diff --git a/cmd/hakurei/print.go b/cmd/hakurei/print.go index af053d0..105a1e4 100644 --- a/cmd/hakurei/print.go +++ b/cmd/hakurei/print.go @@ -128,42 +128,11 @@ func printShowInstance( if config.Container != nil && len(config.Container.Filesystem) > 0 { t.Printf("Filesystem\n") for _, f := range config.Container.Filesystem { - g := 4 - if f.Src == nil { + if !f.Valid() { t.Println(" ") continue - } else { - g += len(f.Src.String()) } - if f.Dst != nil { - g += len(f.Dst.String()) - } - - expr := new(strings.Builder) - expr.Grow(g) - - if f.Device { - expr.WriteString(" d") - } else if f.Write { - expr.WriteString(" w") - } else { - expr.WriteString(" ") - } - if f.Must { - expr.WriteString("*") - } else { - expr.WriteString("+") - } - src := f.Src.String() - if src != container.Nonexistent { - expr.WriteString(src) - } else { - expr.WriteString("tmpfs") - } - if f.Dst != nil { - expr.WriteString(":" + f.Dst.String()) - } - t.Printf("%s\n", expr.String()) + t.Printf(" %s\n", f) } t.Printf("\n") } diff --git a/cmd/hakurei/print_test.go b/cmd/hakurei/print_test.go index 6f4a675..c72e7ab 100644 --- a/cmd/hakurei/print_test.go +++ b/cmd/hakurei/print_test.go @@ -48,11 +48,10 @@ func Test_printShowInstance(t *testing.T) { Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland Filesystem - w+tmpfs:/tmp/ - +/nix/store - +/run/current-system - +/run/opengl-driver - +/var/db/nix-channels + w+ephemeral(-rwxr-xr-x):/tmp/ + */nix/store + */run/current-system + */run/opengl-driver w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium d+/dev/dri @@ -86,7 +85,7 @@ App Etc: /etc/ `}, - {"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfig, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `App + {"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `App Identity: 0 Enablements: (no enablements) Flags: none @@ -127,11 +126,10 @@ App Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland Filesystem - w+tmpfs:/tmp/ - +/nix/store - +/run/current-system - +/run/opengl-driver - +/var/db/nix-channels + w+ephemeral(-rwxr-xr-x):/tmp/ + */nix/store + */run/current-system + */run/opengl-driver w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium d+/dev/dri @@ -275,31 +273,34 @@ App "device": true, "filesystem": [ { + "type": "ephemeral", "dst": "/tmp/", - "src": "/proc/nonexistent", - "write": true + "write": true, + "perm": 493 }, { + "type": "bind", "src": "/nix/store" }, { + "type": "bind", "src": "/run/current-system" }, { + "type": "bind", "src": "/run/opengl-driver" }, { - "src": "/var/db/nix-channels" - }, - { + "type": "bind", "dst": "/data/data/org.chromium.Chromium", "src": "/var/lib/hakurei/u0/org.chromium.Chromium", - "write": true, - "require": true + "write": true }, { + "type": "bind", "src": "/dev/dri", - "dev": true + "dev": true, + "optional": true } ], "symlink": [ @@ -407,31 +408,34 @@ App "device": true, "filesystem": [ { + "type": "ephemeral", "dst": "/tmp/", - "src": "/proc/nonexistent", - "write": true + "write": true, + "perm": 493 }, { + "type": "bind", "src": "/nix/store" }, { + "type": "bind", "src": "/run/current-system" }, { + "type": "bind", "src": "/run/opengl-driver" }, { - "src": "/var/db/nix-channels" - }, - { + "type": "bind", "dst": "/data/data/org.chromium.Chromium", "src": "/var/lib/hakurei/u0/org.chromium.Chromium", - "write": true, - "require": true + "write": true }, { + "type": "bind", "src": "/dev/dri", - "dev": true + "dev": true, + "optional": true } ], "symlink": [ @@ -593,31 +597,34 @@ func Test_printPs(t *testing.T) { "device": true, "filesystem": [ { + "type": "ephemeral", "dst": "/tmp/", - "src": "/proc/nonexistent", - "write": true + "write": true, + "perm": 493 }, { + "type": "bind", "src": "/nix/store" }, { + "type": "bind", "src": "/run/current-system" }, { + "type": "bind", "src": "/run/opengl-driver" }, { - "src": "/var/db/nix-channels" - }, - { + "type": "bind", "dst": "/data/data/org.chromium.Chromium", "src": "/var/lib/hakurei/u0/org.chromium.Chromium", - "write": true, - "require": true + "write": true }, { + "type": "bind", "src": "/dev/dri", - "dev": true + "dev": true, + "optional": true } ], "symlink": [ diff --git a/cmd/hpkg/app.go b/cmd/hpkg/app.go index 705b393..131f839 100644 --- a/cmd/hpkg/app.go +++ b/cmd/hpkg/app.go @@ -91,15 +91,15 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg Device: app.Device, Tty: app.Tty || flagDropShell, MapRealUID: app.MapRealUID, - Filesystem: []hst.FilesystemConfig{ - {Src: pathSet.nixPath.Append("store"), Dst: pathNixStore, Must: true}, - {Src: pathSet.metaPath, Dst: hst.AbsTmp.Append("app"), Must: true}, - {Src: container.AbsFHSEtc.Append("resolv.conf")}, - {Src: container.AbsFHSSys.Append("block")}, - {Src: container.AbsFHSSys.Append("bus")}, - {Src: container.AbsFHSSys.Append("class")}, - {Src: container.AbsFHSSys.Append("dev")}, - {Src: container.AbsFHSSys.Append("devices")}, + Filesystem: []hst.FilesystemConfigJSON{ + {FilesystemConfig: &hst.FSBind{Src: pathSet.nixPath.Append("store"), Dst: pathNixStore}}, + {FilesystemConfig: &hst.FSBind{Src: pathSet.metaPath, Dst: hst.AbsTmp.Append("app")}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("block"), Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("bus"), Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("class"), Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("dev"), Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("devices"), Optional: true}}, }, Link: []hst.LinkConfig{ {pathCurrentSystem, app.CurrentSystem.String()}, diff --git a/cmd/hpkg/main.go b/cmd/hpkg/main.go index b8d6304..15d0db1 100644 --- a/cmd/hpkg/main.go +++ b/cmd/hpkg/main.go @@ -274,13 +274,13 @@ func main() { "--override-input nixpkgs path:/etc/nixpkgs " + "path:" + a.NixGL + "#nixVulkanNvidia", }, true, func(config *hst.Config) *hst.Config { - config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfig{ - {Src: container.AbsFHSEtc.Append("resolv.conf")}, - {Src: container.AbsFHSSys.Append("block")}, - {Src: container.AbsFHSSys.Append("bus")}, - {Src: container.AbsFHSSys.Append("class")}, - {Src: container.AbsFHSSys.Append("dev")}, - {Src: container.AbsFHSSys.Append("devices")}, + config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{ + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("block"), Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("bus"), Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("class"), Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("dev"), Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("devices"), Optional: true}}, }...) appendGPUFilesystem(config) return config @@ -308,7 +308,7 @@ func main() { if a.GPU { config.Container.Filesystem = append(config.Container.Filesystem, - hst.FilesystemConfig{Src: pathSet.nixPath.Append(".nixGL"), Dst: hst.AbsTmp.Append("nixGL")}) + hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: pathSet.nixPath.Append(".nixGL"), Dst: hst.AbsTmp.Append("nixGL")}}) appendGPUFilesystem(config) } diff --git a/cmd/hpkg/paths.go b/cmd/hpkg/paths.go index 095c24e..bb705bc 100644 --- a/cmd/hpkg/paths.go +++ b/cmd/hpkg/paths.go @@ -87,30 +87,30 @@ func pathSetByApp(id string) *appPathSet { } func appendGPUFilesystem(config *hst.Config) { - config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfig{ + config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{ // flatpak commit 763a686d874dd668f0236f911de00b80766ffe79 - {Src: container.AbsFHSDev.Append("dri"), Device: true}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}}, // mali - {Src: container.AbsFHSDev.Append("mali"), Device: true}, - {Src: container.AbsFHSDev.Append("mali0"), Device: true}, - {Src: container.AbsFHSDev.Append("umplock"), Device: true}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("mali"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("mali0"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("umplock"), Device: true, Optional: true}}, // nvidia - {Src: container.AbsFHSDev.Append("nvidiactl"), Device: true}, - {Src: container.AbsFHSDev.Append("nvidia-modeset"), Device: true}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidiactl"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia-modeset"), Device: true, Optional: true}}, // nvidia OpenCL/CUDA - {Src: container.AbsFHSDev.Append("nvidia-uvm"), Device: true}, - {Src: container.AbsFHSDev.Append("nvidia-uvm-tools"), Device: true}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia-uvm"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia-uvm-tools"), Device: true, Optional: true}}, // flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff - {Src: container.AbsFHSDev.Append("nvidia0"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia1"), Device: true}, - {Src: container.AbsFHSDev.Append("nvidia2"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia3"), Device: true}, - {Src: container.AbsFHSDev.Append("nvidia4"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia5"), Device: true}, - {Src: container.AbsFHSDev.Append("nvidia6"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia7"), Device: true}, - {Src: container.AbsFHSDev.Append("nvidia8"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia9"), Device: true}, - {Src: container.AbsFHSDev.Append("nvidia10"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia11"), Device: true}, - {Src: container.AbsFHSDev.Append("nvidia12"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia13"), Device: true}, - {Src: container.AbsFHSDev.Append("nvidia14"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia15"), Device: true}, - {Src: container.AbsFHSDev.Append("nvidia16"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia17"), Device: true}, - {Src: container.AbsFHSDev.Append("nvidia18"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia19"), Device: true}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia0"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia1"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia2"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia3"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia4"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia5"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia6"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia7"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia8"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia9"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia10"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia11"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia12"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia13"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia14"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia15"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia16"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia17"), Device: true, Optional: true}}, + {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia18"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia19"), Device: true, Optional: true}}, }...) } diff --git a/cmd/hpkg/with.go b/cmd/hpkg/with.go index 72ca245..305edf7 100644 --- a/cmd/hpkg/with.go +++ b/cmd/hpkg/with.go @@ -48,8 +48,8 @@ func withNixDaemon( Net: net, SeccompFlags: seccomp.AllowMultiarch, Tty: dropShell, - Filesystem: []hst.FilesystemConfig{ - {Src: pathSet.nixPath, Dst: pathNix, Write: true, Must: true}, + Filesystem: []hst.FilesystemConfigJSON{ + {FilesystemConfig: &hst.FSBind{Src: pathSet.nixPath, Dst: pathNix, Write: true}}, }, Link: []hst.LinkConfig{ {pathCurrentSystem, app.CurrentSystem.String()}, @@ -88,9 +88,9 @@ func withCacheDir( Hostname: formatHostname(app.Name) + "-" + action, SeccompFlags: seccomp.AllowMultiarch, Tty: dropShell, - Filesystem: []hst.FilesystemConfig{ - {Src: workDir.Append("nix"), Dst: pathNix, Must: true}, - {Src: workDir, Dst: hst.AbsTmp.Append("bundle"), Must: true}, + Filesystem: []hst.FilesystemConfigJSON{ + {FilesystemConfig: &hst.FSBind{Src: workDir.Append("nix"), Dst: pathNix}}, + {FilesystemConfig: &hst.FSBind{Src: workDir, Dst: hst.AbsTmp.Append("bundle")}}, }, Link: []hst.LinkConfig{ {pathCurrentSystem, app.CurrentSystem.String()}, diff --git a/hst/config.go b/hst/config.go index 73fb21b..c34ecb1 100644 --- a/hst/config.go +++ b/hst/config.go @@ -66,7 +66,7 @@ type ExtraPermConfig struct { } func (e *ExtraPermConfig) String() string { - if e.Path == nil { + if e == nil || e.Path == nil { return "" } buf := make([]byte, 0, 5+len(e.Path.String())) diff --git a/hst/config_test.go b/hst/config_test.go new file mode 100644 index 0000000..c8da8a2 --- /dev/null +++ b/hst/config_test.go @@ -0,0 +1,35 @@ +package hst_test + +import ( + "testing" + + "hakurei.app/container" + "hakurei.app/hst" +) + +func TestExtraPermConfig(t *testing.T) { + testCases := []struct { + name string + config *hst.ExtraPermConfig + want string + }{ + {"nil", nil, ""}, + {"nil path", &hst.ExtraPermConfig{Path: nil}, ""}, + {"r", &hst.ExtraPermConfig{Path: container.AbsFHSRoot, Read: true}, "r--:/"}, + {"r+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSRoot, Read: true}, "r--+:/"}, + {"w", &hst.ExtraPermConfig{Path: hst.AbsTmp, Write: true}, "-w-:/.hakurei"}, + {"w+", &hst.ExtraPermConfig{Ensure: true, Path: hst.AbsTmp, Write: true}, "-w-+:/.hakurei"}, + {"x", &hst.ExtraPermConfig{Path: container.AbsFHSRunUser, Execute: true}, "--x:/run/user/"}, + {"x+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSRunUser, Execute: true}, "--x+:/run/user/"}, + {"rwx", &hst.ExtraPermConfig{Path: container.AbsFHSTmp, Read: true, Write: true, Execute: true}, "rwx:/tmp/"}, + {"rwx+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSTmp, Read: true, Write: true, Execute: true}, "rwx+:/tmp/"}, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + if got := tc.config.String(); got != tc.want { + t.Errorf("String: %q, want %q", got, tc.want) + } + }) + } +} diff --git a/hst/container.go b/hst/container.go index 0b51e10..d42c72d 100644 --- a/hst/container.go +++ b/hst/container.go @@ -51,8 +51,8 @@ type ( // pass through all devices Device bool `json:"device,omitempty"` - // container host filesystem bind mounts - Filesystem []FilesystemConfig `json:"filesystem"` + // container mount points + Filesystem []FilesystemConfigJSON `json:"filesystem"` // create symlinks inside container filesystem Link []LinkConfig `json:"symlink"` @@ -68,20 +68,6 @@ type ( AutoEtc bool `json:"auto_etc"` } - // FilesystemConfig is an abstract representation of a bind mount. - FilesystemConfig struct { - // mount point in container, same as src if empty - Dst *container.Absolute `json:"dst,omitempty"` - // host filesystem path to make available to the container - Src *container.Absolute `json:"src"` - // do not mount filesystem read-only - Write bool `json:"write,omitempty"` - // do not disable device files - Device bool `json:"dev,omitempty"` - // fail if the bind mount cannot be established for any reason - Must bool `json:"require,omitempty"` - } - LinkConfig struct { // symlink target in container Target *container.Absolute `json:"target"` diff --git a/hst/fs.go b/hst/fs.go new file mode 100644 index 0000000..f60ca32 --- /dev/null +++ b/hst/fs.go @@ -0,0 +1,121 @@ +package hst + +import ( + "encoding/json" + "errors" + "fmt" + "reflect" + + "hakurei.app/container" +) + +// FilesystemConfig is an abstract representation of a mount point. +type FilesystemConfig interface { + // Type returns the type of this mount point. + Type() string + // Target returns the pathname of the mount point in the container. + Target() *container.Absolute + // Host returns a slice of all host paths used by this mount point. + Host() []*container.Absolute + // Apply appends the [container.Op] implementing this mount point. + Apply(ops *container.Ops) + + fmt.Stringer +} + +var ( + ErrFSNull = errors.New("unexpected null in mount point") +) + +// FSTypeError is returned when [ContainerConfig.Filesystem] contains an entry with invalid type. +type FSTypeError string + +func (f FSTypeError) Error() string { return fmt.Sprintf("invalid filesystem type %q", string(f)) } + +// FSImplError is returned when the underlying struct of [FilesystemConfig] does not match +// what [FilesystemConfig.Type] claims to be. +type FSImplError struct { + Type string + Value FilesystemConfig +} + +func (f FSImplError) Error() string { + implType := reflect.TypeOf(f.Value) + var name string + for implType != nil && implType.Kind() == reflect.Ptr { + name += "*" + implType = implType.Elem() + } + if implType != nil { + name += implType.Name() + } else { + name += "nil" + } + return fmt.Sprintf("implementation %s is not %s", name, f.Type) +} + +// FilesystemConfigJSON is the [json] adapter for [FilesystemConfig]. +type FilesystemConfigJSON struct { + FilesystemConfig +} + +// Valid returns whether the [FilesystemConfigJSON] is valid. +func (f *FilesystemConfigJSON) Valid() bool { return f != nil && f.FilesystemConfig != nil } + +func (f *FilesystemConfigJSON) MarshalJSON() ([]byte, error) { + if f == nil || f.FilesystemConfig == nil { + return nil, ErrFSNull + } + var v any + t := f.Type() + switch t { + case FilesystemBind: + if ct, ok := f.FilesystemConfig.(*FSBind); !ok { + return nil, FSImplError{t, f.FilesystemConfig} + } else { + v = &struct { + Type string `json:"type"` + *FSBind + }{FilesystemBind, ct} + } + + case FilesystemEphemeral: + if ct, ok := f.FilesystemConfig.(*FSEphemeral); !ok { + return nil, FSImplError{t, f.FilesystemConfig} + } else { + v = &struct { + Type string `json:"type"` + *FSEphemeral + }{FilesystemEphemeral, ct} + } + + default: + return nil, FSTypeError(t) + } + + return json.Marshal(v) +} + +func (f *FilesystemConfigJSON) UnmarshalJSON(data []byte) error { + t := new(struct { + Type string `json:"type"` + }) + if err := json.Unmarshal(data, &t); err != nil { + return err + } + if t == nil { + return ErrFSNull + } + switch t.Type { + case FilesystemBind: + *f = FilesystemConfigJSON{new(FSBind)} + + case FilesystemEphemeral: + *f = FilesystemConfigJSON{new(FSEphemeral)} + + default: + return FSTypeError(t.Type) + } + + return json.Unmarshal(data, f.FilesystemConfig) +} diff --git a/hst/fs_test.go b/hst/fs_test.go new file mode 100644 index 0000000..46d7cce --- /dev/null +++ b/hst/fs_test.go @@ -0,0 +1,269 @@ +package hst_test + +import ( + "encoding/json" + "errors" + "reflect" + "strings" + "syscall" + "testing" + + "hakurei.app/container" + "hakurei.app/hst" +) + +func TestFilesystemConfigJSON(t *testing.T) { + testCases := []struct { + name string + want hst.FilesystemConfigJSON + + wantErr error + data, sData string + }{ + {"nil", hst.FilesystemConfigJSON{FilesystemConfig: nil}, hst.ErrFSNull, + `null`, `{"fs":null,"magic":3236757504}`}, + + {"bad type", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"cat"}}, + hst.FSTypeError("cat"), + `{"type":"cat","meow":true}`, `{"fs":{"type":"cat","meow":true},"magic":3236757504}`}, + + {"bad impl bind", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"bind"}}, + hst.FSImplError{ + Type: "bind", + Value: stubFS{"bind"}, + }, + "\x00", "\x00"}, + + {"bad impl ephemeral", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"ephemeral"}}, + hst.FSImplError{ + Type: "ephemeral", + Value: stubFS{"ephemeral"}, + }, + "\x00", "\x00"}, + + {"bind", hst.FilesystemConfigJSON{ + FilesystemConfig: &hst.FSBind{ + Dst: m("/etc"), + Src: m("/mnt/etc"), + Optional: true, + }, + }, nil, + `{"type":"bind","dst":"/etc","src":"/mnt/etc","optional":true}`, + `{"fs":{"type":"bind","dst":"/etc","src":"/mnt/etc","optional":true},"magic":3236757504}`}, + + {"ephemeral", hst.FilesystemConfigJSON{ + FilesystemConfig: &hst.FSEphemeral{ + Dst: m("/run/user/65534"), + Write: true, + Size: 1 << 10, + Perm: 0700, + }, + }, nil, + `{"type":"ephemeral","dst":"/run/user/65534","write":true,"size":1024,"perm":448}`, + `{"fs":{"type":"ephemeral","dst":"/run/user/65534","write":true,"size":1024,"perm":448},"magic":3236757504}`}, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + t.Run("marshal", func(t *testing.T) { + { + d, err := json.Marshal(&tc.want) + if !errors.Is(err, tc.wantErr) { + t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr) + } + if tc.wantErr != nil { + goto checkSMarshal + } + if string(d) != tc.data { + t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.data) + } + } + + checkSMarshal: + { + d, err := json.Marshal(&sCheck{tc.want, syscall.MS_MGC_VAL}) + if !errors.Is(err, tc.wantErr) { + t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr) + } + if tc.wantErr != nil { + return + } + if string(d) != tc.sData { + t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.sData) + } + } + }) + + t.Run("unmarshal", func(t *testing.T) { + if tc.data == "\x00" && tc.sData == "\x00" { + if errors.As(tc.wantErr, new(hst.FSImplError)) { + // this error is only returned on marshal + return + } + } + + { + var got hst.FilesystemConfigJSON + err := json.Unmarshal([]byte(tc.data), &got) + if !errors.Is(err, tc.wantErr) { + t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr) + } + if tc.wantErr != nil { + goto checkSUnmarshal + } + if !reflect.DeepEqual(&tc.want, &got) { + t.Errorf("Unmarshal: %#v, want %#v", &tc.want, &got) + } + } + + checkSUnmarshal: + { + var got sCheck + err := json.Unmarshal([]byte(tc.sData), &got) + if !errors.Is(err, tc.wantErr) { + t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr) + } + if tc.wantErr != nil { + return + } + want := sCheck{tc.want, syscall.MS_MGC_VAL} + if !reflect.DeepEqual(&got, &want) { + t.Errorf("Unmarshal: %#v, want %#v", &got, &want) + } + } + }) + }) + } + + t.Run("valid", func(t *testing.T) { + if got := (*hst.FilesystemConfigJSON).Valid(nil); got { + t.Errorf("Valid: %v, want false", got) + } + + if got := new(hst.FilesystemConfigJSON).Valid(); got { + t.Errorf("Valid: %v, want false", got) + } + + if got := (&hst.FilesystemConfigJSON{FilesystemConfig: new(hst.FSBind)}).Valid(); !got { + t.Errorf("Valid: %v, want true", got) + } + }) + + t.Run("passthrough", func(t *testing.T) { + if err := new(hst.FilesystemConfigJSON).UnmarshalJSON(make([]byte, 0)); err == nil { + t.Errorf("UnmarshalJSON: error = %v", err) + } + }) +} + +func TestFSErrors(t *testing.T) { + t.Run("type", func(t *testing.T) { + want := `invalid filesystem type "cat"` + if got := hst.FSTypeError("cat").Error(); got != want { + t.Errorf("Error: %q, want %q", got, want) + } + }) + + t.Run("impl", func(t *testing.T) { + testCases := []struct { + name string + val hst.FilesystemConfig + want string + }{ + {"nil", nil, "implementation nil is not cat"}, + {"stub", stubFS{"cat"}, "implementation stubFS is not cat"}, + {"*stub", &stubFS{"cat"}, "implementation *stubFS is not cat"}, + {"(*stub)(nil)", (*stubFS)(nil), "implementation *stubFS is not cat"}, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + err := hst.FSImplError{Type: "cat", Value: tc.val} + if got := err.Error(); got != tc.want { + t.Errorf("Error: %q, want %q", got, tc.want) + } + }) + } + }) +} + +type stubFS struct { + typeName string +} + +func (s stubFS) Type() string { return s.typeName } +func (s stubFS) Target() *container.Absolute { panic("unreachable") } +func (s stubFS) Host() []*container.Absolute { panic("unreachable") } +func (s stubFS) Apply(*container.Ops) { panic("unreachable") } +func (s stubFS) String() string { return "" } + +type sCheck struct { + FS hst.FilesystemConfigJSON `json:"fs"` + Magic int `json:"magic"` +} + +type fsTestCase struct { + name string + fs hst.FilesystemConfig + ops container.Ops + target *container.Absolute + host []*container.Absolute + str string +} + +func checkFs(t *testing.T, fstype string, testCases []fsTestCase) { + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + if got := tc.fs.Type(); got != fstype { + t.Errorf("Type: %q, want %q", got, fstype) + } + + t.Run("ops", func(t *testing.T) { + ops := new(container.Ops) + tc.fs.Apply(ops) + if !reflect.DeepEqual(ops, &tc.ops) { + gotString := new(strings.Builder) + for _, op := range *ops { + gotString.WriteString("\n" + op.String()) + } + wantString := new(strings.Builder) + for _, op := range tc.ops { + wantString.WriteString("\n" + op.String()) + } + t.Errorf("Apply: %s, want %s", gotString, wantString) + } + }) + + t.Run("target", func(t *testing.T) { + if got := tc.fs.Target(); !reflect.DeepEqual(got, tc.target) { + t.Errorf("Target: %q, want %q", got, tc.target) + } + }) + + t.Run("host", func(t *testing.T) { + if got := tc.fs.Host(); !reflect.DeepEqual(got, tc.host) { + t.Errorf("Host: %q, want %q", got, tc.host) + } + }) + + t.Run("string", func(t *testing.T) { + if tc.str == "\x00" { + return + } + + if got := tc.fs.String(); got != tc.str { + t.Errorf("String: %q, want %q", got, tc.str) + } + }) + }) + } +} + +func m(pathname string) *container.Absolute { return container.MustAbs(pathname) } +func ms(pathnames ...string) []*container.Absolute { + as := make([]*container.Absolute, len(pathnames)) + for i, pathname := range pathnames { + as[i] = container.MustAbs(pathname) + } + return as +} diff --git a/hst/fsbind.go b/hst/fsbind.go new file mode 100644 index 0000000..e95eb7b --- /dev/null +++ b/hst/fsbind.go @@ -0,0 +1,102 @@ +package hst + +import ( + "encoding/gob" + "strings" + + "hakurei.app/container" +) + +func init() { gob.Register(new(FSBind)) } + +// FilesystemBind is the [FilesystemConfig.Type] name of a bind mount point. +const FilesystemBind = "bind" + +// FSBind represents a host to container bind mount. +type FSBind struct { + // mount point in container, same as src if empty + Dst *container.Absolute `json:"dst,omitempty"` + // host filesystem path to make available to the container + Src *container.Absolute `json:"src"` + // do not mount filesystem read-only + Write bool `json:"write,omitempty"` + // do not disable device files, implies Write + Device bool `json:"dev,omitempty"` + // skip this mount point if the host path does not exist + Optional bool `json:"optional,omitempty"` +} + +func (b *FSBind) Type() string { return FilesystemBind } + +func (b *FSBind) Target() *container.Absolute { + if b == nil || b.Src == nil { + return nil + } + if b.Dst == nil { + return b.Src + } + return b.Dst +} + +func (b *FSBind) Host() []*container.Absolute { + if b == nil || b.Src == nil { + return nil + } + return []*container.Absolute{b.Src} +} + +func (b *FSBind) Apply(ops *container.Ops) { + if b == nil || b.Src == nil { + return + } + + dst := b.Dst + if dst == nil { + dst = b.Src + } + var flags int + if b.Write { + flags |= container.BindWritable + } + if b.Device { + flags |= container.BindDevice | container.BindWritable + } + if b.Optional { + flags |= container.BindOptional + } + ops.Bind(b.Src, dst, flags) +} + +func (b *FSBind) String() string { + g := 4 + if b == nil || b.Src == nil { + return "" + } + + g += len(b.Src.String()) + if b.Dst != nil { + g += len(b.Dst.String()) + } + + expr := new(strings.Builder) + expr.Grow(g) + + if b.Device { + expr.WriteString("d") + } else if b.Write { + expr.WriteString("w") + } + + if !b.Optional { + expr.WriteString("*") + } else { + expr.WriteString("+") + } + + expr.WriteString(b.Src.String()) + if b.Dst != nil { + expr.WriteString(":" + b.Dst.String()) + } + + return expr.String() +} diff --git a/hst/fsbind_test.go b/hst/fsbind_test.go new file mode 100644 index 0000000..22a6d9a --- /dev/null +++ b/hst/fsbind_test.go @@ -0,0 +1,66 @@ +package hst_test + +import ( + "testing" + + "hakurei.app/container" + "hakurei.app/hst" +) + +func TestFSBind(t *testing.T) { + checkFs(t, "bind", []fsTestCase{ + {"nil", (*hst.FSBind)(nil), nil, nil, nil, ""}, + + {"full", &hst.FSBind{ + Dst: m("/dev"), + Src: m("/mnt/dev"), + Optional: true, + Device: true, + }, container.Ops{&container.BindMountOp{ + Source: m("/mnt/dev"), + Target: m("/dev"), + Flags: container.BindWritable | container.BindDevice | container.BindOptional, + }}, m("/dev"), ms("/mnt/dev"), + "d+/mnt/dev:/dev"}, + + {"full write dev", &hst.FSBind{ + Dst: m("/dev"), + Src: m("/mnt/dev"), + Write: true, + Device: true, + }, container.Ops{&container.BindMountOp{ + Source: m("/mnt/dev"), + Target: m("/dev"), + Flags: container.BindWritable | container.BindDevice, + }}, m("/dev"), ms("/mnt/dev"), + "d*/mnt/dev:/dev"}, + + {"full write", &hst.FSBind{ + Dst: m("/tmp"), + Src: m("/mnt/tmp"), + Write: true, + }, container.Ops{&container.BindMountOp{ + Source: m("/mnt/tmp"), + Target: m("/tmp"), + Flags: container.BindWritable, + }}, m("/tmp"), ms("/mnt/tmp"), + "w*/mnt/tmp:/tmp"}, + + {"full no flags", &hst.FSBind{ + Dst: m("/etc"), + Src: m("/mnt/etc"), + }, container.Ops{&container.BindMountOp{ + Source: m("/mnt/etc"), + Target: m("/etc"), + }}, m("/etc"), ms("/mnt/etc"), + "*/mnt/etc:/etc"}, + + {"nil dst", &hst.FSBind{ + Src: m("/"), + }, container.Ops{&container.BindMountOp{ + Source: m("/"), + Target: m("/"), + }}, m("/"), ms("/"), + "*/"}, + }) +} diff --git a/hst/fsephemeral.go b/hst/fsephemeral.go new file mode 100644 index 0000000..e3f924c --- /dev/null +++ b/hst/fsephemeral.go @@ -0,0 +1,83 @@ +package hst + +import ( + "encoding/gob" + "os" + "strings" + + "hakurei.app/container" +) + +func init() { gob.Register(new(FSEphemeral)) } + +// FilesystemEphemeral is the [FilesystemConfig.Type] name of a mount point with ephemeral state. +const FilesystemEphemeral = "ephemeral" + +// FSEphemeral represents an ephemeral container mount point. +type FSEphemeral struct { + // mount point in container + Dst *container.Absolute `json:"dst,omitempty"` + // do not mount filesystem read-only + Write bool `json:"write,omitempty"` + // upper limit on the size of the filesystem + Size int `json:"size,omitempty"` + // initial permission bits of the new filesystem + Perm os.FileMode `json:"perm,omitempty"` +} + +func (e *FSEphemeral) Type() string { return FilesystemEphemeral } + +func (e *FSEphemeral) Target() *container.Absolute { + if e == nil { + return nil + } + return e.Dst +} + +func (e *FSEphemeral) Host() []*container.Absolute { return nil } + +const fsEphemeralDefaultPerm = os.FileMode(0755) + +func (e *FSEphemeral) Apply(ops *container.Ops) { + if e == nil || e.Dst == nil { + return + } + + size := e.Size + if size < 0 { + size = 0 + } + + perm := e.Perm + if perm == 0 { + perm = fsEphemeralDefaultPerm + } + + if e.Write { + ops.Tmpfs(e.Dst, size, perm) + } else { + ops.Readonly(e.Dst, perm) + } +} + +func (e *FSEphemeral) String() string { + if e == nil || e.Dst == nil { + return "" + } + + expr := new(strings.Builder) + expr.Grow(15 + len(FilesystemEphemeral) + len(e.Dst.String())) + + if e.Write { + expr.WriteString("w") + } + expr.WriteString("+" + FilesystemEphemeral + "(") + if e.Perm != 0 { + expr.WriteString(e.Perm.String()) + } else { + expr.WriteString(fsEphemeralDefaultPerm.String()) + } + expr.WriteString("):" + e.Dst.String()) + + return expr.String() +} diff --git a/hst/fsephemeral_test.go b/hst/fsephemeral_test.go new file mode 100644 index 0000000..f003a92 --- /dev/null +++ b/hst/fsephemeral_test.go @@ -0,0 +1,50 @@ +package hst_test + +import ( + "syscall" + "testing" + + "hakurei.app/container" + "hakurei.app/hst" +) + +func TestFSEphemeral(t *testing.T) { + checkFs(t, "ephemeral", []fsTestCase{ + {"nil", (*hst.FSEphemeral)(nil), nil, nil, nil, ""}, + + {"full", &hst.FSEphemeral{ + Dst: m("/run/user/65534"), + Write: true, + Size: 1 << 10, + Perm: 0700, + }, container.Ops{&container.MountTmpfsOp{ + FSName: "ephemeral", + Path: m("/run/user/65534"), + Flags: syscall.MS_NOSUID | syscall.MS_NODEV, + Size: 1 << 10, + Perm: 0700, + }}, m("/run/user/65534"), nil, + "w+ephemeral(-rwx------):/run/user/65534"}, + + {"cover ro", &hst.FSEphemeral{Dst: m("/run/nscd")}, + container.Ops{&container.MountTmpfsOp{ + FSName: "readonly", + Path: m("/run/nscd"), + Flags: syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_RDONLY, + Perm: 0755, + }}, m("/run/nscd"), nil, + "+ephemeral(-rwxr-xr-x):/run/nscd"}, + + {"negative size", &hst.FSEphemeral{ + Dst: hst.AbsTmp, + Write: true, + Size: -1, + }, container.Ops{&container.MountTmpfsOp{ + FSName: "ephemeral", + Path: hst.AbsTmp, + Flags: syscall.MS_NOSUID | syscall.MS_NODEV, + Perm: 0755, + }}, hst.AbsTmp, nil, + "w+ephemeral(-rwxr-xr-x):/.hakurei"}, + }) +} diff --git a/hst/template.go b/hst/template.go index dda43a0..db6748e 100644 --- a/hst/template.go +++ b/hst/template.go @@ -77,15 +77,14 @@ func Template() *Config { "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com", "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT", }, - Filesystem: []FilesystemConfig{ - {Dst: container.AbsFHSTmp, Src: container.AbsNonexistent, Write: true}, - {Src: container.MustAbs("/nix/store")}, - {Src: container.AbsFHSRun.Append("current-system")}, - {Src: container.AbsFHSRun.Append("opengl-driver")}, - {Src: container.AbsFHSVar.Append("db/nix-channels")}, - {Src: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"), - Dst: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true, Must: true}, - {Src: container.AbsFHSDev.Append("dri"), Device: true}, + Filesystem: []FilesystemConfigJSON{ + {&FSEphemeral{Dst: container.AbsFHSTmp, Write: true, Perm: 0755}}, + {&FSBind{Src: container.MustAbs("/nix/store")}}, + {&FSBind{Src: container.AbsFHSRun.Append("current-system")}}, + {&FSBind{Src: container.AbsFHSRun.Append("opengl-driver")}}, + {&FSBind{Src: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"), + Dst: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}}, + {&FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}}, }, Link: []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}}, AutoRoot: container.AbsFHSVarLib.Append("hakurei/base/org.debian"), diff --git a/hst/template_test.go b/hst/template_test.go index da119d4..e3c36f5 100644 --- a/hst/template_test.go +++ b/hst/template_test.go @@ -98,31 +98,34 @@ func TestTemplate(t *testing.T) { "device": true, "filesystem": [ { + "type": "ephemeral", "dst": "/tmp/", - "src": "/proc/nonexistent", - "write": true + "write": true, + "perm": 493 }, { + "type": "bind", "src": "/nix/store" }, { + "type": "bind", "src": "/run/current-system" }, { + "type": "bind", "src": "/run/opengl-driver" }, { - "src": "/var/db/nix-channels" - }, - { + "type": "bind", "dst": "/data/data/org.chromium.Chromium", "src": "/var/lib/hakurei/u0/org.chromium.Chromium", - "write": true, - "require": true + "write": true }, { + "type": "bind", "src": "/dev/dri", - "dev": true + "dev": true, + "optional": true } ], "symlink": [ diff --git a/internal/app/app_nixos_linux_test.go b/internal/app/app_nixos_linux_test.go index 901e825..ef58722 100644 --- a/internal/app/app_nixos_linux_test.go +++ b/internal/app/app_nixos_linux_test.go @@ -13,6 +13,9 @@ import ( ) func m(pathname string) *container.Absolute { return container.MustAbs(pathname) } +func f(c hst.FilesystemConfig) hst.FilesystemConfigJSON { + return hst.FilesystemConfigJSON{FilesystemConfig: c} +} var testCasesNixos = []sealTestCase{ { @@ -25,11 +28,18 @@ var testCasesNixos = []sealTestCase{ Container: &hst.ContainerConfig{ Userns: true, Net: true, MapRealUID: true, Env: nil, AutoEtc: true, - Filesystem: []hst.FilesystemConfig{ - {Src: m("/bin"), Must: true}, {Src: m("/usr/bin/"), Must: true}, - {Src: m("/nix/store"), Must: true}, {Src: m("/run/current-system"), Must: true}, - {Src: m("/sys/block")}, {Src: m("/sys/bus")}, {Src: m("/sys/class")}, {Src: m("/sys/dev")}, {Src: m("/sys/devices")}, - {Src: m("/run/opengl-driver"), Must: true}, {Src: m("/dev/dri"), Device: true}, + Filesystem: []hst.FilesystemConfigJSON{ + f(&hst.FSBind{Src: m("/bin")}), + f(&hst.FSBind{Src: m("/usr/bin/")}), + f(&hst.FSBind{Src: m("/nix/store")}), + f(&hst.FSBind{Src: m("/run/current-system")}), + f(&hst.FSBind{Src: m("/sys/block"), Optional: true}), + f(&hst.FSBind{Src: m("/sys/bus"), Optional: true}), + f(&hst.FSBind{Src: m("/sys/class"), Optional: true}), + f(&hst.FSBind{Src: m("/sys/dev"), Optional: true}), + f(&hst.FSBind{Src: m("/sys/devices"), Optional: true}), + f(&hst.FSBind{Src: m("/run/opengl-driver")}), + f(&hst.FSBind{Src: m("/dev/dri"), Device: true, Optional: true}), }, }, SystemBus: &dbus.Config{ diff --git a/internal/app/container_linux.go b/internal/app/container_linux.go index f93cfcc..3f1259f 100644 --- a/internal/app/container_linux.go +++ b/internal/app/container_linux.go @@ -6,7 +6,6 @@ import ( "io/fs" "maps" "path" - "slices" "syscall" "hakurei.app/container" @@ -126,73 +125,63 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid return nil, nil, err } } - // evaluated path, input path - hidePathSource := make([][2]string, 0, len(s.Filesystem)) + + var hidePathSourceCount int + for i, c := range s.Filesystem { + if !c.Valid() { + return nil, nil, fmt.Errorf("invalid filesystem at index %d", i) + } + c.Apply(params.Ops) + + // fs counter + hidePathSourceCount += len(c.Host()) + } // AutoRoot is a collection of many BindMountOp internally + var autoRootEntries []fs.DirEntry if s.AutoRoot != nil { if d, err := os.ReadDir(s.AutoRoot.String()); err != nil { return nil, nil, err } else { - hidePathSource = slices.Grow(hidePathSource, len(d)) - for _, ent := range d { - name := ent.Name() - if container.IsAutoRootBindable(name) { - name = path.Join(s.AutoRoot.String(), name) - srcP := [2]string{name, name} - if err = evalSymlinks(os, &srcP[0]); err != nil { - return nil, nil, err - } - hidePathSource = append(hidePathSource, srcP) - } + // autoroot counter + hidePathSourceCount += len(d) + autoRootEntries = d + } + } + + hidePathSource := make([]*container.Absolute, 0, hidePathSourceCount) + + // fs append + for _, c := range s.Filesystem { + // all entries already checked above + hidePathSource = append(hidePathSource, c.Host()...) + } + + // autoroot append + if s.AutoRoot != nil { + for _, ent := range autoRootEntries { + name := ent.Name() + if container.IsAutoRootBindable(name) { + hidePathSource = append(hidePathSource, s.AutoRoot.Append(name)) } } } - for i, c := range s.Filesystem { - if c.Src == nil { - return nil, nil, fmt.Errorf("invalid filesystem at index %d", i) + // evaluated path, input path + hidePathSourceEval := make([][2]string, len(hidePathSource)) + for i, a := range hidePathSource { + if a == nil { + // unreachable + return nil, nil, syscall.ENOTRECOVERABLE } - // special filesystems - switch c.Src.String() { - case container.Nonexistent: - if c.Dst == nil { - return nil, nil, errors.New("tmpfs dst must not be nil") - } - if c.Write { - params.Tmpfs(c.Dst, hst.TmpfsSize, hst.TmpfsPerm) - } else { - params.Readonly(c.Dst, hst.TmpfsPerm) - } - continue - } - - dst := c.Dst - if dst == nil { - dst = c.Src - } - - p := [2]string{c.Src.String(), c.Src.String()} - if err := evalSymlinks(os, &p[0]); err != nil { + hidePathSourceEval[i] = [2]string{a.String(), a.String()} + if err := evalSymlinks(os, &hidePathSourceEval[i][0]); err != nil { return nil, nil, err } - hidePathSource = append(hidePathSource, p) - - var flags int - if c.Write { - flags |= container.BindWritable - } - if c.Device { - flags |= container.BindDevice | container.BindWritable - } - if !c.Must { - flags |= container.BindOptional - } - params.Bind(c.Src, dst, flags) } - for _, p := range hidePathSource { + for _, p := range hidePathSourceEval { for i := range hidePaths { // skip matched entries if hidePathMatch[i] { diff --git a/internal/app/seal_linux.go b/internal/app/seal_linux.go index e27fee1..961447b 100644 --- a/internal/app/seal_linux.go +++ b/internal/app/seal_linux.go @@ -248,15 +248,15 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co // bind GPU stuff if config.Enablements&(system.EX11|system.EWayland) != 0 { - conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfig{Src: container.AbsFHSDev.Append("dri"), Device: true}) + conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}}) } // opportunistically bind kvm - conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfig{Src: container.AbsFHSDev.Append("kvm"), Device: true}) + conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("kvm"), Device: true, Optional: true}}) // hide nscd from container if present nscd := container.AbsFHSVar.Append("run/nscd") if _, err := sys.Stat(nscd.String()); !errors.Is(err, fs.ErrNotExist) { - conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfig{Dst: nscd, Src: container.AbsNonexistent}) + conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSEphemeral{Dst: nscd}}) } config.Container = conf diff --git a/nixos.nix b/nixos.nix index a26b365..90ce28b 100644 --- a/nixos.nix +++ b/nixos.nix @@ -142,36 +142,42 @@ in filesystem = let - bind = src: { inherit src; }; - mustBind = src: { + bind = src: { + type = "bind"; inherit src; - require = true; }; - devBind = src: { + optBind = src: { + type = "bind"; + inherit src; + optional = true; + }; + optDevBind = src: { + type = "bind"; inherit src; dev = true; + optional = true; }; in [ - (mustBind "/bin") - (mustBind "/usr/bin") - (mustBind "/nix/store") - (bind "/sys/block") - (bind "/sys/bus") - (bind "/sys/class") - (bind "/sys/dev") - (bind "/sys/devices") + (bind "/bin") + (bind "/usr/bin") + (bind "/nix/store") + (optBind "/sys/block") + (optBind "/sys/bus") + (optBind "/sys/class") + (optBind "/sys/dev") + (optBind "/sys/devices") ] ++ optionals app.nix [ - (mustBind "/nix/var") + (bind "/nix/var") ] ++ optionals isGraphical [ - (devBind "/dev/dri") - (devBind "/dev/nvidiactl") - (devBind "/dev/nvidia-modeset") - (devBind "/dev/nvidia-uvm") - (devBind "/dev/nvidia-uvm-tools") - (devBind "/dev/nvidia0") + (optDevBind "/dev/dri") + (optDevBind "/dev/nvidiactl") + (optDevBind "/dev/nvidia-modeset") + (optDevBind "/dev/nvidia-uvm") + (optDevBind "/dev/nvidia-uvm-tools") + (optDevBind "/dev/nvidia0") ] ++ optionals app.useCommonPaths cfg.commonPaths ++ app.extraPaths; diff --git a/options.nix b/options.nix index c6772f6..d5d8249 100644 --- a/options.nix +++ b/options.nix @@ -7,6 +7,7 @@ let mountPoint = let inherit (types) + enum str submodule nullOr @@ -15,6 +16,14 @@ let in listOf (submodule { options = { + type = mkOption { + type = enum [ "bind" ]; + default = "bind"; + description = '' + Type of the mount point; + ''; + }; + dst = mkOption { type = nullOr str; default = null; @@ -32,7 +41,7 @@ let write = mkEnableOption "mounting path as writable"; dev = mkEnableOption "use of device files"; - require = mkEnableOption "start failure if the bind mount cannot be established for any reason"; + optional = mkEnableOption "ignore nonexistent source path"; }; }); in