From b32b1975a89d60beab75dfca723925131a06065b Mon Sep 17 00:00:00 2001 From: Ophestra Date: Sat, 2 Aug 2025 00:34:52 +0900 Subject: [PATCH] hst/container: remove cover This was never useful, and is now completely replaced by regular FilesystemConfig being able to mount tmpfs. Signed-off-by: Ophestra --- cmd/hakurei/print.go | 4 ---- cmd/hakurei/print_test.go | 34 ++++++++++++++++------------ hst/container.go | 3 --- hst/template.go | 2 +- hst/template_test.go | 10 ++++---- internal/app/app_nixos_linux_test.go | 2 -- internal/app/container_linux.go | 2 +- internal/app/seal_linux.go | 4 ---- 8 files changed, 28 insertions(+), 33 deletions(-) diff --git a/cmd/hakurei/print.go b/cmd/hakurei/print.go index 807831c..1169d10 100644 --- a/cmd/hakurei/print.go +++ b/cmd/hakurei/print.go @@ -114,10 +114,6 @@ func printShowInstance( } t.Printf(" Etc:\t%s\n", etc) - if len(container.Cover) > 0 { - t.Printf(" Cover:\t%s\n", strings.Join(container.Cover, " ")) - } - t.Printf(" Path:\t%s\n", config.Path) } if len(config.Args) > 0 { diff --git a/cmd/hakurei/print_test.go b/cmd/hakurei/print_test.go index 7979fb6..0a4e91b 100644 --- a/cmd/hakurei/print_test.go +++ b/cmd/hakurei/print_test.go @@ -44,11 +44,11 @@ func Test_printShowInstance(t *testing.T) { Flags: userns devel net device tty mapuid autoetc Root: /var/lib/hakurei/base/org.debian (2) Etc: /etc - Cover: /var/run/nscd Path: /run/current-system/sw/bin/chromium Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland Filesystem + w+tmpfs:/tmp +/nix/store +/run/current-system +/run/opengl-driver 
@@ -124,11 +124,11 @@ App Flags: userns devel net device tty mapuid autoetc Root: /var/lib/hakurei/base/org.debian (2) Etc: /etc - Cover: /var/run/nscd Path: /run/current-system/sw/bin/chromium Arguments: chromium --ignore-gpu-blocklist --disable-smooth-scrolling --enable-features=UseOzonePlatform --ozone-platform=wayland Filesystem + w+tmpfs:/tmp +/nix/store +/run/current-system +/run/opengl-driver @@ -275,6 +275,11 @@ App "map_real_uid": true, "device": true, "filesystem": [ + { + "dst": "/tmp", + "src": "tmpfs", + "write": true + }, { "src": "/nix/store" }, @@ -307,10 +312,7 @@ App "auto_root": "/var/lib/hakurei/base/org.debian", "root_flags": 2, "etc": "/etc", - "auto_etc": true, - "cover": [ - "/var/run/nscd" - ] + "auto_etc": true } }, "time": "1970-01-01T00:00:00.000000009Z" @@ -405,6 +407,11 @@ App "map_real_uid": true, "device": true, "filesystem": [ + { + "dst": "/tmp", + "src": "tmpfs", + "write": true + }, { "src": "/nix/store" }, @@ -437,10 +444,7 @@ App "auto_root": "/var/lib/hakurei/base/org.debian", "root_flags": 2, "etc": "/etc", - "auto_etc": true, - "cover": [ - "/var/run/nscd" - ] + "auto_etc": true } } `}, @@ -589,6 +593,11 @@ func Test_printPs(t *testing.T) { "map_real_uid": true, "device": true, "filesystem": [ + { + "dst": "/tmp", + "src": "tmpfs", + "write": true + }, { "src": "/nix/store" }, @@ -621,10 +630,7 @@ func Test_printPs(t *testing.T) { "auto_root": "/var/lib/hakurei/base/org.debian", "root_flags": 2, "etc": "/etc", - "auto_etc": true, - "cover": [ - "/var/run/nscd" - ] + "auto_etc": true } }, "time": "1970-01-01T00:00:00.000000009Z" diff --git a/hst/container.go b/hst/container.go index 9ca14a8..ebce07b 100644 --- a/hst/container.go +++ b/hst/container.go 
@@ -69,9 +69,6 @@ type ( Etc string `json:"etc,omitempty"` // automatically set up /etc symlinks AutoEtc bool `json:"auto_etc"` - - // cover these paths or create them if they do not already exist - Cover []string `json:"cover"` } // FilesystemConfig is an abstract representation of a bind mount. diff --git a/hst/template.go b/hst/template.go index 391e58e..5758462 100644 --- a/hst/template.go +++ b/hst/template.go @@ -78,6 +78,7 @@ func Template() *Config { "GOOGLE_DEFAULT_CLIENT_SECRET": "OTJgUOQcT7lO7GsGZq2G4IlT", }, Filesystem: []*FilesystemConfig{ + {Dst: "/tmp", Src: SourceTmpfs, Write: true}, {Src: "/nix/store"}, {Src: "/run/current-system"}, {Src: "/run/opengl-driver"}, @@ -91,7 +92,6 @@ func Template() *Config { RootFlags: container.BindWritable, Etc: "/etc", AutoEtc: true, - Cover: []string{"/var/run/nscd"}, }, } } diff --git a/hst/template_test.go b/hst/template_test.go index 7f0caa7..02ec774 100644 --- a/hst/template_test.go +++ b/hst/template_test.go @@ -97,6 +97,11 @@ func TestTemplate(t *testing.T) { "map_real_uid": true, "device": true, "filesystem": [ + { + "dst": "/tmp", + "src": "tmpfs", + "write": true + }, { "src": "/nix/store" }, @@ -129,10 +134,7 @@ func TestTemplate(t *testing.T) { "auto_root": "/var/lib/hakurei/base/org.debian", "root_flags": 2, "etc": "/etc", - "auto_etc": true, - "cover": [ - "/var/run/nscd" - ] + "auto_etc": true } }` diff --git a/internal/app/app_nixos_linux_test.go b/internal/app/app_nixos_linux_test.go index 303d535..c11fbd8 100644 --- a/internal/app/app_nixos_linux_test.go +++ b/internal/app/app_nixos_linux_test.go @@ -28,7 +28,6 @@ var testCasesNixos = []sealTestCase{ {Src: "/sys/block"}, {Src: "/sys/bus"}, {Src: "/sys/class"}, {Src: "/sys/dev"}, {Src: "/sys/devices"}, {Src: "/run/opengl-driver", Must: true}, {Src: "/dev/dri", Device: true}, }, - Cover: []string{"/var/run/nscd"}, }, SystemBus: &dbus.Config{ Talk: []string{"org.bluez", "org.freedesktop.Avahi", "org.freedesktop.UPower"}, 
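Review bot: The tmpfs entry added to Template() is mounted at /tmp, so the default config no longer places anything over /var/run/nscd, which the removed `Cover: []string{"/var/run/nscd"}` line used to hide from the sandboxed process; the nixos test case in app_nixos_linux_test.go likewise drops `Tmpfs("/var/run/nscd", 8192, 0755)` without a replacement entry. If hiding the host nscd socket from the container is still the intended default, the Filesystem list should carry the equivalent entry, e.g. `{Dst: "/var/run/nscd", Src: SourceTmpfs},` (whether Write is needed for a tmpfs source is not visible here). If the exposure is deliberate, the commit message should say so, since it is a change in what the container can reach rather than a pure refactor.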
@@ -143,7 +142,6 @@ var testCasesNixos = []sealTestCase{ Place(hst.Tmp+"/pulse-cookie", nil). Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/bus", "/run/user/1971/bus", 0). Bind("/tmp/hakurei.1971/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket", "/run/dbus/system_bus_socket", 0). - Tmpfs("/var/run/nscd", 8192, 0755). Remount("/", syscall.MS_RDONLY), SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyTTY | seccomp.PresetDenyDevel, HostNet: true, diff --git a/internal/app/container_linux.go b/internal/app/container_linux.go index 09909d8..ce3a515 100644 --- a/internal/app/container_linux.go +++ b/internal/app/container_linux.go @@ -40,7 +40,7 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid } { - ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover)) + ops := make(container.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)) params.Ops = &ops } diff --git a/internal/app/seal_linux.go b/internal/app/seal_linux.go index b25b5c4..6bf6c09 100644 --- a/internal/app/seal_linux.go +++ b/internal/app/seal_linux.go @@ -474,10 +474,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co } } - for _, dest := range config.Container.Cover { - seal.container.Tmpfs(dest, 1<<13, 0755) - } - // mount root read-only as the final setup Op seal.container.Remount("/", syscall.MS_RDONLY)
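Review bot: Existing config files that still set `cover` are now accepted with no tmpfs mounted over those paths, because the field is gone from ContainerConfig and encoding/json drops unknown keys unless the decoder calls DisallowUnknownFields; the decoding site is not in this diff, so I cannot confirm which behaviour applies. A sandbox that quietly becomes more permissive on upgrade deserves a hard failure or at least a warning; one option is to keep a deprecated `Cover []string \`json:"cover,omitempty"\`` field for a release and have finalise return an error such as `fmt.Errorf("container.cover is no longer supported, use a tmpfs filesystem entry for %q", dest)` when it is non-empty, another is to enable DisallowUnknownFields at the decoder. finalise starts before this hunk and its tail context may be cut off at the end of the page.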