hst/config: remove symlink field

Closes #6.

Signed-off-by: Ophestra <cat@gensokyo.uk>
Ophestra 2025-08-25 22:21:16 +09:00
parent 26cafe3e80
commit 9585b35d5b
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
8 changed files with 68 additions and 105 deletions


@ -51,8 +51,8 @@ Filesystem
w+ephemeral(-rwxr-xr-x):/tmp/ w+ephemeral(-rwxr-xr-x):/tmp/
w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store
*/nix/store */nix/store
*/run/current-system &/run/current-system:*/run/current-system
*/run/opengl-driver &/run/opengl-driver:*/run/opengl-driver
w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium
d+/dev/dri d+/dev/dri
@ -128,8 +128,8 @@ Filesystem
w+ephemeral(-rwxr-xr-x):/tmp/ w+ephemeral(-rwxr-xr-x):/tmp/
w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store w*/nix/store:/mnt-root/nix/.rw-store/upper:/mnt-root/nix/.rw-store/work:/mnt-root/nix/.ro-store
*/nix/store */nix/store
*/run/current-system &/run/current-system:*/run/current-system
*/run/opengl-driver &/run/opengl-driver:*/run/opengl-driver
w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium
d+/dev/dri d+/dev/dri
@ -310,12 +310,16 @@ App
"src": "/nix/store" "src": "/nix/store"
}, },
{ {
"type": "bind", "type": "link",
"src": "/run/current-system" "dst": "/run/current-system",
"linkname": "/run/current-system",
"dereference": true
}, },
{ {
"type": "bind", "type": "link",
"src": "/run/opengl-driver" "dst": "/run/opengl-driver",
"linkname": "/run/opengl-driver",
"dereference": true
}, },
{ {
"type": "bind", "type": "bind",
@ -329,12 +333,6 @@ App
"dev": true, "dev": true,
"optional": true "optional": true
} }
],
"symlink": [
{
"target": "/run/user/65534",
"linkname": "/run/user/150"
}
] ]
} }
}, },
@ -468,12 +466,16 @@ App
"src": "/nix/store" "src": "/nix/store"
}, },
{ {
"type": "bind", "type": "link",
"src": "/run/current-system" "dst": "/run/current-system",
"linkname": "/run/current-system",
"dereference": true
}, },
{ {
"type": "bind", "type": "link",
"src": "/run/opengl-driver" "dst": "/run/opengl-driver",
"linkname": "/run/opengl-driver",
"dereference": true
}, },
{ {
"type": "bind", "type": "bind",
@ -487,12 +489,6 @@ App
"dev": true, "dev": true,
"optional": true "optional": true
} }
],
"symlink": [
{
"target": "/run/user/65534",
"linkname": "/run/user/150"
}
] ]
} }
} }
@ -680,12 +676,16 @@ func Test_printPs(t *testing.T) {
"src": "/nix/store" "src": "/nix/store"
}, },
{ {
"type": "bind", "type": "link",
"src": "/run/current-system" "dst": "/run/current-system",
"linkname": "/run/current-system",
"dereference": true
}, },
{ {
"type": "bind", "type": "link",
"src": "/run/opengl-driver" "dst": "/run/opengl-driver",
"linkname": "/run/opengl-driver",
"dereference": true
}, },
{ {
"type": "bind", "type": "bind",
@ -699,12 +699,6 @@ func Test_printPs(t *testing.T) {
"dev": true, "dev": true,
"optional": true "optional": true
} }
],
"symlink": [
{
"target": "/run/user/65534",
"linkname": "/run/user/150"
}
] ]
} }
}, },


@ -96,6 +96,9 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
Filesystem: []hst.FilesystemConfigJSON{ Filesystem: []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}}, {FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}}, {FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}},
{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
{FilesystemConfig: &hst.FSLink{Target: container.AbsFHSUsrBin, Linkname: pathSwBin.String()}},
{FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsTmp.Append("app")}}, {FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsTmp.Append("app")}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("block"), Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("block"), Optional: true}},
@ -104,11 +107,6 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("dev"), Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("dev"), Optional: true}},
{FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("devices"), Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("devices"), Optional: true}},
}, },
Link: []hst.LinkConfig{
{pathCurrentSystem, app.CurrentSystem.String()},
{pathBin, pathSwBin.String()},
{container.AbsFHSUsrBin, pathSwBin.String()},
},
}, },
ExtraPerms: []*hst.ExtraPermConfig{ ExtraPerms: []*hst.ExtraPermConfig{
{Path: dataHome, Execute: true}, {Path: dataHome, Execute: true},
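Review bot: The three `hst.FSLink` entries in `toHst` now sit in the middle of the `Filesystem` list, ahead of the `metaPath` and `resolv.conf` binds, whereas the `s.Link` loop this commit removes from `newContainer` ran only after every filesystem entry had been processed. If entries are applied in list order (the `Filesystem` field comment suggests position matters, at least for a first element targeting `/`), the position of these links is now part of the container layout and deserves a comment such as `// FSLink entries are applied in list order, no longer after all binds`. `toHst` starts and ends outside these hunks, so the rest of the list was not reviewed.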


@ -51,11 +51,9 @@ func withNixDaemon(
Filesystem: []hst.FilesystemConfigJSON{ Filesystem: []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}}, {FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: pathSet.cacheDir.Append("etc"), Special: true}},
{FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}}, {FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath, Target: pathNix, Write: true}},
}, {FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
Link: []hst.LinkConfig{ {FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
{pathCurrentSystem, app.CurrentSystem.String()}, {FilesystemConfig: &hst.FSLink{Target: container.AbsFHSUsrBin, Linkname: pathSwBin.String()}},
{pathBin, pathSwBin.String()},
{container.AbsFHSUsrBin, pathSwBin.String()},
}, },
}, },
}), dropShell, beforeFail) }), dropShell, beforeFail)
@ -90,13 +88,11 @@ func withCacheDir(
Filesystem: []hst.FilesystemConfigJSON{ Filesystem: []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: workDir.Append(container.FHSEtc), Special: true}}, {FilesystemConfig: &hst.FSBind{Target: container.AbsFHSEtc, Source: workDir.Append(container.FHSEtc), Special: true}},
{FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}}, {FilesystemConfig: &hst.FSBind{Source: workDir.Append("nix"), Target: pathNix}},
{FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}},
{FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}},
{FilesystemConfig: &hst.FSLink{Target: container.AbsFHSUsrBin, Linkname: pathSwBin.String()}},
{FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsTmp.Append("bundle")}}, {FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsTmp.Append("bundle")}},
}, },
Link: []hst.LinkConfig{
{pathCurrentSystem, app.CurrentSystem.String()},
{pathBin, pathSwBin.String()},
{container.AbsFHSUsrBin, pathSwBin.String()},
},
}, },
}, dropShell, beforeFail) }, dropShell, beforeFail)
} }
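Review bot: The same three `hst.FSLink` literals (`pathCurrentSystem`, `pathBin`, `container.AbsFHSUsrBin`) are written out in both `withNixDaemon` and `withCacheDir` here and a third time in `toHst`, so a later edit to one copy can leave the containers with differing link sets. A small unexported helper that takes the app value and returns the three `hst.FilesystemConfigJSON` entries would keep them in step, with each call site appending its own binds around it. Both functions extend beyond the hunks shown, so the type of `app` at these call sites should be confirmed before sharing the helper.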


@ -96,16 +96,6 @@ type (
// container mount points; // container mount points;
// if the first element targets /, it is inserted early and excluded from path hiding // if the first element targets /, it is inserted early and excluded from path hiding
Filesystem []FilesystemConfigJSON `json:"filesystem"` Filesystem []FilesystemConfigJSON `json:"filesystem"`
// create symlinks inside container filesystem
Link []LinkConfig `json:"symlink"`
}
LinkConfig struct {
// symlink target in container
Target *container.Absolute `json:"target"`
// linkname the symlink points to;
// prepend '*' to dereference an absolute pathname on host
Linkname string `json:"linkname"`
} }
) )


@ -107,13 +107,12 @@ func Template() *Config {
Work: container.MustAbs("/mnt-root/nix/.rw-store/work"), Work: container.MustAbs("/mnt-root/nix/.rw-store/work"),
}}, }},
{&FSBind{Source: container.MustAbs("/nix/store")}}, {&FSBind{Source: container.MustAbs("/nix/store")}},
{&FSBind{Source: container.AbsFHSRun.Append("current-system")}}, {&FSLink{Target: container.AbsFHSRun.Append("current-system"), Linkname: "/run/current-system", Dereference: true}},
{&FSBind{Source: container.AbsFHSRun.Append("opengl-driver")}}, {&FSLink{Target: container.AbsFHSRun.Append("opengl-driver"), Linkname: "/run/opengl-driver", Dereference: true}},
{&FSBind{Source: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"), {&FSBind{Source: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"),
Target: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}}, Target: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}},
{&FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}}, {&FSBind{Source: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
}, },
Link: []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}},
}, },
} }
} }
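Review bot: `Template()` loses its only plain (non-dereferenced) link: the removed `Link` entry from `/run/user/65534` to `/run/user/150` has no `FSLink` replacement, so the template and the JSON fixtures derived from it now exercise `FSLink` only with `Dereference: true`. Keeping it as `{&FSLink{Target: container.AbsFHSRunUser.Append("65534"), Linkname: container.FHSRunUser + "150"}},` would preserve that coverage, with the matching entry added to the expected JSON in the print and template tests. Separately, the `/run/current-system` and `/run/opengl-driver` entries change from `FSBind` to dereferenced links, which goes beyond removing the `symlink` field and merits a line in the commit message, since a dereferenced link presumably depends on what the host pathname resolves to when the container is set up.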


@ -135,12 +135,16 @@ func TestTemplate(t *testing.T) {
"src": "/nix/store" "src": "/nix/store"
}, },
{ {
"type": "bind", "type": "link",
"src": "/run/current-system" "dst": "/run/current-system",
"linkname": "/run/current-system",
"dereference": true
}, },
{ {
"type": "bind", "type": "link",
"src": "/run/opengl-driver" "dst": "/run/opengl-driver",
"linkname": "/run/opengl-driver",
"dereference": true
}, },
{ {
"type": "bind", "type": "bind",
@ -154,12 +158,6 @@ func TestTemplate(t *testing.T) {
"dev": true, "dev": true,
"optional": true "optional": true
} }
],
"symlink": [
{
"target": "/run/user/65534",
"linkname": "/run/user/150"
}
] ]
} }
}` }`


@ -44,7 +44,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
AutoEtcPrefix: prefix, AutoEtcPrefix: prefix,
} }
{ {
ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)) ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem))
params.Ops = &ops params.Ops = &ops
as.Ops = &ops as.Ops = &ops
} }
@ -231,19 +231,6 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
} }
} }
for i, l := range s.Link {
if l.Target == nil || l.Linkname == "" {
return nil, nil, fmt.Errorf("invalid link at index %d", i)
}
linkname := l.Linkname
var dereference bool
if linkname[0] == '*' && path.IsAbs(linkname[1:]) {
linkname = linkname[1:]
dereference = true
}
params.Link(l.Target, linkname, dereference)
}
// no more ContainerConfig paths beyond this point // no more ContainerConfig paths beyond this point
if !s.Device { if !s.Device {
params.Remount(container.AbsFHSDev, syscall.MS_RDONLY) params.Remount(container.AbsFHSDev, syscall.MS_RDONLY)
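Review bot: With the `s.Link` loop gone from `newContainer`, nothing visible in this function rejects a link with a nil target or an empty linkname any more, and the `*` prefix is no longer interpreted. That is fine only if `FSLink` performs the equivalent checks when it is applied, which cannot be confirmed from these hunks. A configuration file that still carries the `symlink` key is a related concern: unless decoding rejects unknown fields, those links would be dropped without any message, and for a sandbox configuration a loud failure is safer than a silently different filesystem. A short comment at the filesystem loop saying where link validation now lives, plus a migration note for the removed key, would cover both. `newContainer` starts and ends outside these hunks.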


@ -188,28 +188,29 @@ in
src = "/etc/"; src = "/etc/";
special = true; special = true;
} }
];
symlink = [
{
target = "/run/current-system";
linkname = "*/run/current-system";
}
]
++ optionals (isGraphical && config.hardware.graphics.enable) (
[
{ {
target = "/run/opengl-driver"; type = "link";
linkname = config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver"."L+".argument; dst = "/run/current-system";
linkname = "/run/current-system";
dereference = true;
} }
] ]
++ optionals (app.multiarch && config.hardware.graphics.enable32Bit) [ ++ optionals (isGraphical && config.hardware.graphics.enable) (
{ [
target = "/run/opengl-driver-32"; {
linkname = config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver-32"."L+".argument; type = "link";
} dst = "/run/opengl-driver";
] linkname = config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver"."L+".argument;
); }
]
++ optionals (app.multiarch && config.hardware.graphics.enable32Bit) [
{
type = "link";
dst = "/run/opengl-driver-32";
linkname = config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver-32"."L+".argument;
}
]
);
}; };
}; };