hst/config: hold acl struct by value

Doc comments are also reworded for clarity. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-10-14 07:02:14 +09:00 · 2025-10-14 07:02:14 +09:00 · f95e0a7568
commit f95e0a7568
parent 4c647add0d
8 changed files with 26 additions and 21 deletions
--- a/cmd/hakurei/print.go
+++ b/cmd/hakurei/print.go
@ -129,11 +129,8 @@ func printShowInstance(
 		}
 		if len(config.ExtraPerms) > 0 {
 			t.Printf("Extra ACL\n")
-			for _, p := range config.ExtraPerms {
-				if p == nil {
-					continue
-				}
-				t.Printf(" %s\n", p.String())
+			for i := range config.ExtraPerms {
+				t.Printf(" %s\n", config.ExtraPerms[i].String())
 			}
 			t.Printf("\n")
 		}
--- a/cmd/hakurei/print_test.go
+++ b/cmd/hakurei/print_test.go
@ -88,7 +88,7 @@ App
 Flags:          none

 `, false},
-		{"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]*hst.ExtraPermConfig, 1)}, false, false, `Error: container configuration missing path to home directory!
+		{"config nil entries", nil, &hst.Config{Container: &hst.ContainerConfig{Filesystem: make([]hst.FilesystemConfigJSON, 1)}, ExtraPerms: make([]hst.ExtraPermConfig, 1)}, false, false, `Error: container configuration missing path to home directory!

 App
 Identity:       0
@ -99,6 +99,7 @@ Filesystem
 <invalid>

 Extra ACL
+ <invalid>

 `, false},
 		{"config pd dbus see", nil, &hst.Config{SessionBus: &hst.BusConfig{See: []string{"org.example.test"}}}, false, false, `Error: configuration missing container state!
--- a/cmd/hpkg/app.go
+++ b/cmd/hpkg/app.go
@ -100,7 +100,7 @@ func (app *appInfo) toHst(pathSet *appPathSet, pathname *check.Absolute, argv []
 			Path: pathname,
 			Args: argv,
 		},
-		ExtraPerms: []*hst.ExtraPermConfig{
+		ExtraPerms: []hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
--- a/cmd/hpkg/with.go
+++ b/cmd/hpkg/with.go
@ -28,7 +28,7 @@ func withNixDaemon(
 	mustRunAppDropShell(ctx, msg, updateConfig(&hst.Config{
 		ID: app.ID,

-		ExtraPerms: []*hst.ExtraPermConfig{
+		ExtraPerms: []hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 		},
@ -83,7 +83,7 @@ func withCacheDir(
 	mustRunAppDropShell(ctx, msg, &hst.Config{
 		ID: app.ID,

-		ExtraPerms: []*hst.ExtraPermConfig{
+		ExtraPerms: []hst.ExtraPermConfig{
 			{Path: dataHome, Execute: true},
 			{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
 			{Path: workDir, Execute: true},
--- a/hst/config.go
+++ b/hst/config.go
@ -26,8 +26,8 @@ type Config struct {
 	// and the bare socket is made available to the container.
 	DirectWayland bool `json:"direct_wayland,omitempty"`

-	// Extra acl update ops to perform before setuid.
-	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`
+	// Extra acl updates to perform before setuid.
+	ExtraPerms []ExtraPermConfig `json:"extra_perms,omitempty"`

 	// Numerical application id, passed to hsu, used to derive init user namespace credentials.
 	Identity int `json:"identity"`
@ -86,15 +86,21 @@ func (config *Config) Validate() error {
 	return nil
 }

-// ExtraPermConfig describes an acl update op.
+// ExtraPermConfig describes an acl update to perform before setuid.
 type ExtraPermConfig struct {
-	Ensure  bool            `json:"ensure,omitempty"`
-	Path    *check.Absolute `json:"path"`
-	Read    bool            `json:"r,omitempty"`
-	Write   bool            `json:"w,omitempty"`
-	Execute bool            `json:"x,omitempty"`
+	// Whether to create Path as a directory if it does not exist.
+	Ensure bool `json:"ensure,omitempty"`
+	// Pathname to act on.
+	Path *check.Absolute `json:"path"`
+	// Whether to set ACL_READ for the target user.
+	Read bool `json:"r,omitempty"`
+	// Whether to set ACL_WRITE for the target user.
+	Write bool `json:"w,omitempty"`
+	// Whether to set ACL_EXECUTE for the target user.
+	Execute bool `json:"x,omitempty"`
 }

+// String returns a checked string representation of [ExtraPermConfig].
 func (e *ExtraPermConfig) String() string {
 	if e == nil || e.Path == nil {
 		return "<invalid>"
--- a/hst/hst.go
+++ b/hst/hst.go
@ -88,7 +88,7 @@ func Template() *Config {
 		},
 		DirectWayland: false,

-		ExtraPerms: []*ExtraPermConfig{
+		ExtraPerms: []ExtraPermConfig{
 			{Path: fhs.AbsVarLib.Append("hakurei/u0"), Ensure: true, Execute: true},
 			{Path: fhs.AbsVarLib.Append("hakurei/u0/org.chromium.Chromium"), Read: true, Write: true, Execute: true},
 		},
--- a/internal/app/outcome.go
+++ b/internal/app/outcome.go
@ -156,7 +156,7 @@ type outcomeStateSys struct {
 	// Copied from [hst.Config]. Safe for read by spWaylandOp.toSystem only.
 	directWayland bool
 	// Copied header from [hst.Config]. Safe for read by spFinalOp.toSystem only.
-	extraPerms []*hst.ExtraPermConfig
+	extraPerms []hst.ExtraPermConfig
 	// Copied address from [hst.Config]. Safe for read by spDBusOp.toSystem only.
 	sessionBus, systemBus *hst.BusConfig

--- a/internal/app/spfinal.go
+++ b/internal/app/spfinal.go
@ -21,8 +21,9 @@ type spFinalOp struct{}

 func (s spFinalOp) toSystem(state *outcomeStateSys) error {
 	// append ExtraPerms last
-	for _, p := range state.extraPerms {
-		if p == nil || p.Path == nil {
+	for i := range state.extraPerms {
+		p := &state.extraPerms[i]
+		if p.Path == nil {
 			continue
 		}