security/hakurei
security/hakurei
4
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

hst/fs: interface filesystem config
All checks were successful
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m14s
Details
Test / Hakurei (push) Successful in 3m37s
Details
Test / Hpkg (push) Successful in 4m27s
Details
Test / Sandbox (race detector) (push) Successful in 4m23s
Details
Test / Hakurei (race detector) (push) Successful in 5m22s
Details
Test / Flake checks (push) Successful in 1m22s
Details

Browse Source 
This allows mount points to be represented by different underlying structs.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-08-12 04:38:45 +09:00
parent e99d7affb0
commit 99ac96511b
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
22 changed files with 927 additions and 223 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
cmd/hakurei/print.go
View File

@ -128,42 +128,11 @@ func printShowInstance(
if config.Container != nil && len(config.Container.Filesystem) > 0 { if config.Container != nil && len(config.Container.Filesystem) > 0 {
t.Printf("Filesystem\n") t.Printf("Filesystem\n")
for _, f := range config.Container.Filesystem { for _, f := range config.Container.Filesystem {
g := 4 if !f.Valid() {
if f.Src == nil {
t.Println(" <invalid>") t.Println(" <invalid>")
continue continue
} else {
g += len(f.Src.String())
} }
if f.Dst != nil { t.Printf(" %s\n", f)
g += len(f.Dst.String())
}
expr := new(strings.Builder)
expr.Grow(g)
if f.Device {
expr.WriteString(" d")
} else if f.Write {
expr.WriteString(" w")
} else {
expr.WriteString(" ")
}
if f.Must {
expr.WriteString("*")
} else {
expr.WriteString("+")
}
src := f.Src.String()
if src != container.Nonexistent {
expr.WriteString(src)
} else {
expr.WriteString("tmpfs")
}
if f.Dst != nil {
expr.WriteString(":" + f.Dst.String())
}
t.Printf("%s\n", expr.String())
} }
t.Printf("\n") t.Printf("\n")
} }

77
cmd/hakurei/print_test.go
View File

@ -48,11 +48,10 @@ func Test_printShowInstance(t *testing.T) {
Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
Filesystem Filesystem
w+tmpfs:/tmp/ w+ephemeral(-rwxr-xr-x):/tmp/
+/nix/store */nix/store
+/run/current-system */run/current-system
+/run/opengl-driver */run/opengl-driver
+/var/db/nix-channels
w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium
d+/dev/dri d+/dev/dri
@ -86,7 +85,7 @@ App
Etc: /etc/ Etc: /etc/
`}, `},
{"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfig, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `App {"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `App
Identity: 0 Identity: 0
Enablements: (no enablements) Enablements: (no enablements)
Flags: none Flags: none
@ -127,11 +126,10 @@ App
Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland
Filesystem Filesystem
w+tmpfs:/tmp/ w+ephemeral(-rwxr-xr-x):/tmp/
+/nix/store */nix/store
+/run/current-system */run/current-system
+/run/opengl-driver */run/opengl-driver
+/var/db/nix-channels
w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium w*/var/lib/hakurei/u0/org.chromium.Chromium:/data/data/org.chromium.Chromium
d+/dev/dri d+/dev/dri
@ -275,31 +273,34 @@ App
"device": true, "device": true,
"filesystem": [ "filesystem": [
{ {
"type": "ephemeral",
"dst": "/tmp/", "dst": "/tmp/",
"src": "/proc/nonexistent", "write": true,
"write": true "perm": 493
}, },
{ {
"type": "bind",
"src": "/nix/store" "src": "/nix/store"
}, },
{ {
"type": "bind",
"src": "/run/current-system" "src": "/run/current-system"
}, },
{ {
"type": "bind",
"src": "/run/opengl-driver" "src": "/run/opengl-driver"
}, },
{ {
"src": "/var/db/nix-channels" "type": "bind",
},
{
"dst": "/data/data/org.chromium.Chromium", "dst": "/data/data/org.chromium.Chromium",
"src": "/var/lib/hakurei/u0/org.chromium.Chromium", "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
"write": true, "write": true
"require": true
}, },
{ {
"type": "bind",
"src": "/dev/dri", "src": "/dev/dri",
"dev": true "dev": true,
"optional": true
} }
], ],
"symlink": [ "symlink": [
@ -407,31 +408,34 @@ App
"device": true, "device": true,
"filesystem": [ "filesystem": [
{ {
"type": "ephemeral",
"dst": "/tmp/", "dst": "/tmp/",
"src": "/proc/nonexistent", "write": true,
"write": true "perm": 493
}, },
{ {
"type": "bind",
"src": "/nix/store" "src": "/nix/store"
}, },
{ {
"type": "bind",
"src": "/run/current-system" "src": "/run/current-system"
}, },
{ {
"type": "bind",
"src": "/run/opengl-driver" "src": "/run/opengl-driver"
}, },
{ {
"src": "/var/db/nix-channels" "type": "bind",
},
{
"dst": "/data/data/org.chromium.Chromium", "dst": "/data/data/org.chromium.Chromium",
"src": "/var/lib/hakurei/u0/org.chromium.Chromium", "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
"write": true, "write": true
"require": true
}, },
{ {
"type": "bind",
"src": "/dev/dri", "src": "/dev/dri",
"dev": true "dev": true,
"optional": true
} }
], ],
"symlink": [ "symlink": [
@ -593,31 +597,34 @@ func Test_printPs(t *testing.T) {
"device": true, "device": true,
"filesystem": [ "filesystem": [
{ {
"type": "ephemeral",
"dst": "/tmp/", "dst": "/tmp/",
"src": "/proc/nonexistent", "write": true,
"write": true "perm": 493
}, },
{ {
"type": "bind",
"src": "/nix/store" "src": "/nix/store"
}, },
{ {
"type": "bind",
"src": "/run/current-system" "src": "/run/current-system"
}, },
{ {
"type": "bind",
"src": "/run/opengl-driver" "src": "/run/opengl-driver"
}, },
{ {
"src": "/var/db/nix-channels" "type": "bind",
},
{
"dst": "/data/data/org.chromium.Chromium", "dst": "/data/data/org.chromium.Chromium",
"src": "/var/lib/hakurei/u0/org.chromium.Chromium", "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
"write": true, "write": true
"require": true
}, },
{ {
"type": "bind",
"src": "/dev/dri", "src": "/dev/dri",
"dev": true "dev": true,
"optional": true
} }
], ],
"symlink": [ "symlink": [

18
cmd/hpkg/app.go
View File

@ -91,15 +91,15 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg
Device: app.Device, Device: app.Device,
Tty: app.Tty || flagDropShell, Tty: app.Tty || flagDropShell,
MapRealUID: app.MapRealUID, MapRealUID: app.MapRealUID,
Filesystem: []hst.FilesystemConfig{ Filesystem: []hst.FilesystemConfigJSON{
{Src: pathSet.nixPath.Append("store"), Dst: pathNixStore, Must: true}, {FilesystemConfig: &hst.FSBind{Src: pathSet.nixPath.Append("store"), Dst: pathNixStore}},
{Src: pathSet.metaPath, Dst: hst.AbsTmp.Append("app"), Must: true}, {FilesystemConfig: &hst.FSBind{Src: pathSet.metaPath, Dst: hst.AbsTmp.Append("app")}},
{Src: container.AbsFHSEtc.Append("resolv.conf")}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
{Src: container.AbsFHSSys.Append("block")}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("block"), Optional: true}},
{Src: container.AbsFHSSys.Append("bus")}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("bus"), Optional: true}},
{Src: container.AbsFHSSys.Append("class")}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("class"), Optional: true}},
{Src: container.AbsFHSSys.Append("dev")}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("dev"), Optional: true}},
{Src: container.AbsFHSSys.Append("devices")}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("devices"), Optional: true}},
}, },
Link: []hst.LinkConfig{ Link: []hst.LinkConfig{
{pathCurrentSystem, app.CurrentSystem.String()}, {pathCurrentSystem, app.CurrentSystem.String()},

16
cmd/hpkg/main.go
View File

@ -274,13 +274,13 @@ func main() {
"--override-input nixpkgs path:/etc/nixpkgs " + "--override-input nixpkgs path:/etc/nixpkgs " +
"path:" + a.NixGL + "#nixVulkanNvidia", "path:" + a.NixGL + "#nixVulkanNvidia",
}, true, func(config *hst.Config) *hst.Config { }, true, func(config *hst.Config) *hst.Config {
config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfig{ config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
{Src: container.AbsFHSEtc.Append("resolv.conf")}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSEtc.Append("resolv.conf"), Optional: true}},
{Src: container.AbsFHSSys.Append("block")}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("block"), Optional: true}},
{Src: container.AbsFHSSys.Append("bus")}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("bus"), Optional: true}},
{Src: container.AbsFHSSys.Append("class")}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("class"), Optional: true}},
{Src: container.AbsFHSSys.Append("dev")}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("dev"), Optional: true}},
{Src: container.AbsFHSSys.Append("devices")}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSSys.Append("devices"), Optional: true}},
}...) }...)
appendGPUFilesystem(config) appendGPUFilesystem(config)
return config return config
@ -308,7 +308,7 @@ func main() {
if a.GPU { if a.GPU {
config.Container.Filesystem = append(config.Container.Filesystem, config.Container.Filesystem = append(config.Container.Filesystem,
hst.FilesystemConfig{Src: pathSet.nixPath.Append(".nixGL"), Dst: hst.AbsTmp.Append("nixGL")}) hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: pathSet.nixPath.Append(".nixGL"), Dst: hst.AbsTmp.Append("nixGL")}})
appendGPUFilesystem(config) appendGPUFilesystem(config)
} }

38
cmd/hpkg/paths.go
View File

@ -87,30 +87,30 @@ func pathSetByApp(id string) *appPathSet {
} }
func appendGPUFilesystem(config *hst.Config) { func appendGPUFilesystem(config *hst.Config) {
config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfig{ config.Container.Filesystem = append(config.Container.Filesystem, []hst.FilesystemConfigJSON{
// flatpak commit 763a686d874dd668f0236f911de00b80766ffe79 // flatpak commit 763a686d874dd668f0236f911de00b80766ffe79
{Src: container.AbsFHSDev.Append("dri"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
// mali // mali
{Src: container.AbsFHSDev.Append("mali"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("mali"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("mali0"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("mali0"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("umplock"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("umplock"), Device: true, Optional: true}},
// nvidia // nvidia
{Src: container.AbsFHSDev.Append("nvidiactl"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidiactl"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("nvidia-modeset"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia-modeset"), Device: true, Optional: true}},
// nvidia OpenCL/CUDA // nvidia OpenCL/CUDA
{Src: container.AbsFHSDev.Append("nvidia-uvm"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia-uvm"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("nvidia-uvm-tools"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia-uvm-tools"), Device: true, Optional: true}},
// flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff // flatpak commit d2dff2875bb3b7e2cd92d8204088d743fd07f3ff
{Src: container.AbsFHSDev.Append("nvidia0"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia1"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia0"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia1"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("nvidia2"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia3"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia2"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia3"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("nvidia4"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia5"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia4"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia5"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("nvidia6"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia7"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia6"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia7"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("nvidia8"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia9"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia8"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia9"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("nvidia10"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia11"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia10"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia11"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("nvidia12"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia13"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia12"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia13"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("nvidia14"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia15"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia14"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia15"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("nvidia16"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia17"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia16"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia17"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("nvidia18"), Device: true}, {Src: container.AbsFHSDev.Append("nvidia19"), Device: true}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia18"), Device: true, Optional: true}}, {FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("nvidia19"), Device: true, Optional: true}},
}...) }...)
} }

10
cmd/hpkg/with.go
View File

@ -48,8 +48,8 @@ func withNixDaemon(
Net: net, Net: net,
SeccompFlags: seccomp.AllowMultiarch, SeccompFlags: seccomp.AllowMultiarch,
Tty: dropShell, Tty: dropShell,
Filesystem: []hst.FilesystemConfig{ Filesystem: []hst.FilesystemConfigJSON{
{Src: pathSet.nixPath, Dst: pathNix, Write: true, Must: true}, {FilesystemConfig: &hst.FSBind{Src: pathSet.nixPath, Dst: pathNix, Write: true}},
}, },
Link: []hst.LinkConfig{ Link: []hst.LinkConfig{
{pathCurrentSystem, app.CurrentSystem.String()}, {pathCurrentSystem, app.CurrentSystem.String()},
@ -88,9 +88,9 @@ func withCacheDir(
Hostname: formatHostname(app.Name) + "-" + action, Hostname: formatHostname(app.Name) + "-" + action,
SeccompFlags: seccomp.AllowMultiarch, SeccompFlags: seccomp.AllowMultiarch,
Tty: dropShell, Tty: dropShell,
Filesystem: []hst.FilesystemConfig{ Filesystem: []hst.FilesystemConfigJSON{
{Src: workDir.Append("nix"), Dst: pathNix, Must: true}, {FilesystemConfig: &hst.FSBind{Src: workDir.Append("nix"), Dst: pathNix}},
{Src: workDir, Dst: hst.AbsTmp.Append("bundle"), Must: true}, {FilesystemConfig: &hst.FSBind{Src: workDir, Dst: hst.AbsTmp.Append("bundle")}},
}, },
Link: []hst.LinkConfig{ Link: []hst.LinkConfig{
{pathCurrentSystem, app.CurrentSystem.String()}, {pathCurrentSystem, app.CurrentSystem.String()},

2
hst/config.go
View File

@ -66,7 +66,7 @@ type ExtraPermConfig struct {
} }
func (e *ExtraPermConfig) String() string { func (e *ExtraPermConfig) String() string {
if e.Path == nil { if e == nil || e.Path == nil {
return "<invalid>" return "<invalid>"
} }
buf := make([]byte, 0, 5+len(e.Path.String())) buf := make([]byte, 0, 5+len(e.Path.String()))

35
hst/config_test.go Normal file
View File

@ -0,0 +1,35 @@
package hst_test
import (
"testing"
"hakurei.app/container"
"hakurei.app/hst"
)
func TestExtraPermConfig(t *testing.T) {
testCases := []struct {
name string
config *hst.ExtraPermConfig
want string
}{
{"nil", nil, "<invalid>"},
{"nil path", &hst.ExtraPermConfig{Path: nil}, "<invalid>"},
{"r", &hst.ExtraPermConfig{Path: container.AbsFHSRoot, Read: true}, "r--:/"},
{"r+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSRoot, Read: true}, "r--+:/"},
{"w", &hst.ExtraPermConfig{Path: hst.AbsTmp, Write: true}, "-w-:/.hakurei"},
{"w+", &hst.ExtraPermConfig{Ensure: true, Path: hst.AbsTmp, Write: true}, "-w-+:/.hakurei"},
{"x", &hst.ExtraPermConfig{Path: container.AbsFHSRunUser, Execute: true}, "--x:/run/user/"},
{"x+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSRunUser, Execute: true}, "--x+:/run/user/"},
{"rwx", &hst.ExtraPermConfig{Path: container.AbsFHSTmp, Read: true, Write: true, Execute: true}, "rwx:/tmp/"},
{"rwx+", &hst.ExtraPermConfig{Ensure: true, Path: container.AbsFHSTmp, Read: true, Write: true, Execute: true}, "rwx+:/tmp/"},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
if got := tc.config.String(); got != tc.want {
t.Errorf("String: %q, want %q", got, tc.want)
}
})
}
}

18
hst/container.go
View File

@ -51,8 +51,8 @@ type (
// pass through all devices // pass through all devices
Device bool `json:"device,omitempty"` Device bool `json:"device,omitempty"`
// container host filesystem bind mounts // container mount points
Filesystem []FilesystemConfig `json:"filesystem"` Filesystem []FilesystemConfigJSON `json:"filesystem"`
// create symlinks inside container filesystem // create symlinks inside container filesystem
Link []LinkConfig `json:"symlink"` Link []LinkConfig `json:"symlink"`
@ -68,20 +68,6 @@ type (
AutoEtc bool `json:"auto_etc"` AutoEtc bool `json:"auto_etc"`
} }
// FilesystemConfig is an abstract representation of a bind mount.
FilesystemConfig struct {
// mount point in container, same as src if empty
Dst *container.Absolute `json:"dst,omitempty"`
// host filesystem path to make available to the container
Src *container.Absolute `json:"src"`
// do not mount filesystem read-only
Write bool `json:"write,omitempty"`
// do not disable device files
Device bool `json:"dev,omitempty"`
// fail if the bind mount cannot be established for any reason
Must bool `json:"require,omitempty"`
}
LinkConfig struct { LinkConfig struct {
// symlink target in container // symlink target in container
Target *container.Absolute `json:"target"` Target *container.Absolute `json:"target"`

121
hst/fs.go Normal file
View File

@ -0,0 +1,121 @@
package hst
import (
"encoding/json"
"errors"
"fmt"
"reflect"
"hakurei.app/container"
)
// FilesystemConfig is an abstract representation of a mount point.
type FilesystemConfig interface {
// Type returns the type of this mount point.
Type() string
// Target returns the pathname of the mount point in the container.
Target() *container.Absolute
// Host returns a slice of all host paths used by this mount point.
Host() []*container.Absolute
// Apply appends the [container.Op] implementing this mount point.
Apply(ops *container.Ops)
fmt.Stringer
}
var (
ErrFSNull = errors.New("unexpected null in mount point")
)
// FSTypeError is returned when [ContainerConfig.Filesystem] contains an entry with invalid type.
type FSTypeError string
func (f FSTypeError) Error() string { return fmt.Sprintf("invalid filesystem type %q", string(f)) }
// FSImplError is returned when the underlying struct of [FilesystemConfig] does not match
// what [FilesystemConfig.Type] claims to be.
type FSImplError struct {
Type string
Value FilesystemConfig
}
func (f FSImplError) Error() string {
implType := reflect.TypeOf(f.Value)
var name string
for implType != nil && implType.Kind() == reflect.Ptr {
name += "*"
implType = implType.Elem()
}
if implType != nil {
name += implType.Name()
} else {
name += "nil"
}
return fmt.Sprintf("implementation %s is not %s", name, f.Type)
}
// FilesystemConfigJSON is the [json] adapter for [FilesystemConfig].
type FilesystemConfigJSON struct {
FilesystemConfig
}
// Valid returns whether the [FilesystemConfigJSON] is valid.
func (f *FilesystemConfigJSON) Valid() bool { return f != nil && f.FilesystemConfig != nil }
func (f *FilesystemConfigJSON) MarshalJSON() ([]byte, error) {
if f == nil || f.FilesystemConfig == nil {
return nil, ErrFSNull
}
var v any
t := f.Type()
switch t {
case FilesystemBind:
if ct, ok := f.FilesystemConfig.(*FSBind); !ok {
return nil, FSImplError{t, f.FilesystemConfig}
} else {
v = &struct {
Type string `json:"type"`
*FSBind
}{FilesystemBind, ct}
}
case FilesystemEphemeral:
if ct, ok := f.FilesystemConfig.(*FSEphemeral); !ok {
return nil, FSImplError{t, f.FilesystemConfig}
} else {
v = &struct {
Type string `json:"type"`
*FSEphemeral
}{FilesystemEphemeral, ct}
}
default:
return nil, FSTypeError(t)
}
return json.Marshal(v)
}
func (f *FilesystemConfigJSON) UnmarshalJSON(data []byte) error {
t := new(struct {
Type string `json:"type"`
})
if err := json.Unmarshal(data, &t); err != nil {
return err
}
if t == nil {
return ErrFSNull
}
switch t.Type {
case FilesystemBind:
*f = FilesystemConfigJSON{new(FSBind)}
case FilesystemEphemeral:
*f = FilesystemConfigJSON{new(FSEphemeral)}
default:
return FSTypeError(t.Type)
}
return json.Unmarshal(data, f.FilesystemConfig)
}

269
hst/fs_test.go Normal file
View File

@ -0,0 +1,269 @@
package hst_test
import (
"encoding/json"
"errors"
"reflect"
"strings"
"syscall"
"testing"
"hakurei.app/container"
"hakurei.app/hst"
)
func TestFilesystemConfigJSON(t *testing.T) {
testCases := []struct {
name string
want hst.FilesystemConfigJSON
wantErr error
data, sData string
}{
{"nil", hst.FilesystemConfigJSON{FilesystemConfig: nil}, hst.ErrFSNull,
`null`, `{"fs":null,"magic":3236757504}`},
{"bad type", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"cat"}},
hst.FSTypeError("cat"),
`{"type":"cat","meow":true}`, `{"fs":{"type":"cat","meow":true},"magic":3236757504}`},
{"bad impl bind", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"bind"}},
hst.FSImplError{
Type: "bind",
Value: stubFS{"bind"},
},
"\x00", "\x00"},
{"bad impl ephemeral", hst.FilesystemConfigJSON{FilesystemConfig: stubFS{"ephemeral"}},
hst.FSImplError{
Type: "ephemeral",
Value: stubFS{"ephemeral"},
},
"\x00", "\x00"},
{"bind", hst.FilesystemConfigJSON{
FilesystemConfig: &hst.FSBind{
Dst: m("/etc"),
Src: m("/mnt/etc"),
Optional: true,
},
}, nil,
`{"type":"bind","dst":"/etc","src":"/mnt/etc","optional":true}`,
`{"fs":{"type":"bind","dst":"/etc","src":"/mnt/etc","optional":true},"magic":3236757504}`},
{"ephemeral", hst.FilesystemConfigJSON{
FilesystemConfig: &hst.FSEphemeral{
Dst: m("/run/user/65534"),
Write: true,
Size: 1 << 10,
Perm: 0700,
},
}, nil,
`{"type":"ephemeral","dst":"/run/user/65534","write":true,"size":1024,"perm":448}`,
`{"fs":{"type":"ephemeral","dst":"/run/user/65534","write":true,"size":1024,"perm":448},"magic":3236757504}`},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
t.Run("marshal", func(t *testing.T) {
{
d, err := json.Marshal(&tc.want)
if !errors.Is(err, tc.wantErr) {
t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
}
if tc.wantErr != nil {
goto checkSMarshal
}
if string(d) != tc.data {
t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.data)
}
}
checkSMarshal:
{
d, err := json.Marshal(&sCheck{tc.want, syscall.MS_MGC_VAL})
if !errors.Is(err, tc.wantErr) {
t.Errorf("Marshal: error = %v, want %v", err, tc.wantErr)
}
if tc.wantErr != nil {
return
}
if string(d) != tc.sData {
t.Errorf("Marshal:\n%s\nwant:\n%s", string(d), tc.sData)
}
}
})
t.Run("unmarshal", func(t *testing.T) {
if tc.data == "\x00" && tc.sData == "\x00" {
if errors.As(tc.wantErr, new(hst.FSImplError)) {
// this error is only returned on marshal
return
}
}
{
var got hst.FilesystemConfigJSON
err := json.Unmarshal([]byte(tc.data), &got)
if !errors.Is(err, tc.wantErr) {
t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
}
if tc.wantErr != nil {
goto checkSUnmarshal
}
if !reflect.DeepEqual(&tc.want, &got) {
t.Errorf("Unmarshal: %#v, want %#v", &tc.want, &got)
}
}
checkSUnmarshal:
{
var got sCheck
err := json.Unmarshal([]byte(tc.sData), &got)
if !errors.Is(err, tc.wantErr) {
t.Errorf("Unmarshal: error = %v, want %v", err, tc.wantErr)
}
if tc.wantErr != nil {
return
}
want := sCheck{tc.want, syscall.MS_MGC_VAL}
if !reflect.DeepEqual(&got, &want) {
t.Errorf("Unmarshal: %#v, want %#v", &got, &want)
}
}
})
})
}
t.Run("valid", func(t *testing.T) {
if got := (*hst.FilesystemConfigJSON).Valid(nil); got {
t.Errorf("Valid: %v, want false", got)
}
if got := new(hst.FilesystemConfigJSON).Valid(); got {
t.Errorf("Valid: %v, want false", got)
}
if got := (&hst.FilesystemConfigJSON{FilesystemConfig: new(hst.FSBind)}).Valid(); !got {
t.Errorf("Valid: %v, want true", got)
}
})
t.Run("passthrough", func(t *testing.T) {
if err := new(hst.FilesystemConfigJSON).UnmarshalJSON(make([]byte, 0)); err == nil {
t.Errorf("UnmarshalJSON: error = %v", err)
}
})
}
func TestFSErrors(t *testing.T) {
t.Run("type", func(t *testing.T) {
want := `invalid filesystem type "cat"`
if got := hst.FSTypeError("cat").Error(); got != want {
t.Errorf("Error: %q, want %q", got, want)
}
})
t.Run("impl", func(t *testing.T) {
testCases := []struct {
name string
val hst.FilesystemConfig
want string
}{
{"nil", nil, "implementation nil is not cat"},
{"stub", stubFS{"cat"}, "implementation stubFS is not cat"},
{"*stub", &stubFS{"cat"}, "implementation *stubFS is not cat"},
{"(*stub)(nil)", (*stubFS)(nil), "implementation *stubFS is not cat"},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
err := hst.FSImplError{Type: "cat", Value: tc.val}
if got := err.Error(); got != tc.want {
t.Errorf("Error: %q, want %q", got, tc.want)
}
})
}
})
}
type stubFS struct {
typeName string
}
func (s stubFS) Type() string { return s.typeName }
func (s stubFS) Target() *container.Absolute { panic("unreachable") }
func (s stubFS) Host() []*container.Absolute { panic("unreachable") }
func (s stubFS) Apply(*container.Ops) { panic("unreachable") }
func (s stubFS) String() string { return "<invalid " + s.typeName + ">" }
type sCheck struct {
FS hst.FilesystemConfigJSON `json:"fs"`
Magic int `json:"magic"`
}
type fsTestCase struct {
name string
fs hst.FilesystemConfig
ops container.Ops
target *container.Absolute
host []*container.Absolute
str string
}
func checkFs(t *testing.T, fstype string, testCases []fsTestCase) {
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
if got := tc.fs.Type(); got != fstype {
t.Errorf("Type: %q, want %q", got, fstype)
}
t.Run("ops", func(t *testing.T) {
ops := new(container.Ops)
tc.fs.Apply(ops)
if !reflect.DeepEqual(ops, &tc.ops) {
gotString := new(strings.Builder)
for _, op := range *ops {
gotString.WriteString("\n" + op.String())
}
wantString := new(strings.Builder)
for _, op := range tc.ops {
wantString.WriteString("\n" + op.String())
}
t.Errorf("Apply: %s, want %s", gotString, wantString)
}
})
t.Run("target", func(t *testing.T) {
if got := tc.fs.Target(); !reflect.DeepEqual(got, tc.target) {
t.Errorf("Target: %q, want %q", got, tc.target)
}
})
t.Run("host", func(t *testing.T) {
if got := tc.fs.Host(); !reflect.DeepEqual(got, tc.host) {
t.Errorf("Host: %q, want %q", got, tc.host)
}
})
t.Run("string", func(t *testing.T) {
if tc.str == "\x00" {
return
}
if got := tc.fs.String(); got != tc.str {
t.Errorf("String: %q, want %q", got, tc.str)
}
})
})
}
}
func m(pathname string) *container.Absolute { return container.MustAbs(pathname) }
func ms(pathnames ...string) []*container.Absolute {
as := make([]*container.Absolute, len(pathnames))
for i, pathname := range pathnames {
as[i] = container.MustAbs(pathname)
}
return as
}

102
hst/fsbind.go Normal file
View File

@ -0,0 +1,102 @@
package hst
import (
"encoding/gob"
"strings"
"hakurei.app/container"
)
func init() { gob.Register(new(FSBind)) }
// FilesystemBind is the [FilesystemConfig.Type] name of a bind mount point.
const FilesystemBind = "bind"
// FSBind represents a host to container bind mount.
type FSBind struct {
// mount point in container, same as src if empty
Dst *container.Absolute `json:"dst,omitempty"`
// host filesystem path to make available to the container
Src *container.Absolute `json:"src"`
// do not mount filesystem read-only
Write bool `json:"write,omitempty"`
// do not disable device files, implies Write
Device bool `json:"dev,omitempty"`
// skip this mount point if the host path does not exist
Optional bool `json:"optional,omitempty"`
}
func (b *FSBind) Type() string { return FilesystemBind }
func (b *FSBind) Target() *container.Absolute {
if b == nil || b.Src == nil {
return nil
}
if b.Dst == nil {
return b.Src
}
return b.Dst
}
func (b *FSBind) Host() []*container.Absolute {
if b == nil || b.Src == nil {
return nil
}
return []*container.Absolute{b.Src}
}
func (b *FSBind) Apply(ops *container.Ops) {
if b == nil || b.Src == nil {
return
}
dst := b.Dst
if dst == nil {
dst = b.Src
}
var flags int
if b.Write {
flags |= container.BindWritable
}
if b.Device {
flags |= container.BindDevice | container.BindWritable
}
if b.Optional {
flags |= container.BindOptional
}
ops.Bind(b.Src, dst, flags)
}
func (b *FSBind) String() string {
g := 4
if b == nil || b.Src == nil {
return "<invalid>"
}
g += len(b.Src.String())
if b.Dst != nil {
g += len(b.Dst.String())
}
expr := new(strings.Builder)
expr.Grow(g)
if b.Device {
expr.WriteString("d")
} else if b.Write {
expr.WriteString("w")
}
if !b.Optional {
expr.WriteString("*")
} else {
expr.WriteString("+")
}
expr.WriteString(b.Src.String())
if b.Dst != nil {
expr.WriteString(":" + b.Dst.String())
}
return expr.String()
}

66
hst/fsbind_test.go Normal file
View File

@ -0,0 +1,66 @@
package hst_test
import (
"testing"
"hakurei.app/container"
"hakurei.app/hst"
)
func TestFSBind(t *testing.T) {
checkFs(t, "bind", []fsTestCase{
{"nil", (*hst.FSBind)(nil), nil, nil, nil, "<invalid>"},
{"full", &hst.FSBind{
Dst: m("/dev"),
Src: m("/mnt/dev"),
Optional: true,
Device: true,
}, container.Ops{&container.BindMountOp{
Source: m("/mnt/dev"),
Target: m("/dev"),
Flags: container.BindWritable | container.BindDevice | container.BindOptional,
}}, m("/dev"), ms("/mnt/dev"),
"d+/mnt/dev:/dev"},
{"full write dev", &hst.FSBind{
Dst: m("/dev"),
Src: m("/mnt/dev"),
Write: true,
Device: true,
}, container.Ops{&container.BindMountOp{
Source: m("/mnt/dev"),
Target: m("/dev"),
Flags: container.BindWritable | container.BindDevice,
}}, m("/dev"), ms("/mnt/dev"),
"d*/mnt/dev:/dev"},
{"full write", &hst.FSBind{
Dst: m("/tmp"),
Src: m("/mnt/tmp"),
Write: true,
}, container.Ops{&container.BindMountOp{
Source: m("/mnt/tmp"),
Target: m("/tmp"),
Flags: container.BindWritable,
}}, m("/tmp"), ms("/mnt/tmp"),
"w*/mnt/tmp:/tmp"},
{"full no flags", &hst.FSBind{
Dst: m("/etc"),
Src: m("/mnt/etc"),
}, container.Ops{&container.BindMountOp{
Source: m("/mnt/etc"),
Target: m("/etc"),
}}, m("/etc"), ms("/mnt/etc"),
"*/mnt/etc:/etc"},
{"nil dst", &hst.FSBind{
Src: m("/"),
}, container.Ops{&container.BindMountOp{
Source: m("/"),
Target: m("/"),
}}, m("/"), ms("/"),
"*/"},
})
}

83
hst/fsephemeral.go Normal file
View File

@ -0,0 +1,83 @@
package hst
import (
"encoding/gob"
"os"
"strings"
"hakurei.app/container"
)
func init() { gob.Register(new(FSEphemeral)) }
// FilesystemEphemeral is the [FilesystemConfig.Type] name of a mount point with ephemeral state.
const FilesystemEphemeral = "ephemeral"
// FSEphemeral represents an ephemeral container mount point.
type FSEphemeral struct {
// mount point in container
Dst *container.Absolute `json:"dst,omitempty"`
// do not mount filesystem read-only
Write bool `json:"write,omitempty"`
// upper limit on the size of the filesystem
Size int `json:"size,omitempty"`
// initial permission bits of the new filesystem
Perm os.FileMode `json:"perm,omitempty"`
}
func (e *FSEphemeral) Type() string { return FilesystemEphemeral }
func (e *FSEphemeral) Target() *container.Absolute {
if e == nil {
return nil
}
return e.Dst
}
func (e *FSEphemeral) Host() []*container.Absolute { return nil }
const fsEphemeralDefaultPerm = os.FileMode(0755)
func (e *FSEphemeral) Apply(ops *container.Ops) {
if e == nil || e.Dst == nil {
return
}
size := e.Size
if size < 0 {
size = 0
}
perm := e.Perm
if perm == 0 {
perm = fsEphemeralDefaultPerm
}
if e.Write {
ops.Tmpfs(e.Dst, size, perm)
} else {
ops.Readonly(e.Dst, perm)
}
}
func (e *FSEphemeral) String() string {
if e == nil || e.Dst == nil {
return "<invalid>"
}
expr := new(strings.Builder)
expr.Grow(15 + len(FilesystemEphemeral) + len(e.Dst.String()))
if e.Write {
expr.WriteString("w")
}
expr.WriteString("+" + FilesystemEphemeral + "(")
if e.Perm != 0 {
expr.WriteString(e.Perm.String())
} else {
expr.WriteString(fsEphemeralDefaultPerm.String())
}
expr.WriteString("):" + e.Dst.String())
return expr.String()
}

50
hst/fsephemeral_test.go Normal file
View File

@ -0,0 +1,50 @@
package hst_test
import (
"syscall"
"testing"
"hakurei.app/container"
"hakurei.app/hst"
)
func TestFSEphemeral(t *testing.T) {
checkFs(t, "ephemeral", []fsTestCase{
{"nil", (*hst.FSEphemeral)(nil), nil, nil, nil, "<invalid>"},
{"full", &hst.FSEphemeral{
Dst: m("/run/user/65534"),
Write: true,
Size: 1 << 10,
Perm: 0700,
}, container.Ops{&container.MountTmpfsOp{
FSName: "ephemeral",
Path: m("/run/user/65534"),
Flags: syscall.MS_NOSUID | syscall.MS_NODEV,
Size: 1 << 10,
Perm: 0700,
}}, m("/run/user/65534"), nil,
"w+ephemeral(-rwx------):/run/user/65534"},
{"cover ro", &hst.FSEphemeral{Dst: m("/run/nscd")},
container.Ops{&container.MountTmpfsOp{
FSName: "readonly",
Path: m("/run/nscd"),
Flags: syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_RDONLY,
Perm: 0755,
}}, m("/run/nscd"), nil,
"+ephemeral(-rwxr-xr-x):/run/nscd"},
{"negative size", &hst.FSEphemeral{
Dst: hst.AbsTmp,
Write: true,
Size: -1,
}, container.Ops{&container.MountTmpfsOp{
FSName: "ephemeral",
Path: hst.AbsTmp,
Flags: syscall.MS_NOSUID | syscall.MS_NODEV,
Perm: 0755,
}}, hst.AbsTmp, nil,
"w+ephemeral(-rwxr-xr-x):/.hakurei"},
})
}

17
hst/template.go
View File

@ -77,15 +77,14 @@ func Template() *Config {
"GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com", "GOOGLE_DEFAULT_CLIENT_ID": "77185425430.apps.googleusercontent.com",
"GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT", "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT",
}, },
Filesystem: []FilesystemConfig{ Filesystem: []FilesystemConfigJSON{
{Dst: container.AbsFHSTmp, Src: container.AbsNonexistent, Write: true}, {&FSEphemeral{Dst: container.AbsFHSTmp, Write: true, Perm: 0755}},
{Src: container.MustAbs("/nix/store")}, {&FSBind{Src: container.MustAbs("/nix/store")}},
{Src: container.AbsFHSRun.Append("current-system")}, {&FSBind{Src: container.AbsFHSRun.Append("current-system")}},
{Src: container.AbsFHSRun.Append("opengl-driver")}, {&FSBind{Src: container.AbsFHSRun.Append("opengl-driver")}},
{Src: container.AbsFHSVar.Append("db/nix-channels")}, {&FSBind{Src: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"),
{Src: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"), Dst: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true}},
Dst: container.MustAbs("/data/data/org.chromium.Chromium"), Write: true, Must: true}, {&FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}},
{Src: container.AbsFHSDev.Append("dri"), Device: true},
}, },
Link: []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}}, Link: []LinkConfig{{container.AbsFHSRunUser.Append("65534"), container.FHSRunUser + "150"}},
AutoRoot: container.AbsFHSVarLib.Append("hakurei/base/org.debian"), AutoRoot: container.AbsFHSVarLib.Append("hakurei/base/org.debian"),

19
hst/template_test.go
View File

@ -98,31 +98,34 @@ func TestTemplate(t *testing.T) {
"device": true, "device": true,
"filesystem": [ "filesystem": [
{ {
"type": "ephemeral",
"dst": "/tmp/", "dst": "/tmp/",
"src": "/proc/nonexistent", "write": true,
"write": true "perm": 493
}, },
{ {
"type": "bind",
"src": "/nix/store" "src": "/nix/store"
}, },
{ {
"type": "bind",
"src": "/run/current-system" "src": "/run/current-system"
}, },
{ {
"type": "bind",
"src": "/run/opengl-driver" "src": "/run/opengl-driver"
}, },
{ {
"src": "/var/db/nix-channels" "type": "bind",
},
{
"dst": "/data/data/org.chromium.Chromium", "dst": "/data/data/org.chromium.Chromium",
"src": "/var/lib/hakurei/u0/org.chromium.Chromium", "src": "/var/lib/hakurei/u0/org.chromium.Chromium",
"write": true, "write": true
"require": true
}, },
{ {
"type": "bind",
"src": "/dev/dri", "src": "/dev/dri",
"dev": true "dev": true,
"optional": true
} }
], ],
"symlink": [ "symlink": [

20
internal/app/app_nixos_linux_test.go
View File

@ -13,6 +13,9 @@ import (
) )
func m(pathname string) *container.Absolute { return container.MustAbs(pathname) } func m(pathname string) *container.Absolute { return container.MustAbs(pathname) }
func f(c hst.FilesystemConfig) hst.FilesystemConfigJSON {
return hst.FilesystemConfigJSON{FilesystemConfig: c}
}
var testCasesNixos = []sealTestCase{ var testCasesNixos = []sealTestCase{
{ {
@ -25,11 +28,18 @@ var testCasesNixos = []sealTestCase{
Container: &hst.ContainerConfig{ Container: &hst.ContainerConfig{
Userns: true, Net: true, MapRealUID: true, Env: nil, AutoEtc: true, Userns: true, Net: true, MapRealUID: true, Env: nil, AutoEtc: true,
Filesystem: []hst.FilesystemConfig{ Filesystem: []hst.FilesystemConfigJSON{
{Src: m("/bin"), Must: true}, {Src: m("/usr/bin/"), Must: true}, f(&hst.FSBind{Src: m("/bin")}),
{Src: m("/nix/store"), Must: true}, {Src: m("/run/current-system"), Must: true}, f(&hst.FSBind{Src: m("/usr/bin/")}),
{Src: m("/sys/block")}, {Src: m("/sys/bus")}, {Src: m("/sys/class")}, {Src: m("/sys/dev")}, {Src: m("/sys/devices")}, f(&hst.FSBind{Src: m("/nix/store")}),
{Src: m("/run/opengl-driver"), Must: true}, {Src: m("/dev/dri"), Device: true}, f(&hst.FSBind{Src: m("/run/current-system")}),
f(&hst.FSBind{Src: m("/sys/block"), Optional: true}),
f(&hst.FSBind{Src: m("/sys/bus"), Optional: true}),
f(&hst.FSBind{Src: m("/sys/class"), Optional: true}),
f(&hst.FSBind{Src: m("/sys/dev"), Optional: true}),
f(&hst.FSBind{Src: m("/sys/devices"), Optional: true}),
f(&hst.FSBind{Src: m("/run/opengl-driver")}),
f(&hst.FSBind{Src: m("/dev/dri"), Device: true, Optional: true}),
}, },
}, },
SystemBus: &dbus.Config{ SystemBus: &dbus.Config{

93
internal/app/container_linux.go
View File

@ -6,7 +6,6 @@ import (
"io/fs" "io/fs"
"maps" "maps"
"path" "path"
"slices"
"syscall" "syscall"
"hakurei.app/container" "hakurei.app/container"
@ -126,73 +125,63 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
return nil, nil, err return nil, nil, err
} }
} }
// evaluated path, input path
hidePathSource := make([][2]string, 0, len(s.Filesystem)) var hidePathSourceCount int
for i, c := range s.Filesystem {
if !c.Valid() {
return nil, nil, fmt.Errorf("invalid filesystem at index %d", i)
}
c.Apply(params.Ops)
// fs counter
hidePathSourceCount += len(c.Host())
}
// AutoRoot is a collection of many BindMountOp internally // AutoRoot is a collection of many BindMountOp internally
var autoRootEntries []fs.DirEntry
if s.AutoRoot != nil { if s.AutoRoot != nil {
if d, err := os.ReadDir(s.AutoRoot.String()); err != nil { if d, err := os.ReadDir(s.AutoRoot.String()); err != nil {
return nil, nil, err return nil, nil, err
} else { } else {
hidePathSource = slices.Grow(hidePathSource, len(d)) // autoroot counter
for _, ent := range d { hidePathSourceCount += len(d)
name := ent.Name() autoRootEntries = d
if container.IsAutoRootBindable(name) { }
name = path.Join(s.AutoRoot.String(), name) }
srcP := [2]string{name, name}
if err = evalSymlinks(os, &srcP[0]); err != nil { hidePathSource := make([]*container.Absolute, 0, hidePathSourceCount)
return nil, nil, err
} // fs append
hidePathSource = append(hidePathSource, srcP) for _, c := range s.Filesystem {
} // all entries already checked above
hidePathSource = append(hidePathSource, c.Host()...)
}
// autoroot append
if s.AutoRoot != nil {
for _, ent := range autoRootEntries {
name := ent.Name()
if container.IsAutoRootBindable(name) {
hidePathSource = append(hidePathSource, s.AutoRoot.Append(name))
} }
} }
} }
for i, c := range s.Filesystem { // evaluated path, input path
if c.Src == nil { hidePathSourceEval := make([][2]string, len(hidePathSource))
return nil, nil, fmt.Errorf("invalid filesystem at index %d", i) for i, a := range hidePathSource {
if a == nil {
// unreachable
return nil, nil, syscall.ENOTRECOVERABLE
} }
// special filesystems hidePathSourceEval[i] = [2]string{a.String(), a.String()}
switch c.Src.String() { if err := evalSymlinks(os, &hidePathSourceEval[i][0]); err != nil {
case container.Nonexistent:
if c.Dst == nil {
return nil, nil, errors.New("tmpfs dst must not be nil")
}
if c.Write {
params.Tmpfs(c.Dst, hst.TmpfsSize, hst.TmpfsPerm)
} else {
params.Readonly(c.Dst, hst.TmpfsPerm)
}
continue
}
dst := c.Dst
if dst == nil {
dst = c.Src
}
p := [2]string{c.Src.String(), c.Src.String()}
if err := evalSymlinks(os, &p[0]); err != nil {
return nil, nil, err return nil, nil, err
} }
hidePathSource = append(hidePathSource, p)
var flags int
if c.Write {
flags |= container.BindWritable
}
if c.Device {
flags |= container.BindDevice | container.BindWritable
}
if !c.Must {
flags |= container.BindOptional
}
params.Bind(c.Src, dst, flags)
} }
for _, p := range hidePathSource { for _, p := range hidePathSourceEval {
for i := range hidePaths { for i := range hidePaths {
// skip matched entries // skip matched entries
if hidePathMatch[i] { if hidePathMatch[i] {

6
internal/app/seal_linux.go
View File

@ -248,15 +248,15 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
// bind GPU stuff // bind GPU stuff
if config.Enablements&(system.EX11|system.EWayland) != 0 { if config.Enablements&(system.EX11|system.EWayland) != 0 {
conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfig{Src: container.AbsFHSDev.Append("dri"), Device: true}) conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("dri"), Device: true, Optional: true}})
} }
// opportunistically bind kvm // opportunistically bind kvm
conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfig{Src: container.AbsFHSDev.Append("kvm"), Device: true}) conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{Src: container.AbsFHSDev.Append("kvm"), Device: true, Optional: true}})
// hide nscd from container if present // hide nscd from container if present
nscd := container.AbsFHSVar.Append("run/nscd") nscd := container.AbsFHSVar.Append("run/nscd")
if _, err := sys.Stat(nscd.String()); !errors.Is(err, fs.ErrNotExist) { if _, err := sys.Stat(nscd.String()); !errors.Is(err, fs.ErrNotExist) {
conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfig{Dst: nscd, Src: container.AbsNonexistent}) conf.Filesystem = append(conf.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSEphemeral{Dst: nscd}})
} }
config.Container = conf config.Container = conf

44
nixos.nix
View File

@ -142,36 +142,42 @@ in
filesystem = filesystem =
let let
bind = src: { inherit src; }; bind = src: {
mustBind = src: { type = "bind";
inherit src; inherit src;
require = true;
}; };
devBind = src: { optBind = src: {
type = "bind";
inherit src;
optional = true;
};
optDevBind = src: {
type = "bind";
inherit src; inherit src;
dev = true; dev = true;
optional = true;
}; };
in in
[ [
(mustBind "/bin") (bind "/bin")
(mustBind "/usr/bin") (bind "/usr/bin")
(mustBind "/nix/store") (bind "/nix/store")
(bind "/sys/block") (optBind "/sys/block")
(bind "/sys/bus") (optBind "/sys/bus")
(bind "/sys/class") (optBind "/sys/class")
(bind "/sys/dev") (optBind "/sys/dev")
(bind "/sys/devices") (optBind "/sys/devices")
] ]
++ optionals app.nix [ ++ optionals app.nix [
(mustBind "/nix/var") (bind "/nix/var")
] ]
++ optionals isGraphical [ ++ optionals isGraphical [
(devBind "/dev/dri") (optDevBind "/dev/dri")
(devBind "/dev/nvidiactl") (optDevBind "/dev/nvidiactl")
(devBind "/dev/nvidia-modeset") (optDevBind "/dev/nvidia-modeset")
(devBind "/dev/nvidia-uvm") (optDevBind "/dev/nvidia-uvm")
(devBind "/dev/nvidia-uvm-tools") (optDevBind "/dev/nvidia-uvm-tools")
(devBind "/dev/nvidia0") (optDevBind "/dev/nvidia0")
] ]
++ optionals app.useCommonPaths cfg.commonPaths ++ optionals app.useCommonPaths cfg.commonPaths
++ app.extraPaths; ++ app.extraPaths;

11
options.nix
View File

@ -7,6 +7,7 @@ let
mountPoint = mountPoint =
let let
inherit (types) inherit (types)
enum
str str
submodule submodule
nullOr nullOr
@ -15,6 +16,14 @@ let
in in
listOf (submodule { listOf (submodule {
options = { options = {
type = mkOption {
type = enum [ "bind" ];
default = "bind";
description = ''
Type of the mount point;
'';
};
dst = mkOption { dst = mkOption {
type = nullOr str; type = nullOr str;
default = null; default = null;
@ -32,7 +41,7 @@ let
write = mkEnableOption "mounting path as writable"; write = mkEnableOption "mounting path as writable";
dev = mkEnableOption "use of device files"; dev = mkEnableOption "use of device files";
require = mkEnableOption "start failure if the bind mount cannot be established for any reason"; optional = mkEnableOption "ignore nonexistent source path";
}; };
}); });
in in