestFSBind(t *testing.T) {
"d*/mnt/dev:/dev"},
{"full write", &hst.FSBind{
Dst: m("/tmp"),
Src: m("/mnt/tmp"),
Target: m("/tmp"),
Source: m("/mnt/tmp"),
Write: true,
}, true, container.Ops{&container.BindMountOp{
Source: m("/mnt/tmp"),
@ -47,8 +47,8 @@ func TestFSBind(t *testing.T) {
"w*/mnt/tmp:/tmp"},
{"full no flags", &hst.FSBind{
Dst: m("/etc"),
Src: m("/mnt/etc"),
Target: m("/etc"),
Source: m("/mnt/etc"),
}, true, container.Ops{&container.BindMountOp{
Source: m("/mnt/etc"),
Target: m("/etc"),
@ -56,7 +56,7 @@ func TestFSBind(t *testing.T) {
"*/mnt/etc:/etc"},
{"nil dst", &hst.FSBind{
Src: m("/"),
Source: m("/"),
}, true, container.Ops{&container.BindMountOp{
Source: m("/"),
Target: m("/"),

16
hst/fsephemeral.go
View File

@ -16,7 +16,7 @@ const FilesystemEphemeral = "ephemeral"
// FSEphemeral represents an ephemeral container mount point.
type FSEphemeral struct {
// mount point in container
Dst *container.Absolute `json:"dst,omitempty"`
Target *container.Absolute `json:"dst,omitempty"`
// do not mount filesystem read-only
Write bool `json:"write,omitempty"`
// upper limit on the size of the filesystem
@ -25,13 +25,13 @@ type FSEphemeral struct {
Perm os.FileMode `json:"perm,omitempty"`
}
func (e *FSEphemeral) Valid() bool { return e != nil && e.Dst != nil }
func (e *FSEphemeral) Valid() bool { return e != nil && e.Target != nil }
func (e *FSEphemeral) Target() *container.Absolute {
func (e *FSEphemeral) Path() *container.Absolute {
if !e.Valid() {
return nil
}
return e.Dst
return e.Target
}
func (e *FSEphemeral) Host() []*container.Absolute { return nil }
@ -54,9 +54,9 @@ func (e *FSEphemeral) Apply(ops *container.Ops) {
}
if e.Write {
ops.Tmpfs(e.Dst, size, perm)
ops.Tmpfs(e.Target, size, perm)
} else {
ops.Readonly(e.Dst, perm)
ops.Readonly(e.Target, perm)
}
}
@ -66,7 +66,7 @@ func (e *FSEphemeral) String() string {
}
expr := new(strings.Builder)
expr.Grow(15 + len(FilesystemEphemeral) + len(e.Dst.String()))
expr.Grow(15 + len(FilesystemEphemeral) + len(e.Target.String()))
if e.Write {
expr.WriteString("w")
@ -77,7 +77,7 @@ func (e *FSEphemeral) String() string {
} else {
expr.WriteString(fsEphemeralDefaultPerm.String())
}
expr.WriteString("):" + e.Dst.String())
expr.WriteString("):" + e.Target.String())
return expr.String()
}

6
hst/fsephemeral_test.go
View File

@ -13,7 +13,7 @@ func TestFSEphemeral(t *testing.T) {
{"nil", (*hst.FSEphemeral)(nil), false, nil, nil, nil, "<invalid>"},
{"full", &hst.FSEphemeral{
Dst: m("/run/user/65534"),
Target: m("/run/user/65534"),
Write: true,
Size: 1 << 10,
Perm: 0700,
@ -26,7 +26,7 @@ func TestFSEphemeral(t *testing.T) {
}}, m("/run/user/65534"), nil,
"w+ephemeral(-rwx------):/run/user/65534"},
{"cover ro", &hst.FSEphemeral{Dst: m("/run/nscd")}, true,
{"cover ro", &hst.FSEphemeral{Target: m("/run/nscd")}, true,
container.Ops{&container.MountTmpfsOp{
FSName: "readonly",
Path: m("/run/nscd"),
@ -36,7 +36,7 @@ func TestFSEphemeral(t *testing.T) {
"+ephemeral(-rwxr-xr-x):/run/nscd"},
{"negative size", &hst.FSEphemeral{
Dst: hst.AbsTmp,
Target: hst.AbsTmp,
Write: true,
Size: -1,
}, true, container.Ops{&container.MountTmpfsOp{

16
hst/fsoverlay.go
View File

@ -15,7 +15,7 @@ const FilesystemOverlay = "overlay"
// FSOverlay represents an overlay mount point.
type FSOverlay struct {
// mount point in container
Dst *container.Absolute `json:"dst"`
Target *container.Absolute `json:"dst"`
// any filesystem, does not need to be on a writable filesystem, must not be nil
Lower []*container.Absolute `json:"lower"`
@ -26,7 +26,7 @@ type FSOverlay struct {
}
func (o *FSOverlay) Valid() bool {
if o == nil || o.Dst == nil {
if o == nil || o.Target == nil {
return false
}
@ -43,11 +43,11 @@ func (o *FSOverlay) Valid() bool {
}
}
func (o *FSOverlay) Target() *container.Absolute {
func (o *FSOverlay) Path() *container.Absolute {
if !o.Valid() {
return nil
}
return o.Dst
return o.Target
}
func (o *FSOverlay) Host() []*container.Absolute {
@ -68,9 +68,9 @@ func (o *FSOverlay) Apply(op *container.Ops) {
}
if o.Upper != nil && o.Work != nil { // rw
op.Overlay(o.Dst, o.Upper, o.Work, o.Lower...)
op.Overlay(o.Target, o.Upper, o.Work, o.Lower...)
} else { // ro
op.OverlayReadonly(o.Dst, o.Lower...)
op.OverlayReadonly(o.Target, o.Lower...)
}
}
@ -86,13 +86,13 @@ func (o *FSOverlay) String() string {
if o.Upper != nil && o.Work != nil {
return "w*" + strings.Join(append([]string{
container.EscapeOverlayDataSegment(o.Dst.String()),
container.EscapeOverlayDataSegment(o.Target.String()),
container.EscapeOverlayDataSegment(o.Upper.String()),
container.EscapeOverlayDataSegment(o.Work.String())},
lower...), container.SpecialOverlayPath)
} else {
return "*" + strings.Join(append([]string{
container.EscapeOverlayDataSegment(o.Dst.String())},
container.EscapeOverlayDataSegment(o.Target.String())},
lower...), container.SpecialOverlayPath)
}
}

14
hst/fsoverlay_test.go
View File

@ -10,13 +10,13 @@ import (
func TestFSOverlay(t *testing.T) {
checkFs(t, []fsTestCase{
{"nil", (*hst.FSOverlay)(nil), false, nil, nil, nil, "<invalid>"},
{"nil lower", &hst.FSOverlay{Dst: m("/etc"), Lower: []*container.Absolute{nil}}, false, nil, nil, nil, "<invalid>"},
{"zero lower", &hst.FSOverlay{Dst: m("/etc"), Upper: m("/"), Work: m("/")}, false, nil, nil, nil, "<invalid>"},
{"zero lower ro", &hst.FSOverlay{Dst: m("/etc")}, false, nil, nil, nil, "<invalid>"},
{"short lower", &hst.FSOverlay{Dst: m("/etc"), Lower: ms("/etc")}, false, nil, nil, nil, "<invalid>"},
{"nil lower", &hst.FSOverlay{Target: m("/etc"), Lower: []*container.Absolute{nil}}, false, nil, nil, nil, "<invalid>"},
{"zero lower", &hst.FSOverlay{Target: m("/etc"), Upper: m("/"), Work: m("/")}, false, nil, nil, nil, "<invalid>"},
{"zero lower ro", &hst.FSOverlay{Target: m("/etc")}, false, nil, nil, nil, "<invalid>"},
{"short lower", &hst.FSOverlay{Target: m("/etc"), Lower: ms("/etc")}, false, nil, nil, nil, "<invalid>"},
{"full", &hst.FSOverlay{
Dst: m("/nix/store"),
Target: m("/nix/store"),
Lower: ms("/mnt-root/nix/.ro-store"),
Upper: m("/mnt-root/nix/.rw-store/upper"),
Work: m("/mnt-root/nix/.rw-store/work"),
@ -29,7 +29,7 @@ func TestFSOverlay(t *testing.T) {
"w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store"},
{"ro", &hst.FSOverlay{
Dst: m("/mnt/src"),
Target: m("/mnt/src"),
Lower: ms("/tmp/.src0", "/tmp/.src1"),
}, true, container.Ops{&container.MountOverlayOp{
Target: m("/mnt/src"),
@ -38,7 +38,7 @@ func TestFSOverlay(t *testing.T) {
"*/mnt/src:/tmp/.src0:/tmp/.src1"},
{"ro work", &hst.FSOverlay{
Dst: m("/mnt/src"),
Target: m("/mnt/src"),
Lower: ms("/tmp/.src0", "/tmp/.src1"),
Work: m("/tmp"),
}, true, container.Ops{&container.MountOverlayOp{

16
hst/template.go
View File

@ -78,19 +78,19 @@ func Template() *Config {
"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
},
Filesystem: []FilesystemConfigJSON{
{&FSEphemeral{Dst: container.AbsFHSTmp, Write: true, Perm: 0755}},
{&FSEphemeral{Target: container.AbsFHSTmp, Write: true, Perm: 0755}},
{&FSOverlay{
Dst: container.MustAbs("/nix/store"),
Target: container.MustAbs("/nix/store"),
Lower: []*container.Absolute{container.MustAbs("/mnt-root/nix/.ro-store")},
Upper: container.MustAbs("/mnt-root/nix/.rw-store/upper"),
Work: container.MustAbs("/mnt-root/nix/.rw-store/work"),
}},
{&FSBind{Src: container.MustAbs("/nix/store")}},
{&FSBind{Src: container.AbsFHSRun.Append("current-system")}},
{&FSBind{Src: container.AbsFHSRun.Append("opengl-driver")}},
{&FSBind{Src: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"),
Dst: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}},
{&FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
{&FSBind{Source: container.MustAbs("/nix/store")}},
{&FSBind{Source: container.AbsFHSRun.Append("current-system")}},
{&FSBind{Source: container.AbsFHSRun.Append("opengl-driver")}},
{&FSBind{Source: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"),
Target: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}},
{&FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
},
Link: []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}},
AutoRoot: container.AbsFHSVarLib.Append("hakurei/base/org.debian"),

22
internal/app/app_nixos_linux_test.go
View File

@ -29,17 +29,17 @@ var testCasesNixos = []sealTestCase{
Container: &hst.ContainerConfig{
Userns: true, Net: true, MapRealUID: true, Env: nil, AutoEtc: true,
Filesystem: []hst.FilesystemConfigJSON{
f(&hst.FSBind{Src: m("/bin")}),
f(&hst.FSBind{Src: m("/usr/bin/")}),
f(&hst.FSBind{Src: m("/nix/store")}),
f(&hst.FSBind{Src: m("/run/current-system")}),
f(&hst.FSBind{Src: m("/sys/block"), Optional: true}),
f(&hst.FSBind{Src: m("/sys/bus"), Optional: true}),
f(&hst.FSBind{Src: m("/sys/class"), Optional: true}),
f(&hst.FSBind{Src: m("/sys/dev"), Optional: true}),
f(&hst.FSBind{Src: m("/sys/devices"), Optional: true}),
f(&hst.FSBind{Src: m("/run/opengl-driver")}),
f(&hst.FSBind{Src: m("/dev/dri"), Device: true, Optional: true}),
f(&hst.FSBind{Source: m("/bin")}),
f(&hst.FSBind{Source: m("/usr/bin/")}),
f(&hst.FSBind{Source: m("/nix/store")}),
f(&hst.FSBind{Source: m("/run/current-system")}),
f(&hst.FSBind{Source: m("/sys/block"), Optional: true}),
f(&hst.FSBind{Source: m("/sys/bus"), Optional: true}),
f(&hst.FSBind{Source: m("/sys/class"), Optional: true}),
f(&hst.FSBind{Source: m("/sys/dev"), Optional: true}),
f(&hst.FSBind{Source: m("/sys/devices"), Optional: true}),
f(&hst.FSBind{Source: m("/run/opengl-driver")}),
f(&hst.FSBind{Source: m("/dev/dri"), Device: true, Optional: true}),
},
},
SystemBus: &dbus.Config{

6
internal/app/seal_linux.go
View File

@ -248,15 +248,15 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
// bind GPU stuff
if config.Enablements.Unwrap()&(system.EX11|system.EWayland) != 0 {
conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}})
conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}})
}
// opportunistically bind kvm
conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("kvm"), Device: true, Optional: true}})
conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSDev.Append("kvm"), Device: true, Optional: true}})
// hide nscd from container if present
nscd := container.AbsFHSVar.Append("run/nscd")
if _, err := sys.Stat(nscd.String()); !errors.Is(err, fs.ErrNotExist) {
conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSEphemeral{Dst: nscd}})
conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSEphemeral{Target: nscd}})
}
config.Container = conf