diff --git a/cmd/hakurei/command.go b/cmd/hakurei/command.go index 2eee5de..d706bd2 100644 --- a/cmd/hakurei/command.go +++ b/cmd/hakurei/command.go @@ -121,7 +121,7 @@ func buildCommand(out io.Writer) command.Command { log.Fatal(err.Error()) return err } else { - config.Data = a + config.Home = a } var e system.Enablement diff --git a/cmd/hakurei/print.go b/cmd/hakurei/print.go index 20bfdde..15798a2 100644 --- a/cmd/hakurei/print.go +++ b/cmd/hakurei/print.go @@ -81,8 +81,8 @@ func printShowInstance( if len(config.Groups) > 0 { t.Printf(" Groups:\t%s\n", strings.Join(config.Groups, ", ")) } - if config.Data != nil { - t.Printf(" Data:\t%s\n", config.Data) + if config.Home != nil { + t.Printf(" Home:\t%s\n", config.Home) } if config.Container != nil { params := config.Container diff --git a/cmd/hakurei/print_test.go b/cmd/hakurei/print_test.go index 6feb681..a097898 100644 --- a/cmd/hakurei/print_test.go +++ b/cmd/hakurei/print_test.go @@ -39,7 +39,7 @@ func Test_printShowInstance(t *testing.T) { Identity: 9 (org.chromium.Chromium) Enablements: wayland, dbus, pulseaudio Groups: video, dialout, plugdev - Data: /var/lib/hakurei/u0/org.chromium.Chromium + Home: /data/data/org.chromium.Chromium Hostname: localhost Flags: userns devel net abstract device tty mapuid Path: /run/current-system/sw/bin/chromium @@ -116,7 +116,7 @@ App Identity: 9 (org.chromium.Chromium) Enablements: wayland, dbus, pulseaudio Groups: video, dialout, plugdev - Data: /var/lib/hakurei/u0/org.chromium.Chromium + Home: /data/data/org.chromium.Chromium Hostname: localhost Flags: userns devel net abstract device tty mapuid Path: /run/current-system/sw/bin/chromium @@ -236,8 +236,7 @@ App }, "username": "chronos", "shell": "/run/current-system/sw/bin/zsh", - "data": "/var/lib/hakurei/u0/org.chromium.Chromium", - "dir": "/data/data/org.chromium.Chromium", + "home": "/data/data/org.chromium.Chromium", "extra_perms": [ { "ensure": true, 
@@ -393,8 +392,7 @@ App }, "username": "chronos", "shell": "/run/current-system/sw/bin/zsh", - "data": "/var/lib/hakurei/u0/org.chromium.Chromium", - "dir": "/data/data/org.chromium.Chromium", + "home": "/data/data/org.chromium.Chromium", "extra_perms": [ { "ensure": true, @@ -604,8 +602,7 @@ func Test_printPs(t *testing.T) { }, "username": "chronos", "shell": "/run/current-system/sw/bin/zsh", - "data": "/var/lib/hakurei/u0/org.chromium.Chromium", - "dir": "/data/data/org.chromium.Chromium", + "home": "/data/data/org.chromium.Chromium", "extra_perms": [ { "ensure": true, diff --git a/cmd/hpkg/app.go b/cmd/hpkg/app.go index 37c114c..5fd5e64 100644 --- a/cmd/hpkg/app.go +++ b/cmd/hpkg/app.go @@ -78,8 +78,7 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg Username: "hakurei", Shell: pathShell, - Data: pathSet.homeDir, - Dir: pathDataData.Append(app.ID), + Home: pathDataData.Append(app.ID), Identity: app.Identity, Groups: app.Groups, @@ -106,6 +105,7 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *container.Absolute, arg {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("class"), Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("dev"), Optional: true}}, {FilesystemConfig: &hst.FSBind{Source: container.AbsFHSSys.Append("devices"), Optional: true}}, + {FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}}, }, }, ExtraPerms: []*hst.ExtraPermConfig{ diff --git a/cmd/hpkg/with.go b/cmd/hpkg/with.go index 03b2e5f..1895a06 100644 --- a/cmd/hpkg/with.go +++ b/cmd/hpkg/with.go @@ -33,8 +33,7 @@ func withNixDaemon( Username: "hakurei", Shell: pathShell, - Data: pathSet.homeDir, - Dir: pathDataData.Append(app.ID), + Home: pathDataData.Append(app.ID), ExtraPerms: []*hst.ExtraPermConfig{ {Path: dataHome, Execute: true}, {Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true}, 
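Review bot: In toHst the new `Home: pathDataData.Append(app.ID)` and the added bind's `Target: pathDataData.Append(app.ID)` are the same path computed twice; if one is edited without the other, the container's working directory and HOME end up pointing at a path where the host home directory is not mounted. Computing it once before the literal, e.g. `home := pathDataData.Append(app.ID)` and then `Home: home` / `Target: home`, removes that failure mode. The same duplication appears in withNixDaemon (`pathDataData.Append(app.ID)`) and withCacheDir (`pathDataData.Append(app.ID, "cache")`) in cmd/hpkg/with.go. toHst's body starts and ends outside the hunk.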
@@ -54,6 +53,7 @@ func withNixDaemon( {FilesystemConfig: &hst.FSLink{Target: pathCurrentSystem, Linkname: app.CurrentSystem.String()}}, {FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}}, {FilesystemConfig: &hst.FSLink{Target: container.AbsFHSUsrBin, Linkname: pathSwBin.String()}}, + {FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID), Source: pathSet.homeDir, Write: true, Ensure: true}}, }, }, }), dropShell, beforeFail) @@ -71,8 +71,7 @@ func withCacheDir( Username: "nixos", Shell: pathShell, - Data: pathSet.cacheDir, // this also ensures cacheDir via shim - Dir: pathDataData.Append(app.ID, "cache"), + Home: pathDataData.Append(app.ID, "cache"), ExtraPerms: []*hst.ExtraPermConfig{ {Path: dataHome, Execute: true}, {Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true}, @@ -92,6 +91,7 @@ func withCacheDir( {FilesystemConfig: &hst.FSLink{Target: pathBin, Linkname: pathSwBin.String()}}, {FilesystemConfig: &hst.FSLink{Target: container.AbsFHSUsrBin, Linkname: pathSwBin.String()}}, {FilesystemConfig: &hst.FSBind{Source: workDir, Target: hst.AbsTmp.Append("bundle")}}, + {FilesystemConfig: &hst.FSBind{Target: pathDataData.Append(app.ID, "cache"), Source: pathSet.cacheDir, Write: true, Ensure: true}}, }, }, }, dropShell, beforeFail) diff --git a/hst/config.go b/hst/config.go index 7ee2587..ee216fa 100644 --- a/hst/config.go +++ b/hst/config.go 
@@ -42,11 +42,10 @@ type ( Username string `json:"username,omitempty"` // absolute path to shell Shell *container.Absolute `json:"shell"` - // absolute path to home directory in the init mount namespace - Data *container.Absolute `json:"data"` - // directory to enter and use as home in the container mount namespace, nil for Data - Dir *container.Absolute `json:"dir,omitempty"` - // extra acl ops, dispatches before container init + // directory to enter and use as home in the container mount namespace + Home *container.Absolute `json:"home"` + + // extra acl ops to perform before setuid ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"` // numerical application id, used for init user namespace credentials diff --git a/hst/hst.go b/hst/hst.go index 5704904..6549450 100644 --- a/hst/hst.go +++ b/hst/hst.go @@ -65,8 +65,7 @@ func Template() *Config { Username: "chronos", Shell: container.AbsFHSRun.Append("current-system/sw/bin/zsh"), - Data: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"), - Dir: container.MustAbs("/data/data/org.chromium.Chromium"), + Home: container.MustAbs("/data/data/org.chromium.Chromium"), ExtraPerms: []*ExtraPermConfig{ {Path: container.AbsFHSVarLib.Append("hakurei/u0"), Ensure: true, Execute: true}, {Path: container.AbsFHSVarLib.Append("hakurei/u0/org.chromium.Chromium"), Read: true, Write: true, Execute: true}, diff --git a/hst/hst_test.go b/hst/hst_test.go index b36e8d2..0405721 100644 --- a/hst/hst_test.go +++ b/hst/hst_test.go @@ -61,8 +61,7 @@ func TestTemplate(t *testing.T) { }, "username": "chronos", "shell": "/run/current-system/sw/bin/zsh", - "data": "/var/lib/hakurei/u0/org.chromium.Chromium", - "dir": "/data/data/org.chromium.Chromium", + "home": "/data/data/org.chromium.Chromium", "extra_perms": [ { "ensure": true, diff --git a/internal/app/app_nixos_linux_test.go b/internal/app/app_nixos_linux_test.go index 4200aaa..fb90ee8 100644 --- a/internal/app/app_nixos_linux_test.go 
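Review bot: The new doc comment on `Home` no longer tells a config author that the host directory is not made available automatically: with `Data` gone, nothing in hst binds or creates Home inside the container unless the caller adds an `FSBind` with `Ensure`/`Write` (as cmd/hpkg and nixos.nix now do) or the root bind already covers it. Suggest `// directory to enter and use as home in the container mount namespace; the caller must make it available via Filesystem (e.g. an FSBind with Ensure and Write)`. It is also worth stating in the comment that the former `data` and `dir` JSON keys are ignored by encoding/json, so an old config decodes with a nil Home and only fails later in finalise. The `Config` type starts and ends outside the hunk.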
+++ b/internal/app/app_nixos_linux_test.go @@ -41,6 +41,7 @@ var testCasesNixos = []sealTestCase{ f(&hst.FSBind{Source: m("/run/opengl-driver")}), f(&hst.FSBind{Source: m("/dev/dri"), Device: true, Optional: true}), f(&hst.FSBind{Source: m("/etc/"), Target: m("/etc/"), Special: true}), + f(&hst.FSBind{Source: m("/var/lib/persist/module/hakurei/0/1"), Write: true, Ensure: true}), }, }, SystemBus: &dbus.Config{ @@ -64,7 +65,7 @@ var testCasesNixos = []sealTestCase{ DirectWayland: true, Username: "u0_a1", - Data: m("/var/lib/persist/module/hakurei/0/1"), + Home: m("/var/lib/persist/module/hakurei/0/1"), Identity: 1, Groups: []string{}, }, state.ID{ @@ -145,11 +146,11 @@ var testCasesNixos = []sealTestCase{ Bind(m("/run/opengl-driver"), m("/run/opengl-driver"), 0). Bind(m("/dev/dri"), m("/dev/dri"), container.BindDevice|container.BindWritable|container.BindOptional). Etc(m("/etc/"), "8e2c76b066dabe574cf073bdb46eb5c1"). + Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), container.BindWritable|container.BindEnsure). Remount(m("/dev/"), syscall.MS_RDONLY). Tmpfs(m("/run/user/"), 4096, 0755). Bind(m("/tmp/hakurei.1971/runtime/1"), m("/run/user/1971"), container.BindWritable). Bind(m("/tmp/hakurei.1971/tmpdir/1"), m("/tmp/"), container.BindWritable). - Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), container.BindWritable). Place(m("/etc/passwd"), []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")). Place(m("/etc/group"), []byte("hakurei:x:100:\n")). Bind(m("/run/user/1971/wayland-0"), m("/run/user/1971/wayland-0"), 0). diff --git a/internal/app/app_pd_linux_test.go b/internal/app/app_pd_linux_test.go index 8afedf1..9e4c27e 100644 --- a/internal/app/app_pd_linux_test.go +++ b/internal/app/app_pd_linux_test.go 
@@ -16,7 +16,7 @@ import ( var testCasesPd = []sealTestCase{ { "nixos permissive defaults no enablements", new(stubNixOS), - &hst.Config{Username: "chronos", Data: m("/home/chronos")}, + &hst.Config{Username: "chronos", Home: m("/home/chronos")}, state.ID{ 0x4a, 0x45, 0x0b, 0x65, 0x96, 0xd7, 0xbc, 0x15, @@ -56,7 +56,6 @@ var testCasesPd = []sealTestCase{ Tmpfs(m("/run/user/"), 4096, 0755). Bind(m("/tmp/hakurei.1971/runtime/0"), m("/run/user/65534"), container.BindWritable). Bind(m("/tmp/hakurei.1971/tmpdir/0"), m("/tmp/"), container.BindWritable). - Bind(m("/home/chronos"), m("/home/chronos"), container.BindWritable). Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")). Place(m("/etc/group"), []byte("hakurei:x:65534:\n")). Remount(m("/"), syscall.MS_RDONLY), @@ -75,7 +74,7 @@ var testCasesPd = []sealTestCase{ Identity: 9, Groups: []string{"video"}, Username: "chronos", - Data: m("/home/chronos"), + Home: m("/home/chronos"), SessionBus: &dbus.Config{ Talk: []string{ "org.freedesktop.Notifications", @@ -193,7 +192,6 @@ var testCasesPd = []sealTestCase{ Tmpfs(m("/run/user/"), 4096, 0755). Bind(m("/tmp/hakurei.1971/runtime/9"), m("/run/user/65534"), container.BindWritable). Bind(m("/tmp/hakurei.1971/tmpdir/9"), m("/tmp/"), container.BindWritable). - Bind(m("/home/chronos"), m("/home/chronos"), container.BindWritable). Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")). Place(m("/etc/group"), []byte("hakurei:x:65534:\n")). Bind(m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/65534/wayland-0"), 0). diff --git a/internal/app/process_linux.go b/internal/app/process_linux.go index c6df6fe..57b49ee 100644 --- a/internal/app/process_linux.go +++ b/internal/app/process_linux.go 
@@ -128,7 +128,6 @@ func (seal *outcome) Run(rs *RunState) error { os.Getpid(), seal.waitDelay, seal.container, - seal.user.data.String(), hlog.Load(), }) }() diff --git a/internal/app/seal_linux.go b/internal/app/seal_linux.go index c2b580b..36984c5 100644 --- a/internal/app/seal_linux.go +++ b/internal/app/seal_linux.go @@ -144,8 +144,6 @@ type hsuUser struct { // supplementary group ids supp []string - // home directory host path - data *container.Absolute // app user home directory home *container.Absolute // passwd database username @@ -161,8 +159,8 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co if config == nil { return hlog.WrapErr(syscall.EINVAL, syscall.EINVAL.Error()) } - if config.Data == nil { - return hlog.WrapErr(os.ErrInvalid, "invalid data directory") + if config.Home == nil { + return hlog.WrapErr(os.ErrInvalid, "invalid path to home directory") } { @@ -183,8 +181,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co seal.user = hsuUser{ aid: newInt(config.Identity), - data: config.Data, - home: config.Dir, + home: config.Home, username: config.Username, } if seal.user.username == "" { @@ -194,9 +191,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co return hlog.WrapErr(ErrName, fmt.Sprintf("invalid user name %q", seal.user.username)) } - if seal.user.home == nil { - seal.user.home = seal.user.data - } if u, err := sys.Uid(seal.user.aid.unwrap()); err != nil { return err } else { @@ -244,6 +238,7 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co Tty: true, Filesystem: []hst.FilesystemConfigJSON{ + // autoroot, includes the home directory {&hst.FSBind{ Target: container.AbsFHSRoot, Source: container.AbsFHSRoot, 
@@ -347,7 +342,6 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co if seal.user.username != "" { username = seal.user.username } - seal.container.Bind(seal.user.data, seal.user.home, container.BindWritable) seal.container.Dir = seal.user.home seal.env["HOME"] = seal.user.home.String() seal.env["USER"] = username diff --git a/internal/app/shim_linux.go b/internal/app/shim_linux.go index b1eddcb..33ede52 100644 --- a/internal/app/shim_linux.go +++ b/internal/app/shim_linux.go @@ -34,8 +34,6 @@ type shimParams struct { // finalised container params Container *container.Params - // path to outer home directory - Home string // verbosity pass through Verbose bool @@ -142,21 +140,6 @@ func ShimMain() { // not fatal } - // ensure home directory as target user - if s, err := os.Stat(params.Home); err != nil { - if os.IsNotExist(err) { - if err = os.Mkdir(params.Home, 0700); err != nil { - log.Fatalf("cannot create home directory: %v", err) - } - } else { - log.Fatalf("cannot access home directory: %v", err) - } - - // home directory is created, proceed - } else if !s.IsDir() { - log.Fatalf("path %q is not a directory", params.Home) - } - ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) cancelContainer.Store(&stop) z := container.New(ctx) diff --git a/nixos.nix b/nixos.nix index 62e981f..e2382bc 100644 --- a/nixos.nix +++ b/nixos.nix @@ -121,7 +121,7 @@ in direct_wayland = app.insecureWayland; username = getsubname fid app.identity; - data = getsubhome fid app.identity; + home = getsubhome fid app.identity; inherit (cfg) shell; inherit (app) identity groups enablements; @@ -210,7 +210,15 @@ in linkname = config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver-32"."L+".argument; } ] - ); + ) + ++ [ + { + type = "bind"; + src = getsubhome fid app.identity; + write = true; + ensure = true; + } + ]; }; }; 
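Review bot: Removing the `os.Stat`/`os.Mkdir(params.Home, 0700)`/`!s.IsDir()` block from ShimMain drops three properties that `Ensure: true` on an FSBind may or may not replace: the directory was created with mode 0700, it was created as the target user in the shim rather than by container init, and a pre-existing non-directory at that path was rejected. Please confirm what `FSBind.Ensure` does on each point and record it in its doc comment, since a wider creation mode would make a per-app home readable by other apps sharing the parent directory. The permissive-defaults path now has no ensure at all: app_pd_linux_test.go drops the `/home/chronos` bind with no replacement and the `// autoroot, includes the home directory` comment in finalise relies on the directory already existing, so a first launch with no home on the host reaches `seal.container.Dir = seal.user.home` with a directory nobody creates; either a guard or a documented requirement on the caller would help. finalise's and ShimMain's bodies start and end outside their hunks.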
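Review bot: The appended bind entry repeats `getsubhome fid app.identity`, which is also what `home` is set to a few lines earlier, and it carries no `dst`, so it presumably defaults to `src`; please confirm that default. Naming the value once, e.g. `let subhome = getsubhome fid app.identity; in` around the attribute set and using `subhome` for both `home` and `src`, keeps the two from diverging. The enclosing attribute set starts and ends outside the hunk.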
diff --git a/test/sandbox/case/device.nix b/test/sandbox/case/device.nix
index c1a2f5f..5d607d9 100644
--- a/test/sandbox/case/device.nix
+++ b/test/sandbox/case/device.nix
@@ -228,10 +228,10 @@ in
 (ent "/" "/.hakurei/.ro-store" "rw,relatime" "overlay" "overlay" "ro,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,redirect_dir=nofollow,userxattr")
 (ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,userxattr")
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+ (ent "/var/lib/hakurei/u0/a4" "/var/lib/hakurei/u0/a4" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
 (ent "/tmp/hakurei.1000/runtime/4" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/hakurei.1000/tmpdir/4" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
- (ent "/var/lib/hakurei/u0/a4" "/var/lib/hakurei/u0/a4" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
 (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000004,gid=1000004")
 (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
diff --git a/test/sandbox/case/mapuid.nix b/test/sandbox/case/mapuid.nix
index 3ef5f24..c18bf79 100644
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
@@ -255,10 +255,10 @@ in
 (ent "/" "/.hakurei/.ro-store" "rw,relatime" "overlay" "overlay" "ro,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,redirect_dir=nofollow,userxattr")
 (ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,userxattr")
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+ (ent "/var/lib/hakurei/u0/a3" "/var/lib/hakurei/u0/a3" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
 (ent "/tmp/hakurei.1000/runtime/3" "/run/user/1000" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/hakurei.1000/tmpdir/3" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
- (ent "/var/lib/hakurei/u0/a3" "/var/lib/hakurei/u0/a3" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
 (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000003,gid=1000003")
 (ent ignore "/run/user/1000/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
diff --git a/test/sandbox/case/pd.nix b/test/sandbox/case/pd.nix
index 6d58ad5..14b62b4 100644
--- a/test/sandbox/case/pd.nix
+++ b/test/sandbox/case/pd.nix
@@ -188,7 +188,6 @@
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000000,gid=1000000")
 (ent "/tmp/hakurei.1000/runtime/0" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/hakurei.1000/tmpdir/0" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
- (ent "/var/lib/hakurei/u0/a0" "/var/lib/hakurei/u0/a0" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000000,gid=1000000")
 (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000000,gid=1000000")
 ];
diff --git a/test/sandbox/case/pdlike.nix b/test/sandbox/case/pdlike.nix
index ea34147..c87ab46 100644
--- a/test/sandbox/case/pdlike.nix
+++ b/test/sandbox/case/pdlike.nix
@@ -250,10 +250,10 @@ in
 (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
 (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+ (ent "/var/lib/hakurei/u0/a5" "/var/lib/hakurei/u0/a5" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000005,gid=1000005")
 (ent "/tmp/hakurei.1000/runtime/5" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/hakurei.1000/tmpdir/5" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
- (ent "/var/lib/hakurei/u0/a5" "/var/lib/hakurei/u0/a5" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000005,gid=1000005")
 (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000005,gid=1000005")
 (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
diff --git a/test/sandbox/case/preset.nix b/test/sandbox/case/preset.nix
index 41f612f..d8f6879 100644
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@@ -248,10 +248,10 @@ in
 (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
 (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+ (ent "/var/lib/hakurei/u0/a1" "/var/lib/hakurei/u0/a1" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
 (ent "/tmp/hakurei.1000/runtime/1" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/hakurei.1000/tmpdir/1" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
- (ent "/var/lib/hakurei/u0/a1" "/var/lib/hakurei/u0/a1" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
 (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000001,gid=1000001")
 (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
diff --git a/test/sandbox/case/tty.nix b/test/sandbox/case/tty.nix
index d95cbb8..15b60ad 100644
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@@ -260,10 +260,10 @@ in
 (ent "/" "/.hakurei/.ro-store" "rw,relatime" "overlay" "overlay" "ro,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,redirect_dir=nofollow,userxattr")
 (ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,uuid=on,userxattr")
 (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
+ (ent "/var/lib/hakurei/u0/a2" "/var/lib/hakurei/u0/a2" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
 (ent "/tmp/hakurei.1000/runtime/2" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/tmp/hakurei.1000/tmpdir/2" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
- (ent "/var/lib/hakurei/u0/a2" "/var/lib/hakurei/u0/a2" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
 (ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=1000002,gid=1000002")
 (ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")