internal/wayland: check pathname size

This avoids passing a truncated pathname to the kernel.

Signed-off-by: Ophestra <cat@gensokyo.uk>

.clang-format

@@ -0,0 +1 @@
+ColumnLimit: 0

cmd/hakurei/command.go

@@ -17,10 +17,10 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/env"
 	"hakurei.app/internal/info"
 	"hakurei.app/internal/outcome"
-	"hakurei.app/internal/system/dbus"
 	"hakurei.app/message"
 )
 

container/seccomp/libseccomp-helper.c

@@ -9,7 +9,8 @@
 
 #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
 
-int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
+int32_t hakurei_scmp_make_filter(
+    int *ret_p, uintptr_t allocate_p,
     uint32_t arch, uint32_t multiarch,
     struct hakurei_syscall_rule *rules,
     size_t rules_sz, hakurei_export_flag flags) {
@@ -72,11 +73,9 @@ int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
     assert(rule->m_errno == EPERM || rule->m_errno == ENOSYS);
 
     if (rule->arg)
-      *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno),
+      *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), rule->syscall, 1, *rule->arg);
-                                rule->syscall, 1, *rule->arg);
     else
-      *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno),
+      *ret_p = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(rule->m_errno), rule->syscall, 0);
-                                rule->syscall, 0);
 
     if (*ret_p == -EFAULT) {
       res = 4;
@@ -93,22 +92,17 @@ int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
   last_allowed_family = -1;
   for (i = 0; i < LEN(socket_family_allowlist); i++) {
     if (socket_family_allowlist[i].flags_mask != 0 &&
-        (socket_family_allowlist[i].flags_mask & flags) !=
+        (socket_family_allowlist[i].flags_mask & flags) != socket_family_allowlist[i].flags_mask)
-            socket_family_allowlist[i].flags_mask)
       continue;
 
-    for (disallowed = last_allowed_family + 1;
+    for (disallowed = last_allowed_family + 1; disallowed < socket_family_allowlist[i].family; disallowed++) {
-         disallowed < socket_family_allowlist[i].family; disallowed++) {
       /* Blocklist the in-between valid families */
-      seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT),
+      seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_EQ, disallowed));
-                             SCMP_SYS(socket), 1,
-                             SCMP_A0(SCMP_CMP_EQ, disallowed));
     }
     last_allowed_family = socket_family_allowlist[i].family;
   }
   /* Blocklist the rest */
-  seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
+  seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
-                         SCMP_A0(SCMP_CMP_GE, last_allowed_family + 1));
 
   if (allocate_p == 0) {
     *ret_p = seccomp_load(ctx);

container/seccomp/libseccomp-helper.h

@@ -19,7 +19,8 @@ struct hakurei_syscall_rule {
 };
 
 extern void *hakurei_scmp_allocate(uintptr_t f, size_t len);
-int32_t hakurei_scmp_make_filter(int *ret_p, uintptr_t allocate_p,
+int32_t hakurei_scmp_make_filter(
+    int *ret_p, uintptr_t allocate_p,
     uint32_t arch, uint32_t multiarch,
     struct hakurei_syscall_rule *rules,
     size_t rules_sz, hakurei_export_flag flags);

flake.nix

@@ -114,7 +114,7 @@
             inherit (pkgs)
               # passthru.buildInputs
               go
-              gcc
+              clang
 
               # nativeBuildInputs
               pkg-config
@@ -129,6 +129,10 @@
               zstd
               gnutar
               coreutils
+
+              # for check
+              util-linux
+              nettools
               ;
           };
           hsu = pkgs.callPackage ./cmd/hsu/package.nix { inherit (self.packages.${system}) hakurei; };
@@ -144,7 +148,7 @@
                 && chmod -R +w .
 
             export HAKUREI_VERSION="v${hakurei.version}"
-            ./dist/release.sh && mkdir $out && cp -v "dist/hakurei-$HAKUREI_VERSION.tar.gz"* $out
+            CC="clang -O3 -Werror" ./dist/release.sh && mkdir $out && cp -v "dist/hakurei-$HAKUREI_VERSION.tar.gz"* $out
           '';
         }
       );

internal/acl/acl_test.go

@@ -13,7 +13,7 @@ import (
 	"strconv"
 	"testing"
 
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 const testFileName = "acl.test"

internal/acl/perms_test.go

@@ -3,7 +3,7 @@ package acl_test
 import (
 	"testing"
 
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 func TestPerms(t *testing.T) {

internal/dbus/address_test.go

@@ -5,7 +5,7 @@ import (
 	"reflect"
 	"testing"
 
-	"hakurei.app/internal/system/dbus"
+	"hakurei.app/internal/dbus"
 )
 
 func TestParse(t *testing.T) {

internal/dbus/config_test.go

@@ -7,7 +7,7 @@ import (
 	"testing"
 
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/dbus"
+	"hakurei.app/internal/dbus"
 )
 
 func TestConfigArgs(t *testing.T) {

internal/dbus/dbus_test.go

@@ -11,8 +11,8 @@ import (
 	"testing"
 	"time"
 
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/helper"
-	"hakurei.app/internal/system/dbus"
 	"hakurei.app/message"
 )
 

internal/outcome/dispatcher.go

@@ -14,8 +14,8 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/info"
-	"hakurei.app/internal/system/dbus"
 	"hakurei.app/message"
 )
 

internal/outcome/outcome.go

@@ -9,9 +9,9 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
 	"hakurei.app/internal/env"
 	"hakurei.app/internal/system"
-	"hakurei.app/internal/system/acl"
 	"hakurei.app/message"
 )
 

internal/outcome/run_test.go

@@ -21,9 +21,9 @@ import (
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/system"
-	"hakurei.app/internal/system/acl"
-	"hakurei.app/internal/system/dbus"
 	"hakurei.app/message"
 )
 

internal/outcome/shim-signal.c

@@ -38,7 +38,7 @@ static void hakurei_shim_sigaction(int sig, siginfo_t *si, void *ucontext) {
 
 void hakurei_shim_setup_cont_signal(pid_t ppid, int fd) {
   if (hakurei_shim_param_ppid != -1 || hakurei_shim_fd != -1)
-    *(int *)NULL = 0; /* unreachable */
+    *(volatile int *)NULL = 0; /* unreachable */
 
   struct sigaction new_action = {0}, old_action = {0};
   if (sigaction(SIGCONT, NULL, &old_action) != 0)

internal/outcome/spcontainer.go

@@ -16,9 +16,9 @@ import (
 	"hakurei.app/container/seccomp"
 	"hakurei.app/container/std"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/system"
-	"hakurei.app/internal/system/acl"
-	"hakurei.app/internal/system/dbus"
 	"hakurei.app/internal/validate"
 	"hakurei.app/message"
 )

internal/outcome/spcontainer_test.go

@@ -14,9 +14,9 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/system"
-	"hakurei.app/internal/system/acl"
-	"hakurei.app/internal/system/dbus"
 )
 
 func TestSpParamsOp(t *testing.T) {

internal/outcome/spdbus.go

@@ -5,8 +5,8 @@ import (
 
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
-	"hakurei.app/internal/system/dbus"
+	"hakurei.app/internal/dbus"
 )
 
 func init() { gob.Register(new(spDBusOp)) }

internal/outcome/spdbus_test.go

@@ -7,10 +7,10 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/helper"
 	"hakurei.app/internal/system"
-	"hakurei.app/internal/system/acl"
-	"hakurei.app/internal/system/dbus"
 	"hakurei.app/message"
 )
 

internal/outcome/sppulse_test.go

@@ -11,8 +11,8 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
 	"hakurei.app/internal/system"
-	"hakurei.app/internal/system/acl"
 )
 
 func TestSpPulseOp(t *testing.T) {

internal/outcome/spruntime.go

@@ -7,8 +7,8 @@ import (
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/std"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
 	"hakurei.app/internal/system"
-	"hakurei.app/internal/system/acl"
 )
 
 const (

internal/outcome/spruntime_test.go

@@ -8,8 +8,8 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
 	"hakurei.app/internal/system"
-	"hakurei.app/internal/system/acl"
 )
 
 func TestSpRuntimeOp(t *testing.T) {

internal/outcome/sptmpdir.go

@@ -7,8 +7,8 @@ import (
 	"hakurei.app/container/fhs"
 	"hakurei.app/container/std"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
 	"hakurei.app/internal/system"
-	"hakurei.app/internal/system/acl"
 )
 
 func init() { gob.Register(spTmpdirOp{}) }

internal/outcome/sptmpdir_test.go

@@ -8,8 +8,8 @@ import (
 	"hakurei.app/container/std"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
 	"hakurei.app/internal/system"
-	"hakurei.app/internal/system/acl"
 )
 
 func TestSpTmpdirOp(t *testing.T) {

internal/outcome/spwayland.go

@@ -5,8 +5,8 @@ import (
 
 	"hakurei.app/container/check"
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
-	"hakurei.app/internal/system/wayland"
+	"hakurei.app/internal/wayland"
 )
 
 func init() { gob.Register(new(spWaylandOp)) }

internal/outcome/spwayland_test.go

@@ -6,9 +6,9 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
+	"hakurei.app/internal/acl"
 	"hakurei.app/internal/system"
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/wayland"
-	"hakurei.app/internal/system/wayland"
 )
 
 func TestSpWaylandOp(t *testing.T) {

internal/outcome/spx11.go

@@ -11,7 +11,7 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 var absX11SocketDir = fhs.AbsTmp.Append(".X11-unix")

internal/outcome/spx11_test.go

@@ -7,7 +7,7 @@ import (
 	"hakurei.app/container"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 func TestSpX11Op(t *testing.T) {

internal/system/acl.go

@@ -8,7 +8,7 @@ import (
 
 	"hakurei.app/container/check"
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 // UpdatePerm calls UpdatePermType with the [Process] criteria.

internal/system/acl_test.go

@@ -7,7 +7,7 @@ import (
 
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 func TestACLUpdateOp(t *testing.T) {

internal/system/dbus.go

@@ -13,7 +13,7 @@ import (
 
 	"hakurei.app/container"
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/dbus"
+	"hakurei.app/internal/dbus"
 )
 
 // ErrDBusConfig is returned when a required [hst.BusConfig] argument is nil.

internal/system/dbus_test.go

@@ -11,8 +11,8 @@ import (
 
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/helper"
-	"hakurei.app/internal/system/dbus"
 )
 
 func TestDBusProxyOp(t *testing.T) {

internal/system/dispatcher.go

@@ -6,10 +6,12 @@ import (
 	"log"
 	"os"
 
+	"hakurei.app/container/check"
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
-	"hakurei.app/internal/system/dbus"
+	"hakurei.app/internal/dbus"
-	"hakurei.app/internal/system/xcb"
+	"hakurei.app/internal/wayland"
+	"hakurei.app/internal/xcb"
 )
 
 type osFile interface {
@@ -45,6 +47,8 @@ type syscallDispatcher interface {
 	// aclUpdate provides [acl.Update].
 	aclUpdate(name string, uid int, perms ...acl.Perm) error
 
+	waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error)
+
 	// xcbChangeHosts provides [xcb.ChangeHosts].
 	xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error
 
@@ -76,6 +80,10 @@ func (k direct) aclUpdate(name string, uid int, perms ...acl.Perm) error {
 	return acl.Update(name, uid, perms...)
 }
 
+func (k direct) waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error) {
+	return wayland.New(displayPath, bindPath, appID, instanceID)
+}
+
 func (k direct) xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error {
 	return xcb.ChangeHosts(mode, family, address)
 }

internal/system/dispatcher_test.go

@@ -8,11 +8,13 @@ import (
 	"testing"
 	"unsafe"
 
+	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
-	"hakurei.app/internal/system/dbus"
+	"hakurei.app/internal/dbus"
-	"hakurei.app/internal/system/xcb"
+	"hakurei.app/internal/wayland"
+	"hakurei.app/internal/xcb"
 )
 
 // call initialises a [stub.Call].
@@ -268,6 +270,15 @@ func (k *kstub) aclUpdate(name string, uid int, perms ...acl.Perm) error {
 		stub.CheckArgReflect(k.Stub, "perms", perms, 2))
 }
 
+func (k *kstub) waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error) {
+	k.Helper()
+	return nil, k.Expects("waylandNew").Error(
+		stub.CheckArgReflect(k.Stub, "displayPath", displayPath, 0),
+		stub.CheckArgReflect(k.Stub, "bindPath", bindPath, 1),
+		stub.CheckArg(k.Stub, "appID", appID, 2),
+		stub.CheckArg(k.Stub, "instanceID", instanceID, 3))
+}
+
 func (k *kstub) xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error {
 	k.Helper()
 	return k.Expects("xcbChangeHosts").Error(

internal/system/output.go

@@ -40,6 +40,10 @@ func (e *OpError) Error() string {
 }
 
 func (e *OpError) Message() string {
+	if m, ok := message.GetMessage(e.Err); ok {
+		return m
+	}
+
 	switch {
 	case e.Msg != "":
 		return e.Error()

internal/system/system_test.go

@@ -11,7 +11,7 @@ import (
 	"hakurei.app/container/check"
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/xcb"
+	"hakurei.app/internal/xcb"
 	"hakurei.app/message"
 )
 

internal/system/wayland.go

@@ -7,84 +7,75 @@ import (
 
 	"hakurei.app/container/check"
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
-	"hakurei.app/internal/system/wayland"
+	"hakurei.app/internal/wayland"
 )
 
-type waylandConn interface {
-	Attach(p string) (err error)
-	Bind(pathname, appID, instanceID string) (*os.File, error)
-	Close() error
-}
-
 // Wayland maintains a wayland socket with security-context-v1 attached via [wayland].
 // The socket stops accepting connections once the pipe referred to by sync is closed.
 // The socket is pathname only and is destroyed on revert.
 func (sys *I) Wayland(dst, src *check.Absolute, appID, instanceID string) *I {
 	sys.ops = append(sys.ops, &waylandOp{nil,
-		dst.String(), src.String(),
+		dst, src, appID, instanceID})
-		appID, instanceID,
-		new(wayland.Conn)})
 	return sys
 }
 
 // waylandOp implements [I.Wayland].
 type waylandOp struct {
-	sync              *os.File
+	ctx               *wayland.SecurityContext
-	dst, src          string
+	dst, src          *check.Absolute
 	appID, instanceID string
-
-	conn waylandConn
 }
 
 func (w *waylandOp) Type() hst.Enablement { return Process }
 
-func (w *waylandOp) apply(sys *I) error {
+func (w *waylandOp) apply(sys *I) (err error) {
-	if err := w.conn.Attach(w.src); err != nil {
+	if w.ctx, err = sys.waylandNew(w.src, w.dst, w.appID, w.instanceID); err != nil {
 		return newOpError("wayland", err, false)
 	} else {
-		sys.msg.Verbosef("wayland attached on %q", w.src)
+		sys.msg.Verbosef("wayland pathname socket on %q via %q", w.dst, w.src)
+
+		if err = sys.chmod(w.dst.String(), 0); err != nil {
+			if closeErr := w.ctx.Close(); closeErr != nil {
+				return newOpError("wayland", errors.Join(err, closeErr), false)
+			}
+			return newOpError("wayland", err, false)
 		}
 
-	if sp, err := w.conn.Bind(w.dst, w.appID, w.instanceID); err != nil {
+		if err = sys.aclUpdate(w.dst.String(), sys.uid, acl.Read, acl.Write, acl.Execute); err != nil {
-		return newOpError("wayland", err, false)
+			if closeErr := w.ctx.Close(); closeErr != nil {
-	} else {
+				return newOpError("wayland", errors.Join(err, closeErr), false)
-		w.sync = sp
+			}
-		sys.msg.Verbosef("wayland listening on %q", w.dst)
-		if err = sys.chmod(w.dst, 0); err != nil {
 			return newOpError("wayland", err, false)
 		}
-		return newOpError("wayland", sys.aclUpdate(w.dst, sys.uid, acl.Read, acl.Write, acl.Execute), false)
+
+		return nil
 	}
 }
 
 func (w *waylandOp) revert(sys *I, _ *Criteria) error {
 	var (
 		hangupErr error
-		closeErr  error
 		removeErr error
 	)
 
-	sys.msg.Verbosef("detaching from wayland on %q", w.src)
+	sys.msg.Verbosef("hanging up wayland socket on %q", w.dst)
-	if w.sync != nil {
+	if w.ctx != nil {
-		hangupErr = w.sync.Close()
+		hangupErr = w.ctx.Close()
 	}
-	closeErr = w.conn.Close()
+	if err := sys.remove(w.dst.String()); err != nil && !errors.Is(err, os.ErrNotExist) {
-
-	sys.msg.Verbosef("removing wayland socket on %q", w.dst)
-	if err := sys.remove(w.dst); err != nil && !errors.Is(err, os.ErrNotExist) {
 		removeErr = err
 	}
 
-	return newOpError("wayland", errors.Join(hangupErr, closeErr, removeErr), true)
+	return newOpError("wayland", errors.Join(hangupErr, removeErr), true)
 }
 
 func (w *waylandOp) Is(o Op) bool {
 	target, ok := o.(*waylandOp)
 	return ok && w != nil && target != nil &&
-		w.dst == target.dst && w.src == target.src &&
+		w.dst.Is(target.dst) && w.src.Is(target.src) &&
 		w.appID == target.appID && w.instanceID == target.instanceID
 }
 
-func (w *waylandOp) Path() string   { return w.dst }
+func (w *waylandOp) Path() string   { return w.dst.String() }
 func (w *waylandOp) String() string { return fmt.Sprintf("wayland socket at %q", w.dst) }

internal/system/wayland/conn.go

@@ -1,122 +0,0 @@
-package wayland
-
-import (
-	"errors"
-	"net"
-	"os"
-	"runtime"
-	"sync"
-	"syscall"
-)
-
-// Conn represents a connection to the wayland display server.
-type Conn struct {
-	conn *net.UnixConn
-
-	done     chan struct{}
-	doneOnce sync.Once
-
-	mu sync.Mutex
-}
-
-// Attach connects Conn to a wayland socket.
-func (c *Conn) Attach(p string) (err error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	if c.conn != nil {
-		return errors.New("socket already attached")
-	}
-
-	c.conn, err = net.DialUnix("unix", nil, &net.UnixAddr{Name: p, Net: "unix"})
-	return
-}
-
-// Close releases resources and closes the connection to the wayland compositor.
-func (c *Conn) Close() error {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	if c.done == nil {
-		return errors.New("no socket bound")
-	}
-
-	c.doneOnce.Do(func() {
-		c.done <- struct{}{}
-		<-c.done
-	})
-
-	// closed by wayland
-	runtime.SetFinalizer(c.conn, nil)
-	return nil
-}
-
-// Bind binds the new socket to pathname.
-func (c *Conn) Bind(pathname, appID, instanceID string) (*os.File, error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	if c.conn == nil {
-		return nil, errors.New("socket not attached")
-	}
-	if c.done != nil {
-		return nil, errors.New("socket already bound")
-	}
-
-	if rc, err := c.conn.SyscallConn(); err != nil {
-		// unreachable
-		return nil, err
-	} else {
-		c.done = make(chan struct{})
-		return bindRawConn(c.done, rc, pathname, appID, instanceID)
-	}
-}
-
-func bindRawConn(done chan struct{}, rc syscall.RawConn, p, appID, instanceID string) (*os.File, error) {
-	var syncPipe [2]*os.File
-
-	if r, w, err := os.Pipe(); err != nil {
-		return nil, err
-	} else {
-		syncPipe[0] = r
-		syncPipe[1] = w
-	}
-
-	setupDone := make(chan error, 1) // does not block with c.done
-
-	go func() {
-		if err := rc.Control(func(fd uintptr) {
-			// prevent runtime from closing the read end of sync fd
-			runtime.SetFinalizer(syncPipe[0], nil)
-
-			// allow the Bind method to return after setup
-			setupDone <- bind(fd, p, appID, instanceID, syncPipe[0].Fd())
-			close(setupDone)
-
-			// keep socket alive until done is requested
-			<-done
-			runtime.KeepAlive(syncPipe[1])
-		}); err != nil {
-			setupDone <- err
-		}
-
-		// notify Close that rc.Control has returned
-		close(done)
-	}()
-
-	// return write end of the pipe
-	return syncPipe[1], <-setupDone
-}
-
-func bind(fd uintptr, p, appID, instanceID string, syncFd uintptr) error {
-	// ensure p is available
-	if f, err := os.Create(p); err != nil {
-		return err
-	} else if err = f.Close(); err != nil {
-		return err
-	} else if err = os.Remove(p); err != nil {
-		return err
-	}
-
-	return bindWaylandFd(p, fd, appID, instanceID, syncFd)
-}

internal/system/wayland/wayland-client-helper.h

@@ -1,4 +0,0 @@
-#include <stdint.h>
-
-int32_t hakurei_bind_wayland_fd(char *socket_path, int fd, const char *app_id,
-                                const char *instance_id, int sync_fd);

internal/system/wayland/wayland.go

@@ -1,48 +0,0 @@
-// Package wayland implements Wayland security_context_v1 protocol.
-package wayland
-
-//go:generate sh -c "wayland-scanner client-header `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.h"
-//go:generate sh -c "wayland-scanner private-code `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.c"
-
-/*
-#cgo linux pkg-config: --static wayland-client
-#cgo freebsd openbsd LDFLAGS: -lwayland-client
-
-#include "wayland-client-helper.h"
-*/
-import "C"
-import (
-	"errors"
-	"strings"
-	"syscall"
-)
-
-const (
-	// Display contains the name of the server socket
-	// (https://gitlab.freedesktop.org/wayland/wayland/-/blob/1.23.1/src/wayland-client.c#L1147)
-	// which is concatenated with XDG_RUNTIME_DIR
-	// (https://gitlab.freedesktop.org/wayland/wayland/-/blob/1.23.1/src/wayland-client.c#L1171)
-	// or used as-is if absolute
-	// (https://gitlab.freedesktop.org/wayland/wayland/-/blob/1.23.1/src/wayland-client.c#L1176).
-	Display = "WAYLAND_DISPLAY"
-
-	// FallbackName is used as the wayland socket name if WAYLAND_DISPLAY is unset
-	// (https://gitlab.freedesktop.org/wayland/wayland/-/blob/1.23.1/src/wayland-client.c#L1149).
-	FallbackName = "wayland-0"
-)
-
-var resErr = [...]error{
-	0: nil,
-	1: errors.New("wl_display_connect_to_fd() failed"),
-	2: errors.New("wp_security_context_v1 not available"),
-}
-
-func bindWaylandFd(socketPath string, fd uintptr, appID, instanceID string, syncFd uintptr) error {
-	if hasNull(appID) || hasNull(instanceID) {
-		return syscall.EINVAL
-	}
-	res := C.hakurei_bind_wayland_fd(C.CString(socketPath), C.int(fd), C.CString(appID), C.CString(instanceID), C.int(syncFd))
-	return resErr[int32(res)]
-}
-
-func hasNull(s string) bool { return strings.IndexByte(s, 0) > -1 }

internal/system/wayland_test.go

@@ -6,197 +6,63 @@ import (
 	"testing"
 
 	"hakurei.app/container/stub"
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
-	"hakurei.app/internal/system/wayland"
 )
 
-type stubWaylandConn struct {
-	t *testing.T
-
-	wantAttach string
-	attachErr  error
-	attached   bool
-
-	wantBind [3]string
-	bindErr  error
-	bound    bool
-
-	closeErr error
-	closed   bool
-}
-
-func (conn *stubWaylandConn) Attach(p string) (err error) {
-	conn.t.Helper()
-
-	if conn.attached {
-		conn.t.Fatal("Attach called twice")
-	}
-	conn.attached = true
-
-	err = conn.attachErr
-	if p != conn.wantAttach {
-		conn.t.Errorf("Attach: p = %q, want %q", p, conn.wantAttach)
-		err = stub.ErrCheck
-	}
-	return
-}
-
-func (conn *stubWaylandConn) Bind(pathname, appID, instanceID string) (*os.File, error) {
-	conn.t.Helper()
-
-	if !conn.attached {
-		conn.t.Fatal("Bind called before Attach")
-	}
-
-	if conn.bound {
-		conn.t.Fatal("Bind called twice")
-	}
-	conn.bound = true
-
-	if pathname != conn.wantBind[0] {
-		conn.t.Errorf("Attach: pathname = %q, want %q", pathname, conn.wantBind[0])
-		return nil, stub.ErrCheck
-	}
-	if appID != conn.wantBind[1] {
-		conn.t.Errorf("Attach: appID = %q, want %q", appID, conn.wantBind[1])
-		return nil, stub.ErrCheck
-	}
-	if instanceID != conn.wantBind[2] {
-		conn.t.Errorf("Attach: instanceID = %q, want %q", instanceID, conn.wantBind[2])
-		return nil, stub.ErrCheck
-	}
-	return nil, conn.bindErr
-}
-
-func (conn *stubWaylandConn) Close() error {
-	conn.t.Helper()
-
-	if !conn.attached {
-		conn.t.Fatal("Close called before Attach")
-	}
-	if !conn.bound {
-		conn.t.Fatal("Close called before Bind")
-	}
-
-	if conn.closed {
-		conn.t.Fatal("Close called twice")
-	}
-	conn.closed = true
-	return conn.closeErr
-}
-
 func TestWaylandOp(t *testing.T) {
 	t.Parallel()
 
 	checkOpBehaviour(t, []opBehaviourTestCase{
-		{"attach", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
-			"org.chromium.Chromium",
-			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"},
-				attachErr: stub.UniqueError(5)},
-		}, nil, &OpError{Op: "wayland", Err: stub.UniqueError(5)}, nil, nil},
-
-		{"bind", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
-			"org.chromium.Chromium",
-			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"},
-				bindErr: stub.UniqueError(4)},
-		}, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
-		}, &OpError{Op: "wayland", Err: stub.UniqueError(4)}, nil, nil},
-
 		{"chmod", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}},
 		}, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+			call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
 			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, stub.UniqueError(3)),
-		}, &OpError{Op: "wayland", Err: stub.UniqueError(3)}, nil, nil},
+		}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(3), os.ErrInvalid)}, nil, nil},
 
 		{"aclUpdate", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}},
 		}, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+			call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
 			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
 			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, stub.UniqueError(2)),
-		}, &OpError{Op: "wayland", Err: stub.UniqueError(2)}, nil, nil},
+		}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(2), os.ErrInvalid)}, nil, nil},
 
 		{"remove", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}},
 		}, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+			call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
 			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
 			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
 		}, nil, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"detaching from wayland on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"hanging up wayland socket on %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland")}}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"removing wayland socket on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
 			call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, stub.UniqueError(1)),
 		}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(1)), Revert: true}},
 
-		{"close", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-			"/run/user/1971/wayland-0",
-			"org.chromium.Chromium",
-			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"},
-				closeErr: stub.UniqueError(0)},
-		}, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
-			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
-			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
-		}, nil, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"detaching from wayland on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"removing wayland socket on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
-			call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, nil),
-		}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(0)), Revert: true}},
-
 		{"success", 0xbeef, 0xff, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			&stubWaylandConn{t: t, wantAttach: "/run/user/1971/wayland-0", wantBind: [3]string{
-				"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
-				"org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}},
 		}, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"wayland attached on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+			call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"wayland listening on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
 			call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
 			call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
 		}, nil, []stub.Call{
-			call("verbosef", stub.ExpectArgs{"detaching from wayland on %q", []any{"/run/user/1971/wayland-0"}}, nil, nil),
+			call("verbosef", stub.ExpectArgs{"hanging up wayland socket on %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland")}}, nil, nil),
-			call("verbosef", stub.ExpectArgs{"removing wayland socket on %q", []any{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}}, nil, nil),
 			call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, nil),
 		}, nil},
 	})
@@ -210,93 +76,81 @@ func TestWaylandOp(t *testing.T) {
 				"ebf083d1b175911782d413369b64ce7c",
 			)
 		}, []Op{&waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}}, stub.Expect{}},
 	})
 
 	checkOpIs(t, []opIsTestCase{
 		{"dst differs", &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7d/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7d/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, false},
 
 		{"src differs", &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-1",
+			m("/run/user/1971/wayland-1"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, false},
 
 		{"appID differs", &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, false},
 
 		{"instanceID differs", &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7d",
-			new(wayland.Conn),
 		}, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, false},
 
 		{"equals", &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, true},
 	})
 
 	checkOpMeta(t, []opMetaTestCase{
 		{"chromium", &waylandOp{nil,
-			"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
+			m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
-			"/run/user/1971/wayland-0",
+			m("/run/user/1971/wayland-0"),
 			"org.chromium.Chromium",
 			"ebf083d1b175911782d413369b64ce7c",
-			new(wayland.Conn),
 		}, Process, "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland",
 			`wayland socket at "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"`},
 	})

internal/system/xhost.go

@@ -2,7 +2,7 @@ package system
 
 import (
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/xcb"
+	"hakurei.app/internal/xcb"
 )
 
 // ChangeHosts inserts the target user into X11 hosts and deletes it once its [Enablement] is no longer satisfied.

internal/system/xhost_test.go

@@ -5,7 +5,7 @@ import (
 
 	"hakurei.app/container/stub"
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/xcb"
+	"hakurei.app/internal/xcb"
 )
 
 func TestXHostOp(t *testing.T) {

internal/wayland/conn.go

@@ -0,0 +1,94 @@
+package wayland
+
+import (
+	"errors"
+	"os"
+	"syscall"
+
+	"hakurei.app/container/check"
+)
+
+// SecurityContext holds resources associated with a Wayland security_context.
+type SecurityContext struct {
+	// Pipe with its write end passed to security-context-v1.
+	closeFds [2]int
+}
+
+// Close releases any resources held by [SecurityContext], and prevents further
+// connections to its associated socket.
+func (sc *SecurityContext) Close() error {
+	if sc == nil {
+		return os.ErrInvalid
+	}
+	return errors.Join(
+		syscall.Close(sc.closeFds[1]),
+		syscall.Close(sc.closeFds[0]),
+	)
+}
+
+// New creates a new security context on the Wayland display at displayPath
+// and associates it with a new socket bound to bindPath.
+//
+// New does not attach a finalizer to the resulting [SecurityContext] struct.
+// The caller is responsible for calling [SecurityContext.Close].
+//
+// A non-nil error unwraps to concrete type [Error].
+func New(displayPath, bindPath *check.Absolute, appID, instanceID string) (*SecurityContext, error) {
+	// ensure bindPath is available
+	if f, err := os.Create(bindPath.String()); err != nil {
+		return nil, &Error{RCreate, bindPath.String(), displayPath.String(), err}
+	} else if err = f.Close(); err != nil {
+		return nil, &Error{RCreate, bindPath.String(), displayPath.String(), err}
+	} else if err = os.Remove(bindPath.String()); err != nil {
+		return nil, &Error{RCreate, bindPath.String(), displayPath.String(), err}
+	}
+
+	if fd, err := syscall.Socket(syscall.AF_UNIX, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0); err != nil {
+		return nil, &Error{RHostSocket, bindPath.String(), displayPath.String(), err}
+	} else if err = syscall.Connect(fd, &syscall.SockaddrUnix{Name: displayPath.String()}); err != nil {
+		_ = syscall.Close(fd)
+		return nil, &Error{RHostConnect, bindPath.String(), displayPath.String(), err}
+	} else {
+		closeFds, bindErr := securityContextBindPipe(fd, bindPath, appID, instanceID)
+		if bindErr != nil {
+			// do not leak the pipe and socket
+			err = errors.Join(bindErr, // already wrapped
+				syscall.Close(closeFds[1]),
+				syscall.Close(closeFds[0]),
+				syscall.Close(fd),
+			)
+		}
+		return &SecurityContext{closeFds}, err
+	}
+}
+
+// securityContextBindPipe binds a socket associated to a security context created on serverFd,
+// returning the pipe file descriptors used for security-context-v1 close_fd.
+//
+// A non-nil error unwraps to concrete type [Error].
+func securityContextBindPipe(
+	serverFd int,
+	bindPath *check.Absolute,
+	appID, instanceID string,
+) ([2]int, error) {
+	// write end passed to security-context-v1 close_fd
+	var closeFds [2]int
+	if err := syscall.Pipe2(closeFds[0:], syscall.O_CLOEXEC); err != nil {
+		return closeFds, err
+	}
+
+	// returned error is already wrapped
+	if err := securityContextBind(
+		bindPath.String(),
+		serverFd,
+		appID, instanceID,
+		closeFds[1],
+	); err != nil {
+		return closeFds, errors.Join(err,
+			syscall.Close(closeFds[1]),
+			syscall.Close(closeFds[0]),
+		)
+	} else {
+		return closeFds, nil
+	}
+}

internal/wayland/conn_test.go

@@ -0,0 +1,54 @@
+package wayland
+
+import (
+	"errors"
+	"os"
+	"reflect"
+	"syscall"
+	"testing"
+
+	"hakurei.app/container/check"
+)
+
+func TestSecurityContextClose(t *testing.T) {
+	t.Parallel()
+
+	if err := (*SecurityContext)(nil).Close(); !reflect.DeepEqual(err, os.ErrInvalid) {
+		t.Fatalf("Close: error = %v", err)
+	}
+
+	var ctx SecurityContext
+	if err := syscall.Pipe2(ctx.closeFds[0:], syscall.O_CLOEXEC); err != nil {
+		t.Fatalf("Pipe: error = %v", err)
+	}
+	t.Cleanup(func() { _ = syscall.Close(ctx.closeFds[0]); _ = syscall.Close(ctx.closeFds[1]) })
+
+	if err := ctx.Close(); err != nil {
+		t.Fatalf("Close: error = %v", err)
+	}
+
+	wantErr := errors.Join(syscall.EBADF, syscall.EBADF)
+	if err := ctx.Close(); !reflect.DeepEqual(err, wantErr) {
+		t.Fatalf("Close: error = %#v, want %#v", err, wantErr)
+	}
+}
+
+func TestNewEnsure(t *testing.T) {
+	existingDirPath := check.MustAbs(t.TempDir()).Append("dir")
+	if err := os.MkdirAll(existingDirPath.String(), 0700); err != nil {
+		t.Fatal(err)
+	}
+	nonexistent := check.MustAbs("/proc/nonexistent")
+
+	wantErr := &Error{RCreate, existingDirPath.String(), nonexistent.String(), &os.PathError{
+		Op:   "open",
+		Path: existingDirPath.String(),
+		Err:  syscall.EISDIR,
+	}}
+	if _, err := New(
+		nonexistent,
+		existingDirPath, "", "",
+	); !reflect.DeepEqual(err, wantErr) {
+		t.Fatalf("New: error = %#v, want %#v", err, wantErr)
+	}
+}

internal/wayland/wayland-client-helper.c

@@ -3,23 +3,25 @@
 #include <stdlib.h>
 #include <string.h>
 #include <sys/socket.h>
-#include <sys/un.h>
 #include <unistd.h>
 
 #include "security-context-v1-protocol.h"
 #include <wayland-client.h>
 
-static void registry_handle_global(void *data, struct wl_registry *registry,
+static void registry_handle_global(
-                                   uint32_t name, const char *interface,
+    void *data,
+    struct wl_registry *registry,
+    uint32_t name,
+    const char *interface,
     uint32_t version) {
   struct wp_security_context_manager_v1 **out = data;
 
   if (strcmp(interface, wp_security_context_manager_v1_interface.name) == 0)
-    *out = wl_registry_bind(registry, name,
+    *out = wl_registry_bind(registry, name, &wp_security_context_manager_v1_interface, 1);
-                            &wp_security_context_manager_v1_interface, 1);
 }
 
-static void registry_handle_global_remove(void *data,
+static void registry_handle_global_remove(
+    void *data,
     struct wl_registry *registry,
     uint32_t name) {} /* no-op */
 
@@ -28,65 +30,84 @@ static const struct wl_registry_listener registry_listener = {
     .global_remove = registry_handle_global_remove,
 };
 
-int32_t hakurei_bind_wayland_fd(char *socket_path, int fd, const char *app_id,
+hakurei_wayland_res hakurei_security_context_bind(
-                                const char *instance_id, int sync_fd) {
+    char *socket_path,
-  int32_t res = 0; /* refer to resErr for corresponding Go error */
+    int server_fd,
+    const char *app_id,
+    const char *instance_id,
+    int close_fd) {
+  hakurei_wayland_res res = HAKUREI_WAYLAND_SUCCESS; /* see wayland.go for handling */
 
-  struct wl_display *display;
+  struct wl_display *display = NULL;
-  display = wl_display_connect_to_fd(fd);
+  struct wl_registry *registry;
-  if (!display) {
+  struct wp_security_context_manager_v1 *security_context_manager = NULL;
-    res = 1;
+  int event_cnt;
+  int listen_fd = -1;
+  struct sockaddr_un sockaddr = {0};
+  struct wp_security_context_v1 *security_context;
+
+  display = wl_display_connect_to_fd(server_fd);
+  if (display == NULL) {
+    res = HAKUREI_WAYLAND_CONNECT;
     goto out;
   };
 
-  struct wl_registry *registry;
   registry = wl_display_get_registry(display);
-
+  if (wl_registry_add_listener(registry, &registry_listener, &security_context_manager) < 0) {
-  struct wp_security_context_manager_v1 *security_context_manager = NULL;
+    res = HAKUREI_WAYLAND_LISTENER;
-  wl_registry_add_listener(registry, &registry_listener,
-                           &security_context_manager);
-  int ret;
-  ret = wl_display_roundtrip(display);
-  wl_registry_destroy(registry);
-  if (ret < 0)
     goto out;
-
+  }
-  if (!security_context_manager) {
+  event_cnt = wl_display_roundtrip(display);
-    res = 2;
+  wl_registry_destroy(registry);
+  if (event_cnt < 0) {
+    res = HAKUREI_WAYLAND_ROUNDTRIP;
     goto out;
   }
 
-  int listen_fd = -1;
+  if (security_context_manager == NULL) {
-  listen_fd = socket(AF_UNIX, SOCK_STREAM, 0);
+    res = HAKUREI_WAYLAND_NOT_AVAIL;
-  if (listen_fd < 0)
     goto out;
+  }
+
+  listen_fd = socket(AF_UNIX, SOCK_STREAM, 0);
+  if (listen_fd < 0) {
+    res = HAKUREI_WAYLAND_SOCKET;
+    goto out;
+  }
 
-  struct sockaddr_un sockaddr = {0};
   sockaddr.sun_family = AF_UNIX;
   snprintf(sockaddr.sun_path, sizeof(sockaddr.sun_path), "%s", socket_path);
-  if (bind(listen_fd, (struct sockaddr *)&sockaddr, sizeof(sockaddr)) != 0)
+  if (bind(listen_fd, (struct sockaddr *)&sockaddr, sizeof(sockaddr)) != 0) {
+    res = HAKUREI_WAYLAND_BIND;
     goto out;
+  }
 
-  if (listen(listen_fd, 0) != 0)
+  if (listen(listen_fd, 0) != 0) {
+    res = HAKUREI_WAYLAND_LISTEN;
     goto out;
+  }
 
-  struct wp_security_context_v1 *security_context;
+  security_context = wp_security_context_manager_v1_create_listener(security_context_manager, listen_fd, close_fd);
-  security_context = wp_security_context_manager_v1_create_listener(
+  if (security_context == NULL) { /* not reached */
-      security_context_manager, listen_fd, sync_fd);
+    res = HAKUREI_WAYLAND_NOT_AVAIL;
+    goto out;
+  }
   wp_security_context_v1_set_sandbox_engine(security_context, "app.hakurei");
   wp_security_context_v1_set_app_id(security_context, app_id);
   wp_security_context_v1_set_instance_id(security_context, instance_id);
   wp_security_context_v1_commit(security_context);
   wp_security_context_v1_destroy(security_context);
-  if (wl_display_roundtrip(display) < 0)
+  if (wl_display_roundtrip(display) < 0) {
+    res = HAKUREI_WAYLAND_ROUNDTRIP;
     goto out;
+  }
 
 out:
   if (listen_fd >= 0)
     close(listen_fd);
-  if (security_context_manager)
+  if (security_context_manager != NULL)
     wp_security_context_manager_v1_destroy(security_context_manager);
-  if (display)
+  if (display != NULL)
     wl_display_disconnect(display);
 
   free((void *)socket_path);

internal/wayland/wayland-client-helper.h

@@ -0,0 +1,40 @@
+#include <stdbool.h>
+#include <sys/un.h>
+
+typedef enum {
+  HAKUREI_WAYLAND_SUCCESS,
+  /* wl_display_connect_to_fd failed, errno */
+  HAKUREI_WAYLAND_CONNECT,
+  /* wl_registry_add_listener failed, errno */
+  HAKUREI_WAYLAND_LISTENER,
+  /* wl_display_roundtrip failed, errno */
+  HAKUREI_WAYLAND_ROUNDTRIP,
+  /* compositor does not implement wp_security_context_v1 */
+  HAKUREI_WAYLAND_NOT_AVAIL,
+  /* socket failed, errno */
+  HAKUREI_WAYLAND_SOCKET,
+  /* bind failed, errno */
+  HAKUREI_WAYLAND_BIND,
+  /* listen failed, errno */
+  HAKUREI_WAYLAND_LISTEN,
+
+  /* ensure pathname failed, implemented in conn.go */
+  HAKUREI_WAYLAND_CREAT,
+  /* socket for host server failed, implemented in conn.go */
+  HAKUREI_WAYLAND_HOST_SOCKET,
+  /* connect for host server failed, implemented in conn.go */
+  HAKUREI_WAYLAND_HOST_CONNECT,
+} hakurei_wayland_res;
+
+hakurei_wayland_res hakurei_security_context_bind(
+    char *socket_path,
+    int server_fd,
+    const char *app_id,
+    const char *instance_id,
+    int close_fd);
+
+/* returns whether the specified size fits in the sun_path field of sockaddr_un */
+static inline bool hakurei_is_valid_size_sun_path(size_t sz) {
+  struct sockaddr_un sockaddr;
+  return sz <= sizeof(sockaddr.sun_path);
+};

internal/wayland/wayland.go

@@ -0,0 +1,161 @@
+// Package wayland implements Wayland security_context_v1 protocol.
+package wayland
+
+//go:generate sh -c "wayland-scanner client-header `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.h"
+//go:generate sh -c "wayland-scanner private-code `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.c"
+
+/*
+#cgo linux pkg-config: --static wayland-client
+#cgo freebsd openbsd LDFLAGS: -lwayland-client
+
+#include "wayland-client-helper.h"
+*/
+import "C"
+import (
+	"errors"
+	"strings"
+)
+
+const (
+	// Display contains the name of the server socket
+	// (https://gitlab.freedesktop.org/wayland/wayland/-/blob/1.23.1/src/wayland-client.c#L1147)
+	// which is concatenated with XDG_RUNTIME_DIR
+	// (https://gitlab.freedesktop.org/wayland/wayland/-/blob/1.23.1/src/wayland-client.c#L1171)
+	// or used as-is if absolute
+	// (https://gitlab.freedesktop.org/wayland/wayland/-/blob/1.23.1/src/wayland-client.c#L1176).
+	Display = "WAYLAND_DISPLAY"
+
+	// FallbackName is used as the wayland socket name if WAYLAND_DISPLAY is unset
+	// (https://gitlab.freedesktop.org/wayland/wayland/-/blob/1.23.1/src/wayland-client.c#L1149).
+	FallbackName = "wayland-0"
+)
+
+type (
+	// Res is the outcome of a call to [New].
+	Res = C.hakurei_wayland_res
+
+	// An Error represents a failure during [New].
+	Error struct {
+		// Where the failure occurred.
+		Cause Res
+		// Attempted pathname socket.
+		Path string
+		// Pathname socket to host server. Omitted for libwayland errors.
+		Host string
+		// Global errno value set during the fault.
+		Errno error
+	}
+)
+
+// withPrefix returns prefix suffixed with errno description if available.
+func (e *Error) withPrefix(prefix string) string {
+	if e.Errno == nil {
+		return prefix
+	}
+	return prefix + ": " + e.Errno.Error()
+}
+
+const (
+	// RSuccess is returned on a successful call.
+	RSuccess Res = C.HAKUREI_WAYLAND_SUCCESS
+	// RConnect is returned if wl_display_connect_to_fd failed. The global errno is set.
+	RConnect Res = C.HAKUREI_WAYLAND_CONNECT
+	// RListener is returned if wl_registry_add_listener failed. The global errno is set.
+	RListener Res = C.HAKUREI_WAYLAND_LISTENER
+	// RRoundtrip is returned if wl_display_roundtrip failed. The global errno is set.
+	RRoundtrip Res = C.HAKUREI_WAYLAND_ROUNDTRIP
+	// RNotAvail is returned if compositor does not implement wp_security_context_v1.
+	RNotAvail Res = C.HAKUREI_WAYLAND_NOT_AVAIL
+	// RSocket is returned if socket failed. The global errno is set.
+	RSocket Res = C.HAKUREI_WAYLAND_SOCKET
+	// RBind is returned if bind failed. The global errno is set.
+	RBind Res = C.HAKUREI_WAYLAND_BIND
+	// RListen is returned if listen failed. The global errno is set.
+	RListen Res = C.HAKUREI_WAYLAND_LISTEN
+
+	// RCreate is returned if ensuring pathname availability failed. Returned by [New].
+	RCreate Res = C.HAKUREI_WAYLAND_CREAT
+	// RHostSocket is returned if socket failed for host server. Returned by [New].
+	RHostSocket Res = C.HAKUREI_WAYLAND_HOST_SOCKET
+	// RHostConnect is returned if connect failed for host server. Returned by [New].
+	RHostConnect Res = C.HAKUREI_WAYLAND_HOST_CONNECT
+)
+
+func (e *Error) Unwrap() error   { return e.Errno }
+func (e *Error) Message() string { return e.Error() }
+func (e *Error) Error() string {
+	switch e.Cause {
+	case RSuccess:
+		if e.Errno == nil {
+			return "success"
+		}
+		return e.Errno.Error()
+
+	case RConnect:
+		return e.withPrefix("wl_display_connect_to_fd failed")
+	case RListener:
+		return e.withPrefix("wl_registry_add_listener failed")
+	case RRoundtrip:
+		return e.withPrefix("wl_display_roundtrip failed")
+	case RNotAvail:
+		return "compositor does not implement security_context_v1"
+
+	case RSocket:
+		if e.Errno == nil {
+			return "socket operation failed"
+		}
+		return "socket: " + e.Errno.Error()
+	case RBind:
+		return e.withPrefix("cannot bind " + e.Path)
+	case RListen:
+		return e.withPrefix("cannot listen on " + e.Path)
+
+	case RCreate:
+		if e.Errno == nil {
+			return "cannot ensure wayland pathname socket"
+		}
+		return e.Errno.Error()
+	case RHostSocket:
+		return e.withPrefix("socket")
+	case RHostConnect:
+		return e.withPrefix("cannot connect to " + e.Host)
+
+	default:
+		return e.withPrefix("impossible outcome") /* not reached */
+	}
+}
+
+// securityContextBind calls hakurei_security_context_bind.
+//
+// A non-nil error has concrete type [Error].
+func securityContextBind(
+	socketPath string,
+	serverFd int,
+	appID, instanceID string,
+	closeFd int,
+) error {
+	if hasNull(socketPath) || hasNull(appID) || hasNull(instanceID) {
+		return &Error{Cause: RBind, Path: socketPath, Errno: errors.New("argument contains NUL character")}
+	}
+	if !C.hakurei_is_valid_size_sun_path(C.size_t(len(socketPath))) {
+		return &Error{Cause: RBind, Path: socketPath, Errno: errors.New("socket pathname too long")}
+	}
+
+	var e Error
+	e.Cause, e.Errno = C.hakurei_security_context_bind(
+		C.CString(socketPath),
+		C.int(serverFd),
+		C.CString(appID),
+		C.CString(instanceID),
+		C.int(closeFd),
+	)
+
+	if e.Cause == RSuccess {
+		return nil
+	}
+	e.Path = socketPath
+	return &e
+}
+
+// hasNull returns whether s contains the NUL character.
+func hasNull(s string) bool { return strings.IndexByte(s, 0) > -1 }

internal/wayland/wayland_test.go

@@ -0,0 +1,137 @@
+package wayland
+
+import (
+	"errors"
+	"os"
+	"reflect"
+	"syscall"
+	"testing"
+
+	"hakurei.app/container/stub"
+)
+
+func TestError(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name string
+		err  Error
+		want string
+	}{
+		{"success", Error{
+			Cause: RSuccess,
+		}, "success"},
+
+		{"success errno", Error{
+			Cause: RSuccess,
+			Errno: stub.UniqueError(0),
+		}, "unique error 0 injected by the test suite"},
+
+		{"wl_display_connect_to_fd", Error{
+			Cause: RConnect,
+			Errno: stub.UniqueError(1),
+		}, "wl_display_connect_to_fd failed: unique error 1 injected by the test suite"},
+
+		{"wl_registry_add_listener", Error{
+			Cause: RListener,
+			Errno: stub.UniqueError(2),
+		}, "wl_registry_add_listener failed: unique error 2 injected by the test suite"},
+
+		{"wl_display_roundtrip", Error{
+			Cause: RRoundtrip,
+			Errno: stub.UniqueError(3),
+		}, "wl_display_roundtrip failed: unique error 3 injected by the test suite"},
+
+		{"not available", Error{
+			Cause: RNotAvail,
+		}, "compositor does not implement security_context_v1"},
+
+		{"not available errno", Error{
+			Cause: RNotAvail,
+			Errno: syscall.EAGAIN,
+		}, "compositor does not implement security_context_v1"},
+
+		{"socket", Error{
+			Cause: RSocket,
+			Errno: stub.UniqueError(4),
+		}, "socket: unique error 4 injected by the test suite"},
+
+		{"bind", Error{
+			Cause: RBind,
+			Path:  "/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland",
+			Errno: stub.UniqueError(5),
+		}, "cannot bind /hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland: unique error 5 injected by the test suite"},
+
+		{"listen", Error{
+			Cause: RListen,
+			Path:  "/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland",
+			Errno: stub.UniqueError(6),
+		}, "cannot listen on /hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland: unique error 6 injected by the test suite"},
+
+		{"socket invalid", Error{
+			Cause: RSocket,
+		}, "socket operation failed"},
+
+		{"create", Error{
+			Cause: RCreate,
+		}, "cannot ensure wayland pathname socket"},
+
+		{"create path", Error{
+			Cause: RCreate,
+			Errno: &os.PathError{Op: "create", Path: "/proc/nonexistent", Err: syscall.EEXIST},
+		}, "create /proc/nonexistent: file exists"},
+
+		{"host socket", Error{
+			Cause: RHostSocket,
+			Errno: stub.UniqueError(7),
+		}, "socket: unique error 7 injected by the test suite"},
+
+		{"host connect", Error{
+			Cause: RHostConnect,
+			Host:  "/run/user/1971/wayland-1",
+			Errno: stub.UniqueError(8),
+		}, "cannot connect to /run/user/1971/wayland-1: unique error 8 injected by the test suite"},
+
+		{"invalid", Error{
+			Cause: 0xbad,
+		}, "impossible outcome"},
+
+		{"invalid errno", Error{
+			Cause: 0xbad,
+			Errno: stub.UniqueError(9),
+		}, "impossible outcome: unique error 9 injected by the test suite"},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			if got := tc.err.Message(); got != tc.want {
+				t.Errorf("Message: %q, want %q", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestSecurityContextBindValidate(t *testing.T) {
+	t.Parallel()
+
+	t.Run("NUL", func(t *testing.T) {
+		t.Parallel()
+
+		want := &Error{Cause: RBind, Path: "\x00", Errno: errors.New("argument contains NUL character")}
+		if got := securityContextBind("\x00", -1, "\x00", "\x00", -1); !reflect.DeepEqual(got, want) {
+			t.Fatalf("securityContextBind: error = %#v, want %#v", got, want)
+		}
+	})
+
+	t.Run("long", func(t *testing.T) {
+		t.Parallel()
+		// 256 bytes
+		const oversizedPath = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+		want := &Error{Cause: RBind, Path: oversizedPath, Errno: errors.New("socket pathname too long")}
+		if got := securityContextBind(oversizedPath, -1, "", "", -1); !reflect.DeepEqual(got, want) {
+			t.Fatalf("securityContextBind: error = %#v, want %#v", got, want)
+		}
+	})
+}

package.nix

@@ -20,7 +20,7 @@
 
   # for passthru.buildInputs
   go,
-  gcc,
+  clang,
 
   # for check
   util-linux,
@@ -81,8 +81,13 @@ buildGoModule rec {
         hsuPath = "/run/wrappers/bin/hsu";
       };
 
+  env = {
+    # use clang instead of gcc
+    CC = "clang -O3 -Werror";
+
     # nix build environment does not allow acls
-  env.GO_TEST_SKIP_ACL = 1;
+    GO_TEST_SKIP_ACL = 1;
+  };
 
   buildInputs = [
     libffi
@@ -135,7 +140,7 @@ buildGoModule rec {
 
   passthru.targetPkgs = [
     go
-    gcc
+    clang
     xorg.xorgproto
     util-linux
 

system/acl/deprecated.go

@@ -1,4 +1,4 @@
-// Package acl exposes the internal/system/acl package.
+// Package acl exposes the internal/acl package.
 //
 // Deprecated: This package will be removed in 0.4.
 package acl
@@ -6,7 +6,7 @@ package acl
 import (
 	_ "unsafe" // for go:linkname
 
-	"hakurei.app/internal/system/acl"
+	"hakurei.app/internal/acl"
 )
 
 type Perm = acl.Perm
@@ -19,7 +19,7 @@ const (
 
 // Update replaces ACL_USER entry with qualifier uid.
 //
-//go:linkname Update hakurei.app/internal/system/acl.Update
+//go:linkname Update hakurei.app/internal/acl.Update
 func Update(name string, uid int, perms ...Perm) error
 
 type Perms = acl.Perms

system/dbus/deprecated.go

@@ -1,4 +1,4 @@
-// Package dbus exposes the internal/system/dbus package.
+// Package dbus exposes the internal/dbus package.
 //
 // Deprecated: This package will be removed in 0.4.
 package dbus
@@ -9,7 +9,7 @@ import (
 	_ "unsafe" // for go:linkname
 
 	"hakurei.app/hst"
-	"hakurei.app/internal/system/dbus"
+	"hakurei.app/internal/dbus"
 	"hakurei.app/message"
 )
 
@@ -17,13 +17,13 @@ type AddrEntry = dbus.AddrEntry
 
 // EqualAddrEntries returns whether two slices of [AddrEntry] are equal.
 //
-//go:linkname EqualAddrEntries hakurei.app/internal/system/dbus.EqualAddrEntries
+//go:linkname EqualAddrEntries hakurei.app/internal/dbus.EqualAddrEntries
 func EqualAddrEntries(entries, target []AddrEntry) bool
 
 // Parse parses D-Bus address according to
 // https://dbus.freedesktop.org/doc/dbus-specification.html#addresses
 //
-//go:linkname Parse hakurei.app/internal/system/dbus.Parse
+//go:linkname Parse hakurei.app/internal/dbus.Parse
 func Parse(addr []byte) ([]AddrEntry, error)
 
 type ParseError = dbus.ParseError
@@ -46,12 +46,12 @@ type ProxyPair = dbus.ProxyPair
 
 // Args returns the xdg-dbus-proxy arguments equivalent of [hst.BusConfig].
 //
-//go:linkname Args hakurei.app/internal/system/dbus.Args
+//go:linkname Args hakurei.app/internal/dbus.Args
 func Args(c *hst.BusConfig, bus ProxyPair) (args []string)
 
 // NewConfig returns the address of a new [hst.BusConfig] with optional defaults.
 //
-//go:linkname NewConfig hakurei.app/internal/system/dbus.NewConfig
+//go:linkname NewConfig hakurei.app/internal/dbus.NewConfig
 func NewConfig(id string, defaults, mpris bool) *hst.BusConfig
 
 const (
@@ -89,13 +89,13 @@ const (
 // Address returns the session and system bus addresses copied from environment,
 // or appropriate fallback values if they are not set.
 //
-//go:linkname Address hakurei.app/internal/system/dbus.Address
+//go:linkname Address hakurei.app/internal/dbus.Address
 func Address() (session, system string)
 
 // ProxyName is the file name or path to the proxy program.
 // Overriding ProxyName will only affect Proxy instance created after the change.
 //
-//go:linkname ProxyName hakurei.app/internal/system/dbus.ProxyName
+//go:linkname ProxyName hakurei.app/internal/dbus.ProxyName
 var ProxyName string
 
 // Proxy holds the state of a xdg-dbus-proxy process, and should never be copied.
@@ -106,10 +106,10 @@ type Final = dbus.Final
 
 // Finalise creates a checked argument writer for [Proxy].
 //
-//go:linkname Finalise hakurei.app/internal/system/dbus.Finalise
+//go:linkname Finalise hakurei.app/internal/dbus.Finalise
 func Finalise(sessionBus, systemBus ProxyPair, session, system *hst.BusConfig) (final *Final, err error)
 
 // New returns a new instance of [Proxy].
 //
-//go:linkname New hakurei.app/internal/system/dbus.New
+//go:linkname New hakurei.app/internal/dbus.New
 func New(ctx context.Context, msg message.Msg, final *Final, output io.Writer) *Proxy

system/wayland/deprecated.go

@@ -1,16 +1,133 @@
-// Package wayland exposes the internal/system/wayland package.
+// Package wayland exposes the internal/wayland package.
 //
 // Deprecated: This package will be removed in 0.4.
 package wayland
 
 import (
+	"errors"
+	"net"
+	"os"
+	"runtime"
+	"sync"
+	"syscall"
 	_ "unsafe" // for go:linkname
 
-	"hakurei.app/internal/system/wayland"
+	"hakurei.app/internal/wayland"
 )
 
+//go:linkname bindWaylandFd hakurei.app/internal/wayland.bindWaylandFd
+func bindWaylandFd(socketPath string, fd uintptr, appID, instanceID string, syncFd uintptr) error
+
 // Conn represents a connection to the wayland display server.
-type Conn = wayland.Conn
+//
+// Deprecated: this interface is being replaced.
+// Additionally, the package it belongs to will be removed in 0.4.
+type Conn struct {
+	conn *net.UnixConn
+
+	done     chan struct{}
+	doneOnce sync.Once
+
+	mu sync.Mutex
+}
+
+// Attach connects Conn to a wayland socket.
+func (c *Conn) Attach(p string) (err error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.conn != nil {
+		return errors.New("socket already attached")
+	}
+
+	c.conn, err = net.DialUnix("unix", nil, &net.UnixAddr{Name: p, Net: "unix"})
+	return
+}
+
+// Close releases resources and closes the connection to the wayland compositor.
+func (c *Conn) Close() error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.done == nil {
+		return errors.New("no socket bound")
+	}
+
+	c.doneOnce.Do(func() {
+		c.done <- struct{}{}
+		<-c.done
+	})
+
+	// closed by wayland
+	runtime.SetFinalizer(c.conn, nil)
+	return nil
+}
+
+// Bind binds the new socket to pathname.
+func (c *Conn) Bind(pathname, appID, instanceID string) (*os.File, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.conn == nil {
+		return nil, errors.New("socket not attached")
+	}
+	if c.done != nil {
+		return nil, errors.New("socket already bound")
+	}
+
+	if rc, err := c.conn.SyscallConn(); err != nil {
+		// unreachable
+		return nil, err
+	} else {
+		c.done = make(chan struct{})
+		if closeFds, err := bindRawConn(c.done, rc, pathname, appID, instanceID); err != nil {
+			return nil, err
+		} else {
+			return os.NewFile(uintptr(closeFds[1]), "close_fd"), nil
+		}
+	}
+}
+
+func bindRawConn(done chan struct{}, rc syscall.RawConn, p, appID, instanceID string) ([2]int, error) {
+	var closeFds [2]int
+	if err := syscall.Pipe2(closeFds[0:], syscall.O_CLOEXEC); err != nil {
+		return closeFds, err
+	}
+
+	setupDone := make(chan error, 1) // does not block with c.done
+
+	go func() {
+		if err := rc.Control(func(fd uintptr) {
+			// allow the Bind method to return after setup
+			setupDone <- bind(fd, p, appID, instanceID, uintptr(closeFds[1]))
+			close(setupDone)
+
+			// keep socket alive until done is requested
+			<-done
+		}); err != nil {
+			setupDone <- err
+		}
+
+		// notify Close that rc.Control has returned
+		close(done)
+	}()
+
+	// return write end of the pipe
+	return closeFds, <-setupDone
+}
+
+func bind(fd uintptr, p, appID, instanceID string, syncFd uintptr) error {
+	// ensure p is available
+	if f, err := os.Create(p); err != nil {
+		return err
+	} else if err = f.Close(); err != nil {
+		return err
+	} else if err = os.Remove(p); err != nil {
+		return err
+	}
+
+	return bindWaylandFd(p, fd, appID, instanceID, syncFd)
+}
 
 const (
 	// WaylandDisplay contains the name of the server socket

test/default.nix

@@ -44,7 +44,7 @@ nixosTest {
 
           cd ${self.packages.${system}.hakurei.src}
           ${fhs}/bin/hakurei-fhs -c \
-            'go test ${if withRace then "-race" else "-count 16"} ./...' \
+            'CC="clang -O3 -Werror" go test ${if withRace then "-race" else "-count 16"} ./...' \
             &> /tmp/hakurei-test.log && \
             touch /tmp/hakurei-test-ok
           touch /tmp/hakurei-test-done