diff --git a/cmd/hakurei/print.go b/cmd/hakurei/print.go
index db183d7..07fec38 100644
--- a/cmd/hakurei/print.go
+++ b/cmd/hakurei/print.go
@@ -129,11 +129,8 @@ func printShowInstance(
 }
 if len(config.ExtraPerms) > 0 {
 t.Printf("Extra ACL\n")
- for _, p := range config.ExtraPerms {
- if p == nil {
- continue
- }
- t.Printf(" %s\n", p.String())
+ for i := range config.ExtraPerms {
+ t.Printf(" %s\n", config.ExtraPerms[i].String())
 }
 t.Printf("\n")
 }
diff --git a/cmd/hakurei/print_test.go b/cmd/hakurei/print_test.go
index 7679c67..da2db0d 100644
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@@ -88,7 +88,7 @@ App
 Flags: none
 `, false},
- {"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `Error: container configuration missing path to home directory!
+ {"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]hst.ExtraPermConfig, 1)}, false, false, `Error: container configuration missing path to home directory!
 App
 Identity: 0
@@ -99,6 +99,7 @@ Filesystem
 Extra ACL
+
 `, false},
 {"config pd dbus see", nil, &hst.Config{SessionBus: &hst.BusConfig{See: []string{"org.example.test"}}}, false, false, `Error: configuration missing container state!
diff --git a/cmd/hpkg/app.go b/cmd/hpkg/app.go
index 87a2c47..350eaaa 100644
--- a/cmd/hpkg/app.go
+++ b/cmd/hpkg/app.go
@@ -100,7 +100,7 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *check.Absolute, argv []
 Path: pathname,
 Args: argv,
 },
- ExtraPerms: []*hst.ExtraPermConfig{
+ ExtraPerms: []hst.ExtraPermConfig{
 {Path: dataHome, Execute: true},
 {Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 },
diff --git a/cmd/hpkg/with.go b/cmd/hpkg/with.go
index 5d6eb87..97f8010 100644
--- a/cmd/hpkg/with.go
+++ b/cmd/hpkg/with.go
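Review bot: In `printShowInstance` (cmd/hakurei/print.go) the new loop prints every element, so an entry whose `Path` is nil now produces a line holding only the indent, because `ExtraPermConfig.String` returns `""` in that case; the added `+` line in the print_test.go expectation pins exactly that blank line. This listing is what an operator reads to see which ACL updates will be applied, and `spFinalOp.toSystem` skips such entries, so the output should not show them as an anonymous empty row. Either skip them here too with `if config.ExtraPerms[i].Path == nil { continue }` before the `Printf`, or print an explicit marker for the malformed entry, and adjust the test expectation accordingly. The enclosing function starts and ends outside the hunk.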
@@ -28,7 +28,7 @@ func withNixDaemon(
 mustRunAppDropShell(ctx, msg, updateConfig(&hst.Config{
 ID: app.ID,
- ExtraPerms: []*hst.ExtraPermConfig{
+ ExtraPerms: []hst.ExtraPermConfig{
 {Path: dataHome, Execute: true},
 {Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 },
@@ -83,7 +83,7 @@ func withCacheDir(
 mustRunAppDropShell(ctx, msg, &hst.Config{
 ID: app.ID,
- ExtraPerms: []*hst.ExtraPermConfig{
+ ExtraPerms: []hst.ExtraPermConfig{
 {Path: dataHome, Execute: true},
 {Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 {Path: workDir, Execute: true},
diff --git a/hst/config.go b/hst/config.go
index bc542cc..1b07755 100644
--- a/hst/config.go
+++ b/hst/config.go
@@ -26,8 +26,8 @@ type Config struct {
 // and the bare socket is made available to the container.
 DirectWayland bool `json:"direct_wayland,omitempty"`
- // Extra acl update ops to perform before setuid.
- ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
+ // Extra acl updates to perform before setuid.
+ ExtraPerms []ExtraPermConfig `json:"extra_perms,omitempty"`
 // Numerical application id, passed to hsu, used to derive init user namespace credentials.
 Identity int `json:"identity"`
@@ -86,15 +86,21 @@ func (config *Config) Validate() error {
 return nil
 }
-// ExtraPermConfig describes an acl update op.
+// ExtraPermConfig describes an acl update to perform before setuid.
 type ExtraPermConfig struct {
- Ensure bool `json:"ensure,omitempty"`
- Path *check.Absolute `json:"path"`
- Read bool `json:"r,omitempty"`
- Write bool `json:"w,omitempty"`
- Execute bool `json:"x,omitempty"`
+ // Whether to create Path as a directory if it does not exist.
+ Ensure bool `json:"ensure,omitempty"`
+ // Pathname to act on.
+ Path *check.Absolute `json:"path"`
+ // Whether to set ACL_READ for the target user.
+ Read bool `json:"r,omitempty"`
+ // Whether to set ACL_WRITE for the target user.
+ Write bool `json:"w,omitempty"`
+ // Whether to set ACL_EXECUTE for the target user.
+ Execute bool `json:"x,omitempty"`
 }
+// String returns a checked string representation of [ExtraPermConfig].
 func (e *ExtraPermConfig) String() string {
 if e == nil || e.Path == nil {
 return ""
diff --git a/hst/hst.go b/hst/hst.go
index 11b2b27..c1511f6 100644
--- a/hst/hst.go
+++ b/hst/hst.go
@@ -88,7 +88,7 @@ func Template() *Config {
 },
 DirectWayland: false,
- ExtraPerms: []*ExtraPermConfig{
+ ExtraPerms: []ExtraPermConfig{
 {Path: fhs.AbsVarLib.Append("hakurei/u0"), Ensure: true, Execute: true},
 {Path: fhs.AbsVarLib.Append("hakurei/u0/org.chromium.Chromium"), Read: true, Write: true, Execute: true},
 },
diff --git a/internal/app/outcome.go b/internal/app/outcome.go
index f2c96e8..87bb1fb 100644
--- a/internal/app/outcome.go
+++ b/internal/app/outcome.go
@@ -156,7 +156,7 @@ type outcomeStateSys struct {
 // Copied from [hst.Config]. Safe for read by spWaylandOp.toSystem only.
 directWayland bool
 // Copied header from [hst.Config]. Safe for read by spFinalOp.toSystem only.
- extraPerms []*hst.ExtraPermConfig
+ extraPerms []hst.ExtraPermConfig
 // Copied address from [hst.Config]. Safe for read by spDBusOp.toSystem only.
 sessionBus, systemBus *hst.BusConfig
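Review bot: The new doc comment on `String` in hst/config.go says "checked" without saying what is checked, while the visible guard returns `""` when the receiver or `Path` is nil and `printShowInstance` now relies on that for zero-valued slice elements. I would state the contract directly, e.g. `// String returns a string representation of e, or "" if e or e.Path is nil.` The comment on `Path` could likewise note that the field is required, e.g. `// Pathname to act on. Entries with a nil Path are skipped.`, which matches what `spFinalOp.toSystem` does. The rest of the `String` body is outside the hunk, so the wording for the non-empty case should be checked against it.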
diff --git a/internal/app/spfinal.go b/internal/app/spfinal.go
index f67d255..7e44416 100644
--- a/internal/app/spfinal.go
+++ b/internal/app/spfinal.go
@@ -21,8 +21,9 @@ type spFinalOp struct{}
 func (s spFinalOp) toSystem(state *outcomeStateSys) error {
 // append ExtraPerms last
- for _, p := range state.extraPerms {
- if p == nil || p.Path == nil {
+ for i := range state.extraPerms {
+ p := &state.extraPerms[i]
+ if p.Path == nil {
 continue
 }
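Review bot: In `spFinalOp.toSystem` an entry with a nil `Path` is still dropped by a bare `continue`, so an `extra_perms` element that omits `path` is silently ignored instead of being reported. These are ACL updates applied before setuid, so a dropped entry means the requested permission is never set and nothing tells the operator why. Unless `Config.Validate` already rejects such entries (its body is not visible in this diff), consider rejecting them there or returning an error here. If the skip is deliberate, a short comment above the check, such as `// entries without a path are ignored`, would record that. The function body continues outside the hunk.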