security/hakurei
security/hakurei
6
3
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases 9 Wiki Activity

Compare commits

base: security:81430987e7755bc42f438b9b00f8adfca2c81612
Branches Tags
security:master
security:wip-pipewire-native
security:staging
security:develop
security:v0.3.1
security:v0.3.0
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0
..
compare: security:2a6c8ba51b1b89208f1f25ef903b784ac6329cce
Branches Tags
security:wip-pipewire-native
security:staging
security:develop
security:master
security:v0.3.1
security:v0.3.0
security:v0.2.2
security:v0.2.1
security:v0.2.0
security:v0.1.3
security:v0.1.2
security:v0.1.1
security:v0.1.0

2 Commits
81430987e7 ... 2a6c8ba51b

Author SHA1 Message Date
Ophestra
2a6c8ba51b
internal/pipewire: integrate pw_security_context
All checks were successful
Test / Create distribution (pull_request) Successful in 28s
Details
Test / Sandbox (pull_request) Successful in 50s
Details
Test / Hakurei (pull_request) Successful in 1m49s
Details
Test / Hpkg (pull_request) Successful in 2m36s
Details
Test / Sandbox (race detector) (pull_request) Successful in 2m48s
Details
Test / Hakurei (race detector) (pull_request) Successful in 3m36s
Details
Test / Flake checks (pull_request) Successful in 1m33s
Details
Test / Create distribution (push) Successful in 26s
Details
Test / Sandbox (push) Successful in 39s
Details
Test / Sandbox (race detector) (push) Successful in 39s
Details
Test / Hakurei (push) Successful in 43s
Details
Test / Hakurei (race detector) (push) Successful in 43s
Details
Test / Hpkg (push) Successful in 40s
Details
Test / Flake checks (push) Successful in 1m28s
Details 
This is required for securely providing access to PipeWire.

This change has already been manually tested and confirmed to work correctly.

This unfortunately cannot be upstreamed in its current state as libpipewire-0.3 breaks static linking.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-18 22:43:23 +09:00
Ophestra
1f10717480
treewide: drop static linking requirement
All checks were successful
Test / Create distribution (push) Successful in 34s
Details
Test / Sandbox (push) Successful in 2m16s
Details
Test / Hakurei (push) Successful in 3m20s
Details
Test / Hpkg (push) Successful in 4m13s
Details
Test / Sandbox (race detector) (push) Successful in 4m19s
Details
Test / Hakurei (race detector) (push) Successful in 5m10s
Details
Test / Flake checks (push) Successful in 1m26s
Details 
This will likely not be merged, but is required for linking libpipewire-0.3.

This breaks the dist tarball.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-18 22:33:36 +09:00
7 changed files with 30 additions and 84 deletions
Show Stats Expand all files Collapse all files

4
internal/system/wayland.go
View File

@ -3,6 +3,7 @@ package system
import (
"errors"
"fmt"
"os"
"hakurei.app/container/check"
"hakurei.app/hst"
@ -62,6 +63,9 @@ func (w *waylandOp) revert(sys *I, _ *Criteria) error {
if w.ctx != nil {
hangupErr = w.ctx.Close()
}
if err := sys.remove(w.dst.String()); err != nil && !errors.Is(err, os.ErrNotExist) {
removeErr = err
}
return newOpError("wayland", errors.Join(hangupErr, removeErr), true)
}

16
internal/system/wayland_test.go
View File

@ -36,6 +36,21 @@ func TestWaylandOp(t *testing.T) {
call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, stub.UniqueError(2)),
}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(2), os.ErrInvalid)}, nil, nil},
{"remove", 0xbeef, 0xff, &waylandOp{nil,
m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
m("/run/user/1971/wayland-0"),
"org.chromium.Chromium",
"ebf083d1b175911782d413369b64ce7c",
}, []stub.Call{
call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
}, nil, []stub.Call{
call("verbosef", stub.ExpectArgs{"hanging up wayland socket on %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland")}}, nil, nil),
call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, stub.UniqueError(1)),
}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(1)), Revert: true}},
{"success", 0xbeef, 0xff, &waylandOp{nil,
m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
m("/run/user/1971/wayland-0"),
@ -48,6 +63,7 @@ func TestWaylandOp(t *testing.T) {
call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
}, nil, []stub.Call{
call("verbosef", stub.ExpectArgs{"hanging up wayland socket on %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland")}}, nil, nil),
call("remove", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"}, nil, nil),
}, nil},
})

29
internal/wayland/conn.go
View File

@ -12,32 +12,18 @@ import (
type SecurityContext struct {
// Pipe with its write end passed to security-context-v1.
closeFds [2]int
// Absolute pathname the socket was bound to.
bindPath *check.Absolute
}
// Close releases any resources held by [SecurityContext], and prevents further
// connections to its associated socket.
//
// A non-nil error has the concrete type [Error].
func (sc *SecurityContext) Close() error {
if sc == nil || sc.bindPath == nil {
if sc == nil {
return os.ErrInvalid
}
e := Error{RCleanup, sc.bindPath.String(), "", errors.Join(
return errors.Join(
syscall.Close(sc.closeFds[1]),
syscall.Close(sc.closeFds[0]),
// there is still technically a TOCTOU here but this is internal
// and has access to the privileged wayland socket, so it only
// receives trusted input (e.g. from cmd/hakurei) anyway
os.Remove(sc.bindPath.String()),
)}
if e.Errno != nil {
return &e
}
return nil
)
}
// New creates a new security context on the Wayland display at displayPath
@ -65,19 +51,12 @@ func New(displayPath, bindPath *check.Absolute, appID, instanceID string) (*Secu
} else {
closeFds, bindErr := securityContextBindPipe(fd, bindPath, appID, instanceID)
if bindErr != nil {
// securityContextBindPipe does not try to remove the socket during cleanup
closeErr := os.Remove(bindPath.String())
if closeErr != nil && errors.Is(closeErr, os.ErrNotExist) {
closeErr = nil
}
err = errors.Join(bindErr, // already wrapped
closeErr,
// do not leak the socket
syscall.Close(fd),
)
}
return &SecurityContext{closeFds, bindPath}, err
return &SecurityContext{closeFds}, err
}
}

16
internal/wayland/conn_test.go
View File

@ -3,7 +3,6 @@ package wayland
import (
"errors"
"os"
"path"
"reflect"
"syscall"
"testing"
@ -12,18 +11,13 @@ import (
)
func TestSecurityContextClose(t *testing.T) {
// do not parallel: fd test not thread safe
t.Parallel()
if err := (*SecurityContext)(nil).Close(); !reflect.DeepEqual(err, os.ErrInvalid) {
t.Fatalf("Close: error = %v", err)
}
var ctx SecurityContext
if f, err := os.Create(path.Join(t.TempDir(), "remove")); err != nil {
t.Fatal(err)
} else {
ctx.bindPath = check.MustAbs(f.Name())
}
if err := syscall.Pipe2(ctx.closeFds[0:], syscall.O_CLOEXEC); err != nil {
t.Fatalf("Pipe: error = %v", err)
}
@ -31,15 +25,9 @@ func TestSecurityContextClose(t *testing.T) {
if err := ctx.Close(); err != nil {
t.Fatalf("Close: error = %v", err)
} else if _, err = os.Stat(ctx.bindPath.String()); err == nil || !errors.Is(err, os.ErrNotExist) {
t.Fatalf("Did not remove %q", ctx.bindPath)
}
wantErr := &Error{Cause: RCleanup, Path: ctx.bindPath.String(), Errno: errors.Join(syscall.EBADF, syscall.EBADF, &os.PathError{
Op: "remove",
Path: ctx.bindPath.String(),
Err: syscall.ENOENT,
})}
wantErr := errors.Join(syscall.EBADF, syscall.EBADF)
if err := ctx.Close(); !reflect.DeepEqual(err, wantErr) {
t.Fatalf("Close: error = %#v, want %#v", err, wantErr)
}

2
internal/wayland/wayland-client-helper.h
View File

@ -24,8 +24,6 @@ typedef enum {
HAKUREI_WAYLAND_HOST_SOCKET,
/* connect for host server failed, implemented in conn.go */
HAKUREI_WAYLAND_HOST_CONNECT,
/* cleanup failed, implemented in conn.go */
HAKUREI_WAYLAND_CLEANUP,
} hakurei_wayland_res;
hakurei_wayland_res hakurei_security_context_bind(

18
internal/wayland/wayland.go
View File

@ -14,9 +14,7 @@ package wayland
import "C"
import (
"errors"
"os"
"strings"
"syscall"
)
const (
@ -85,9 +83,6 @@ const (
RHostSocket Res = C.HAKUREI_WAYLAND_HOST_SOCKET
// RHostConnect is returned if connect failed for host server. Returned by [New].
RHostConnect Res = C.HAKUREI_WAYLAND_HOST_CONNECT
// RCleanup is returned if cleanup fails. Returned by [SecurityContext.Close].
RCleanup Res = C.HAKUREI_WAYLAND_CLEANUP
)
func (e *Error) Unwrap() error { return e.Errno }
@ -129,19 +124,6 @@ func (e *Error) Error() string {
case RHostConnect:
return e.withPrefix("cannot connect to " + e.Host)
case RCleanup:
var pathError *os.PathError
if errors.As(e.Errno, &pathError) && pathError != nil {
return pathError.Error()
}
var errno syscall.Errno
if errors.As(e.Errno, &errno) && errno != 0 {
return "cannot close wayland close_fd pipe: " + errno.Error()
}
return e.withPrefix("cannot hang up wayland security_context")
default:
return e.withPrefix("impossible outcome") /* not reached */
}

29
internal/wayland/wayland_test.go
View File

@ -58,15 +58,15 @@ func TestError(t *testing.T) {
{"bind", Error{
Cause: RBind,
Path: "/tmp/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland",
Path: "/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland",
Errno: stub.UniqueError(5),
}, "cannot bind /tmp/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland: unique error 5 injected by the test suite"},
}, "cannot bind /hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland: unique error 5 injected by the test suite"},
{"listen", Error{
Cause: RListen,
Path: "/tmp/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland",
Path: "/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland",
Errno: stub.UniqueError(6),
}, "cannot listen on /tmp/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland: unique error 6 injected by the test suite"},
}, "cannot listen on /hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland: unique error 6 injected by the test suite"},
{"socket invalid", Error{
Cause: RSocket,
@ -92,27 +92,6 @@ func TestError(t *testing.T) {
Errno: stub.UniqueError(8),
}, "cannot connect to /run/user/1971/wayland-1: unique error 8 injected by the test suite"},
{"cleanup", Error{
Cause: RCleanup,
Path: "/tmp/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland",
}, "cannot hang up wayland security_context"},
{"cleanup PathError", Error{
Cause: RCleanup,
Path: "/tmp/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland",
Errno: errors.Join(syscall.EINVAL, &os.PathError{
Op: "remove",
Path: "/tmp/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland",
Err: stub.UniqueError(9),
}),
}, "remove /tmp/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland: unique error 9 injected by the test suite"},
{"cleanup errno", Error{
Cause: RCleanup,
Path: "/tmp/hakurei.0/18783d07791f2460dbbcffb76c24c9e6/wayland",
Errno: errors.Join(syscall.EINVAL),
}, "cannot close wayland close_fd pipe: invalid argument"},
{"invalid", Error{
Cause: 0xbad,
}, "impossible outcome"},