security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 6 Wiki Activity

app/seal: leave $DISPLAY as is on host abstract
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Hakurei (push) Successful in 42s
Details
Test / Hakurei (race detector) (push) Successful in 42s
Details
Test / Sandbox (race detector) (push) Successful in 40s
Details
Test / Sandbox (push) Successful in 40s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Flake checks (push) Successful in 1m24s
Details

Browse Source 
This helps work around faulty software that misinterprets unix: DISPLAY string.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-08-27 20:40:30 +09:00
parent 9d932d1039
commit acb6931f3e
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
7 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
internal/app/seal_linux.go
View File

@ -418,7 +418,9 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
}
} else {
seal.sys.UpdatePermType(system.EX11, socketPath.String(), acl.Read, acl.Write, acl.Execute)
d = "unix:" + socketPath.String()
if !config.Container.HostAbstract {
d = "unix:" + socketPath.String()
}
}
}

1
test/sandbox/case/default.nix
View File

@ -49,6 +49,7 @@ let
mapRealUid
useCommonPaths
userns
hostAbstract
;
enablements = {
inherit (tc) x11;

1
test/sandbox/case/device.nix
View File

@ -26,6 +26,7 @@ in
useCommonPaths = true;
userns = false;
x11 = true;
hostAbstract = false;
# 0, PresetStrict
expectedFilter = {

1
test/sandbox/case/mapuid.nix
View File

@ -35,6 +35,7 @@ in
useCommonPaths = true;
userns = false;
x11 = false;
hostAbstract = false;
# 0, PresetStrict
expectedFilter = {

1
test/sandbox/case/pdlike.nix
View File

@ -35,6 +35,7 @@ in
useCommonPaths = false;
userns = true;
x11 = false;
hostAbstract = false;
# 0, PresetExt | PresetDenyDevel
expectedFilter = {

1
test/sandbox/case/preset.nix
View File

@ -35,6 +35,7 @@ in
useCommonPaths = false;
userns = false;
x11 = false;
hostAbstract = false;
# 0, PresetStrict
expectedFilter = {

5
test/sandbox/case/tty.nix
View File

@ -35,6 +35,7 @@ in
useCommonPaths = true;
userns = false;
x11 = true;
hostAbstract = true;
# 0, PresetExt | PresetDenyNS | PresetDenyDevel
expectedFilter = {
@ -45,7 +46,7 @@ in
want = {
env = [
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
"DISPLAY=unix:/tmp/.X11-unix/X0"
"DISPLAY=:0"
"HOME=/var/lib/hakurei/u0/a2"
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
"SHELL=/run/current-system/sw/bin/bash"
@ -276,7 +277,7 @@ in
seccomp = true;
try_socket = "/tmp/.X11-unix/X0";
socket_abstract = false;
socket_abstract = true;
socket_pathname = true;
};
}