From d5fb179012e36436a81761502948c91d44d21cc3 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Mon, 8 Dec 2025 22:29:41 +0900
Subject: [PATCH] cmd/hakurei: exec instead of fork/exec from shell

There is no reason to keep the shell process around.

Signed-off-by: Ophestra
---
 cmd/hakurei/command.go | 2 +-
 nixos.nix | 2 +-
 test/interactive/hakurei.nix | 2 +-
 test/test.py | 1 +
 4 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/cmd/hakurei/command.go b/cmd/hakurei/command.go
index 8f20c8e..ca68579 100644
--- a/cmd/hakurei/command.go
+++ b/cmd/hakurei/command.go
@@ -191,7 +191,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 if flagPulse {
 config.Container.Filesystem = append(config.Container.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSDaemon{
 Target: fhs.AbsRunUser.Append(strconv.Itoa(container.OverflowUid(msg)), "pulse/native"),
- Exec: shell, Args: []string{"-lc", "pipewire-pulse"},
+ Exec: shell, Args: []string{"-lc", "exec pipewire-pulse"},
 }})
 }

diff --git a/nixos.nix b/nixos.nix
index 2f238ee..2b2b42f 100644
--- a/nixos.nix
+++ b/nixos.nix
@@ -202,7 +202,7 @@ in
 path = cfg.shell;
 args = [
 "-lc"
- "pipewire-pulse"
+ "exec pipewire-pulse"
 ];
 }
 ++ [
diff --git a/test/interactive/hakurei.nix b/test/interactive/hakurei.nix
index 96f014c..eb24c7e 100644
--- a/test/interactive/hakurei.nix
+++ b/test/interactive/hakurei.nix
@@ -37,7 +37,7 @@
 path = "/bin/sh";
 args = [
 "-lc"
- "sleep 1 && false"
+ "sleep 1 && exec false"
 ];
 }
 ];
diff --git a/test/test.py b/test/test.py
index d1edca4..9b06a8f 100644
--- a/test/test.py
+++ b/test/test.py
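Review bot: In cmd/hakurei/command.go the new `Args: []string{"-lc", "exec pipewire-pulse"}` line in the `flagPulse` branch has no comment saying why the daemon is started through a login shell or what the `exec` is for, and the same literal is repeated in the nixos.nix hunk. I would add above it `// exec replaces the login shell, so pipewire-pulse keeps the shell's PID and no intermediate process remains`. Because `-l` makes the shell read its profile before the `exec`, the binary that becomes the daemon is whatever `pipewire-pulse` resolves to on the resulting PATH; that trust assumption deserves a line in the comment as well, or an absolute path if one is available at this point. buildCommand starts and ends outside the hunk.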
@@ -233,6 +233,7 @@ collect_state_ui("pipewire_wayland")
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot", timeout=5)
 # Test PipeWire SecurityContext:
+machine.succeed("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei -v run --pulse pactl info")
 machine.fail("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei -v run --pulse pactl set-sink-mute @DEFAULT_SINK@ toggle")

 # Test XWayland (foot does not support X):
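Review bot: The added `machine.succeed(... pactl info)` line has no comment explaining that it is the positive control for the `machine.fail` right after it, which on its own would also pass if the pulse daemon never came up. A one-line comment such as `# pactl info must work first, so the failure below is presumably a denial and not a missing daemon` would keep the two lines from being separated later. Nothing in this hunk checks that the shell process is actually gone after the `exec`; if that property matters to the sandbox, an assertion on it would pin the behaviour this commit introduces.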