security/hakurei
security/hakurei
5
2
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 7 Wiki Activity

app/seal: leave $DISPLAY as is on host abstract
All checks were successful
Test / Create distribution (push) Successful in 26s
Details
Test / Hakurei (push) Successful in 42s
Details
Test / Hakurei (race detector) (push) Successful in 42s
Details
Test / Sandbox (race detector) (push) Successful in 40s
Details
Test / Sandbox (push) Successful in 40s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Flake checks (push) Successful in 1m24s
Details

Browse Source 
This helps work around faulty software that misinterprets unix: DISPLAY string.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-08-27 20:40:30 +09:00
parent 9d932d1039
commit acb6931f3e
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
7 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
internal/app/seal_linux.go
View File

@ -418,9 +418,11 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
} }
} else { } else {
seal.sys.UpdatePermType(system.EX11, socketPath.String(), acl.Read, acl.Write, acl.Execute) seal.sys.UpdatePermType(system.EX11, socketPath.String(), acl.Read, acl.Write, acl.Execute)
if !config.Container.HostAbstract {
d = "unix:" + socketPath.String() d = "unix:" + socketPath.String()
} }
} }
}
seal.sys.ChangeHosts("#" + seal.user.uid.String()) seal.sys.ChangeHosts("#" + seal.user.uid.String())
seal.env[display] = d seal.env[display] = d

1
test/sandbox/case/default.nix
View File

@ -49,6 +49,7 @@ let
mapRealUid mapRealUid
useCommonPaths useCommonPaths
userns userns
hostAbstract
; ;
enablements = { enablements = {
inherit (tc) x11; inherit (tc) x11;

1
test/sandbox/case/device.nix
View File

@ -26,6 +26,7 @@ in
useCommonPaths = true; useCommonPaths = true;
userns = false; userns = false;
x11 = true; x11 = true;
hostAbstract = false;
# 0, PresetStrict # 0, PresetStrict
expectedFilter = { expectedFilter = {

1
test/sandbox/case/mapuid.nix
View File

@ -35,6 +35,7 @@ in
useCommonPaths = true; useCommonPaths = true;
userns = false; userns = false;
x11 = false; x11 = false;
hostAbstract = false;
# 0, PresetStrict # 0, PresetStrict
expectedFilter = { expectedFilter = {

1
test/sandbox/case/pdlike.nix
View File

@ -35,6 +35,7 @@ in
useCommonPaths = false; useCommonPaths = false;
userns = true; userns = true;
x11 = false; x11 = false;
hostAbstract = false;
# 0, PresetExt | PresetDenyDevel # 0, PresetExt | PresetDenyDevel
expectedFilter = { expectedFilter = {

1
test/sandbox/case/preset.nix
View File

@ -35,6 +35,7 @@ in
useCommonPaths = false; useCommonPaths = false;
userns = false; userns = false;
x11 = false; x11 = false;
hostAbstract = false;
# 0, PresetStrict # 0, PresetStrict
expectedFilter = { expectedFilter = {

5
test/sandbox/case/tty.nix
View File

@ -35,6 +35,7 @@ in
useCommonPaths = true; useCommonPaths = true;
userns = false; userns = false;
x11 = true; x11 = true;
hostAbstract = true;
# 0, PresetExt | PresetDenyNS | PresetDenyDevel # 0, PresetExt | PresetDenyNS | PresetDenyDevel
expectedFilter = { expectedFilter = {
@ -45,7 +46,7 @@ in
want = { want = {
env = [ env = [
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus" "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
"DISPLAY=unix:/tmp/.X11-unix/X0" "DISPLAY=:0"
"HOME=/var/lib/hakurei/u0/a2" "HOME=/var/lib/hakurei/u0/a2"
"PULSE_SERVER=unix:/run/user/65534/pulse/native" "PULSE_SERVER=unix:/run/user/65534/pulse/native"
"SHELL=/run/current-system/sw/bin/bash" "SHELL=/run/current-system/sw/bin/bash"
@ -276,7 +277,7 @@ in
seccomp = true; seccomp = true;
try_socket = "/tmp/.X11-unix/X0"; try_socket = "/tmp/.X11-unix/X0";
socket_abstract = false; socket_abstract = true;
socket_pathname = true; socket_pathname = true;
}; };
} }