From a3988c1a7725eb791795643e0810f03bab4572b3 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Mon, 18 Aug 2025 16:47:23 +0900
Subject: [PATCH] hst: rename net and abstract fields

This makes more sense and matches the container library.

Signed-off-by: Ophestra
---
 cmd/hakurei/print.go | 3 ++-
 cmd/hakurei/print_test.go | 13 ++++++++-----
 cmd/hpkg/app.go | 20 ++++++++++----------
 cmd/hpkg/with.go | 2 +-
 hst/config.go | 4 ++--
 hst/hst.go | 3 ++-
 hst/hst_test.go | 3 ++-
 internal/app/app_nixos_linux_test.go | 2 +-
 internal/app/container_linux.go | 4 ++--
 internal/app/seal_linux.go | 10 +++++-----
 nixos.nix | 4 ++--
 options.nix | 4 ++--
 12 files changed, 39 insertions(+), 33 deletions(-)

diff --git a/cmd/hakurei/print.go b/cmd/hakurei/print.go
index 78c34be..d163efc 100644
--- a/cmd/hakurei/print.go
+++ b/cmd/hakurei/print.go
@@ -98,7 +98,8 @@ func printShowInstance(
 }
 writeFlag("userns", params.Userns)
 writeFlag("devel", params.Devel)
- writeFlag("net", params.Net)
+ writeFlag("net", params.HostNet)
+ writeFlag("abstract", params.HostAbstract)
 writeFlag("device", params.Device)
 writeFlag("tty", params.Tty)
 writeFlag("mapuid", params.MapRealUID)
diff --git a/cmd/hakurei/print_test.go b/cmd/hakurei/print_test.go
index c2f97ec..dab4b9e 100644
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@@ -41,7 +41,7 @@ func Test_printShowInstance(t *testing.T) {
 Groups: video, dialout, plugdev
 Data: /var/lib/hakurei/u0/org.chromium.Chromium
 Hostname: localhost
- Flags: userns devel net device tty mapuid autoetc
+ Flags: userns devel net abstract device tty mapuid autoetc
 Root: /var/lib/hakurei/base/org.debian (2)
 Etc: /etc/
 Path: /run/current-system/sw/bin/chromium
@@ -120,7 +120,7 @@ App
 Groups: video, dialout, plugdev
 Data: /var/lib/hakurei/u0/org.chromium.Chromium
 Hostname: localhost
- Flags: userns devel net device tty mapuid autoetc
+ Flags: userns devel net abstract device tty mapuid autoetc
 Root: /var/lib/hakurei/base/org.debian (2)
 Etc: /etc/
 Path: /run/current-system/sw/bin/chromium
@@ -267,7 +267,8 @@ App
 "seccomp_compat": true,
 "devel": true,
 "userns": true,
- "net": true,
+ "host_net": true,
+ "host_abstract": true,
 "tty": true,
 "multiarch": true,
 "env": {
@@ -415,7 +416,8 @@ App
 "seccomp_compat": true,
 "devel": true,
 "userns": true,
- "net": true,
+ "host_net": true,
+ "host_abstract": true,
 "tty": true,
 "multiarch": true,
 "env": {
@@ -617,7 +619,8 @@ func Test_printPs(t *testing.T) {
 "seccomp_compat": true,
 "devel": true,
 "userns": true,
- "net": true,
+ "host_net": true,
+ "host_abstract": true,
 "tty": true,
 "multiarch": true,
 "env": {
diff --git a/cmd/hpkg/app.go b/cmd/hpkg/app.go
index 713a4fc..e35dbf9 100644
--- a/cmd/hpkg/app.go
+++ b/cmd/hpkg/app.go
@@ -26,9 +26,9 @@ type appInfo struct {
 // passed through to [hst.Config]
 Userns bool `json:"userns,omitempty"`
 // passed through to [hst.Config]
- Net bool `json:"net,omitempty"`
+ HostNet bool `json:"net,omitempty"`
 // passed through to [hst.Config]
- Abstract bool `json:"abstract,omitempty"`
+ HostAbstract bool `json:"abstract,omitempty"`
 // passed through to [hst.Config]
 Device bool `json:"dev,omitempty"`
 // passed through to [hst.Config]
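Review bot: In the cmd/hpkg/app.go hunk the appInfo fields become HostNet and HostAbstract but their JSON tags stay `net` and `abstract`, so the hpkg manifest keys no longer match the `host_net`/`host_abstract` keys hst.Config adopts in this same patch, while each field still carries the comment `// passed through to [hst.Config]`. If keeping the manifest format stable is deliberate, the comment should record that, e.g. `// passed through to [hst.Config] as host_net; manifest key kept as "net"` and the same for abstract; otherwise the tags should follow the hst.Config rename. As written, a reader comparing the two structs cannot tell from this hunk which was intended. The appInfo struct starts before the hunk and continues after it.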
@@ -85,14 +85,14 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg Groups: app.Groups, Container: &hst.ContainerConfig{ - Hostname: formatHostname(app.Name), - Devel: app.Devel, - Userns: app.Userns, - Net: app.Net, - Abstract: app.Abstract, - Device: app.Device, - Tty: app.Tty || flagDropShell, - MapRealUID: app.MapRealUID, + Hostname: formatHostname(app.Name), + Devel: app.Devel, + Userns: app.Userns, + HostNet: app.HostNet, + HostAbstract: app.HostAbstract, + Device: app.Device, + Tty: app.Tty || flagDropShell, + MapRealUID: app.MapRealUID, Filesystem: []hst.FilesystemConfigJSON{ {FilesystemConfig: &hst.FSBind{Source: pathSet.nixPath.Append("store"), Target: pathNixStore}}, {FilesystemConfig: &hst.FSBind{Source: pathSet.metaPath, Target: hst.AbsTmp.Append("app")}}, diff --git a/cmd/hpkg/with.go b/cmd/hpkg/with.go index c6f3f22..acb503d 100644 --- a/cmd/hpkg/with.go +++ b/cmd/hpkg/with.go @@ -45,7 +45,7 @@ func withNixDaemon( Container: &hst.ContainerConfig{ Hostname: formatHostname(app.Name) + "-" + action, Userns: true, // nix sandbox requires userns - Net: net, + HostNet: net, SeccompFlags: seccomp.AllowMultiarch, Tty: dropShell, Filesystem: []hst.FilesystemConfigJSON{ diff --git a/hst/config.go b/hst/config.go index d6f07be..8226a35 100644 --- a/hst/config.go +++ b/hst/config.go @@ -78,9 +78,9 @@ type ( // allow userns creation in container Userns bool `json:"userns,omitempty"` // share host net namespace - Net bool `json:"net,omitempty"` + HostNet bool `json:"host_net,omitempty"` // share abstract unix socket scope - Abstract bool `json:"abstract,omitempty"` + HostAbstract bool `json:"host_abstract,omitempty"` // allow dangerous terminal I/O Tty bool `json:"tty,omitempty"` // allow multiarch diff --git a/hst/hst.go b/hst/hst.go index 92769a2..6e77dc9 100644 --- a/hst/hst.go +++ b/hst/hst.go 
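Review bot: The hst/config.go hunk changes the on-disk JSON keys from `net`/`abstract` to `host_net`/`host_abstract`, which breaks every existing config file, and if configs are decoded with plain encoding/json (the loader is not visible here) a stale `"net": true` or `"abstract": true` is silently dropped rather than rejected. The failure direction is at least fail-closed, since the container loses host networking and the abstract socket scope instead of gaining them, but a sandbox config loader should not ignore unknown keys without a word; consider `DisallowUnknownFields` on the decoder or a deprecated alias field that maps the old key, and at minimum record the rename on the field, e.g. `// share host net namespace (JSON key was "net" before this change)`. The `type (` block enclosing these fields starts and ends outside the hunk.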
@@ -79,7 +79,8 @@ func Template() *Config { Hostname: "localhost", Devel: true, Userns: true, - Net: true, + HostNet: true, + HostAbstract: true, Device: true, WaitDelay: -1, SeccompFlags: seccomp.AllowMultiarch, diff --git a/hst/hst_test.go b/hst/hst_test.go index 31b9013..a3930f4 100644 --- a/hst/hst_test.go +++ b/hst/hst_test.go @@ -90,7 +90,8 @@ func TestTemplate(t *testing.T) { "seccomp_compat": true, "devel": true, "userns": true, - "net": true, + "host_net": true, + "host_abstract": true, "tty": true, "multiarch": true, "env": { diff --git a/internal/app/app_nixos_linux_test.go b/internal/app/app_nixos_linux_test.go index 16ac2a2..2bf8f67 100644 --- a/internal/app/app_nixos_linux_test.go +++ b/internal/app/app_nixos_linux_test.go @@ -27,7 +27,7 @@ var testCasesNixos = []sealTestCase{ Shell: m("/run/current-system/sw/bin/zsh"), Container: &hst.ContainerConfig{ - Userns: true, Net: true, MapRealUID: true, Env: nil, AutoEtc: true, + Userns: true, HostNet: true, MapRealUID: true, Env: nil, AutoEtc: true, Filesystem: []hst.FilesystemConfigJSON{ f(&hst.FSBind{Source: m("/bin")}), f(&hst.FSBind{Source: m("/usr/bin/")}), diff --git a/internal/app/container_linux.go b/internal/app/container_linux.go index 7f08819..2d0a236 100644 --- a/internal/app/container_linux.go +++ b/internal/app/container_linux.go @@ -32,8 +32,8 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid SeccompFlags: s.SeccompFlags, SeccompPresets: s.SeccompPresets, RetainSession: s.Tty, - HostNet: s.Net, - HostAbstract: s.Abstract, + HostNet: s.HostNet, + HostAbstract: s.HostAbstract, // the container is canceled when shim is requested to exit or receives an interrupt or termination signal; // this behaviour is implemented in the shim diff --git a/internal/app/seal_linux.go b/internal/app/seal_linux.go index 0ae121f..23d65f9 100644 --- a/internal/app/seal_linux.go +++ b/internal/app/seal_linux.go 
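Review bot: Template() now sets `HostAbstract: true` next to `HostNet: true` with no comment, so a config generated from the template shares the host's abstract unix socket scope in addition to its network namespace. The template is presumably what users start from, so a sharing option that widens the container's reach should be annotated rather than silently switched on, e.g. `HostAbstract: true, // exposes the host's abstract unix sockets; remove unless the app needs them`. The Template body continues outside the hunk.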
@@ -238,11 +238,11 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co } conf := &hst.ContainerConfig{ - Userns: true, - Net: true, - Abstract: true, - Tty: true, - AutoEtc: true, + Userns: true, + HostNet: true, + HostAbstract: true, + Tty: true, + AutoEtc: true, AutoRoot: container.AbsFHSRoot, RootFlags: container.BindWritable, diff --git a/nixos.nix b/nixos.nix index eb8df5f..64bc8be 100644 --- a/nixos.nix +++ b/nixos.nix @@ -131,14 +131,14 @@ in wait_delay devel userns - net - abstract device tty multiarch env ; map_real_uid = app.mapRealUid; + host_net = app.hostNet; + host_abstract = app.hostAbstract; filesystem = let diff --git a/options.nix b/options.nix index ec2533c..91ea7c4 100644 --- a/options.nix +++ b/options.nix @@ -179,10 +179,10 @@ in tty = mkEnableOption "access to the controlling terminal"; multiarch = mkEnableOption "multiarch kernel-level support"; - net = mkEnableOption "network access" // { + hostNet = mkEnableOption "share host net namespace" // { default = true; }; - abstract = mkEnableOption "abstract unix domain socket access"; + hostAbstract = mkEnableOption "share abstract unix socket scope"; nix = mkEnableOption "nix daemon access"; mapRealUid = mkEnableOption "mapping to priv-user uid";
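Review bot: The options.nix hunk renames `net` to `hostNet` and `abstract` to `hostAbstract` without compatibility aliases, so existing NixOS configurations that set the old options fail evaluation with a generic unknown-option error instead of a pointed migration message; the `hostNet` default of `true` is otherwise carried over unchanged. Adding something like `(mkRenamedOptionModule [ "net" ] [ "hostNet" ])` and the `abstract` counterpart to the submodule's `imports` would give users a clear deprecation path, or the commit message should state that the rename is intentionally breaking. The option set enclosing these lines starts before the hunk.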