From acb6931f3e4af62f92dc2ef85ef7c1ac9f7867e4 Mon Sep 17 00:00:00 2001 From: Ophestra Date: Wed, 27 Aug 2025 20:40:30 +0900 Subject: [PATCH] app/seal: leave $DISPLAY as is on host abstract This helps work around faulty software that misinterprets unix: DISPLAY string. Signed-off-by: Ophestra --- internal/app/seal_linux.go | 4 +++- test/sandbox/case/default.nix | 1 + test/sandbox/case/device.nix | 1 + test/sandbox/case/mapuid.nix | 1 + test/sandbox/case/pdlike.nix | 1 + test/sandbox/case/preset.nix | 1 + test/sandbox/case/tty.nix | 5 +++-- 7 files changed, 11 insertions(+), 3 deletions(-) diff --git a/internal/app/seal_linux.go b/internal/app/seal_linux.go index 36984c5..1b36317 100644 --- a/internal/app/seal_linux.go +++ b/internal/app/seal_linux.go @@ -418,7 +418,9 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co } } else { seal.sys.UpdatePermType(system.EX11, socketPath.String(), acl.Read, acl.Write, acl.Execute) - d = "unix:" + socketPath.String() + if !config.Container.HostAbstract { + d = "unix:" + socketPath.String() + } } } diff --git a/test/sandbox/case/default.nix b/test/sandbox/case/default.nix index ec814aa..acf30d7 100644 --- a/test/sandbox/case/default.nix +++ b/test/sandbox/case/default.nix @@ -49,6 +49,7 @@ let mapRealUid useCommonPaths userns + hostAbstract ; enablements = { inherit (tc) x11; diff --git a/test/sandbox/case/device.nix b/test/sandbox/case/device.nix index 831b6ab..d0f6289 100644 --- a/test/sandbox/case/device.nix +++ b/test/sandbox/case/device.nix @@ -26,6 +26,7 @@ in useCommonPaths = true; userns = false; x11 = true; + hostAbstract = false; # 0, PresetStrict expectedFilter = { diff --git a/test/sandbox/case/mapuid.nix b/test/sandbox/case/mapuid.nix index d033579..c6dc848 100644 --- a/test/sandbox/case/mapuid.nix +++ b/test/sandbox/case/mapuid.nix @@ -35,6 +35,7 @@ in useCommonPaths = true; userns = false; x11 = false; + hostAbstract = false; # 0, PresetStrict expectedFilter = { diff --git a/test/sandbox/case/pdlike.nix b/test/sandbox/case/pdlike.nix index 60dcef5..3b22809 100644 --- a/test/sandbox/case/pdlike.nix +++ b/test/sandbox/case/pdlike.nix @@ -35,6 +35,7 @@ in useCommonPaths = false; userns = true; x11 = false; + hostAbstract = false; # 0, PresetExt | PresetDenyDevel expectedFilter = { diff --git a/test/sandbox/case/preset.nix b/test/sandbox/case/preset.nix index ba1ab4c..32c0d61 100644 --- a/test/sandbox/case/preset.nix +++ b/test/sandbox/case/preset.nix @@ -35,6 +35,7 @@ in useCommonPaths = false; userns = false; x11 = false; + hostAbstract = false; # 0, PresetStrict expectedFilter = { diff --git a/test/sandbox/case/tty.nix b/test/sandbox/case/tty.nix index f06a906..feb4833 100644 --- a/test/sandbox/case/tty.nix +++ b/test/sandbox/case/tty.nix @@ -35,6 +35,7 @@ in useCommonPaths = true; userns = false; x11 = true; + hostAbstract = true; # 0, PresetExt | PresetDenyNS | PresetDenyDevel expectedFilter = { @@ -45,7 +46,7 @@ in want = { env = [ "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus" - "DISPLAY=unix:/tmp/.X11-unix/X0" + "DISPLAY=:0" "HOME=/var/lib/hakurei/u0/a2" "PULSE_SERVER=unix:/run/user/65534/pulse/native" "SHELL=/run/current-system/sw/bin/bash" @@ -276,7 +277,7 @@ in seccomp = true; try_socket = "/tmp/.X11-unix/X0"; - socket_abstract = false; + socket_abstract = true; socket_pathname = true; }; }