security/hakurei
6
3
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

Compare commits

base: security:master
Branches Tags
security:master security:develop security:staging
security:v0.3.3 security:v0.3.2 security:v0.3.1 security:v0.3.0 security:v0.2.2 security:v0.2.1 security:v0.2.0 security:v0.1.3 security:v0.1.2 security:v0.1.1 security:v0.1.0
..
compare: security:df389e239f577f136953acaeb286942e62c878aa
Branches Tags
security:develop security:staging security:master
security:v0.3.3 security:v0.3.2 security:v0.3.1 security:v0.3.0 security:v0.2.2 security:v0.2.1 security:v0.2.0 security:v0.1.3 security:v0.1.2 security:v0.1.1 security:v0.1.0

2 Commits
master ... df389e239f

Author SHA1 Message Date
Ophestra
df389e239f internal/pipewire: integrate pw_security_context
All checks were successful
Test / Create distribution (push) Successful in 41s
Details
Test / Create distribution (pull_request) Successful in 36s
Details
Test / Sandbox (pull_request) Successful in 2m28s
Details
Test / Sandbox (push) Successful in 2m36s
Details
Test / Hakurei (push) Successful in 3m21s
Details
Test / Hakurei (pull_request) Successful in 3m15s
Details
Test / Hpkg (pull_request) Successful in 4m6s
Details
Test / Hpkg (push) Successful in 4m16s
Details
Test / Sandbox (race detector) (push) Successful in 4m35s
Details
Test / Sandbox (race detector) (pull_request) Successful in 4m31s
Details
Test / Hakurei (race detector) (push) Successful in 5m12s
Details
Test / Hakurei (race detector) (pull_request) Successful in 5m10s
Details
Test / Flake checks (push) Successful in 1m36s
Details
Test / Flake checks (pull_request) Successful in 1m37s
Details 
This is required for securely providing access to PipeWire.

This change has already been manually tested and confirmed to work correctly.

This unfortunately cannot be upstreamed in its current state as libpipewire-0.3 breaks static linking.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-19 06:56:32 +09:00
Ophestra
5af08cb9bf treewide: drop static linking requirement 
This will likely not be merged, but is required for linking libpipewire-0.3.

This breaks the dist tarball.

Signed-off-by: Ophestra <cat@gensokyo.uk>
 2025-11-19 06:37:30 +09:00
109 changed files with 1085 additions and 8436 deletions
Expand all files Collapse all files

1
.gitea/workflows/test.yml
View File

@@ -2,6 +2,7 @@ name: Test
on:
- push
- pull_request
jobs:
hakurei:

10
cmd/hakurei/command.go
View File

@@ -91,7 +91,7 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
flagPrivateRuntime, flagPrivateTmpdir bool
flagWayland, flagX11, flagDBus, flagPipeWire, flagPulse bool
flagWayland, flagX11, flagDBus, flagPulse bool
)
c.NewCommand("run", "Configure and start a permissive container", func(args []string) error {
@@ -146,8 +146,8 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
if flagDBus {
et |= hst.EDBus
}
if flagPipeWire || flagPulse {
et |= hst.EPipeWire
if flagPulse {
et |= hst.EPulse
}
config := &hst.Config{
@@ -297,10 +297,8 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
"Enable direct connection to X11").
Flag(&flagDBus, "dbus", command.BoolFlag(false),
"Enable proxied connection to D-Bus").
Flag(&flagPipeWire, "pipewire", command.BoolFlag(false),
"Enable connection to PipeWire via SecurityContext").
Flag(&flagPulse, "pulse", command.BoolFlag(false),
"Enable PulseAudio compatibility daemon")
"Enable direct connection to PulseAudio")
}
{

6
cmd/hakurei/command_test.go
View File

@@ -36,7 +36,7 @@ Commands:
},
{
"run", []string{"run", "-h"}, `
Usage: hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
Usage: hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pulse] COMMAND [OPTIONS]
Flags:
-X Enable direct connection to X11
@@ -58,14 +58,12 @@ Flags:
Reverse-DNS style Application identifier, leave empty to inherit instance identifier
-mpris
Allow owning MPRIS D-Bus path, has no effect if custom config is available
-pipewire
Enable connection to PipeWire via SecurityContext
-private-runtime
Do not share XDG_RUNTIME_DIR between containers under the same identity
-private-tmpdir
Do not share TMPDIR between containers under the same identity
-pulse
Enable PulseAudio compatibility daemon
Enable direct connection to PulseAudio
-u string
Passwd user name within sandbox (default "chronos")
-wayland

2
cmd/hakurei/print.go
View File

@@ -28,12 +28,12 @@ func printShowSystem(output io.Writer, short, flagJSON bool) {
return
}
t.Printf("Version:\t%s (libwayland %s)\n", hi.Version, hi.WaylandVersion)
t.Printf("User:\t%d\n", hi.User)
t.Printf("TempDir:\t%s\n", hi.TempDir)
t.Printf("SharePath:\t%s\n", hi.SharePath)
t.Printf("RuntimePath:\t%s\n", hi.RuntimePath)
t.Printf("RunDirPath:\t%s\n", hi.RunDirPath)
t.Printf("Version:\t%s (libwayland %s) (pipewire %s)\n", hi.Version, hi.WaylandVersion, hi.PipeWireVersion)
}
// printShowInstance writes a representation of [hst.State] or [hst.Config] to output.

14
cmd/hakurei/print_test.go
View File

@@ -32,7 +32,7 @@ var (
PID: 0xbeef,
ShimPID: 0xcafe,
Config: &hst.Config{
Enablements: hst.NewEnablements(hst.EWayland | hst.EPipeWire),
Enablements: hst.NewEnablements(hst.EWayland | hst.EPulse),
Identity: 1,
Container: &hst.ContainerConfig{
Shell: check.MustAbs("/bin/sh"),
@@ -62,7 +62,7 @@ func TestPrintShowInstance(t *testing.T) {
{"nil", nil, nil, false, false, "Error: invalid configuration!\n\n", false},
{"config", nil, hst.Template(), false, false, `App
Identity: 9 (org.chromium.Chromium)
Enablements: wayland, dbus, pipewire
Enablements: wayland, dbus, pulseaudio
Groups: video, dialout, plugdev
Flags: multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
Home: /data/data/org.chromium.Chromium
@@ -159,7 +159,7 @@ Session bus
App
Identity: 9 (org.chromium.Chromium)
Enablements: wayland, dbus, pipewire
Enablements: wayland, dbus, pulseaudio
Groups: video, dialout, plugdev
Flags: multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
Home: /data/data/org.chromium.Chromium
@@ -215,7 +215,7 @@ App
"enablements": {
"wayland": true,
"dbus": true,
"pipewire": true
"pulse": true
},
"session_bus": {
"see": null,
@@ -366,7 +366,7 @@ App
"enablements": {
"wayland": true,
"dbus": true,
"pipewire": true
"pulse": true
},
"session_bus": {
"see": null,
@@ -564,7 +564,7 @@ func TestPrintPs(t *testing.T) {
"enablements": {
"wayland": true,
"dbus": true,
"pipewire": true
"pulse": true
},
"session_bus": {
"see": null,
@@ -715,7 +715,7 @@ func TestPrintPs(t *testing.T) {
"shim_pid": 51966,
"enablements": {
"wayland": true,
"pipewire": true
"pulse": true
},
"identity": 1,
"groups": null,

4
cmd/hpkg/build.nix
View File

@@ -45,7 +45,7 @@
allow_wayland ? true,
allow_x11 ? false,
allow_dbus ? true,
allow_audio ? true,
allow_pulse ? true,
gpu ? allow_wayland || allow_x11,
}:
@@ -175,7 +175,7 @@ let
wayland = allow_wayland;
x11 = allow_x11;
dbus = allow_dbus;
pipewire = allow_audio;
pulse = allow_pulse;
};
mesa = if gpu then mesaWrappers else null;

4
cmd/hpkg/test/default.nix
View File

@@ -1,5 +1,5 @@
{
testers,
nixosTest,
callPackage,
system,
@@ -8,7 +8,7 @@
let
buildPackage = self.buildPackage.${system};
in
testers.nixosTest {
nixosTest {
name = "hpkg";
nodes.machine = {
environment.etc = {

8
cmd/hpkg/test/test.py
View File

@@ -90,13 +90,13 @@ wait_for_window("hakurei@machine-foot")
machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
machine.wait_for_file("/tmp/hakurei.0/tmpdir/2/success-client")
collect_state_ui("app_wayland")
check_state("foot", {"wayland": True, "dbus": True, "pipewire": True})
check_state("foot", {"wayland": True, "dbus": True, "pulse": True})
# Verify acl on XDG_RUNTIME_DIR:
print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002"))
print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002"))
machine.send_chars("exit\n")
machine.wait_until_fails("pgrep foot")
# Verify acl cleanup on XDG_RUNTIME_DIR:
machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002")
machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002")
# Exit Sway and verify process exit status 0:
swaymsg("exit", succeed=False)
@@ -107,4 +107,4 @@ print(machine.succeed("find /tmp/hakurei.0 "
+ "-path '/tmp/hakurei.0/runtime/*/*' -prune -o "
+ "-path '/tmp/hakurei.0/tmpdir/*/*' -prune -o "
+ "-print"))
print(machine.fail("ls /run/user/1000/hakurei"))
print(machine.succeed("find /run/user/1000/hakurei"))

1
container/autoetc.go
View File

@@ -59,7 +59,6 @@ func (e *AutoEtcOp) apply(state *setupState, k syscallDispatcher) error {
return nil
}
func (e *AutoEtcOp) late(*setupState, syscallDispatcher) error { return nil }
func (e *AutoEtcOp) hostPath() *check.Absolute { return fhs.AbsEtc.Append(e.hostRel()) }
func (e *AutoEtcOp) hostRel() string { return ".host/" + e.Prefix }

1
container/autoroot.go
View File

@@ -69,7 +69,6 @@ func (r *AutoRootOp) apply(state *setupState, k syscallDispatcher) error {
}
return nil
}
func (r *AutoRootOp) late(*setupState, syscallDispatcher) error { return nil }
func (r *AutoRootOp) Is(op Op) bool {
vr, ok := op.(*AutoRootOp)

2
container/autoroot_test.go
View File

@@ -202,7 +202,7 @@ func TestIsAutoRootBindable(t *testing.T) {
t.Parallel()
var msg message.Msg
if tc.log {
msg = &kstub{nil, nil, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { panic("unreachable") }, stub.Expect{Calls: []stub.Call{
msg = &kstub{nil, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { panic("unreachable") }, stub.Expect{Calls: []stub.Call{
call("verbose", stub.ExpectArgs{[]any{"got unexpected root entry"}}, nil, nil),
}})}
}

23
container/dispatcher_test.go
View File

@@ -162,8 +162,7 @@ func checkSimple(t *testing.T, fname string, testCases []simpleTestCase) {
t.Parallel()
wait4signal := make(chan struct{})
lockNotify := make(chan struct{})
k := &kstub{wait4signal, lockNotify, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{wait4signal, lockNotify, s} }, tc.want)}
k := &kstub{wait4signal, stub.New(t, func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{wait4signal, s} }, tc.want)}
defer stub.HandleExit(t)
if err := tc.f(k); !reflect.DeepEqual(err, tc.wantErr) {
t.Errorf("%s: error = %v, want %v", fname, err, tc.wantErr)
@@ -201,8 +200,8 @@ func checkOpBehaviour(t *testing.T, testCases []opBehaviourTestCase) {
t.Helper()
t.Parallel()
k := &kstub{nil, nil, stub.New(t,
func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{nil, nil, s} },
k := &kstub{nil, stub.New(t,
func(s *stub.Stub[syscallDispatcher]) syscallDispatcher { return &kstub{nil, s} },
stub.Expect{Calls: slices.Concat(tc.early, []stub.Call{{Name: stub.CallSeparator}}, tc.apply)},
)}
state := &setupState{Params: tc.params, Msg: k}
@@ -323,19 +322,12 @@ const (
type kstub struct {
wait4signal chan struct{}
lockNotify chan struct{}
*stub.Stub[syscallDispatcher]
}
func (k *kstub) new(f func(k syscallDispatcher)) { k.Helper(); k.New(f) }
func (k *kstub) lockOSThread() {
k.Helper()
expect := k.Expects("lockOSThread")
if k.lockNotify != nil && expect.Ret == magicWait4Signal {
<-k.lockNotify
}
}
func (k *kstub) lockOSThread() { k.Helper(); k.Expects("lockOSThread") }
func (k *kstub) setPtracer(pid uintptr) error {
k.Helper()
@@ -480,10 +472,6 @@ func (k *kstub) notify(c chan<- os.Signal, sig ...os.Signal) {
k.FailNow()
}
if k.lockNotify != nil && expect.Ret == magicWait4Signal {
defer close(k.lockNotify)
}
// export channel for external instrumentation
if chanf, ok := expect.Args[0].(func(c chan<- os.Signal)); ok && chanf != nil {
chanf(c)
@@ -771,8 +759,7 @@ func (k *kstub) checkMsg(msg message.Msg) {
}
func (k *kstub) GetLogger() *log.Logger { panic("unreachable") }
func (k *kstub) IsVerbose() bool { k.Helper(); return k.Expects("isVerbose").Ret.(bool) }
func (k *kstub) IsVerbose() bool { panic("unreachable") }
func (k *kstub) SwapVerbose(verbose bool) bool {
k.Helper()

35
container/errors.go
View File

@@ -7,36 +7,31 @@ import (
"hakurei.app/container/check"
"hakurei.app/container/vfs"
"hakurei.app/message"
)
// messageFromError returns a printable error message for a supported concrete type.
func messageFromError(err error) (m string, ok bool) {
if m, ok = messagePrefixP[MountError]("cannot ", err); ok {
return
func messageFromError(err error) (string, bool) {
if m, ok := messagePrefixP[MountError]("cannot ", err); ok {
return m, ok
}
if m, ok = messagePrefixP[os.PathError]("cannot ", err); ok {
return
if m, ok := messagePrefixP[os.PathError]("cannot ", err); ok {
return m, ok
}
if m, ok = messagePrefixP[check.AbsoluteError](zeroString, err); ok {
return
if m, ok := messagePrefixP[check.AbsoluteError]("", err); ok {
return m, ok
}
if m, ok = messagePrefix[OpRepeatError](zeroString, err); ok {
return
if m, ok := messagePrefix[OpRepeatError]("", err); ok {
return m, ok
}
if m, ok = messagePrefix[OpStateError](zeroString, err); ok {
return
if m, ok := messagePrefix[OpStateError]("", err); ok {
return m, ok
}
if m, ok = messagePrefixP[vfs.DecoderError]("cannot ", err); ok {
return
if m, ok := messagePrefixP[vfs.DecoderError]("cannot ", err); ok {
return m, ok
}
if m, ok = messagePrefix[TmpfsSizeError](zeroString, err); ok {
return
}
if m, ok = message.GetMessage(err); ok {
return
if m, ok := messagePrefix[TmpfsSizeError]("", err); ok {
return m, ok
}
return zeroString, false

196
container/init.go
View File

@@ -1,7 +1,6 @@
package container
import (
"context"
"errors"
"fmt"
"log"
@@ -10,8 +9,6 @@ import (
"path"
"slices"
"strconv"
"sync"
"sync/atomic"
. "syscall"
"time"
@@ -21,28 +18,24 @@ import (
)
const (
/* intermediateHostPath is the pathname of the intermediate tmpfs mount point.
/* intermediate tmpfs mount point
This path might seem like a weird choice, however there are many good reasons to use it:
- The contents of this path is never exposed to the container:
The tmpfs root established here effectively becomes anonymous after pivot_root.
- It is safe to assume this path exists and is a directory:
This program will not work correctly without a proper /proc and neither will most others.
- This path belongs to the container init:
The container init is not any more privileged or trusted than the rest of the container.
- This path is only accessible by init and root:
The container init sets SUID_DUMP_DISABLE and terminates if that fails.
this path might seem like a weird choice, however there are many good reasons to use it:
- the contents of this path is never exposed to the container:
the tmpfs root established here effectively becomes anonymous after pivot_root
- it is safe to assume this path exists and is a directory:
this program will not work correctly without a proper /proc and neither will most others
- this path belongs to the container init:
the container init is not any more privileged or trusted than the rest of the container
- this path is only accessible by init and root:
the container init sets SUID_DUMP_DISABLE and terminates if that fails;
It should be noted that none of this should become relevant at any point since the resulting
intermediate root tmpfs should be effectively anonymous. */
it should be noted that none of this should become relevant at any point since the resulting
intermediate root tmpfs should be effectively anonymous */
intermediateHostPath = fhs.Proc + "self/fd"
// setupEnv is the name of the environment variable holding the string representation of
// the read end file descriptor of the setup params pipe.
// setup params file descriptor
setupEnv = "HAKUREI_SETUP"
// exitUnexpectedWait4 is the exit code if wait4 returns an unexpected errno.
exitUnexpectedWait4 = 2
)
type (
@@ -56,8 +49,6 @@ type (
early(state *setupState, k syscallDispatcher) error
// apply is called in intermediate root.
apply(state *setupState, k syscallDispatcher) error
// late is called right before starting the initial process.
late(state *setupState, k syscallDispatcher) error
// prefix returns a log message prefix, and whether this Op prints no identifying message on its own.
prefix() (string, bool)
@@ -70,29 +61,11 @@ type (
// setupState persists context between Ops.
setupState struct {
nonrepeatable uintptr
// Whether early reaping has concluded. Must only be accessed in the wait4 loop.
processConcluded bool
// Process to syscall.WaitStatus populated in the wait4 loop. Freed after early reaping concludes.
process map[int]WaitStatus
// Synchronises access to process.
processMu sync.RWMutex
*Params
context.Context
message.Msg
}
)
// terminated returns whether the specified pid has been reaped, and its
// syscall.WaitStatus if it had. This is only usable by [Op].
func (state *setupState) terminated(pid int) (wstatus WaitStatus, ok bool) {
state.processMu.RLock()
wstatus, ok = state.process[pid]
state.processMu.RUnlock()
return
}
// Grow grows the slice Ops points to using [slices.Grow].
func (f *Ops) Grow(n int) { *f = slices.Grow(*f, n) }
@@ -207,9 +180,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
k.fatalf(msg, "cannot make / rslave: %v", optionalErrorUnwrap(err))
}
ctx, cancel := context.WithCancel(context.Background())
state := &setupState{process: make(map[int]WaitStatus), Params: &params.Params, Msg: msg, Context: ctx}
defer cancel()
state := &setupState{Params: &params.Params, Msg: msg}
/* early is called right before pivot_root into intermediate root;
this step is mostly for gathering information that would otherwise be difficult to obtain
@@ -359,97 +330,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
}
k.umask(oldmask)
// winfo represents an exited process from wait4.
type winfo struct {
wpid int
wstatus WaitStatus
}
// info is closed as the wait4 thread terminates
// when there are no longer any processes left to reap
info := make(chan winfo, 1)
// whether initial process has started
var initialProcessStarted atomic.Bool
k.new(func(k syscallDispatcher) {
k.lockOSThread()
wait4:
var (
err error
wpid = -2
wstatus WaitStatus
// whether initial process has started
started bool
)
// keep going until no child process is left
for wpid != -1 {
if err != nil {
break
}
if wpid != -2 {
if !state.processConcluded {
state.processMu.Lock()
if state.process == nil {
// early reaping has already concluded at this point
state.processConcluded = true
info <- winfo{wpid, wstatus}
} else {
// initial process has not yet been created, and the
// info channel is not yet being received from
state.process[wpid] = wstatus
}
state.processMu.Unlock()
} else {
info <- winfo{wpid, wstatus}
}
}
if !started {
started = initialProcessStarted.Load()
}
err = EINTR
for errors.Is(err, EINTR) {
wpid, err = k.wait4(-1, &wstatus, 0, nil)
}
}
if !errors.Is(err, ECHILD) {
k.printf(msg, "unexpected wait4 response: %v", err)
} else if !started {
// initial process has not yet been reached and all daemons
// terminated or none were started in the first place
time.Sleep(500 * time.Microsecond)
goto wait4
}
close(info)
})
// called right before startup of initial process, all state changes to the
// current process is prohibited during late
for i, op := range *params.Ops {
// ops already checked during early setup
if err := op.late(state, k); err != nil {
if m, ok := messageFromError(err); ok {
k.fatal(msg, m)
} else if errors.Is(err, context.DeadlineExceeded) {
k.fatalf(msg, "%s deadline exceeded", op.String())
} else {
k.fatalf(msg, "cannot complete op at index %d: %v", i, err)
}
}
}
// early reaping has concluded, this must happen before initial process is created
state.processMu.Lock()
state.process = nil
state.processMu.Unlock()
if err := closeSetup(); err != nil {
k.fatalf(msg, "cannot close setup pipe: %v", err)
}
@@ -461,11 +341,50 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
cmd.ExtraFiles = extraFiles
cmd.Dir = params.Dir.String()
msg.Verbosef("starting initial process %s", params.Path)
msg.Verbosef("starting initial program %s", params.Path)
if err := k.start(cmd); err != nil {
k.fatalf(msg, "%v", err)
}
initialProcessStarted.Store(true)
type winfo struct {
wpid int
wstatus WaitStatus
}
// info is closed as the wait4 thread terminates
// when there are no longer any processes left to reap
info := make(chan winfo, 1)
k.new(func(k syscallDispatcher) {
k.lockOSThread()
var (
err error
wpid = -2
wstatus WaitStatus
)
// keep going until no child process is left
for wpid != -1 {
if err != nil {
break
}
if wpid != -2 {
info <- winfo{wpid, wstatus}
}
err = EINTR
for errors.Is(err, EINTR) {
wpid, err = k.wait4(-1, &wstatus, 0, nil)
}
}
if !errors.Is(err, ECHILD) {
k.printf(msg, "unexpected wait4 response: %v", err)
}
close(info)
})
// handle signals to dump withheld messages
sig := make(chan os.Signal, 2)
@@ -475,7 +394,7 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
// closed after residualProcessTimeout has elapsed after initial process death
timeout := make(chan struct{})
r := exitUnexpectedWait4
r := 2
for {
select {
case s := <-sig:
@@ -507,9 +426,6 @@ func initEntrypoint(k syscallDispatcher, msg message.Msg) {
}
if w.wpid == cmd.Process.Pid {
// cancel Op context early
cancel()
// start timeout early
go func() { time.Sleep(params.AdoptWaitDelay); close(timeout) }()

51
container/init_test.go
View File

@@ -1983,20 +1983,11 @@ func TestInitEntrypoint(t *testing.T) {
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
call("umask", stub.ExpectArgs{022}, 0, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(13)}}, nil, nil),
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, nil, stub.UniqueError(12)),
call("fatalf", stub.ExpectArgs{"%v", []any{stub.UniqueError(12)}}, nil, nil),
},
/* wait4 */
Tracks: []stub.Expect{{Calls: []stub.Call{
call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
call("wait4", stub.ExpectArgs{-1, nil, 0, nil, stub.PanicExit}, 0, syscall.ECHILD),
}}},
}, nil},
{"lowlastcap signaled cancel forward error", func(k *kstub) error { initEntrypoint(k, k); return nil }, stub.Expect{
@@ -2071,11 +2062,11 @@ func TestInitEntrypoint(t *testing.T) {
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
call("umask", stub.ExpectArgs{022}, 0, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(10)}}, nil, nil),
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- CancelSignal }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- CancelSignal }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
call("verbose", stub.ExpectArgs{[]any{"forwarding context cancellation"}}, nil, nil),
// magicWait4Signal as ret causes wait4 stub to unblock
call("signal", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent", os.Interrupt}, magicWait4Signal, stub.UniqueError(9)),
@@ -2090,7 +2081,7 @@ func TestInitEntrypoint(t *testing.T) {
/* wait4 */
Tracks: []stub.Expect{{Calls: []stub.Call{
call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
// magicWait4Signal as args[4] causes this to block until simulated signal is delivered
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil, magicWait4Signal}, 0xbad, nil),
@@ -2171,11 +2162,11 @@ func TestInitEntrypoint(t *testing.T) {
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
call("umask", stub.ExpectArgs{022}, 0, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(7)}}, nil, nil),
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- syscall.SIGQUIT }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- syscall.SIGQUIT }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
call("verbosef", stub.ExpectArgs{"got %s, forwarding to initial process", []any{"quit"}}, nil, nil),
// magicWait4Signal as ret causes wait4 stub to unblock
call("signal", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent", syscall.SIGQUIT}, magicWait4Signal, stub.UniqueError(0xfe)),
@@ -2190,7 +2181,7 @@ func TestInitEntrypoint(t *testing.T) {
/* wait4 */
Tracks: []stub.Expect{{Calls: []stub.Call{
call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
// magicWait4Signal as args[4] causes this to block until simulated signal is delivered
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil, magicWait4Signal}, 0xbad, nil),
@@ -2271,11 +2262,11 @@ func TestInitEntrypoint(t *testing.T) {
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
call("umask", stub.ExpectArgs{022}, 0, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(7)}}, nil, nil),
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- os.Interrupt }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("notify", stub.ExpectArgs{func(c chan<- os.Signal) { c <- os.Interrupt }, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
call("verbosef", stub.ExpectArgs{"got %s", []any{"interrupt"}}, nil, nil),
call("beforeExit", stub.ExpectArgs{}, nil, nil),
call("exit", stub.ExpectArgs{0}, nil, nil),
@@ -2283,7 +2274,7 @@ func TestInitEntrypoint(t *testing.T) {
/* wait4 */
Tracks: []stub.Expect{{Calls: []stub.Call{
call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
call("wait4", stub.ExpectArgs{-1, nil, 0, nil, stub.PanicExit}, 0, syscall.ECHILD),
@@ -2362,11 +2353,11 @@ func TestInitEntrypoint(t *testing.T) {
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
call("umask", stub.ExpectArgs{022}, 0, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(5)}}, nil, nil),
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
call("verbosef", stub.ExpectArgs{"initial process exited with signal %s", []any{syscall.Signal(0x4e)}}, nil, nil),
@@ -2377,7 +2368,7 @@ func TestInitEntrypoint(t *testing.T) {
/* wait4 */
Tracks: []stub.Expect{{Calls: []stub.Call{
call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
call("wait4", stub.ExpectArgs{-1, syscall.WaitStatus(0xfade01ce), 0, nil}, 0xbad, nil),
// this terminates the goroutine at the call, preventing it from leaking while preserving behaviour
@@ -2457,11 +2448,11 @@ func TestInitEntrypoint(t *testing.T) {
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
call("umask", stub.ExpectArgs{022}, 0, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(3)}}, nil, nil),
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
call("verbosef", stub.ExpectArgs{"initial process exited with signal %s", []any{syscall.Signal(0x4e)}}, nil, nil),
@@ -2471,7 +2462,7 @@ func TestInitEntrypoint(t *testing.T) {
/* wait4 */
Tracks: []stub.Expect{{Calls: []stub.Call{
call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
@@ -2595,11 +2586,11 @@ func TestInitEntrypoint(t *testing.T) {
call("newFile", stub.ExpectArgs{uintptr(0x3a), "extra file 0"}, (*os.File)(nil), nil),
call("newFile", stub.ExpectArgs{uintptr(0x3b), "extra file 1"}, (*os.File)(nil), nil),
call("umask", stub.ExpectArgs{022}, 0, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(1)}}, nil, nil),
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/run/current-system/sw/bin/bash")}}, nil, nil),
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/bash", []string{"bash", "-c", "false"}, ([]string)(nil), "/.hakurei/nonexistent"}, &os.Process{Pid: 0xbad}, nil),
call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
call("verbosef", stub.ExpectArgs{"initial process exited with code %d", []any{1}}, nil, nil),
@@ -2609,7 +2600,7 @@ func TestInitEntrypoint(t *testing.T) {
/* wait4 */
Tracks: []stub.Expect{{Calls: []stub.Call{
call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
@@ -2737,11 +2728,11 @@ func TestInitEntrypoint(t *testing.T) {
call("newFile", stub.ExpectArgs{uintptr(11), "extra file 1"}, (*os.File)(nil), nil),
call("newFile", stub.ExpectArgs{uintptr(12), "extra file 2"}, (*os.File)(nil), nil),
call("umask", stub.ExpectArgs{022}, 0, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("fatalf", stub.ExpectArgs{"cannot close setup pipe: %v", []any{stub.UniqueError(0)}}, nil, nil),
call("verbosef", stub.ExpectArgs{"starting initial program %s", []any{check.MustAbs("/bin/zsh")}}, nil, nil),
call("start", stub.ExpectArgs{"/bin/zsh", []string{"zsh", "-c", "exec vim"}, []string{"DISPLAY=:0"}, "/.hakurei"}, &os.Process{Pid: 0xcafe}, nil),
call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, magicWait4Signal, nil),
call("New", stub.ExpectArgs{}, nil, nil),
call("notify", stub.ExpectArgs{nil, []os.Signal{CancelSignal, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT}}, nil, nil),
call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
call("verbose", stub.ExpectArgs{[]any{os.ErrInvalid.Error()}}, nil, nil),
@@ -2752,7 +2743,7 @@ func TestInitEntrypoint(t *testing.T) {
/* wait4 */
Tracks: []stub.Expect{{Calls: []stub.Call{
call("lockOSThread", stub.ExpectArgs{}, magicWait4Signal, nil),
call("lockOSThread", stub.ExpectArgs{}, nil, nil),
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),
call("wait4", stub.ExpectArgs{-1, nil, 0, nil}, 0, syscall.EINTR),

1
container/initbind.go
View File

@@ -90,7 +90,6 @@ func (b *BindMountOp) apply(state *setupState, k syscallDispatcher) error {
}
return k.bindMount(state, source, target, flags)
}
func (b *BindMountOp) late(*setupState, syscallDispatcher) error { return nil }
func (b *BindMountOp) Is(op Op) bool {
vb, ok := op.(*BindMountOp)

134
container/initdaemon.go
View File

@@ -1,134 +0,0 @@
package container
import (
"context"
"encoding/gob"
"errors"
"fmt"
"os"
"os/exec"
"slices"
"strconv"
"syscall"
"time"
"hakurei.app/container/check"
"hakurei.app/container/fhs"
)
func init() { gob.Register(new(DaemonOp)) }
const (
// daemonTimeout is the duration a [DaemonOp] is allowed to block before the
// [DaemonOp.Target] marker becomes available.
daemonTimeout = 5 * time.Second
)
// Daemon appends an [Op] that starts a daemon in the container and blocks until
// [DaemonOp.Target] appears.
func (f *Ops) Daemon(target, path *check.Absolute, args ...string) *Ops {
*f = append(*f, &DaemonOp{target, path, args})
return f
}
// DaemonOp starts a daemon in the container and blocks until Target appears.
type DaemonOp struct {
// Pathname indicating readiness of daemon.
Target *check.Absolute
// Absolute pathname passed to [exec.Cmd].
Path *check.Absolute
// Arguments (excl. first) passed to [exec.Cmd].
Args []string
}
// earlyTerminationError is returned by [DaemonOp] when a daemon terminates
// before [DaemonOp.Target] appears.
type earlyTerminationError struct {
// Returned by [DaemonOp.String].
op string
// Copied from wait4 loop.
wstatus syscall.WaitStatus
}
func (e *earlyTerminationError) Error() string {
res := ""
switch {
case e.wstatus.Exited():
res = "exit status " + strconv.Itoa(e.wstatus.ExitStatus())
case e.wstatus.Signaled():
res = "signal: " + e.wstatus.Signal().String()
case e.wstatus.Stopped():
res = "stop signal: " + e.wstatus.StopSignal().String()
if e.wstatus.StopSignal() == syscall.SIGTRAP && e.wstatus.TrapCause() != 0 {
res += " (trap " + strconv.Itoa(e.wstatus.TrapCause()) + ")"
}
case e.wstatus.Continued():
res = "continued"
}
if e.wstatus.CoreDump() {
res += " (core dumped)"
}
return res
}
func (e *earlyTerminationError) Message() string { return e.op + " " + e.Error() }
func (d *DaemonOp) Valid() bool { return d != nil && d.Target != nil && d.Path != nil }
func (d *DaemonOp) early(*setupState, syscallDispatcher) error { return nil }
func (d *DaemonOp) apply(*setupState, syscallDispatcher) error { return nil }
func (d *DaemonOp) late(state *setupState, k syscallDispatcher) error {
cmd := exec.CommandContext(state.Context, d.Path.String(), d.Args...)
cmd.Env = state.Env
cmd.Dir = fhs.Root
if state.IsVerbose() {
cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
}
// WaitDelay: left unset because lifetime is bound by AdoptWaitDelay on cancellation
cmd.Cancel = func() error { return cmd.Process.Signal(syscall.SIGTERM) }
state.Verbosef("starting %s", d.String())
if err := k.start(cmd); err != nil {
return err
}
deadline := time.Now().Add(daemonTimeout)
var wstatusErr error
for {
if _, err := k.stat(d.Target.String()); err != nil {
if !errors.Is(err, os.ErrNotExist) {
_ = k.signal(cmd, os.Kill)
return err
}
if time.Now().After(deadline) {
_ = k.signal(cmd, os.Kill)
return context.DeadlineExceeded
}
if wstatusErr != nil {
return wstatusErr
}
if wstatus, ok := state.terminated(cmd.Process.Pid); ok {
// check once again: process could have satisfied Target between stat and the lookup
wstatusErr = &earlyTerminationError{d.String(), wstatus}
continue
}
time.Sleep(500 * time.Microsecond)
continue
}
state.Verbosef("daemon process %d ready", cmd.Process.Pid)
return nil
}
}
func (d *DaemonOp) Is(op Op) bool {
vd, ok := op.(*DaemonOp)
return ok && d.Valid() && vd.Valid() &&
d.Target.Is(vd.Target) && d.Path.Is(vd.Path) &&
slices.Equal(d.Args, vd.Args)
}
func (*DaemonOp) prefix() (string, bool) { return zeroString, false }
func (d *DaemonOp) String() string { return fmt.Sprintf("daemon providing %q", d.Target) }

127
container/initdaemon_test.go
View File

@@ -1,127 +0,0 @@
package container
import (
"os"
"testing"
"hakurei.app/container/check"
"hakurei.app/container/stub"
"hakurei.app/message"
)
func TestEarlyTerminationError(t *testing.T) {
t.Parallel()
testCases := []struct {
name string
err error
want string
msg string
}{
{"exited", &earlyTerminationError{
`daemon providing "/run/user/1971/pulse/native"`, 127 << 8,
}, "exit status 127", `daemon providing "/run/user/1971/pulse/native" exit status 127`},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
if got := tc.err.Error(); got != tc.want {
t.Errorf("Error: %q, want %q", got, tc.want)
}
if got := tc.err.(message.Error).Message(); got != tc.msg {
t.Errorf("Message: %s, want %s", got, tc.msg)
}
})
}
}
func TestDaemonOp(t *testing.T) {
t.Parallel()
checkSimple(t, "DaemonOp.late", []simpleTestCase{
{"success", func(k *kstub) error {
state := setupState{Params: &Params{Env: []string{"\x00"}}, Context: t.Context(), Msg: k}
return (&DaemonOp{
Target: check.MustAbs("/run/user/1971/pulse/native"),
Path: check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
Args: []string{"-v"},
}).late(&state, k)
}, stub.Expect{Calls: []stub.Call{
call("isVerbose", stub.ExpectArgs{}, true, nil),
call("verbosef", stub.ExpectArgs{"starting %s", []any{`daemon providing "/run/user/1971/pulse/native"`}}, nil, nil),
call("start", stub.ExpectArgs{"/run/current-system/sw/bin/pipewire-pulse", []string{"/run/current-system/sw/bin/pipewire-pulse", "-v"}, []string{"\x00"}, "/"}, &os.Process{Pid: 0xcafe}, nil),
call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), os.ErrNotExist),
call("stat", stub.ExpectArgs{"/run/user/1971/pulse/native"}, isDirFi(false), nil),
call("verbosef", stub.ExpectArgs{"daemon process %d ready", []any{0xcafe}}, nil, nil),
}}, nil},
})
checkOpsValid(t, []opValidTestCase{
{"nil", (*DaemonOp)(nil), false},
{"zero", new(DaemonOp), false},
{"valid", &DaemonOp{
Target: check.MustAbs("/run/user/1971/pulse/native"),
Path: check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
Args: []string{"-v"},
}, true},
})
checkOpsBuilder(t, []opsBuilderTestCase{
{"pipewire-pulse", new(Ops).Daemon(
check.MustAbs("/run/user/1971/pulse/native"),
check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"), "-v",
), Ops{
&DaemonOp{
Target: check.MustAbs("/run/user/1971/pulse/native"),
Path: check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
Args: []string{"-v"},
},
}},
})
checkOpIs(t, []opIsTestCase{
{"zero", new(DaemonOp), new(DaemonOp), false},
{"args differs", &DaemonOp{
Target: check.MustAbs("/run/user/1971/pulse/native"),
Path: check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
Args: []string{"-v"},
}, &DaemonOp{
Target: check.MustAbs("/run/user/1971/pulse/native"),
Path: check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
}, false},
{"path differs", &DaemonOp{
Target: check.MustAbs("/run/user/1971/pulse/native"),
Path: check.MustAbs("/run/current-system/sw/bin/pipewire"),
}, &DaemonOp{
Target: check.MustAbs("/run/user/1971/pulse/native"),
Path: check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
}, false},
{"target differs", &DaemonOp{
Target: check.MustAbs("/run/user/65534/pulse/native"),
Path: check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
}, &DaemonOp{
Target: check.MustAbs("/run/user/1971/pulse/native"),
Path: check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
}, false},
{"equals", &DaemonOp{
Target: check.MustAbs("/run/user/1971/pulse/native"),
Path: check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
}, &DaemonOp{
Target: check.MustAbs("/run/user/1971/pulse/native"),
Path: check.MustAbs("/run/current-system/sw/bin/pipewire-pulse"),
}, true},
})
checkOpMeta(t, []opMetaTestCase{
{"pipewire-pulse", &DaemonOp{
Target: check.MustAbs("/run/user/1971/pulse/native"),
}, zeroString, `daemon providing "/run/user/1971/pulse/native"`},
})
}

1
container/initdev.go
View File

@@ -126,7 +126,6 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
}
return k.mountTmpfs(SourceTmpfs, devShmPath, MS_NOSUID|MS_NODEV, 0, 01777)
}
func (d *MountDevOp) late(*setupState, syscallDispatcher) error { return nil }
func (d *MountDevOp) Is(op Op) bool {
vd, ok := op.(*MountDevOp)

1
container/initmkdir.go
View File

@@ -27,7 +27,6 @@ func (m *MkdirOp) early(*setupState, syscallDispatcher) error { return nil }
func (m *MkdirOp) apply(_ *setupState, k syscallDispatcher) error {
return k.mkdirAll(toSysroot(m.Path.String()), m.Perm)
}
func (m *MkdirOp) late(*setupState, syscallDispatcher) error { return nil }
func (m *MkdirOp) Is(op Op) bool {
vm, ok := op.(*MkdirOp)

2
container/initoverlay.go
View File

@@ -205,8 +205,6 @@ func (o *MountOverlayOp) apply(state *setupState, k syscallDispatcher) error {
return k.mount(SourceOverlay, target, FstypeOverlay, 0, strings.Join(options, check.SpecialOverlayOption))
}
func (o *MountOverlayOp) late(*setupState, syscallDispatcher) error { return nil }
func (o *MountOverlayOp) Is(op Op) bool {
vo, ok := op.(*MountOverlayOp)
return ok && o.Valid() && vo.Valid() &&

1
container/initplace.go
View File

@@ -57,7 +57,6 @@ func (t *TmpfileOp) apply(state *setupState, k syscallDispatcher) error {
}
return nil
}
func (t *TmpfileOp) late(*setupState, syscallDispatcher) error { return nil }
func (t *TmpfileOp) Is(op Op) bool {
vt, ok := op.(*TmpfileOp)

1
container/initproc.go
View File

@@ -28,7 +28,6 @@ func (p *MountProcOp) apply(state *setupState, k syscallDispatcher) error {
}
return k.mount(SourceProc, target, FstypeProc, MS_NOSUID|MS_NOEXEC|MS_NODEV, zeroString)
}
func (p *MountProcOp) late(*setupState, syscallDispatcher) error { return nil }
func (p *MountProcOp) Is(op Op) bool {
vp, ok := op.(*MountProcOp)

1
container/initremount.go
View File

@@ -26,7 +26,6 @@ func (*RemountOp) early(*setupState, syscallDispatcher) error { return nil }
func (r *RemountOp) apply(state *setupState, k syscallDispatcher) error {
return k.remount(state, toSysroot(r.Target.String()), r.Flags)
}
func (r *RemountOp) late(*setupState, syscallDispatcher) error { return nil }
func (r *RemountOp) Is(op Op) bool {
vr, ok := op.(*RemountOp)

2
container/initsymlink.go
View File

@@ -50,8 +50,6 @@ func (l *SymlinkOp) apply(state *setupState, k syscallDispatcher) error {
return k.symlink(l.LinkName, target)
}
func (l *SymlinkOp) late(*setupState, syscallDispatcher) error { return nil }
func (l *SymlinkOp) Is(op Op) bool {
vl, ok := op.(*SymlinkOp)
return ok && l.Valid() && vl.Valid() &&

1
container/inittmpfs.go
View File

@@ -48,7 +48,6 @@ func (t *MountTmpfsOp) apply(_ *setupState, k syscallDispatcher) error {
}
return k.mountTmpfs(t.FSName, toSysroot(t.Path.String()), t.Flags, t.Size, t.Perm)
}
func (t *MountTmpfsOp) late(*setupState, syscallDispatcher) error { return nil }
func (t *MountTmpfsOp) Is(op Op) bool {
vt, ok := op.(*MountTmpfsOp)

3
dist/comp/_hakurei vendored
View File

@@ -17,8 +17,7 @@ _hakurei_run() {
'--wayland[Enable connection to Wayland via security-context-v1]' \
'-X[Enable direct connection to X11]' \
'--dbus[Enable proxied connection to D-Bus]' \
'--pipewire[Enable connection to PipeWire via SecurityContext]' \
'--pulse[Enable PulseAudio compatibility daemon]' \
'--pulse[Enable direct connection to PulseAudio]' \
'--dbus-config[Path to session bus proxy config file]: :_files -g "*.json"' \
'--dbus-system[Path to system bus proxy config file]: :_files -g "*.json"' \
'--mpris[Allow owning MPRIS D-Bus path]' \

2
dist/release.sh vendored
View File

@@ -9,7 +9,7 @@ cp -v "README.md" "dist/hsurc.default" "dist/install.sh" "${out}"
cp -rv "dist/comp" "${out}"
go generate ./...
go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid=''
-X hakurei.app/internal/info.buildVersion=${VERSION}
-X hakurei.app/internal/info.hakureiPath=/usr/bin/hakurei
-X hakurei.app/internal/info.hsuPath=/usr/bin/hsu

16
flake.lock generated
View File

@@ -7,32 +7,32 @@
]
},
"locked": {
"lastModified": 1765384171,
"narHash": "sha256-FuFtkJrW1Z7u+3lhzPRau69E0CNjADku1mLQQflUORo=",
"lastModified": 1756679287,
"narHash": "sha256-Xd1vOeY9ccDf5VtVK12yM0FS6qqvfUop8UQlxEB+gTQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "44777152652bc9eacf8876976fa72cc77ca8b9d8",
"rev": "07fc025fe10487dd80f2ec694f1cd790e752d0e8",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.11",
"ref": "release-25.05",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1765311797,
"narHash": "sha256-mSD5Ob7a+T2RNjvPvOA1dkJHGVrNVl8ZOrAwBjKBDQo=",
"lastModified": 1757020766,
"narHash": "sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "09eb77e94fa25202af8f3e81ddc7353d9970ac1b",
"rev": "fe83bbdde2ccdc2cb9573aa846abe8363f79a97a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}

10
flake.nix
View File

@@ -2,10 +2,10 @@
description = "hakurei container tool and nixos module";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
home-manager = {
url = "github:nix-community/home-manager/release-25.11";
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs";
};
};
@@ -110,7 +110,7 @@
in
{
default = hakurei;
hakurei = pkgs.pkgsStatic.callPackage ./package.nix {
hakurei = pkgs.callPackage ./package.nix {
inherit (pkgs)
# passthru.buildInputs
go
@@ -185,13 +185,13 @@
hakurei =
let
# this is used for interactive vm testing during development, where tests might be broken
package = self.packages.${pkgs.stdenv.hostPlatform.system}.hakurei.override {
package = self.packages.${pkgs.system}.hakurei.override {
buildGoModule = previousArgs: pkgs.pkgsStatic.buildGoModule (previousArgs // { doCheck = false; });
};
in
{
inherit package;
hsuPackage = self.packages.${pkgs.stdenv.hostPlatform.system}.hsu.override { hakurei = package; };
hsuPackage = self.packages.${pkgs.system}.hsu.override { hakurei = package; };
};
};
}

53
hst/config.go
View File

@@ -23,54 +23,9 @@ type Config struct {
// System D-Bus proxy configuration.
// If set to nil, system bus proxy is disabled.
SystemBus *BusConfig `json:"system_bus,omitempty"`
// Direct access to wayland socket, no attempt is made to attach security-context-v1
// and the bare socket is made available to the container.
//
// This option is unsupported and most likely enables full control over the Wayland
// session. Do not set this to true unless you are sure you know what you are doing.
DirectWayland bool `json:"direct_wayland,omitempty"`
// Direct access to the PipeWire socket established via SecurityContext::Create, no
// attempt is made to start the pipewire-pulse server.
//
// The SecurityContext machinery is fatally flawed, it blindly sets read and execute
// bits on all objects for clients with the lowest achievable privilege level (by
// setting PW_KEY_ACCESS to "restricted"). This enables them to call any method
// targeting any object, and since Registry::Destroy checks for the read and execute bit,
// allows the destruction of any object other than PW_ID_CORE as well. This behaviour
// is implemented separately in media-session and wireplumber, with the wireplumber
// implementation in Lua via an embedded Lua vm. In all known setups, wireplumber is
// in use, and there is no known way to change its behaviour and set permissions
// differently without replacing the Lua script. Also, since PipeWire relies on these
// permissions to work, reducing them is not possible.
//
// Currently, the only other sandboxed use case is flatpak, which is not aware of
// PipeWire and blindly exposes the bare PulseAudio socket to the container (behaves
// like DirectPulse). This socket is backed by the pipewire-pulse compatibility daemon,
// which obtains client pid via the SO_PEERCRED option. The PipeWire daemon, pipewire-pulse
// daemon and the session manager daemon then separately performs the /.flatpak-info hack
// described in https://git.gensokyo.uk/security/hakurei/issues/21. Under such use case,
// since the client has no direct access to PipeWire, insecure parts of the protocol are
// obscured by pipewire-pulse simply not implementing them, and thus hiding the flaws
// described above.
//
// Hakurei does not rely on the /.flatpak-info hack. Instead, a socket is sets up via
// SecurityContext. A pipewire-pulse server connected through it achieves the same
// permissions as flatpak does via the /.flatpak-info hack and is maintained for the
// life of the container.
//
// This option is unsupported and enables a denial-of-service attack as the sandboxed
// client is able to destroy any client object and thus disconnecting them from PipeWire,
// or destroy the SecurityContext object preventing any further container creation.
// Do not set this to true, it is insecure under any configuration.
DirectPipeWire bool `json:"direct_pipewire,omitempty"`
// Direct access to PulseAudio socket, no attempt is made to establish pipewire-pulse
// server via a PipeWire socket with a SecurityContext attached and the bare socket
// is made available to the container.
//
// This option is unsupported and enables arbitrary code execution as the PulseAudio
// server. Do not set this to true, it is insecure under any configuration.
DirectPulse bool `json:"direct_pulse,omitempty"`
// Extra acl updates to perform before setuid.
ExtraPerms []ExtraPermConfig `json:"extra_perms,omitempty"`
@@ -94,9 +49,6 @@ var (
// ErrEnviron is returned by [Config.Validate] if an environment variable name contains '=' or NUL.
ErrEnviron = errors.New("invalid environment variable name")
// ErrInsecure is returned by [Config.Validate] if the configuration is considered insecure.
ErrInsecure = errors.New("configuration is insecure")
)
// Validate checks [Config] and returns [AppError] if an invalid value is encountered.
@@ -143,11 +95,6 @@ func (config *Config) Validate() error {
}
}
if et := config.Enablements.Unwrap(); !config.DirectPulse && et&EPulse != 0 {
return &AppError{Step: "validate configuration", Err: ErrInsecure,
Msg: "enablement PulseAudio is insecure and no longer supported"}
}
return nil
}

6
hst/config_test.go
View File

@@ -53,12 +53,6 @@ func TestConfigValidate(t *testing.T) {
Env: map[string]string{"TERM\x00": ""},
}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrEnviron,
Msg: `invalid environment variable "TERM\x00"`}},
{"insecure pulse", &hst.Config{Enablements: hst.NewEnablements(hst.EPulse), Container: &hst.ContainerConfig{
Home: fhs.AbsTmp,
Shell: fhs.AbsTmp,
Path: fhs.AbsTmp,
}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
Msg: "enablement PulseAudio is insecure and no longer supported"}},
{"valid", &hst.Config{Container: &hst.ContainerConfig{
Home: fhs.AbsTmp,
Shell: fhs.AbsTmp,

25
hst/enablement.go
View File

@@ -17,8 +17,6 @@ const (
EX11
// EDBus enables the per-container xdg-dbus-proxy daemon.
EDBus
// EPipeWire exposes a pipewire pathname socket via SecurityContext.
EPipeWire
// EPulse copies the PulseAudio cookie to [hst.PrivateTmp] and exposes the PulseAudio socket.
EPulse
@@ -37,8 +35,6 @@ func (e Enablement) String() string {
return "x11"
case EDBus:
return "dbus"
case EPipeWire:
return "pipewire"
case EPulse:
return "pulseaudio"
default:
@@ -66,11 +62,10 @@ type Enablements Enablement
// enablementsJSON is the [json] representation of [Enablements].
type enablementsJSON = struct {
Wayland bool `json:"wayland,omitempty"`
X11 bool `json:"x11,omitempty"`
DBus bool `json:"dbus,omitempty"`
PipeWire bool `json:"pipewire,omitempty"`
Pulse bool `json:"pulse,omitempty"`
Wayland bool `json:"wayland,omitempty"`
X11 bool `json:"x11,omitempty"`
DBus bool `json:"dbus,omitempty"`
Pulse bool `json:"pulse,omitempty"`
}
// Unwrap returns the underlying [Enablement].
@@ -86,11 +81,10 @@ func (e *Enablements) MarshalJSON() ([]byte, error) {
return nil, syscall.EINVAL
}
return json.Marshal(&enablementsJSON{
Wayland: Enablement(*e)&EWayland != 0,
X11: Enablement(*e)&EX11 != 0,
DBus: Enablement(*e)&EDBus != 0,
PipeWire: Enablement(*e)&EPipeWire != 0,
Pulse: Enablement(*e)&EPulse != 0,
Wayland: Enablement(*e)&EWayland != 0,
X11: Enablement(*e)&EX11 != 0,
DBus: Enablement(*e)&EDBus != 0,
Pulse: Enablement(*e)&EPulse != 0,
})
}
@@ -114,9 +108,6 @@ func (e *Enablements) UnmarshalJSON(data []byte) error {
if v.DBus {
ve |= EDBus
}
if v.PipeWire {
ve |= EPipeWire
}
if v.Pulse {
ve |= EPulse
}

4
hst/enablement_test.go
View File

@@ -32,7 +32,6 @@ func TestEnablementString(t *testing.T) {
{hst.EWayland | hst.EDBus | hst.EPulse, "wayland, dbus, pulseaudio"},
{hst.EX11 | hst.EDBus | hst.EPulse, "x11, dbus, pulseaudio"},
{hst.EWayland | hst.EX11 | hst.EDBus | hst.EPulse, "wayland, x11, dbus, pulseaudio"},
{hst.EM - 1, "wayland, x11, dbus, pipewire, pulseaudio"},
{1 << 5, "e20"},
{1 << 6, "e40"},
@@ -63,9 +62,8 @@ func TestEnablements(t *testing.T) {
{"wayland", hst.NewEnablements(hst.EWayland), `{"wayland":true}`, `{"value":{"wayland":true},"magic":3236757504}`},
{"x11", hst.NewEnablements(hst.EX11), `{"x11":true}`, `{"value":{"x11":true},"magic":3236757504}`},
{"dbus", hst.NewEnablements(hst.EDBus), `{"dbus":true}`, `{"value":{"dbus":true},"magic":3236757504}`},
{"pipewire", hst.NewEnablements(hst.EPipeWire), `{"pipewire":true}`, `{"value":{"pipewire":true},"magic":3236757504}`},
{"pulse", hst.NewEnablements(hst.EPulse), `{"pulse":true}`, `{"value":{"pulse":true},"magic":3236757504}`},
{"all", hst.NewEnablements(hst.EM - 1), `{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pipewire":true,"pulse":true},"magic":3236757504}`},
{"all", hst.NewEnablements(hst.EWayland | hst.EX11 | hst.EDBus | hst.EPulse), `{"wayland":true,"x11":true,"dbus":true,"pulse":true}`, `{"value":{"wayland":true,"x11":true,"dbus":true,"pulse":true},"magic":3236757504}`},
}
for _, tc := range testCases {

12
hst/fs.go
View File

@@ -45,9 +45,6 @@ type Ops interface {
Root(host *check.Absolute, flags int) Ops
// Etc appends an op that expands host /etc into a toplevel symlink mirror with /etc semantics.
Etc(host *check.Absolute, prefix string) Ops
// Daemon appends an op that starts a daemon in the container and blocks until target appears.
Daemon(target, path *check.Absolute, args ...string) Ops
}
// ApplyState holds the address of [Ops] and any relevant application state.
@@ -127,12 +124,6 @@ func (f *FilesystemConfigJSON) MarshalJSON() ([]byte, error) {
*FSLink
}{fsType{FilesystemLink}, cv}
case *FSDaemon:
v = &struct {
fsType
*FSDaemon
}{fsType{FilesystemDaemon}, cv}
default:
return nil, FSImplError{f.FilesystemConfig}
}
@@ -161,9 +152,6 @@ func (f *FilesystemConfigJSON) UnmarshalJSON(data []byte) error {
case FilesystemLink:
*f = FilesystemConfigJSON{new(FSLink)}
case FilesystemDaemon:
*f = FilesystemConfigJSON{new(FSDaemon)}
default:
return FSTypeError(t.Type)
}

14
hst/fs_test.go
View File

@@ -84,16 +84,6 @@ func TestFilesystemConfigJSON(t *testing.T) {
}, nil,
`{"type":"link","dst":"/run/current-system","linkname":"/run/current-system","dereference":true}`,
`{"fs":{"type":"link","dst":"/run/current-system","linkname":"/run/current-system","dereference":true},"magic":3236757504}`},
{"daemon", hst.FilesystemConfigJSON{
FilesystemConfig: &hst.FSDaemon{
Target: m("/run/user/1971/pulse/native"),
Exec: m("/run/current-system/sw/bin/pipewire-pulse"),
Args: []string{"-v"},
},
}, nil,
`{"type":"daemon","dst":"/run/user/1971/pulse/native","path":"/run/current-system/sw/bin/pipewire-pulse","args":["-v"]}`,
`{"fs":{"type":"daemon","dst":"/run/user/1971/pulse/native","path":"/run/current-system/sw/bin/pipewire-pulse","args":["-v"]},"magic":3236757504}`},
}
for _, tc := range testCases {
@@ -355,10 +345,6 @@ func (p opsAdapter) Etc(host *check.Absolute, prefix string) hst.Ops {
return opsAdapter{p.Ops.Etc(host, prefix)}
}
func (p opsAdapter) Daemon(target, path *check.Absolute, args ...string) hst.Ops {
return opsAdapter{p.Ops.Daemon(target, path, args...)}
}
func m(pathname string) *check.Absolute { return check.MustAbs(pathname) }
func ms(pathnames ...string) []*check.Absolute {
as := make([]*check.Absolute, len(pathnames))

48
hst/fsdaemon.go
View File

@@ -1,48 +0,0 @@
package hst
import (
"encoding/gob"
"hakurei.app/container/check"
)
func init() { gob.Register(new(FSDaemon)) }
// FilesystemDaemon is the type string of a daemon.
const FilesystemDaemon = "daemon"
// FSDaemon represents a daemon to be started in the container.
type FSDaemon struct {
// Pathname indicating readiness of daemon.
Target *check.Absolute `json:"dst"`
// Absolute pathname to daemon executable file.
Exec *check.Absolute `json:"path"`
// Arguments (excl. first) passed to daemon.
Args []string `json:"args"`
}
func (d *FSDaemon) Valid() bool { return d != nil && d.Target != nil && d.Exec != nil }
func (d *FSDaemon) Path() *check.Absolute {
if !d.Valid() {
return nil
}
return d.Target
}
func (d *FSDaemon) Host() []*check.Absolute { return nil }
func (d *FSDaemon) Apply(z *ApplyState) {
if !d.Valid() {
return
}
z.Daemon(d.Target, d.Exec, d.Args...)
}
func (d *FSDaemon) String() string {
if !d.Valid() {
return "<invalid>"
}
return "daemon:" + d.Target.String()
}

29
hst/fsdaemon_test.go
View File

@@ -1,29 +0,0 @@
package hst_test
import (
"testing"
"hakurei.app/container"
"hakurei.app/hst"
)
func TestFSDaemon(t *testing.T) {
t.Parallel()
checkFs(t, []fsTestCase{
{"nil", (*hst.FSDaemon)(nil), false, nil, nil, nil, "<invalid>"},
{"zero", new(hst.FSDaemon), false, nil, nil, nil, "<invalid>"},
{"pipewire-pulse", &hst.FSDaemon{
Target: m("/run/user/1971/pulse/native"),
Exec: m("/run/current-system/sw/bin/pipewire-pulse"),
Args: []string{"-v"},
}, true, container.Ops{
&container.DaemonOp{
Target: m("/run/user/1971/pulse/native"),
Path: m("/run/current-system/sw/bin/pipewire-pulse"),
Args: []string{"-v"},
},
}, m("/run/user/1971/pulse/native"), nil, `daemon:/run/user/1971/pulse/native`},
})
}

5
hst/hst.go
View File

@@ -56,6 +56,8 @@ type Paths struct {
type Info struct {
// WaylandVersion is the libwayland value of WAYLAND_VERSION.
WaylandVersion string `json:"WAYLAND_VERSION"`
// PipeWireVersion is the pipewire value of pw_get_headers_version().
PipeWireVersion string `json:"pw_get_headers_version"`
// Version is a hardcoded version string.
Version string `json:"version"`
@@ -70,7 +72,7 @@ func Template() *Config {
return &Config{
ID: "org.chromium.Chromium",
Enablements: NewEnablements(EWayland | EDBus | EPipeWire),
Enablements: NewEnablements(EWayland | EDBus | EPulse),
SessionBus: &BusConfig{
See: nil,
@@ -92,6 +94,7 @@ func Template() *Config {
Log: false,
Filter: true,
},
DirectWayland: false,
ExtraPerms: []ExtraPermConfig{
{Path: fhs.AbsVarLib.Append("hakurei/u0"), Ensure: true, Execute: true},

2
hst/hst_test.go
View File

@@ -105,7 +105,7 @@ func TestTemplate(t *testing.T) {
"enablements": {
"wayland": true,
"dbus": true,
"pipewire": true
"pulse": true
},
"session_bus": {
"see": null,

9
internal/outcome/dispatcher.go
View File

@@ -53,10 +53,6 @@ type syscallDispatcher interface {
readdir(name string) ([]os.DirEntry, error)
// tempdir provides [os.TempDir].
tempdir() string
// mkdir provides [os.Mkdir].
mkdir(name string, perm os.FileMode) error
// removeAll provides [os.RemoveAll].
removeAll(path string) error
// exit provides [os.Exit].
exit(code int)
@@ -66,8 +62,6 @@ type syscallDispatcher interface {
// lookupGroupId calls [user.LookupGroup] and returns the Gid field of the resulting [user.Group] struct.
lookupGroupId(name string) (string, error)
// lookPath provides exec.LookPath.
lookPath(file string) (string, error)
// cmdOutput provides the Output method of [exec.Cmd].
cmdOutput(cmd *exec.Cmd) ([]byte, error)
@@ -127,8 +121,6 @@ func (direct) stat(name string) (os.FileInfo, error) { return os.Stat(name)
func (direct) open(name string) (osFile, error) { return os.Open(name) }
func (direct) readdir(name string) ([]os.DirEntry, error) { return os.ReadDir(name) }
func (direct) tempdir() string { return os.TempDir() }
func (direct) mkdir(name string, perm os.FileMode) error { return os.Mkdir(name, perm) }
func (direct) removeAll(path string) error { return os.RemoveAll(path) }
func (direct) exit(code int) { os.Exit(code) }
func (direct) evalSymlinks(path string) (string, error) { return filepath.EvalSymlinks(path) }
@@ -142,7 +134,6 @@ func (direct) lookupGroupId(name string) (gid string, err error) {
return
}
func (direct) lookPath(file string) (string, error) { return exec.LookPath(file) }
func (direct) cmdOutput(cmd *exec.Cmd) ([]byte, error) { return cmd.Output() }
func (direct) notifyContext(parent context.Context, signals ...os.Signal) (ctx context.Context, stop context.CancelFunc) {

3
internal/outcome/dispatcher_test.go
View File

@@ -701,13 +701,10 @@ func (panicDispatcher) stat(string) (os.FileInfo, error) { pa
func (panicDispatcher) open(string) (osFile, error) { panic("unreachable") }
func (panicDispatcher) readdir(string) ([]os.DirEntry, error) { panic("unreachable") }
func (panicDispatcher) tempdir() string { panic("unreachable") }
func (panicDispatcher) mkdir(string, os.FileMode) error { panic("unreachable") }
func (panicDispatcher) removeAll(string) error { panic("unreachable") }
func (panicDispatcher) exit(int) { panic("unreachable") }
func (panicDispatcher) evalSymlinks(string) (string, error) { panic("unreachable") }
func (panicDispatcher) prctl(uintptr, uintptr, uintptr) error { panic("unreachable") }
func (panicDispatcher) lookupGroupId(string) (string, error) { panic("unreachable") }
func (panicDispatcher) lookPath(string) (string, error) { panic("unreachable") }
func (panicDispatcher) cmdOutput(*exec.Cmd) ([]byte, error) { panic("unreachable") }
func (panicDispatcher) overflowUid(message.Msg) int { panic("unreachable") }
func (panicDispatcher) overflowGid(message.Msg) int { panic("unreachable") }

18
internal/outcome/outcome.go
View File

@@ -12,6 +12,7 @@ import (
"hakurei.app/internal/acl"
"hakurei.app/internal/env"
"hakurei.app/internal/info"
"hakurei.app/internal/pipewire"
"hakurei.app/internal/system"
"hakurei.app/internal/wayland"
"hakurei.app/message"
@@ -21,7 +22,7 @@ import (
//
// This must not be called from within package outcome.
func Info() *hst.Info {
hi := hst.Info{WaylandVersion: wayland.Version,
hi := hst.Info{WaylandVersion: wayland.Version, PipeWireVersion: pipewire.Version,
Version: info.Version(), User: new(Hsu).MustID(nil)}
env.CopyPaths().Copy(&hi.Paths, hi.User)
return &hi
@@ -70,7 +71,7 @@ type outcomeState struct {
// Copied from their respective exported values.
mapuid, mapgid *stringPair[int]
// Copied from [env.Paths] per-process.
// Copied from [EnvPaths] per-process.
sc hst.Paths
*env.Paths
@@ -172,10 +173,6 @@ type outcomeStateSys struct {
// Copied from [hst.Config]. Safe for read by spWaylandOp.toSystem only.
directWayland bool
// Copied from [hst.Config]. Safe for read by spPipeWireOp.toSystem only.
directPipeWire bool
// Copied from [hst.Config]. Safe for read by spPulseOp.toSystem only.
directPulse bool
// Copied header from [hst.Config]. Safe for read by spFilesystemOp.toSystem only.
extraPerms []hst.ExtraPermConfig
// Copied address from [hst.Config]. Safe for read by spDBusOp.toSystem only.
@@ -189,8 +186,8 @@ type outcomeStateSys struct {
func (s *outcomeState) newSys(config *hst.Config, sys *system.I) *outcomeStateSys {
return &outcomeStateSys{
appId: config.ID, et: config.Enablements.Unwrap(),
directWayland: config.DirectWayland, directPipeWire: config.DirectPipeWire, directPulse: config.DirectPulse,
extraPerms: config.ExtraPerms, sessionBus: config.SessionBus, systemBus: config.SystemBus,
directWayland: config.DirectWayland, extraPerms: config.ExtraPerms,
sessionBus: config.SessionBus, systemBus: config.SystemBus,
sys: sys, outcomeState: s,
}
}
@@ -257,10 +254,6 @@ type outcomeStateParams struct {
// Populated by spRuntimeOp.
runtimeDir *check.Absolute
// Path to pipewire-pulse server.
// Populated by spPipeWireOp if DirectPipeWire is false.
pipewirePulsePath *check.Absolute
as hst.ApplyState
*outcomeState
}
@@ -300,7 +293,6 @@ func (state *outcomeStateSys) toSystem() error {
// optional via enablements
&spWaylandOp{},
&spX11Op{},
&spPipeWireOp{},
&spPulseOp{},
&spDBusOp{},

74
internal/outcome/run_test.go
View File

@@ -27,7 +27,7 @@ import (
"hakurei.app/message"
)
func TestOutcomeRun(t *testing.T) {
func TestOutcomeMain(t *testing.T) {
t.Parallel()
msg := message.New(nil)
msg.SwapVerbose(testing.Verbose())
@@ -67,12 +67,18 @@ func TestOutcomeRun(t *testing.T) {
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
).
// spPipeWireOp
PipeWire(
m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pipewire"),
"org.chromium.Chromium",
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
).
// ensureRuntimeDir
Ensure(m("/run/user/1971"), 0700).
UpdatePermType(system.User, m("/run/user/1971"), acl.Execute).
Ensure(m("/run/user/1971/hakurei"), 0700).
UpdatePermType(system.User, m("/run/user/1971/hakurei"), acl.Execute).
// runtime
Ephemeral(system.Process, m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), 0700).
UpdatePerm(m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), acl.Execute).
// spPulseOp
Link(m("/run/user/1971/pulse/native"), m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pulse")).
// spDBusOp
MustProxyDBus(
@@ -100,6 +106,8 @@ func TestOutcomeRun(t *testing.T) {
"GOOGLE_DEFAULT_CLIENT_ID=77185425430.apps.googleusercontent.com",
"GOOGLE_DEFAULT_CLIENT_SECRET=OTJgUOQcT7lO7GsGZq2G4IlT",
"HOME=/data/data/org.chromium.Chromium",
"PULSE_COOKIE=/.hakurei/pulse-cookie",
"PULSE_SERVER=unix:/run/user/1971/pulse/native",
"SHELL=/run/current-system/sw/bin/zsh",
"TERM=xterm-256color",
"USER=chronos",
@@ -136,7 +144,7 @@ func TestOutcomeRun(t *testing.T) {
Tmpfs(fhs.AbsDevShm, 0, 01777).
// spRuntimeOp
Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
Bind(m("/tmp/hakurei.0/runtime/9"), m("/run/user/1971"), std.BindWritable).
// spTmpdirOp
@@ -149,6 +157,10 @@ func TestOutcomeRun(t *testing.T) {
// spWaylandOp
Bind(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/wayland"), m("/run/user/1971/wayland-0"), 0).
// spPulseOp
Bind(m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pulse"), m("/run/user/1971/pulse/native"), 0).
Place(m("/.hakurei/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
// spDBusOp
Bind(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bus"), m("/run/user/1971/bus"), 0).
Bind(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/system_bus_socket"), m("/var/run/dbus/system_bus_socket"), 0).
@@ -170,7 +182,7 @@ func TestOutcomeRun(t *testing.T) {
Remount(fhs.AbsRoot, syscall.MS_RDONLY),
}},
{"nixos permissive defaults no enablements", new(stubNixOS), &hst.Config{DirectPipeWire: true, Container: &hst.ContainerConfig{
{"nixos permissive defaults no enablements", new(stubNixOS), &hst.Config{Container: &hst.ContainerConfig{
Filesystem: []hst.FilesystemConfigJSON{
{FilesystemConfig: &hst.FSBind{
Target: fhs.AbsRoot,
@@ -232,7 +244,7 @@ func TestOutcomeRun(t *testing.T) {
Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
DevWritable(m("/dev/"), true).
Tmpfs(m("/dev/shm/"), 0, 01777).
Tmpfs(m("/run/user/"), xdgRuntimeDirSize, 0755).
Tmpfs(m("/run/user/"), 4096, 0755).
Bind(m("/tmp/hakurei.0/runtime/0"), m("/run/user/65534"), std.BindWritable).
Bind(m("/tmp/hakurei.0/tmpdir/0"), m("/tmp/"), std.BindWritable).
Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
@@ -252,8 +264,6 @@ func TestOutcomeRun(t *testing.T) {
}},
{"nixos permissive defaults chromium", new(stubNixOS), &hst.Config{
DirectPipeWire: true,
ID: "org.chromium.Chromium",
Identity: 9,
Groups: []string{"video"},
@@ -288,7 +298,7 @@ func TestOutcomeRun(t *testing.T) {
},
Filter: true,
},
Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPulse),
Container: &hst.ContainerConfig{
Filesystem: []hst.FilesystemConfigJSON{
@@ -337,7 +347,10 @@ func TestOutcomeRun(t *testing.T) {
Ensure(m("/tmp/hakurei.0/tmpdir/9"), 01700).UpdatePermType(system.User, m("/tmp/hakurei.0/tmpdir/9"), acl.Read, acl.Write, acl.Execute).
Ephemeral(system.Process, m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c"), 0711).
Wayland(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
PipeWire(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/pipewire"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
Ensure(m("/run/user/1971"), 0700).UpdatePermType(system.User, m("/run/user/1971"), acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
Ensure(m("/run/user/1971/hakurei"), 0700).UpdatePermType(system.User, m("/run/user/1971/hakurei"), acl.Execute).
Ephemeral(system.Process, m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c"), 0700).UpdatePermType(system.Process, m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c"), acl.Execute).
Link(m("/run/user/1971/pulse/native"), m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse")).
MustProxyDBus(&hst.BusConfig{
Talk: []string{
"org.freedesktop.Notifications",
@@ -384,7 +397,8 @@ func TestOutcomeRun(t *testing.T) {
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket",
"HOME=/home/chronos",
"PIPEWIRE_REMOTE=/run/user/65534/pipewire-0",
"PULSE_COOKIE=" + hst.PrivateTmp + "/pulse-cookie",
"PULSE_SERVER=unix:/run/user/65534/pulse/native",
"SHELL=/run/current-system/sw/bin/zsh",
"TERM=xterm-256color",
"USER=chronos",
@@ -399,13 +413,14 @@ func TestOutcomeRun(t *testing.T) {
Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
DevWritable(m("/dev/"), true).
Tmpfs(m("/dev/shm/"), 0, 01777).
Tmpfs(m("/run/user/"), xdgRuntimeDirSize, 0755).
Tmpfs(m("/run/user/"), 4096, 0755).
Bind(m("/tmp/hakurei.0/runtime/9"), m("/run/user/65534"), std.BindWritable).
Bind(m("/tmp/hakurei.0/tmpdir/9"), m("/tmp/"), std.BindWritable).
Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/65534/wayland-0"), 0).
Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/pipewire"), m("/run/user/65534/pipewire-0"), 0).
Bind(m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse"), m("/run/user/65534/pulse/native"), 0).
Place(m(hst.PrivateTmp+"/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/bus"), m("/run/user/65534/bus"), 0).
Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/system_bus_socket"), m("/var/run/dbus/system_bus_socket"), 0).
Bind(m("/dev/dri"), m("/dev/dri"), std.BindWritable|std.BindDevice|std.BindOptional).
@@ -424,10 +439,8 @@ func TestOutcomeRun(t *testing.T) {
}},
{"nixos chromium direct wayland", new(stubNixOS), &hst.Config{
DirectPipeWire: true,
ID: "org.chromium.Chromium",
Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPulse),
Container: &hst.ContainerConfig{
Env: nil,
Filesystem: []hst.FilesystemConfigJSON{
@@ -489,8 +502,9 @@ func TestOutcomeRun(t *testing.T) {
Ensure(m("/run/user/1971"), 0700).UpdatePermType(system.User, m("/run/user/1971"), acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
Ensure(m("/run/user/1971/hakurei"), 0700).UpdatePermType(system.User, m("/run/user/1971/hakurei"), acl.Execute).
UpdatePermType(hst.EWayland, m("/run/user/1971/wayland-0"), acl.Read, acl.Write, acl.Execute).
Ephemeral(system.Process, m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1"), 0700).UpdatePermType(system.Process, m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1"), acl.Execute).
Link(m("/run/user/1971/pulse/native"), m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse")).
Ephemeral(system.Process, m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1"), 0711).
PipeWire(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/pipewire"), "org.chromium.Chromium", "8e2c76b066dabe574cf073bdb46eb5c1").
MustProxyDBus(&hst.BusConfig{
Talk: []string{
"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
@@ -530,7 +544,8 @@ func TestOutcomeRun(t *testing.T) {
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket",
"HOME=/var/lib/persist/module/hakurei/0/1",
"PIPEWIRE_REMOTE=/run/user/1971/pipewire-0",
"PULSE_COOKIE=" + hst.PrivateTmp + "/pulse-cookie",
"PULSE_SERVER=unix:/run/user/1971/pulse/native",
"SHELL=/run/current-system/sw/bin/zsh",
"TERM=xterm-256color",
"USER=u0_a1",
@@ -544,13 +559,14 @@ func TestOutcomeRun(t *testing.T) {
Tmpfs(hst.AbsPrivateTmp, 4096, 0755).
DevWritable(m("/dev/"), true).
Tmpfs(m("/dev/shm/"), 0, 01777).
Tmpfs(m("/run/user/"), xdgRuntimeDirSize, 0755).
Tmpfs(m("/run/user/"), 4096, 0755).
Bind(m("/tmp/hakurei.0/runtime/1"), m("/run/user/1971"), std.BindWritable).
Bind(m("/tmp/hakurei.0/tmpdir/1"), m("/tmp/"), std.BindWritable).
Place(m("/etc/passwd"), []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
Place(m("/etc/group"), []byte("hakurei:x:100:\n")).
Bind(m("/run/user/1971/wayland-0"), m("/run/user/1971/wayland-0"), 0).
Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/pipewire"), m("/run/user/1971/pipewire-0"), 0).
Bind(m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse"), m("/run/user/1971/pulse/native"), 0).
Place(m(hst.PrivateTmp+"/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/bus"), m("/run/user/1971/bus"), 0).
Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket"), m("/var/run/dbus/system_bus_socket"), 0).
Bind(m("/bin"), m("/bin"), 0).
@@ -883,16 +899,6 @@ func (k *stubNixOS) lookupGroupId(name string) (string, error) {
}
}
func (k *stubNixOS) lookPath(file string) (string, error) {
switch file {
case "pipewire-pulse":
return "/run/current-system/sw/bin/pipewire-pulse", nil
default:
panic(fmt.Sprintf("unexpected file %q", file))
}
}
func (k *stubNixOS) cmdOutput(cmd *exec.Cmd) ([]byte, error) {
switch cmd.Path {
case "/proc/nonexistent/hsu":

132
internal/outcome/shim.go
View File

@@ -14,12 +14,9 @@ import (
"time"
"hakurei.app/container"
"hakurei.app/container/check"
"hakurei.app/container/fhs"
"hakurei.app/container/seccomp"
"hakurei.app/container/std"
"hakurei.app/hst"
"hakurei.app/internal/pipewire"
"hakurei.app/message"
)
@@ -86,55 +83,6 @@ func Shim(msg message.Msg) {
shimEntrypoint(direct{msg})
}
// A shimPrivate holds state of the private work directory owned by shim.
type shimPrivate struct {
// Path to directory if created.
pathname *check.Absolute
k syscallDispatcher
id *stringPair[hst.ID]
}
// unwrap returns the underlying pathname.
func (sp *shimPrivate) unwrap() *check.Absolute {
if sp.pathname == nil {
if a, err := check.NewAbs(sp.k.tempdir()); err != nil {
sp.k.fatal(err)
panic("unreachable")
} else {
pathname := a.Append(".hakurei-shim-" + sp.id.String())
sp.k.getMsg().Verbosef("creating private work directory %q", pathname)
if err = sp.k.mkdir(pathname.String(), 0700); err != nil {
sp.k.fatal(err)
panic("unreachable")
}
sp.pathname = pathname
return sp.unwrap()
}
} else {
return sp.pathname
}
}
// String returns the absolute pathname to the directory held by shimPrivate.
func (sp *shimPrivate) String() string { return sp.unwrap().String() }
// destroy removes the directory held by shimPrivate.
func (sp *shimPrivate) destroy() {
defer func() { sp.pathname = nil }()
if sp.pathname != nil {
sp.k.getMsg().Verbosef("destroying private work directory %q", sp.pathname)
if err := sp.k.removeAll(sp.pathname.String()); err != nil {
sp.k.getMsg().GetLogger().Println(err)
}
}
}
const (
// shimPipeWireTimeout is the duration pipewire-pulse is allowed to run before its socket becomes available.
shimPipeWireTimeout = 5 * time.Second
)
func shimEntrypoint(k syscallDispatcher) {
msg := k.getMsg()
if msg == nil {
@@ -260,7 +208,6 @@ func shimEntrypoint(k syscallDispatcher) {
ctx, stop := k.notifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
cancelContainer.Store(&stop)
sp := shimPrivate{k: k, id: state.id}
z := container.New(ctx, msg)
z.Params = *stateParams.params
z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
@@ -268,79 +215,6 @@ func shimEntrypoint(k syscallDispatcher) {
// bounds and default enforced in finalise.go
z.WaitDelay = state.Shim.WaitDelay
if stateParams.pipewirePulsePath != nil {
zpw := container.NewCommand(ctx, msg, stateParams.pipewirePulsePath, pipewirePulseName)
zpw.Hostname = "hakurei-" + pipewirePulseName
zpw.SeccompFlags |= seccomp.AllowMultiarch
zpw.SeccompPresets |= std.PresetStrict
zpw.Env = []string{
// pipewire SecurityContext socket path
pipewire.Remote + "=" + stateParams.instancePath().Append("pipewire").String(),
// pipewire-pulse socket directory path
envXDGRuntimeDir + "=" + sp.String(),
}
if msg.IsVerbose() {
zpw.Stdin, zpw.Stdout, zpw.Stderr = os.Stdin, os.Stdout, os.Stderr
}
zpw.
Bind(fhs.AbsRoot, fhs.AbsRoot, 0).
Bind(sp.unwrap(), sp.unwrap(), std.BindWritable).
Proc(fhs.AbsProc).Dev(fhs.AbsDev, true)
socketPath := sp.unwrap().Append("pulse", "native")
innerSocketPath := stateParams.runtimeDir.Append("pulse", "native")
if err := k.containerStart(zpw); err != nil {
sp.destroy()
printMessageError(func(v ...any) { k.fatal(fmt.Sprintln(v...)) },
"cannot start "+pipewirePulseName+" container:", err)
}
if err := k.containerServe(zpw); err != nil {
sp.destroy()
printMessageError(func(v ...any) { k.fatal(fmt.Sprintln(v...)) },
"cannot configure "+pipewirePulseName+" container:", err)
}
done := make(chan error, 1)
k.new(func(k syscallDispatcher, msg message.Msg) { done <- k.containerWait(zpw) })
socketTimer := time.NewTimer(shimPipeWireTimeout)
for {
select {
case <-socketTimer.C:
sp.destroy()
k.fatal(pipewirePulseName + " exceeded deadline before socket appeared")
break
case err := <-done:
var exitError *exec.ExitError
if !errors.As(err, &exitError) {
msg.Verbosef("cannot wait: %v", err)
k.exit(127)
}
sp.destroy()
k.fatal(pipewirePulseName + " " + exitError.ProcessState.String())
break
default:
if _, err := k.stat(socketPath.String()); err != nil {
if !errors.Is(err, os.ErrNotExist) {
sp.destroy()
k.fatal(err)
break
}
time.Sleep(500 * time.Microsecond)
continue
}
}
break
}
z.Bind(socketPath, innerSocketPath, 0)
z.Env = append(z.Env, "PULSE_SERVER=unix:"+innerSocketPath.String())
}
if err := k.containerStart(z); err != nil {
var f func(v ...any)
if logger := msg.GetLogger(); logger != nil {
@@ -351,11 +225,9 @@ func shimEntrypoint(k syscallDispatcher) {
}
}
printMessageError(f, "cannot start container:", err)
sp.destroy()
k.exit(hst.ExitFailure)
}
if err := k.containerServe(z); err != nil {
sp.destroy()
printMessageError(func(v ...any) { k.fatal(fmt.Sprintln(v...)) },
"cannot configure container:", err)
}
@@ -364,13 +236,10 @@ func shimEntrypoint(k syscallDispatcher) {
seccomp.Preset(std.PresetStrict, seccomp.AllowMultiarch),
seccomp.AllowMultiarch,
); err != nil {
sp.destroy()
k.fatalf("cannot load syscall filter: %v", err)
}
if err := k.containerWait(z); err != nil {
sp.destroy()
var exitError *exec.ExitError
if !errors.As(err, &exitError) {
if errors.Is(err, context.Canceled) {
@@ -381,5 +250,4 @@ func shimEntrypoint(k syscallDispatcher) {
}
k.exit(exitError.ExitCode())
}
sp.destroy()
}

2
internal/outcome/shim_test.go
View File

@@ -69,7 +69,7 @@ func TestShimEntrypoint(t *testing.T) {
Tmpfs(fhs.AbsDevShm, 0, 01777).
// spRuntimeOp
Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
Bind(m("/tmp/hakurei.10/runtime/9999"), m("/run/user/1000"), std.BindWritable).
// spTmpdirOp

4
internal/outcome/spcontainer.go
View File

@@ -382,10 +382,6 @@ func (p opsAdapter) Link(target *check.Absolute, linkName string, dereference bo
return opsAdapter{p.Ops.Link(target, linkName, dereference)}
}
func (p opsAdapter) Daemon(target, path *check.Absolute, args ...string) hst.Ops {
return opsAdapter{p.Ops.Daemon(target, path, args...)}
}
func (p opsAdapter) Root(host *check.Absolute, flags int) hst.Ops {
return opsAdapter{p.Ops.Root(host, flags)}
}

53
internal/outcome/sppipewire.go
View File

@@ -1,53 +0,0 @@
package outcome
import (
"encoding/gob"
"hakurei.app/container/check"
"hakurei.app/hst"
"hakurei.app/internal/pipewire"
)
const pipewirePulseName = "pipewire-pulse"
func init() { gob.Register(new(spPipeWireOp)) }
// spPipeWireOp exports the PipeWire server to the container via SecurityContext.
// Runs after spRuntimeOp.
type spPipeWireOp struct {
// Path to pipewire-pulse server. Populated during toSystem if DirectPipeWire is false.
CompatServerPath *check.Absolute
}
func (s *spPipeWireOp) toSystem(state *outcomeStateSys) error {
if state.et&hst.EPipeWire == 0 {
return errNotEnabled
}
if !state.directPipeWire {
if n, err := state.k.lookPath(pipewirePulseName); err != nil {
return &hst.AppError{Step: "look up " + pipewirePulseName, Err: err}
} else if s.CompatServerPath, err = check.NewAbs(n); err != nil {
return err
}
}
appId := state.appId
if appId == "" {
// use instance ID in case app id is not set
appId = "app.hakurei." + state.id.String()
}
state.sys.PipeWire(state.instance().Append("pipewire"), appId, state.id.String())
return nil
}
func (s *spPipeWireOp) toContainer(state *outcomeStateParams) error {
if s.CompatServerPath == nil {
innerPath := state.runtimeDir.Append(pipewire.PW_DEFAULT_REMOTE)
state.env[pipewire.Remote] = innerPath.String()
state.params.Bind(state.instancePath().Append("pipewire"), innerPath, 0)
}
// pipewire-pulse behaviour implemented in shim.go
state.pipewirePulsePath = s.CompatServerPath
return nil
}

49
internal/outcome/sppipewire_test.go
View File

@@ -1,49 +0,0 @@
package outcome
import (
"testing"
"hakurei.app/container"
"hakurei.app/container/stub"
"hakurei.app/hst"
"hakurei.app/internal/pipewire"
"hakurei.app/internal/system"
)
func TestSpPipeWireOp(t *testing.T) {
t.Parallel()
config := hst.Template()
checkOpBehaviour(t, []opBehaviourTestCase{
{"not enabled", func(bool, bool) outcomeOp {
return new(spPipeWireOp)
}, func() *hst.Config {
c := hst.Template()
*c.Enablements = 0
return c
}, nil, nil, nil, nil, errNotEnabled, nil, nil, nil, nil, nil},
{"success", func(bool, bool) outcomeOp {
return new(spPipeWireOp)
}, func() *hst.Config {
c := hst.Template()
c.DirectPipeWire = true
return c
}, nil, []stub.Call{}, newI().
// state.instance
Ephemeral(system.Process, m(wantInstancePrefix), 0711).
// toSystem
PipeWire(
m(wantInstancePrefix+"/pipewire"),
"org.chromium.Chromium",
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
), sysUsesInstance(nil), nil, insertsOps(afterSpRuntimeOp(nil)), []stub.Call{
// this op configures the container state and does not make calls during toContainer
}, &container.Params{
Ops: new(container.Ops).
Bind(m(wantInstancePrefix+"/pipewire"), m("/run/user/1000/pipewire-0"), 0),
}, paramsWantEnv(config, map[string]string{
pipewire.Remote: "/run/user/1000/pipewire-0",
}, nil), nil},
})
}

2
internal/outcome/sppulse.go
View File

@@ -29,7 +29,7 @@ type spPulseOp struct {
}
func (s *spPulseOp) toSystem(state *outcomeStateSys) error {
if !state.directPulse || state.et&hst.EPulse == 0 {
if state.et&hst.EPulse == 0 {
return errNotEnabled
}

42
internal/outcome/sppulse_test.go
View File

@@ -18,40 +18,24 @@ import (
func TestSpPulseOp(t *testing.T) {
t.Parallel()
newConfig := func() *hst.Config {
config := hst.Template()
config.DirectPulse = true
config.Enablements = hst.NewEnablements(hst.EPulse)
return config
}
config := newConfig()
config := hst.Template()
sampleCookie := bytes.Repeat([]byte{0xfc}, pulseCookieSizeMax)
checkOpBehaviour(t, []opBehaviourTestCase{
{"not enabled", func(bool, bool) outcomeOp {
return new(spPulseOp)
}, func() *hst.Config {
c := newConfig()
c.DirectPulse = true
c := hst.Template()
*c.Enablements = 0
return c
}, nil, nil, nil, nil, errNotEnabled, nil, nil, nil, nil, nil},
{"not enabled direct", func(bool, bool) outcomeOp {
return new(spPulseOp)
}, func() *hst.Config {
c := newConfig()
c.DirectPulse = false
return c
}, nil, nil, nil, nil, errNotEnabled, nil, nil, nil, nil, nil},
{"socketDir stat", func(isShim, _ bool) outcomeOp {
if !isShim {
return new(spPulseOp)
}
return &spPulseOp{Cookie: (*[256]byte)(sampleCookie)}
}, newConfig, nil, []stub.Call{
}, hst.Template, nil, []stub.Call{
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), stub.UniqueError(2)),
}, nil, nil, &hst.AppError{
Step: `access PulseAudio directory "/proc/nonexistent/xdg_runtime_dir/pulse"`,
@@ -60,7 +44,7 @@ func TestSpPulseOp(t *testing.T) {
{"socketDir nonexistent", func(bool, bool) outcomeOp {
return new(spPulseOp)
}, newConfig, nil, []stub.Call{
}, hst.Template, nil, []stub.Call{
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), os.ErrNotExist),
}, nil, nil, &hst.AppError{
Step: "finalise",
@@ -70,7 +54,7 @@ func TestSpPulseOp(t *testing.T) {
{"socket stat", func(bool, bool) outcomeOp {
return new(spPulseOp)
}, newConfig, nil, []stub.Call{
}, hst.Template, nil, []stub.Call{
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, (*stubFi)(nil), stub.UniqueError(1)),
}, nil, nil, &hst.AppError{
@@ -80,7 +64,7 @@ func TestSpPulseOp(t *testing.T) {
{"socket nonexistent", func(bool, bool) outcomeOp {
return new(spPulseOp)
}, newConfig, nil, []stub.Call{
}, hst.Template, nil, []stub.Call{
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, (*stubFi)(nil), os.ErrNotExist),
}, nil, nil, &hst.AppError{
@@ -91,7 +75,7 @@ func TestSpPulseOp(t *testing.T) {
{"socket mode", func(bool, bool) outcomeOp {
return new(spPulseOp)
}, newConfig, nil, []stub.Call{
}, hst.Template, nil, []stub.Call{
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0660}, nil),
}, nil, nil, &hst.AppError{
@@ -102,7 +86,7 @@ func TestSpPulseOp(t *testing.T) {
{"cookie notAbs", func(bool, bool) outcomeOp {
return new(spPulseOp)
}, newConfig, nil, []stub.Call{
}, hst.Template, nil, []stub.Call{
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "proc/nonexistent/cookie", nil),
@@ -113,7 +97,7 @@ func TestSpPulseOp(t *testing.T) {
{"cookie loadFile", func(bool, bool) outcomeOp {
return new(spPulseOp)
}, newConfig, nil, []stub.Call{
}, hst.Template, nil, []stub.Call{
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "/proc/nonexistent/cookie", nil),
@@ -134,7 +118,7 @@ func TestSpPulseOp(t *testing.T) {
op.CookieSize += +0xfd
}
return op
}, newConfig, nil, []stub.Call{
}, hst.Template, nil, []stub.Call{
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "/proc/nonexistent/cookie", nil),
@@ -166,7 +150,7 @@ func TestSpPulseOp(t *testing.T) {
sampleCookieTrunc := make([]byte, pulseCookieSizeMax)
copy(sampleCookieTrunc, sampleCookie[:len(sampleCookie)-0xe])
return &spPulseOp{Cookie: (*[pulseCookieSizeMax]byte)(sampleCookieTrunc), CookieSize: pulseCookieSizeMax - 0xe}
}, newConfig, nil, []stub.Call{
}, hst.Template, nil, []stub.Call{
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "/proc/nonexistent/cookie", nil),
@@ -199,7 +183,7 @@ func TestSpPulseOp(t *testing.T) {
return new(spPulseOp)
}
return &spPulseOp{Cookie: (*[pulseCookieSizeMax]byte)(sampleCookie), CookieSize: pulseCookieSizeMax}
}, newConfig, nil, []stub.Call{
}, hst.Template, nil, []stub.Call{
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "/proc/nonexistent/cookie", nil),
@@ -229,7 +213,7 @@ func TestSpPulseOp(t *testing.T) {
{"success", func(bool, bool) outcomeOp {
return new(spPulseOp)
}, newConfig, nil, []stub.Call{
}, hst.Template, nil, []stub.Call{
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, nil, nil),

5
internal/outcome/spruntime.go
View File

@@ -91,9 +91,6 @@ func (s *spRuntimeOp) toSystem(state *outcomeStateSys) error {
return nil
}
// xdgRuntimeDirSize is the size of the filesystem mounted on inner XDG_RUNTIME_DIR.
const xdgRuntimeDirSize = 1 << 24
func (s *spRuntimeOp) toContainer(state *outcomeStateParams) error {
state.runtimeDir = fhs.AbsRunUser.Append(state.mapuid.String())
state.env[envXDGRuntimeDir] = state.runtimeDir.String()
@@ -111,7 +108,7 @@ func (s *spRuntimeOp) toContainer(state *outcomeStateParams) error {
}
state.params.Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755)
state.params.Tmpfs(fhs.AbsRunUser, 1<<12, 0755)
if state.Container.Flags&hst.FShareRuntime != 0 {
_, runtimeDirInst := s.commonPaths(state.outcomeState)
state.params.Bind(runtimeDirInst, state.runtimeDir, std.BindWritable)

8
internal/outcome/spruntime_test.go
View File

@@ -40,7 +40,7 @@ func TestSpRuntimeOp(t *testing.T) {
// this op configures the container state and does not make calls during toContainer
}, &container.Params{
Ops: new(container.Ops).
Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), std.BindWritable),
}, paramsWantEnv(config, map[string]string{
"XDG_RUNTIME_DIR": "/run/user/1000",
@@ -67,7 +67,7 @@ func TestSpRuntimeOp(t *testing.T) {
// this op configures the container state and does not make calls during toContainer
}, &container.Params{
Ops: new(container.Ops).
Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), std.BindWritable),
}, paramsWantEnv(config, map[string]string{
"XDG_RUNTIME_DIR": "/run/user/1000",
@@ -94,7 +94,7 @@ func TestSpRuntimeOp(t *testing.T) {
// this op configures the container state and does not make calls during toContainer
}, &container.Params{
Ops: new(container.Ops).
Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), std.BindWritable),
}, paramsWantEnv(config, map[string]string{
"XDG_RUNTIME_DIR": "/run/user/1000",
@@ -117,7 +117,7 @@ func TestSpRuntimeOp(t *testing.T) {
// this op configures the container state and does not make calls during toContainer
}, &container.Params{
Ops: new(container.Ops).
Tmpfs(fhs.AbsRunUser, xdgRuntimeDirSize, 0755).
Tmpfs(fhs.AbsRunUser, 1<<12, 0755).
Bind(m("/proc/nonexistent/tmp/hakurei.0/runtime/9"), m("/run/user/1000"), std.BindWritable),
}, paramsWantEnv(config, map[string]string{
"XDG_RUNTIME_DIR": "/run/user/1000",

129
internal/pipewire/client.go
View File

@@ -1,129 +0,0 @@
package pipewire
/* pipewire/client.h */
const (
PW_TYPE_INTERFACE_Client = PW_TYPE_INFO_INTERFACE_BASE + "Client"
PW_CLIENT_PERM_MASK = PW_PERM_RWXM
PW_VERSION_CLIENT = 3
PW_ID_CLIENT = 1
)
const (
PW_CLIENT_CHANGE_MASK_PROPS = 1 << iota
PW_CLIENT_CHANGE_MASK_ALL = 1<<iota - 1
)
const (
PW_CLIENT_EVENT_INFO = iota
PW_CLIENT_EVENT_PERMISSIONS
PW_CLIENT_EVENT_NUM
PW_VERSION_CLIENT_EVENTS = 0
)
const (
PW_CLIENT_METHOD_ADD_LISTENER = iota
PW_CLIENT_METHOD_ERROR
PW_CLIENT_METHOD_UPDATE_PROPERTIES
PW_CLIENT_METHOD_GET_PERMISSIONS
PW_CLIENT_METHOD_UPDATE_PERMISSIONS
PW_CLIENT_METHOD_NUM
PW_VERSION_CLIENT_METHODS = 0
)
// The ClientInfo event provides client information updates.
// This is emitted when binding to a client or when the client info is updated later.
type ClientInfo struct {
// The global id of the client.
ID Int `json:"id"`
// The changes emitted by this event.
ChangeMask Long `json:"change_mask"`
// Properties of this object, valid when change_mask has PW_CLIENT_CHANGE_MASK_PROPS.
Properties *SPADict `json:"props"`
}
// Opcode satisfies [Message] with a constant value.
func (c *ClientInfo) Opcode() byte { return PW_CLIENT_EVENT_INFO }
// FileCount satisfies [Message] with a constant value.
func (c *ClientInfo) FileCount() Int { return 0 }
// Size satisfies [KnownSize] with a value computed at runtime.
func (c *ClientInfo) Size() Word {
return SizePrefix +
Size(SizeInt) +
Size(SizeLong) +
c.Properties.Size()
}
// MarshalBinary satisfies [encoding.BinaryMarshaler] via [Marshal].
func (c *ClientInfo) MarshalBinary() ([]byte, error) { return Marshal(c) }
// UnmarshalBinary satisfies [encoding.BinaryUnmarshaler] via [Unmarshal].
func (c *ClientInfo) UnmarshalBinary(data []byte) error { return Unmarshal(data, c) }
// ClientUpdateProperties is used to update the properties of a client.
type ClientUpdateProperties struct {
// Properties to update on the client.
Properties *SPADict `json:"props"`
}
// Opcode satisfies [Message] with a constant value.
func (c *ClientUpdateProperties) Opcode() byte { return PW_CLIENT_METHOD_UPDATE_PROPERTIES }
// FileCount satisfies [Message] with a constant value.
func (c *ClientUpdateProperties) FileCount() Int { return 0 }
// Size satisfies [KnownSize] with a value computed at runtime.
func (c *ClientUpdateProperties) Size() Word { return SizePrefix + c.Properties.Size() }
// MarshalBinary satisfies [encoding.BinaryMarshaler] via [Marshal].
func (c *ClientUpdateProperties) MarshalBinary() ([]byte, error) { return Marshal(c) }
// UnmarshalBinary satisfies [encoding.BinaryUnmarshaler] via [Unmarshal].
func (c *ClientUpdateProperties) UnmarshalBinary(data []byte) error { return Unmarshal(data, c) }
// clientUpdateProperties queues a [ClientUpdateProperties] message for the PipeWire server.
// This method should not be called directly, the New function queues this message.
func (ctx *Context) clientUpdateProperties(props SPADict) error {
return ctx.writeMessage(
PW_ID_CLIENT,
&ClientUpdateProperties{&props},
)
}
// Client holds state of [PW_TYPE_INTERFACE_Client].
type Client struct {
// Additional information from the server, populated or updated during [Context.Roundtrip].
Info *ClientInfo `json:"info"`
// Populated by [CoreBoundProps] events targeting [Client].
Properties SPADict `json:"props"`
noRemove
}
func (client *Client) consume(opcode byte, files []int, unmarshal func(v any)) error {
closeReceivedFiles(files...)
switch opcode {
case PW_CLIENT_EVENT_INFO:
unmarshal(&client.Info)
return nil
default:
panic(&UnsupportedOpcodeError{opcode, client.String()})
}
}
func (client *Client) setBoundProps(event *CoreBoundProps) error {
if event.Properties != nil {
client.Properties = *event.Properties
}
return nil
}
func (client *Client) String() string { return PW_TYPE_INTERFACE_Registry }

157
internal/pipewire/client_test.go
View File

@@ -1,157 +0,0 @@
package pipewire_test
import (
"testing"
"hakurei.app/internal/pipewire"
)
func TestClientInfo(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.ClientInfo, *pipewire.ClientInfo]{
{"sample", samplePWContainer[1][2][1], pipewire.ClientInfo{
ID: 34,
ChangeMask: pipewire.PW_CLIENT_CHANGE_MASK_PROPS,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_PROTOCOL, Value: "protocol-native"},
{Key: pipewire.PW_KEY_CORE_NAME, Value: "pipewire-0"},
{Key: pipewire.PW_KEY_SEC_SOCKET, Value: "pipewire-0-manager"},
{Key: pipewire.PW_KEY_SEC_PID, Value: "1443"},
{Key: pipewire.PW_KEY_SEC_UID, Value: "1000"},
{Key: pipewire.PW_KEY_SEC_GID, Value: "100"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "2"},
{Key: pipewire.PW_KEY_OBJECT_ID, Value: "34"},
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "34"},
}}, nil},
{"sample*", samplePWContainer[1][3][1], pipewire.ClientInfo{
ID: 34,
ChangeMask: pipewire.PW_CLIENT_CHANGE_MASK_PROPS,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_PROTOCOL, Value: "protocol-native"},
{Key: pipewire.PW_KEY_CORE_NAME, Value: "pipewire-alice-1443"},
{Key: pipewire.PW_KEY_SEC_SOCKET, Value: "pipewire-0-manager"},
{Key: pipewire.PW_KEY_SEC_PID, Value: "1443"},
{Key: pipewire.PW_KEY_SEC_UID, Value: "1000"},
{Key: pipewire.PW_KEY_SEC_GID, Value: "100"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "2"},
{Key: pipewire.PW_KEY_OBJECT_ID, Value: "34"},
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "34"},
{Key: pipewire.PW_KEY_REMOTE_INTENTION, Value: "manager"},
{Key: pipewire.PW_KEY_APP_NAME, Value: "pw-container"},
{Key: pipewire.PW_KEY_APP_PROCESS_BINARY, Value: "pw-container"},
{Key: pipewire.PW_KEY_APP_LANGUAGE, Value: "en_US.UTF-8"},
{Key: pipewire.PW_KEY_APP_PROCESS_ID, Value: "1443"},
{Key: pipewire.PW_KEY_APP_PROCESS_USER, Value: "alice"},
{Key: pipewire.PW_KEY_APP_PROCESS_HOST, Value: "nixos"},
{Key: pipewire.PW_KEY_APP_PROCESS_SESSION_ID, Value: "1"},
{Key: pipewire.PW_KEY_WINDOW_X11_DISPLAY, Value: ":0"},
{Key: "cpu.vm.name", Value: "qemu"},
{Key: "log.level", Value: "0"},
{Key: pipewire.PW_KEY_CPU_MAX_ALIGN, Value: "32"},
{Key: "default.clock.rate", Value: "48000"},
{Key: "default.clock.quantum", Value: "1024"},
{Key: "default.clock.min-quantum", Value: "32"},
{Key: "default.clock.max-quantum", Value: "2048"},
{Key: "default.clock.quantum-limit", Value: "8192"},
{Key: "default.clock.quantum-floor", Value: "4"},
{Key: "default.video.width", Value: "640"},
{Key: "default.video.height", Value: "480"},
{Key: "default.video.rate.num", Value: "25"},
{Key: "default.video.rate.denom", Value: "1"},
{Key: "clock.power-of-two-quantum", Value: "true"},
{Key: "link.max-buffers", Value: "64"},
{Key: "mem.warn-mlock", Value: "false"},
{Key: "mem.allow-mlock", Value: "true"},
{Key: "settings.check-quantum", Value: "false"},
{Key: "settings.check-rate", Value: "false"},
{Key: pipewire.PW_KEY_CORE_VERSION, Value: "1.4.7"},
}}, nil},
{"sample**", samplePWContainer[1][4][1], pipewire.ClientInfo{
ID: 34,
ChangeMask: pipewire.PW_CLIENT_CHANGE_MASK_PROPS,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_PROTOCOL, Value: "protocol-native"},
{Key: pipewire.PW_KEY_CORE_NAME, Value: "pipewire-alice-1443"},
{Key: pipewire.PW_KEY_SEC_SOCKET, Value: "pipewire-0-manager"},
{Key: pipewire.PW_KEY_SEC_PID, Value: "1443"},
{Key: pipewire.PW_KEY_SEC_UID, Value: "1000"},
{Key: pipewire.PW_KEY_SEC_GID, Value: "100"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "2"},
{Key: pipewire.PW_KEY_OBJECT_ID, Value: "34"},
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "34"},
{Key: pipewire.PW_KEY_REMOTE_INTENTION, Value: "manager"},
{Key: pipewire.PW_KEY_APP_NAME, Value: "pw-container"},
{Key: pipewire.PW_KEY_APP_PROCESS_BINARY, Value: "pw-container"},
{Key: pipewire.PW_KEY_APP_LANGUAGE, Value: "en_US.UTF-8"},
{Key: pipewire.PW_KEY_APP_PROCESS_ID, Value: "1443"},
{Key: pipewire.PW_KEY_APP_PROCESS_USER, Value: "alice"},
{Key: pipewire.PW_KEY_APP_PROCESS_HOST, Value: "nixos"},
{Key: pipewire.PW_KEY_APP_PROCESS_SESSION_ID, Value: "1"},
{Key: pipewire.PW_KEY_WINDOW_X11_DISPLAY, Value: ":0"},
{Key: "cpu.vm.name", Value: "qemu"},
{Key: "log.level", Value: "0"},
{Key: pipewire.PW_KEY_CPU_MAX_ALIGN, Value: "32"},
{Key: "default.clock.rate", Value: "48000"},
{Key: "default.clock.quantum", Value: "1024"},
{Key: "default.clock.min-quantum", Value: "32"},
{Key: "default.clock.max-quantum", Value: "2048"},
{Key: "default.clock.quantum-limit", Value: "8192"},
{Key: "default.clock.quantum-floor", Value: "4"},
{Key: "default.video.width", Value: "640"},
{Key: "default.video.height", Value: "480"},
{Key: "default.video.rate.num", Value: "25"},
{Key: "default.video.rate.denom", Value: "1"},
{Key: "clock.power-of-two-quantum", Value: "true"},
{Key: "link.max-buffers", Value: "64"},
{Key: "mem.warn-mlock", Value: "false"},
{Key: "mem.allow-mlock", Value: "true"},
{Key: "settings.check-quantum", Value: "false"},
{Key: "settings.check-rate", Value: "false"},
{Key: pipewire.PW_KEY_CORE_VERSION, Value: "1.4.7"},
{Key: pipewire.PW_KEY_ACCESS, Value: "unrestricted"},
},
}, nil},
}.run(t)
}
func TestClientUpdateProperties(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.ClientUpdateProperties, *pipewire.ClientUpdateProperties]{
{"sample", samplePWContainer[0][1][1], pipewire.ClientUpdateProperties{Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_REMOTE_INTENTION, Value: "manager"},
{Key: pipewire.PW_KEY_APP_NAME, Value: "pw-container"},
{Key: pipewire.PW_KEY_APP_PROCESS_BINARY, Value: "pw-container"},
{Key: pipewire.PW_KEY_APP_LANGUAGE, Value: "en_US.UTF-8"},
{Key: pipewire.PW_KEY_APP_PROCESS_ID, Value: "1443"},
{Key: pipewire.PW_KEY_APP_PROCESS_USER, Value: "alice"},
{Key: pipewire.PW_KEY_APP_PROCESS_HOST, Value: "nixos"},
{Key: pipewire.PW_KEY_APP_PROCESS_SESSION_ID, Value: "1"},
{Key: pipewire.PW_KEY_WINDOW_X11_DISPLAY, Value: ":0"},
{Key: "cpu.vm.name", Value: "qemu"},
{Key: "log.level", Value: "0"},
{Key: pipewire.PW_KEY_CPU_MAX_ALIGN, Value: "32"},
{Key: "default.clock.rate", Value: "48000"},
{Key: "default.clock.quantum", Value: "1024"},
{Key: "default.clock.min-quantum", Value: "32"},
{Key: "default.clock.max-quantum", Value: "2048"},
{Key: "default.clock.quantum-limit", Value: "8192"},
{Key: "default.clock.quantum-floor", Value: "4"},
{Key: "default.video.width", Value: "640"},
{Key: "default.video.height", Value: "480"},
{Key: "default.video.rate.num", Value: "25"},
{Key: "default.video.rate.denom", Value: "1"},
{Key: "clock.power-of-two-quantum", Value: "true"},
{Key: "link.max-buffers", Value: "64"},
{Key: "mem.warn-mlock", Value: "false"},
{Key: "mem.allow-mlock", Value: "true"},
{Key: "settings.check-quantum", Value: "false"},
{Key: "settings.check-rate", Value: "false"},
{Key: pipewire.PW_KEY_CORE_VERSION, Value: "1.4.7"},
{Key: pipewire.PW_KEY_CORE_NAME, Value: "pipewire-alice-1443"},
}}, nil},
}.run(t)
}

85
internal/pipewire/conn.go Normal file
View File

@@ -0,0 +1,85 @@
package pipewire
import (
"errors"
"os"
"syscall"
"hakurei.app/container/check"
)
// SecurityContext holds resources associated with a PipeWire security context.
type SecurityContext struct {
// Pipe with its write end passed to the PipeWire security context.
closeFds [2]int
// Absolute pathname the socket was bound to.
bindPath *check.Absolute
}
// Close releases any resources held by [SecurityContext], and prevents further
// connections to its associated socket.
//
// A non-nil error has the concrete type [Error].
func (sc *SecurityContext) Close() error {
if sc == nil || sc.bindPath == nil {
return os.ErrInvalid
}
e := Error{RCleanup, sc.bindPath.String(), errors.Join(
syscall.Close(sc.closeFds[1]),
syscall.Close(sc.closeFds[0]),
// there is still technically a TOCTOU here but this is internal
// and has access to the privileged pipewire socket, so it only
// receives trusted input (e.g. from cmd/hakurei) anyway
os.Remove(sc.bindPath.String()),
)}
if e.Errno != nil {
return &e
}
return nil
}
// New creates a new security context on the PipeWire remote at remotePath
// or auto-detected, and associates it with a new socket bound to bindPath.
//
// New does not attach a finalizer to the resulting [SecurityContext] struct.
// The caller is responsible for calling [SecurityContext.Close].
//
// A non-nil error unwraps to concrete type [Error].
func New(remotePath, bindPath *check.Absolute) (*SecurityContext, error) {
// ensure bindPath is available
if f, err := os.Create(bindPath.String()); err != nil {
return nil, &Error{RCreate, bindPath.String(), err}
} else if err = f.Close(); err != nil {
return nil, &Error{RCreate, bindPath.String(), err}
} else if err = os.Remove(bindPath.String()); err != nil {
return nil, &Error{RCreate, bindPath.String(), err}
}
// write end passed to PipeWire security context close_fd
var closeFds [2]int
if err := syscall.Pipe2(closeFds[0:], syscall.O_CLOEXEC); err != nil {
return nil, err
}
// zero value causes auto-detect
var remotePathVal string
if remotePath != nil {
remotePathVal = remotePath.String()
}
// returned error is already wrapped
if err := securityContextBind(
bindPath.String(),
remotePathVal,
closeFds[1],
); err != nil {
return nil, errors.Join(err, // already wrapped
syscall.Close(closeFds[1]),
syscall.Close(closeFds[0]),
)
} else {
return &SecurityContext{closeFds, bindPath}, nil
}
}

66
internal/pipewire/conn_test.go Normal file
View File

@@ -0,0 +1,66 @@
package pipewire
import (
"errors"
"os"
"path"
"reflect"
"syscall"
"testing"
"hakurei.app/container/check"
)
func TestSecurityContextClose(t *testing.T) {
// do not parallel: fd test not thread safe
if err := (*SecurityContext)(nil).Close(); !reflect.DeepEqual(err, os.ErrInvalid) {
t.Fatalf("Close: error = %v", err)
}
var ctx SecurityContext
if err := syscall.Pipe2(ctx.closeFds[0:], syscall.O_CLOEXEC); err != nil {
t.Fatalf("Pipe: error = %v", err)
}
if f, err := os.Create(path.Join(t.TempDir(), "remove")); err != nil {
t.Fatal(err)
} else {
ctx.bindPath = check.MustAbs(f.Name())
}
t.Cleanup(func() { _ = syscall.Close(ctx.closeFds[0]); _ = syscall.Close(ctx.closeFds[1]) })
if err := ctx.Close(); err != nil {
t.Fatalf("Close: error = %v", err)
} else if _, err = os.Stat(ctx.bindPath.String()); err == nil || !errors.Is(err, os.ErrNotExist) {
t.Fatalf("Did not remove %q", ctx.bindPath)
}
wantErr := &Error{Cause: RCleanup, Path: ctx.bindPath.String(), Errno: errors.Join(syscall.EBADF, syscall.EBADF, &os.PathError{
Op: "remove",
Path: ctx.bindPath.String(),
Err: syscall.ENOENT,
})}
if err := ctx.Close(); !reflect.DeepEqual(err, wantErr) {
t.Fatalf("Close: error = %#v, want %#v", err, wantErr)
}
}
func TestNewEnsure(t *testing.T) {
existingDirPath := check.MustAbs(t.TempDir()).Append("dir")
if err := os.MkdirAll(existingDirPath.String(), 0700); err != nil {
t.Fatal(err)
}
nonexistent := check.MustAbs("/proc/nonexistent")
wantErr := &Error{RCreate, existingDirPath.String(), &os.PathError{
Op: "open",
Path: existingDirPath.String(),
Err: syscall.EISDIR,
}}
if _, err := New(
nonexistent,
existingDirPath,
); !reflect.DeepEqual(err, wantErr) {
t.Fatalf("New: error = %#v, want %#v", err, wantErr)
}
}

1054
internal/pipewire/core.go
View File

File diff suppressed because it is too large Load Diff

888
internal/pipewire/core_test.go
View File

@@ -1,888 +0,0 @@
package pipewire_test
import (
"testing"
"hakurei.app/internal/pipewire"
)
func TestFooterCoreGeneration(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.Footer[pipewire.FooterCoreGeneration], *pipewire.Footer[pipewire.FooterCoreGeneration]]{
/* recvmsg 0 */
{"sample0", samplePWContainer[1][0][2], pipewire.Footer[pipewire.FooterCoreGeneration]{
Opcode: pipewire.FOOTER_CORE_OPCODE_GENERATION,
Payload: pipewire.FooterCoreGeneration{RegistryGeneration: 0x22},
}, nil},
{"sample1", samplePWContainer[1][5][2], pipewire.Footer[pipewire.FooterCoreGeneration]{
Opcode: pipewire.FOOTER_CORE_OPCODE_GENERATION,
Payload: pipewire.FooterCoreGeneration{RegistryGeneration: 0x23},
}, nil},
// happens on the last message, client footer sent in the next roundtrip
{"sample2", samplePWContainer[1][42][2], pipewire.Footer[pipewire.FooterCoreGeneration]{
Opcode: pipewire.FOOTER_CORE_OPCODE_GENERATION,
Payload: pipewire.FooterCoreGeneration{RegistryGeneration: 0x24},
}, nil},
}.run(t)
encodingTestCases[pipewire.Footer[pipewire.FooterClientGeneration], *pipewire.Footer[pipewire.FooterClientGeneration]]{
/* sendmsg 1 */
{"sample0", samplePWContainer[3][0][2], pipewire.Footer[pipewire.FooterClientGeneration]{
Opcode: pipewire.FOOTER_CORE_OPCODE_GENERATION,
// triggered by difference in sample1, sample0 is overwritten in the same roundtrip
Payload: pipewire.FooterClientGeneration{ClientGeneration: 0x23},
}, nil},
/* sendmsg 2 */
{"sample1", samplePWContainer[6][0][2], pipewire.Footer[pipewire.FooterClientGeneration]{
// triggered by difference in sample2, last footer in the previous roundtrip
Opcode: pipewire.FOOTER_CORE_OPCODE_GENERATION,
Payload: pipewire.FooterClientGeneration{ClientGeneration: 0x24},
}, nil},
}.run(t)
}
func TestCoreInfo(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.CoreInfo, *pipewire.CoreInfo]{
{"sample", samplePWContainer[1][0][1], pipewire.CoreInfo{
ID: 0,
Cookie: -2069267610,
UserName: "alice",
HostName: "nixos",
Version: "1.4.7",
Name: "pipewire-0",
ChangeMask: pipewire.PW_CORE_CHANGE_MASK_PROPS,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_CONFIG_NAME, Value: "pipewire.conf"},
{Key: pipewire.PW_KEY_APP_NAME, Value: "pipewire"},
{Key: pipewire.PW_KEY_APP_PROCESS_BINARY, Value: "pipewire"},
{Key: pipewire.PW_KEY_APP_LANGUAGE, Value: "en_US.UTF-8"},
{Key: pipewire.PW_KEY_APP_PROCESS_ID, Value: "1446"},
{Key: pipewire.PW_KEY_APP_PROCESS_USER, Value: "alice"},
{Key: pipewire.PW_KEY_APP_PROCESS_HOST, Value: "nixos"},
{Key: pipewire.PW_KEY_WINDOW_X11_DISPLAY, Value: ":0"},
{Key: "cpu.vm.name", Value: "qemu"},
{Key: "link.max-buffers", Value: "16"},
{Key: pipewire.PW_KEY_CORE_DAEMON, Value: "true"},
{Key: pipewire.PW_KEY_CORE_NAME, Value: "pipewire-0"},
{Key: "default.clock.min-quantum", Value: "1024"},
{Key: pipewire.PW_KEY_CPU_MAX_ALIGN, Value: "32"},
{Key: "default.clock.rate", Value: "48000"},
{Key: "default.clock.quantum", Value: "1024"},
{Key: "default.clock.max-quantum", Value: "2048"},
{Key: "default.clock.quantum-limit", Value: "8192"},
{Key: "default.clock.quantum-floor", Value: "4"},
{Key: "default.video.width", Value: "640"},
{Key: "default.video.height", Value: "480"},
{Key: "default.video.rate.num", Value: "25"},
{Key: "default.video.rate.denom", Value: "1"},
{Key: "log.level", Value: "2"},
{Key: "clock.power-of-two-quantum", Value: "true"},
{Key: "mem.warn-mlock", Value: "false"},
{Key: "mem.allow-mlock", Value: "true"},
{Key: "settings.check-quantum", Value: "false"},
{Key: "settings.check-rate", Value: "false"},
{Key: pipewire.PW_KEY_OBJECT_ID, Value: "0"},
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "0"}},
}, nil},
}.run(t)
}
func TestCoreDone(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.CoreDone, *pipewire.CoreDone]{
{"sample0", samplePWContainer[1][5][1], pipewire.CoreDone{
ID: -1,
Sequence: 0,
}, nil},
// matches the Core::Sync sample
{"sample1", samplePWContainer[1][41][1], pipewire.CoreDone{
ID: 0,
Sequence: pipewire.CoreSyncSequenceOffset + 3,
}, nil},
// matches the second Core::Sync sample
{"sample2", samplePWContainer[7][0][1], pipewire.CoreDone{
ID: 0,
Sequence: pipewire.CoreSyncSequenceOffset + 6,
}, nil},
}.run(t)
}
func TestCorePing(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.CorePing, *pipewire.CorePing]{
// handmade sample
{"sample", []byte{
/* size: rest of data */ 0x20, 0, 0, 0,
/* type: Struct */ byte(pipewire.SPA_TYPE_Struct), 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ byte(pipewire.SPA_TYPE_Int), 0, 0, 0,
/* value: -1 */ 0xff, 0xff, 0xff, 0xff,
/* padding */ 0, 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ byte(pipewire.SPA_TYPE_Int), 0, 0, 0,
/* value: 0 */ 0, 0, 0, 0,
/* padding */ 0, 0, 0, 0,
}, pipewire.CorePing{
ID: -1,
Sequence: 0,
}, nil},
}.run(t)
}
func TestCoreError(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.CoreError, *pipewire.CoreError]{
// captured from pw-cli
{"pw-cli", []byte{
/* size: rest of data */ 0x58, 0, 0, 0,
/* type: Struct */ 0xe, 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ 4, 0, 0, 0,
/* value: 2 */ 2, 0, 0, 0,
/* padding */ 0, 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ 4, 0, 0, 0,
/* value: 0x67 */ 0x67, 0, 0, 0,
/* padding */ 0, 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ 4, 0, 0, 0,
/* value: -1 */ 0xff, 0xff, 0xff, 0xff,
/* padding */ 0, 0, 0, 0,
/* size: 0x1b bytes */ 0x1b, 0, 0, 0,
/* type: String */ 8, 0, 0, 0,
// value: "no permission to destroy 0\x00"
0x6e, 0x6f, 0x20, 0x70,
0x65, 0x72, 0x6d, 0x69,
0x73, 0x73, 0x69, 0x6f,
0x6e, 0x20, 0x74, 0x6f,
0x20, 0x64, 0x65, 0x73,
0x74, 0x72, 0x6f, 0x79,
0x20, 0x30, 0,
/* padding */ 0, 0, 0, 0, 0,
}, pipewire.CoreError{
ID: 2,
Sequence: 0x67,
Result: -1,
Message: "no permission to destroy 0",
}, nil},
}.run(t)
}
func TestCoreRemoveId(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.CoreRemoveId, *pipewire.CoreRemoveId]{
{"sample", []byte{
/* size: rest of data */ 0x10, 0, 0, 0,
/* type: Struct */ 0xe, 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ 4, 0, 0, 0,
/* value: 3 */ 3, 0, 0, 0,
/* padding */ 0, 0, 0, 0,
}, pipewire.CoreRemoveId{
ID: 3,
}, nil},
}.run(t)
}
func TestCoreBoundProps(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.CoreBoundProps, *pipewire.CoreBoundProps]{
/* recvmsg 0 */
{"sample0", samplePWContainer[1][1][1], pipewire.CoreBoundProps{
ID: pipewire.PW_ID_CLIENT,
GlobalID: 34,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "34"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "2"},
{Key: pipewire.PW_KEY_PROTOCOL, Value: "protocol-native"},
{Key: pipewire.PW_KEY_SEC_PID, Value: "1443"},
{Key: pipewire.PW_KEY_SEC_UID, Value: "1000"},
{Key: pipewire.PW_KEY_SEC_GID, Value: "100"},
{Key: pipewire.PW_KEY_SEC_SOCKET, Value: "pipewire-0-manager"},
},
}, nil},
/* recvmsg 1 */
{"sample1", samplePWContainer[4][0][1], pipewire.CoreBoundProps{
ID: 3,
GlobalID: 3,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "3"},
},
}, nil},
}.run(t)
}
func TestCoreHello(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.CoreHello, *pipewire.CoreHello]{
{"sample", samplePWContainer[0][0][1], pipewire.CoreHello{
Version: pipewire.PW_VERSION_CORE,
}, nil},
}.run(t)
}
func TestCoreSync(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.CoreSync, *pipewire.CoreSync]{
{"sample0", samplePWContainer[0][3][1], pipewire.CoreSync{
ID: 0,
Sequence: pipewire.CoreSyncSequenceOffset + 3,
}, nil},
{"sample1", samplePWContainer[6][1][1], pipewire.CoreSync{
ID: 0,
Sequence: pipewire.CoreSyncSequenceOffset + 6,
}, nil},
}.run(t)
}
func TestCorePong(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.CorePong, *pipewire.CorePong]{
// handmade sample
{"sample", []byte{
/* size: rest of data */ 0x20, 0, 0, 0,
/* type: Struct */ byte(pipewire.SPA_TYPE_Struct), 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ byte(pipewire.SPA_TYPE_Int), 0, 0, 0,
/* value: -1 */ 0xff, 0xff, 0xff, 0xff,
/* padding */ 0, 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ byte(pipewire.SPA_TYPE_Int), 0, 0, 0,
/* value: 0 */ 0, 0, 0, 0,
/* padding */ 0, 0, 0, 0,
}, pipewire.CorePong{
ID: -1,
Sequence: 0,
}, nil},
}.run(t)
}
func TestCoreGetRegistry(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.CoreGetRegistry, *pipewire.CoreGetRegistry]{
{"sample", samplePWContainer[0][2][1], pipewire.CoreGetRegistry{
Version: pipewire.PW_VERSION_REGISTRY,
// this ends up as the Id of PW_TYPE_INTERFACE_Registry
NewID: 2,
}, nil},
}.run(t)
}
func TestCoreCreateObject(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.CoreCreateObject, *pipewire.CoreCreateObject]{
{"sample", []byte{
/* size: rest of data */ 0x80, 0, 0, 0,
/* type: Struct */ 0xe, 0, 0, 0,
/* size: 0x13 bytes */ 0x13, 0, 0, 0,
/* type: String */ 8, 0, 0, 0,
// value: "spa-device-factory\x00"
0x73, 0x70, 0x61, 0x2d,
0x64, 0x65, 0x76, 0x69,
0x63, 0x65, 0x2d, 0x66,
0x61, 0x63, 0x74, 0x6f,
0x72, 0x79, 0, 0,
0, 0, 0, 0,
/* size: 0x1a bytes */ 0x1a, 0, 0, 0,
/* type: String */ 8, 0, 0, 0,
// value: "PipeWire:Interface:Device\x00"
0x50, 0x69, 0x70, 0x65,
0x57, 0x69, 0x72, 0x65,
0x3a, 0x49, 0x6e, 0x74,
0x65, 0x72, 0x66, 0x61,
0x63, 0x65, 0x3a, 0x44,
0x65, 0x76, 0x69, 0x63,
0x65, 0, 0, 0,
0, 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ 4, 0, 0, 0,
/* value: 3 */ 3, 0, 0, 0,
/* padding */ 0, 0, 0, 0,
/* size */ 0x10, 0, 0, 0,
/* type: Struct */ 0xe, 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ 4, 0, 0, 0,
/* value: 0 */ 0, 0, 0, 0,
/* padding */ 0, 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ 4, 0, 0, 0,
/* value: 0xbad */ 0xad, 0xb, 0, 0,
/* padding */ 0, 0, 0, 0,
}, pipewire.CoreCreateObject{
FactoryName: "spa-device-factory",
Type: pipewire.PW_TYPE_INTERFACE_Device,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{},
NewID: 0xbad,
}, nil},
}.run(t)
}
func TestCoreDestroy(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.CoreDestroy, *pipewire.CoreDestroy]{
{"sample", []byte{
/* size: rest of data */ 0x10, 0, 0, 0,
/* type: Struct */ 0xe, 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ 4, 0, 0, 0,
/* value: 3 */ 3, 0, 0, 0,
/* padding */ 0, 0, 0, 0,
}, pipewire.CoreDestroy{
ID: 3,
}, nil},
}.run(t)
}
func TestRegistryGlobal(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.RegistryGlobal, *pipewire.RegistryGlobal]{
{"sample0", samplePWContainer[1][6][1], pipewire.RegistryGlobal{
ID: pipewire.PW_ID_CORE,
Permissions: pipewire.PW_CORE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Core,
Version: pipewire.PW_VERSION_CORE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "0"},
{Key: pipewire.PW_KEY_CORE_NAME, Value: "pipewire-0"},
},
}, nil},
{"sample1", samplePWContainer[1][7][1], pipewire.RegistryGlobal{
ID: 1,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "1"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-rt"},
},
}, nil},
{"sample2", samplePWContainer[1][8][1], pipewire.RegistryGlobal{
ID: 3,
Permissions: pipewire.PW_SECURITY_CONTEXT_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_SecurityContext,
Version: pipewire.PW_VERSION_SECURITY_CONTEXT,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "3"},
},
}, nil},
{"sample3", samplePWContainer[1][9][1], pipewire.RegistryGlobal{
ID: 2,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "2"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-protocol-native"},
},
}, nil},
{"sample4", samplePWContainer[1][10][1], pipewire.RegistryGlobal{
ID: 5,
Permissions: pipewire.PW_PROFILER_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Profiler,
Version: pipewire.PW_VERSION_PROFILER,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "5"},
},
}, nil},
{"sample5", samplePWContainer[1][11][1], pipewire.RegistryGlobal{
ID: 4,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "4"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-profiler"},
},
}, nil},
{"sample6", samplePWContainer[1][12][1], pipewire.RegistryGlobal{
ID: 6,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "6"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-metadata"},
},
}, nil},
{"sample7", samplePWContainer[1][13][1], pipewire.RegistryGlobal{
ID: 7,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "7"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "6"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "metadata"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: pipewire.PW_TYPE_INTERFACE_Metadata},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "3"},
},
}, nil},
{"sample8", samplePWContainer[1][14][1], pipewire.RegistryGlobal{
ID: 8,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "8"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-spa-device-factory"},
},
}, nil},
{"sample9", samplePWContainer[1][15][1], pipewire.RegistryGlobal{
ID: 9,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "9"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "8"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "spa-device-factory"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: pipewire.PW_TYPE_INTERFACE_Device},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "3"},
},
}, nil},
{"sample10", samplePWContainer[1][16][1], pipewire.RegistryGlobal{
ID: 10,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "10"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-spa-node-factory"},
},
}, nil},
{"sample11", samplePWContainer[1][17][1], pipewire.RegistryGlobal{
ID: 11,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "11"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "10"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "spa-node-factory"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: pipewire.PW_TYPE_INTERFACE_Node},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "3"},
},
}, nil},
{"sample12", samplePWContainer[1][18][1], pipewire.RegistryGlobal{
ID: 12,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "12"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-client-node"},
},
}, nil},
{"sample13", samplePWContainer[1][19][1], pipewire.RegistryGlobal{
ID: 13,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "13"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "12"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "client-node"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: pipewire.PW_TYPE_INTERFACE_ClientNode},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "6"},
},
}, nil},
{"sample14", samplePWContainer[1][20][1], pipewire.RegistryGlobal{
ID: 14,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "14"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-client-device"},
},
}, nil},
{"sample15", samplePWContainer[1][21][1], pipewire.RegistryGlobal{
ID: 15,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "15"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "14"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "client-device"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: "Spa:Pointer:Interface:Device"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "0"},
},
}, nil},
{"sample16", samplePWContainer[1][22][1], pipewire.RegistryGlobal{
ID: 16,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "16"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-portal"},
},
}, nil},
{"sample17", samplePWContainer[1][23][1], pipewire.RegistryGlobal{
ID: 17,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "17"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-access"},
},
}, nil},
{"sample18", samplePWContainer[1][24][1], pipewire.RegistryGlobal{
ID: 18,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "18"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-adapter"},
},
}, nil},
{"sample19", samplePWContainer[1][25][1], pipewire.RegistryGlobal{
ID: 19,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "19"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "18"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "adapter"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: pipewire.PW_TYPE_INTERFACE_Node},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "3"},
},
}, nil},
{"sample20", samplePWContainer[1][26][1], pipewire.RegistryGlobal{
ID: 20,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "20"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-link-factory"},
},
}, nil},
{"sample21", samplePWContainer[1][27][1], pipewire.RegistryGlobal{
ID: 21,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "21"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "20"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "link-factory"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: pipewire.PW_TYPE_INTERFACE_Link},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "3"},
},
}, nil},
{"sample22", samplePWContainer[1][28][1], pipewire.RegistryGlobal{
ID: 22,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "22"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-session-manager"},
},
}, nil},
{"sample23", samplePWContainer[1][29][1], pipewire.RegistryGlobal{
ID: 23,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "23"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "22"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "client-endpoint"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: "PipeWire:Interface:ClientEndpoint"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "0"},
},
}, nil},
{"sample24", samplePWContainer[1][30][1], pipewire.RegistryGlobal{
ID: 24,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "24"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "22"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "client-session"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: "PipeWire:Interface:ClientSession"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "0"},
},
}, nil},
{"sample25", samplePWContainer[1][31][1], pipewire.RegistryGlobal{
ID: 25,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "25"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "22"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "session"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: "PipeWire:Interface:Session"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "0"},
},
}, nil},
{"sample26", samplePWContainer[1][32][1], pipewire.RegistryGlobal{
ID: 26,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "26"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "22"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "endpoint"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: "PipeWire:Interface:Endpoint"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "0"},
},
}, nil},
{"sample27", samplePWContainer[1][33][1], pipewire.RegistryGlobal{
ID: 27,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "27"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "22"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "endpoint-stream"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: "PipeWire:Interface:EndpointStream"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "0"},
},
}, nil},
{"sample28", samplePWContainer[1][34][1], pipewire.RegistryGlobal{
ID: 28,
Permissions: pipewire.PW_FACTORY_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Factory,
Version: pipewire.PW_VERSION_FACTORY,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "28"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "22"},
{Key: pipewire.PW_KEY_FACTORY_NAME, Value: "endpoint-link"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_NAME, Value: "PipeWire:Interface:EndpointLink"},
{Key: pipewire.PW_KEY_FACTORY_TYPE_VERSION, Value: "0"},
},
}, nil},
{"sample29", samplePWContainer[1][35][1], pipewire.RegistryGlobal{
ID: 29,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "29"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-x11-bell"},
},
}, nil},
{"sample30", samplePWContainer[1][36][1], pipewire.RegistryGlobal{
ID: 30,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "30"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-jackdbus-detect"},
},
}, nil},
{"sample31", samplePWContainer[1][37][1], pipewire.RegistryGlobal{
ID: 31,
Permissions: pipewire.PW_PERM_RWXM, // why is this not PW_NODE_PERM_MASK?
Type: pipewire.PW_TYPE_INTERFACE_Node,
Version: pipewire.PW_VERSION_NODE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "31"},
{Key: pipewire.PW_KEY_FACTORY_ID, Value: "11"},
{Key: pipewire.PW_KEY_PRIORITY_DRIVER, Value: "200000"},
{Key: pipewire.PW_KEY_NODE_NAME, Value: "Dummy-Driver"},
},
}, nil},
{"sample32", samplePWContainer[1][38][1], pipewire.RegistryGlobal{
ID: 32,
Permissions: pipewire.PW_PERM_RWXM, // why is this not PW_NODE_PERM_MASK?
Type: pipewire.PW_TYPE_INTERFACE_Node,
Version: pipewire.PW_VERSION_NODE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "32"},
{Key: pipewire.PW_KEY_FACTORY_ID, Value: "11"},
{Key: pipewire.PW_KEY_PRIORITY_DRIVER, Value: "190000"},
{Key: pipewire.PW_KEY_NODE_NAME, Value: "Freewheel-Driver"},
},
}, nil},
{"sample33", samplePWContainer[1][39][1], pipewire.RegistryGlobal{
ID: 33,
Permissions: pipewire.PW_METADATA_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Metadata,
Version: pipewire.PW_VERSION_METADATA,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "33"},
{Key: "metadata.name", Value: "settings"},
},
}, nil},
{"sample34", samplePWContainer[1][40][1], pipewire.RegistryGlobal{
ID: 34,
Permissions: pipewire.PW_CLIENT_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Client,
Version: pipewire.PW_VERSION_CLIENT,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "34"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "2"},
{Key: pipewire.PW_KEY_PROTOCOL, Value: "protocol-native"},
{Key: pipewire.PW_KEY_SEC_PID, Value: "1443"},
{Key: pipewire.PW_KEY_SEC_UID, Value: "1000"},
{Key: pipewire.PW_KEY_SEC_GID, Value: "100"},
{Key: pipewire.PW_KEY_SEC_SOCKET, Value: "pipewire-0-manager"},
{Key: pipewire.PW_KEY_ACCESS, Value: "unrestricted"},
{Key: pipewire.PW_KEY_APP_NAME, Value: "pw-container"},
},
}, nil},
{"sample35", samplePWContainer[1][42][1], pipewire.RegistryGlobal{
ID: 35,
Permissions: pipewire.PW_CLIENT_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Client,
Version: pipewire.PW_VERSION_CLIENT,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "35"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "2"},
{Key: pipewire.PW_KEY_PROTOCOL, Value: "protocol-native"},
{Key: pipewire.PW_KEY_SEC_PID, Value: "1447"},
{Key: pipewire.PW_KEY_SEC_UID, Value: "1000"},
{Key: pipewire.PW_KEY_SEC_GID, Value: "100"},
{Key: pipewire.PW_KEY_SEC_SOCKET, Value: "pipewire-0-manager"},
{Key: pipewire.PW_KEY_ACCESS, Value: "unrestricted"},
{Key: pipewire.PW_KEY_APP_NAME, Value: "WirePlumber"},
},
}, nil},
}.run(t)
}
func TestRegistryGlobalRemove(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.RegistryGlobalRemove, *pipewire.RegistryGlobalRemove]{
{"sample", []byte{
/* size: rest of data*/ 0x10, 0, 0, 0,
/* type: Struct */ 0xe, 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ 4, 0, 0, 0,
/* value: 0xbad */ 0xad, 0xb, 0, 0,
/* padding */ 0, 0, 0, 0,
}, pipewire.RegistryGlobalRemove{
ID: 0xbad,
}, nil},
}.run(t)
}
func TestRegistryBind(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.RegistryBind, *pipewire.RegistryBind]{
{"sample", samplePWContainer[3][0][1], pipewire.RegistryBind{
ID: 3,
Type: pipewire.PW_TYPE_INTERFACE_SecurityContext,
Version: pipewire.PW_VERSION_SECURITY_CONTEXT,
NewID: 3, // registry takes up 2
}, nil},
}.run(t)
}
func TestRegistryDestroy(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.RegistryDestroy, *pipewire.RegistryDestroy]{
{"sample", []byte{
/* size: rest of data*/ 0x10, 0, 0, 0,
/* type: Struct */ 0xe, 0, 0, 0,
/* size: 4 bytes */ 4, 0, 0, 0,
/* type: Int */ 4, 0, 0, 0,
/* value: 0xbad */ 0xad, 0xb, 0, 0,
/* padding */ 0, 0, 0, 0,
}, pipewire.RegistryDestroy{
ID: 0xbad,
}, nil},
}.run(t)
}

73
internal/pipewire/header.go
View File

@@ -1,73 +0,0 @@
package pipewire
import (
"encoding/binary"
"errors"
)
const (
// SizeHeader is the fixed size of [Header].
SizeHeader = 16
// SizeMax is the largest value of [Header.Size] that can be represented in its 3-byte segment.
SizeMax = 0x00ffffff
)
var (
// ErrSizeRange indicates that the value of [Header.Size] cannot be represented in its 3-byte segment.
ErrSizeRange = errors.New("size out of range")
// ErrBadHeader indicates that the header slice does not have length [HeaderSize].
ErrBadHeader = errors.New("incorrect header size")
)
// A Header is the fixed-size message header described in protocol native.
type Header struct {
// The message id this is the destination resource/proxy id.
ID Int `json:"Id"`
// The opcode on the resource/proxy interface.
Opcode byte `json:"opcode"`
// The size of the payload and optional footer of the message.
// Note: this value is only 24 bits long in the format.
Size uint32 `json:"size"`
// An increasing sequence number for each message.
Sequence Int `json:"seq"`
// Number of file descriptors in this message.
FileCount Int `json:"n_fds"`
}
// append appends the protocol native message header to data.
//
// Callers must perform bounds check on [Header.Size].
func (h *Header) append(data []byte) []byte {
data = binary.NativeEndian.AppendUint32(data, Word(h.ID))
data = binary.NativeEndian.AppendUint32(data, Word(h.Opcode)<<24|h.Size)
data = binary.NativeEndian.AppendUint32(data, Word(h.Sequence))
data = binary.NativeEndian.AppendUint32(data, Word(h.FileCount))
return data
}
// MarshalBinary encodes the protocol native message header.
func (h *Header) MarshalBinary() (data []byte, err error) {
if h.Size&^SizeMax != 0 {
return nil, ErrSizeRange
}
return h.append(make([]byte, 0, SizeHeader)), nil
}
// unmarshalBinary decodes the protocol native message header.
func (h *Header) unmarshalBinary(data [SizeHeader]byte) {
h.ID = Int(binary.NativeEndian.Uint32(data[0:4]))
h.Size = binary.NativeEndian.Uint32(data[4:8])
h.Opcode = byte(h.Size >> 24)
h.Size &= SizeMax
h.Sequence = Int(binary.NativeEndian.Uint32(data[8:]))
h.FileCount = Int(binary.NativeEndian.Uint32(data[12:]))
}
// UnmarshalBinary decodes the protocol native message header.
func (h *Header) UnmarshalBinary(data []byte) error {
if len(data) != SizeHeader {
return ErrBadHeader
}
h.unmarshalBinary(([SizeHeader]byte)(data))
return nil
}

407
internal/pipewire/header_test.go
View File

@@ -1,407 +0,0 @@
package pipewire_test
import (
"reflect"
"testing"
"hakurei.app/internal/pipewire"
)
func TestHeader(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.Header, *pipewire.Header]{
/* sendmsg 0 */
{"PW_CORE_METHOD_HELLO", samplePWContainer[0][0][0], pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_METHOD_HELLO,
Size: 0x18, Sequence: 0, FileCount: 0,
}, nil},
{"PW_CLIENT_METHOD_UPDATE_PROPERTIES", samplePWContainer[0][1][0], pipewire.Header{
ID: pipewire.PW_ID_CLIENT,
Opcode: pipewire.PW_CLIENT_METHOD_UPDATE_PROPERTIES,
Size: 0x600, Sequence: 1, FileCount: 0,
}, nil},
{"PW_CORE_METHOD_GET_REGISTRY", samplePWContainer[0][2][0], pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_METHOD_GET_REGISTRY,
Size: 0x28, Sequence: 2, FileCount: 0,
}, nil},
{"PW_CORE_METHOD_SYNC 0", samplePWContainer[0][3][0], pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_METHOD_SYNC,
Size: 0x28, Sequence: 3, FileCount: 0,
}, nil},
/* recvmsg 0 */
{"PW_CORE_EVENT_INFO", samplePWContainer[1][0][0], pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_EVENT_INFO,
Size: 0x6b8, Sequence: 0, FileCount: 0,
}, nil},
{"PW_CORE_EVENT_BOUND_PROPS 0", samplePWContainer[1][1][0], pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_EVENT_BOUND_PROPS,
Size: 0x198, Sequence: 1, FileCount: 0,
}, nil},
{"PW_CLIENT_EVENT_INFO 0", samplePWContainer[1][2][0], pipewire.Header{
ID: pipewire.PW_ID_CLIENT,
Opcode: pipewire.PW_CLIENT_EVENT_INFO,
Size: 0x1f0, Sequence: 2, FileCount: 0,
}, nil},
{"PW_CLIENT_EVENT_INFO 1", samplePWContainer[1][3][0], pipewire.Header{
ID: pipewire.PW_ID_CLIENT,
Opcode: pipewire.PW_CLIENT_EVENT_INFO,
Size: 0x7a0, Sequence: 3, FileCount: 0,
}, nil},
{"PW_CLIENT_EVENT_INFO 2", samplePWContainer[1][4][0], pipewire.Header{
ID: pipewire.PW_ID_CLIENT,
Opcode: pipewire.PW_CLIENT_EVENT_INFO,
Size: 0x7d0, Sequence: 4, FileCount: 0,
}, nil},
{"PW_CORE_EVENT_DONE 0", samplePWContainer[1][5][0], pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_EVENT_DONE,
Size: 0x58, Sequence: 5, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 0", samplePWContainer[1][6][0], pipewire.Header{
ID: 2, // this is specified by Core::GetRegistry in samplePWContainer[0][2][1]
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xc8, Sequence: 6, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 1", samplePWContainer[1][7][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xd8, Sequence: 7, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 2", samplePWContainer[1][8][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xa8, Sequence: 8, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 3", samplePWContainer[1][9][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe8, Sequence: 9, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 4", samplePWContainer[1][10][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xa0, Sequence: 10, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 5", samplePWContainer[1][11][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe0, Sequence: 11, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 6", samplePWContainer[1][12][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe0, Sequence: 12, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 7", samplePWContainer[1][13][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x170, Sequence: 13, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 8", samplePWContainer[1][14][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe8, Sequence: 14, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 9", samplePWContainer[1][15][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x178, Sequence: 15, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 10", samplePWContainer[1][16][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe8, Sequence: 16, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 11", samplePWContainer[1][17][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x170, Sequence: 17, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 12", samplePWContainer[1][18][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe0, Sequence: 18, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 13", samplePWContainer[1][19][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x170, Sequence: 19, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 14", samplePWContainer[1][20][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe8, Sequence: 20, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 15", samplePWContainer[1][21][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x170, Sequence: 21, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 16", samplePWContainer[1][22][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe0, Sequence: 22, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 17", samplePWContainer[1][23][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe0, Sequence: 23, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 18", samplePWContainer[1][24][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe0, Sequence: 24, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 19", samplePWContainer[1][25][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x160, Sequence: 25, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 20", samplePWContainer[1][26][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe0, Sequence: 26, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 21", samplePWContainer[1][27][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x168, Sequence: 27, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 22", samplePWContainer[1][28][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe8, Sequence: 28, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 23", samplePWContainer[1][29][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x178, Sequence: 29, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 24", samplePWContainer[1][30][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x178, Sequence: 30, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 25", samplePWContainer[1][31][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x168, Sequence: 31, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 26", samplePWContainer[1][32][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x170, Sequence: 32, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 27", samplePWContainer[1][33][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x178, Sequence: 33, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 28", samplePWContainer[1][34][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x170, Sequence: 34, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 29", samplePWContainer[1][35][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe0, Sequence: 35, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 30", samplePWContainer[1][36][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xe8, Sequence: 36, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 31", samplePWContainer[1][37][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x118, Sequence: 37, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 32", samplePWContainer[1][38][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x120, Sequence: 38, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 33", samplePWContainer[1][39][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0xd0, Sequence: 39, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 34", samplePWContainer[1][40][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x238, Sequence: 40, FileCount: 0,
}, nil},
{"PW_CORE_EVENT_DONE 1", samplePWContainer[1][41][0], pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_EVENT_DONE,
Size: 0x28, Sequence: 41, FileCount: 0,
}, nil},
{"PW_REGISTRY_EVENT_GLOBAL 35", samplePWContainer[1][42][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_EVENT_GLOBAL,
Size: 0x268, Sequence: 42, FileCount: 0,
}, nil},
/* sendmsg 1 */
{"PW_REGISTRY_METHOD_BIND", samplePWContainer[3][0][0], pipewire.Header{
ID: 2,
Opcode: pipewire.PW_REGISTRY_METHOD_BIND,
Size: 0x98, Sequence: 4, FileCount: 0,
}, nil},
/* recvmsg 1 */
{"PW_CORE_EVENT_BOUND_PROPS 1", samplePWContainer[4][0][0], pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_EVENT_BOUND_PROPS,
Size: 0x68, Sequence: 43, FileCount: 0,
}, nil},
/* sendmsg 2 */
{"PW_SECURITY_CONTEXT_METHOD_CREATE", samplePWContainer[6][0][0], pipewire.Header{
ID: 3,
Opcode: pipewire.PW_SECURITY_CONTEXT_METHOD_CREATE,
Size: 0xd8, Sequence: 5, FileCount: 2,
}, nil},
{"PW_CORE_METHOD_SYNC 1", samplePWContainer[6][1][0], pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_METHOD_SYNC,
Size: 0x28, Sequence: 6, FileCount: 0,
}, nil},
/* recvmsg 2 */
{"PW_CORE_EVENT_DONE 2", samplePWContainer[7][0][0], pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_EVENT_DONE,
Size: 0x28, Sequence: 44, FileCount: 0,
}, nil},
/* excerpts */
{"PW_CORE_EVENT_ERROR", []byte{
/* Id: */ 0, 0, 0, 0,
/* size: */ 0x60, 0, 0,
/* opcode: */ 3,
/* seq: */ 0xf5, 0, 0, 0,
/* n_fds: */ 0, 0, 0, 0,
}, pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_EVENT_ERROR,
Size: 0x60, Sequence: 0xf5, FileCount: 0,
}, nil},
/* handmade samples */
{"PW_CORE_EVENT_PING", []byte{
/* Id: */ 0, 0, 0, 0,
/* size: */ 0xed, 0xb, 0,
/* opcode: */ 2,
/* seq: */ 0xff, 0xff, 0, 0,
/* n_fds: */ 0xfe, 0xca, 0, 0,
}, pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_EVENT_PING,
Size: 0xbed, Sequence: 0xffff, FileCount: 0xcafe,
}, nil},
{"PW_CORE_METHOD_PONG", []byte{
/* Id: */ 0, 0, 0, 0,
/* size: */ 0xed, 0xb, 0,
/* opcode: */ 3,
/* seq: */ 0xff, 0xff, 0, 0,
/* n_fds: */ 0xfe, 0xca, 0, 0,
}, pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_METHOD_PONG,
Size: 0xbed, Sequence: 0xffff, FileCount: 0xcafe,
}, nil},
{"PW_CORE_METHOD_ERROR", []byte{
/* Id: */ 0, 0, 0, 0,
/* size: */ 0xad, 0xb, 0,
/* opcode: */ 4,
/* seq: */ 0xfe, 0xfe, 0, 0,
/* n_fds: */ 0xfe, 0xca, 0, 0,
}, pipewire.Header{
ID: pipewire.PW_ID_CORE,
Opcode: pipewire.PW_CORE_METHOD_ERROR,
Size: 0xbad, Sequence: 0xfefe, FileCount: 0xcafe,
}, nil},
}.run(t)
t.Run("size range", func(t *testing.T) {
t.Parallel()
if _, err := (&pipewire.Header{Size: 0xff000000}).MarshalBinary(); !reflect.DeepEqual(err, pipewire.ErrSizeRange) {
t.Errorf("UnmarshalBinary: error = %v", err)
}
})
t.Run("header size", func(t *testing.T) {
t.Parallel()
if err := (*pipewire.Header)(nil).UnmarshalBinary(nil); !reflect.DeepEqual(err, pipewire.ErrBadHeader) {
t.Errorf("UnmarshalBinary: error = %v", err)
}
})
}

252
internal/pipewire/pipewire-helper.c Normal file
View File

@@ -0,0 +1,252 @@
#include "pipewire-helper.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <spa/utils/result.h>
#include <spa/utils/string.h>
#include <spa/utils/ansi.h>
#include <spa/debug/pod.h>
#include <spa/debug/format.h>
#include <spa/debug/types.h>
#include <spa/debug/file.h>
#include <pipewire/pipewire.h>
#include <pipewire/extensions/security-context.h>
/* contains most of the state used by hakurei_pw_security_context_bind,
* not ideal, but it is too painful to separate state with the abysmal
* API of pipewire */
struct hakurei_pw_security_context_state {
struct pw_main_loop *loop;
struct pw_context *context;
struct pw_core *core;
struct spa_hook core_listener;
struct pw_registry *registry;
struct spa_hook registry_listener;
struct pw_properties *props;
struct pw_security_context *sec;
int pending_create;
int create_result;
int pending;
int done;
};
/* for field global of registry_events */
static void registry_event_global(
void *data, uint32_t id,
uint32_t permissions, const char *type, uint32_t version,
const struct spa_dict *props) {
struct hakurei_pw_security_context_state *state = data;
if (spa_streq(type, PW_TYPE_INTERFACE_SecurityContext))
state->sec = pw_registry_bind(state->registry, id, type, version, 0);
}
/* for field global_remove of registry_events */
static void registry_event_global_remove(void *data, uint32_t id) {} /* no-op */
static const struct pw_registry_events registry_events = {
PW_VERSION_REGISTRY_EVENTS,
.global = registry_event_global,
.global_remove = registry_event_global_remove,
};
/* for field error of core_events */
static void on_core_error(void *data, uint32_t id, int seq, int res, const char *message) {
struct hakurei_pw_security_context_state *state = data;
pw_log_error("error id:%u seq:%d res:%d (%s): %s",
id, seq, res, spa_strerror(res), message);
if (seq == SPA_RESULT_ASYNC_SEQ(state->pending_create))
state->create_result = res;
if (id == PW_ID_CORE && res == -EPIPE) {
state->done = true;
pw_main_loop_quit(state->loop);
}
}
static const struct pw_core_events core_events = {
PW_VERSION_CORE_EVENTS,
.error = on_core_error,
};
/* for field done of stack allocated core_events in roundtrip */
static void core_event_done(void *data, uint32_t id, int seq) {
struct hakurei_pw_security_context_state *state = data;
if (id == PW_ID_CORE && seq == state->pending) {
state->done = true;
pw_main_loop_quit(state->loop);
}
}
static void roundtrip(struct hakurei_pw_security_context_state *state) {
struct spa_hook core_listener;
static const struct pw_core_events core_events = {
PW_VERSION_CORE_EVENTS,
.done = core_event_done,
};
spa_zero(core_listener);
pw_core_add_listener(state->core, &core_listener, &core_events, state);
state->done = false;
state->pending = pw_core_sync(state->core, PW_ID_CORE, 0);
while (!state->done)
pw_main_loop_run(state->loop);
spa_hook_remove(&core_listener);
}
hakurei_pipewire_res hakurei_pw_security_context_bind(
char *socket_path,
char *remote_path,
int close_fd) {
hakurei_pipewire_res res = HAKUREI_PIPEWIRE_SUCCESS; /* see pipewire.go for handling */
struct hakurei_pw_security_context_state state = {0};
struct pw_loop *l;
struct spa_error_location loc;
int listen_fd;
struct sockaddr_un sockaddr = {0};
/* stack allocated because pw_deinit is always called before returning,
* in the implementation it actually does nothing with these addresses
* and I have no idea why it would even need these, still it is safe to
* do this to not risk a future version of pipewire clobbering strings */
int fake_argc = 1;
char *fake_argv[] = {"hakurei", NULL};
/* this makes multiple getenv calls, caller must ensure to NOT setenv
* before this function returns */
pw_init(&fake_argc, (char ***)&fake_argv);
/* as far as I can tell, setting engine to "org.flatpak" gets special
* treatment, and should never be used here because the .flatpak-info
* hack is vulnerable to a confused deputy attack */
state.props = pw_properties_new(
PW_KEY_SEC_ENGINE, "app.hakurei",
PW_KEY_ACCESS, "restricted",
NULL);
/* this is unfortunately required to do ANYTHING with pipewire */
state.loop = pw_main_loop_new(NULL);
if (state.loop == NULL) {
res = HAKUREI_PIPEWIRE_MAINLOOP;
goto out;
}
l = pw_main_loop_get_loop(state.loop);
/* boilerplate from src/tools/pw-container.c */
state.context = pw_context_new(l, NULL, 0);
if (state.context == NULL) {
res = HAKUREI_PIPEWIRE_CTX;
goto out;
}
/* boilerplate from src/tools/pw-container.c;
* this does not unsetenv, so special handling is not required
* unlike for libwayland-client */
state.core = pw_context_connect(
state.context,
pw_properties_new(
PW_KEY_REMOTE_INTENTION, "manager",
PW_KEY_REMOTE_NAME, remote_path,
NULL),
0);
if (state.core == NULL) {
res = HAKUREI_PIPEWIRE_CONNECT;
goto out;
}
/* obtains the security context */
pw_core_add_listener(state.core, &state.core_listener, &core_events, &state);
state.registry = pw_core_get_registry(state.core, PW_VERSION_REGISTRY, 0);
if (state.registry == NULL) {
res = HAKUREI_PIPEWIRE_REGISTRY;
goto out;
}
/* undocumented, this ends up calling registry_method_marshal_add_listener,
* which is hard-coded to return 0, note that the function pointer this calls
* is uninitialised for some pw_registry objects so if you are using this code
* as an example you must keep that in mind */
pw_registry_add_listener(state.registry, &state.registry_listener, &registry_events, &state);
roundtrip(&state);
if (state.sec == NULL) {
res = HAKUREI_PIPEWIRE_NOT_AVAIL;
goto out;
}
/* socket to attach security context */
listen_fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (listen_fd < 0) {
res = HAKUREI_PIPEWIRE_SOCKET;
goto out;
}
/* similar to libwayland, pipewire requires bind and listen to be called
* on the socket before being passed to pw_security_context_create */
sockaddr.sun_family = AF_UNIX;
snprintf(sockaddr.sun_path, sizeof(sockaddr.sun_path), "%s", socket_path);
if (bind(listen_fd, (struct sockaddr *)&sockaddr, sizeof(sockaddr)) != 0) {
res = HAKUREI_PIPEWIRE_BIND;
goto out;
}
if (listen(listen_fd, 0) != 0) {
res = HAKUREI_PIPEWIRE_LISTEN;
goto out;
}
/* attach security context to socket */
state.create_result = 0;
state.pending_create = pw_security_context_create(state.sec, listen_fd, close_fd, &state.props->dict);
if (SPA_RESULT_IS_ASYNC(state.pending_create)) {
pw_log_debug("create: %d", state.pending_create);
roundtrip(&state);
}
pw_log_debug("create result: %d", state.create_result);
if (state.create_result < 0) {
/* spa_strerror */
if (SPA_RESULT_IS_ASYNC(-state.create_result))
errno = EINPROGRESS;
else
errno = -state.create_result;
res = HAKUREI_PIPEWIRE_ATTACH;
goto out;
}
out:
if (listen_fd >= 0)
close(listen_fd);
if (state.sec != NULL)
pw_proxy_destroy((struct pw_proxy *)state.sec);
if (state.registry != NULL)
pw_proxy_destroy((struct pw_proxy *)state.registry);
if (state.core != NULL) {
/* these happen after core is checked non-NULL and always succeeds */
spa_hook_remove(&state.registry_listener);
spa_hook_remove(&state.core_listener);
pw_core_disconnect(state.core);
}
if (state.context != NULL)
pw_context_destroy(state.context);
if (state.loop != NULL)
pw_main_loop_destroy(state.loop);
pw_properties_free(state.props);
pw_deinit();
free((void *)socket_path);
if (remote_path != NULL)
free((void *)remote_path);
return res;
}

40
internal/pipewire/pipewire-helper.h Normal file
View File

@@ -0,0 +1,40 @@
#include <stdbool.h>
#include <sys/un.h>
typedef enum {
HAKUREI_PIPEWIRE_SUCCESS,
/* pw_main_loop_new failed, errno */
HAKUREI_PIPEWIRE_MAINLOOP,
/* pw_context_new failed, errno */
HAKUREI_PIPEWIRE_CTX,
/* pw_context_connect failed, errno */
HAKUREI_PIPEWIRE_CONNECT,
/* pw_core_get_registry failed */
HAKUREI_PIPEWIRE_REGISTRY,
/* no security context object found */
HAKUREI_PIPEWIRE_NOT_AVAIL,
/* socket failed, errno */
HAKUREI_PIPEWIRE_SOCKET,
/* bind failed, errno */
HAKUREI_PIPEWIRE_BIND,
/* listen failed, errno */
HAKUREI_PIPEWIRE_LISTEN,
/* pw_security_context_create failed, translated errno */
HAKUREI_PIPEWIRE_ATTACH,
/* ensure pathname failed, implemented in conn.go */
HAKUREI_PIPEWIRE_CREAT,
/* cleanup failed, implemented in conn.go */
HAKUREI_PIPEWIRE_CLEANUP,
} hakurei_pipewire_res;
hakurei_pipewire_res hakurei_pw_security_context_bind(
char *socket_path,
char *remote_path,
int close_fd);
/* returns whether the specified size fits in the sun_path field of sockaddr_un */
static inline bool hakurei_pw_is_valid_size_sun_path(size_t sz) {
struct sockaddr_un sockaddr;
return sz <= sizeof(sockaddr.sun_path);
};

1039
internal/pipewire/pipewire.go
View File

File diff suppressed because it is too large Load Diff

977
internal/pipewire/pipewire_test.go
View File

File diff suppressed because it is too large Load Diff

641
internal/pipewire/pod.go
View File

@@ -1,641 +0,0 @@
package pipewire
import (
"encoding/binary"
"io"
"math"
"reflect"
"slices"
"strconv"
)
type (
// A Word is a 32-bit unsigned integer.
//
// Values internal to a message appear to always be aligned to 32-bit boundary.
Word = uint32
// A Bool is a boolean value representing SPA_TYPE_Bool.
Bool = bool
// An Id is an enumerated value representing SPA_TYPE_Id.
Id = Word
// An Int is a signed integer value representing SPA_TYPE_Int.
Int = int32
// A Long is a signed integer value representing SPA_TYPE_Long.
Long = int64
// A Float is a floating point value representing SPA_TYPE_Float.
Float = float32
// A Double is a floating point value representing SPA_TYPE_Double.
Double = float64
// A String is a string value representing SPA_TYPE_String.
String = string
// Bytes is a byte slice representing SPA_TYPE_Bytes.
Bytes = []byte
// A Fd is a signed integer value representing SPA_TYPE_Fd.
Fd Long
)
const (
// SizeAlign is the boundary which POD starts are always aligned to.
SizeAlign = 8
// SizeSPrefix is the fixed, unpadded size of the fixed-size prefix encoding POD wire size.
SizeSPrefix = 4
// SizeTPrefix is the fixed, unpadded size of the fixed-size prefix encoding POD value type.
SizeTPrefix = 4
// SizePrefix is the fixed, unpadded size of the fixed-size POD prefix.
SizePrefix = SizeSPrefix + SizeTPrefix
// SizeId is the fixed, unpadded size of a [SPA_TYPE_Id] value.
SizeId Word = 4
// SizeInt is the fixed, unpadded size of a [SPA_TYPE_Int] value.
SizeInt Word = 4
// SizeLong is the fixed, unpadded size of a [SPA_TYPE_Long] value.
SizeLong Word = 8
// SizeFd is the fixed, unpadded size of a [SPA_TYPE_Fd] value.
SizeFd = SizeLong
)
// A KnownSize value has known POD encoded size before serialisation.
type KnownSize interface {
// Size returns the POD encoded size of the receiver.
Size() Word
}
// PaddingSize returns the padding size corresponding to a wire size.
func PaddingSize[W Word | int](wireSize W) W { return (SizeAlign - (wireSize)%SizeAlign) % SizeAlign }
// PaddedSize returns the padded size corresponding to a wire size.
func PaddedSize[W Word | int](wireSize W) W { return wireSize + PaddingSize(wireSize) }
// Size returns prefixed and padded size corresponding to a wire size.
func Size[W Word | int](wireSize W) W { return SizePrefix + PaddedSize(wireSize) }
// SizeString returns prefixed and padded size corresponding to a string.
func SizeString[W Word | int](s string) W { return Size(W(len(s)) + 1) }
// PODMarshaler is the interface implemented by an object that can
// marshal itself into PipeWire POD encoding.
type PODMarshaler interface {
// MarshalPOD encodes the receiver into PipeWire POD encoding,
// appends it to data, and returns the result.
MarshalPOD(data []byte) ([]byte, error)
}
// An UnsupportedTypeError is returned by [Marshal] when attempting
// to encode an unsupported value type.
type UnsupportedTypeError struct{ Type reflect.Type }
func (e *UnsupportedTypeError) Error() string { return "unsupported type " + e.Type.String() }
// An UnsupportedSizeError is returned by [Marshal] when attempting
// to encode a value with its encoded size exceeding what could be
// represented by the format.
type UnsupportedSizeError int
func (e UnsupportedSizeError) Error() string { return "size " + strconv.Itoa(int(e)) + " out of range" }
// Marshal returns the PipeWire POD encoding of v.
func Marshal(v any) ([]byte, error) {
var data []byte
if s, ok := v.(KnownSize); ok {
data = make([]byte, 0, s.Size())
}
return MarshalAppend(data, v)
}
// MarshalAppend appends the PipeWire POD encoding of v to data.
func MarshalAppend(data []byte, v any) ([]byte, error) {
return marshalValueAppend(data, reflect.ValueOf(v))
}
// appendInner calls f and handles size prefix and padding around the appended data.
// f must only append to data.
func appendInner(data []byte, f func(data []byte) ([]byte, error)) ([]byte, error) {
data = append(data, make([]byte, SizeSPrefix)...)
rData, err := f(data)
if err != nil {
return data, err
}
size := len(rData) - len(data) + SizeSPrefix
// compensated for size and type prefix
wireSize := size - SizePrefix
if wireSize > math.MaxUint32 {
return data, UnsupportedSizeError(wireSize)
}
binary.NativeEndian.PutUint32(rData[len(data)-SizeSPrefix:len(data)], Word(wireSize))
rData = append(rData, make([]byte, PaddingSize(size))...)
return rData, nil
}
// marshalValueAppendRaw implements [MarshalAppend] on [reflect.Value].
func marshalValueAppend(data []byte, v reflect.Value) ([]byte, error) {
if v.CanInterface() && (v.Kind() != reflect.Pointer || !v.IsNil()) {
if m, ok := v.Interface().(PODMarshaler); ok {
var err error
data, err = m.MarshalPOD(data)
return data, err
}
}
return appendInner(data, func(data []byte) ([]byte, error) { return marshalValueAppendRaw(data, v) })
}
// marshalValueAppendRaw implements [MarshalAppend] on [reflect.Value] without the size prefix.
func marshalValueAppendRaw(data []byte, v reflect.Value) ([]byte, error) {
if v.CanInterface() {
switch c := v.Interface().(type) {
case Fd:
data = SPA_TYPE_Fd.append(data)
data = binary.NativeEndian.AppendUint64(data, uint64(c))
return data, nil
}
}
switch v.Kind() {
case reflect.Uint32:
data = SPA_TYPE_Id.append(data)
data = binary.NativeEndian.AppendUint32(data, Word(v.Uint()))
return data, nil
case reflect.Int32:
data = SPA_TYPE_Int.append(data)
data = binary.NativeEndian.AppendUint32(data, Word(v.Int()))
return data, nil
case reflect.Int64:
data = SPA_TYPE_Long.append(data)
data = binary.NativeEndian.AppendUint64(data, uint64(v.Int()))
return data, nil
case reflect.Struct:
data = SPA_TYPE_Struct.append(data)
var err error
for i := 0; i < v.NumField(); i++ {
data, err = marshalValueAppend(data, v.Field(i))
if err != nil {
return data, err
}
}
return data, nil
case reflect.Pointer:
if v.IsNil() {
data = SPA_TYPE_None.append(data)
return data, nil
}
return marshalValueAppendRaw(data, v.Elem())
case reflect.String:
data = SPA_TYPE_String.append(data)
data = append(data, []byte(v.String())...)
data = append(data, 0)
return data, nil
default:
return data, &UnsupportedTypeError{v.Type()}
}
}
// PODUnmarshaler is the interface implemented by an object that can
// unmarshal a PipeWire POD encoding representation of itself.
type PODUnmarshaler interface {
// UnmarshalPOD must be able to decode the form generated by MarshalPOD.
// UnmarshalPOD must copy the data if it wishes to retain the data
// after returning.
UnmarshalPOD(data []byte) (Word, error)
}
// An InvalidUnmarshalError describes an invalid argument passed to [Unmarshal].
// (The argument to [Unmarshal] must be a non-nil pointer.)
type InvalidUnmarshalError struct{ Type reflect.Type }
func (e *InvalidUnmarshalError) Error() string {
if e.Type == nil {
return "attempting to unmarshal to nil"
}
if e.Type.Kind() != reflect.Pointer {
return "attempting to unmarshal to non-pointer type " + e.Type.String()
}
return "attempting to unmarshal to nil " + e.Type.String()
}
// UnexpectedEOFError describes an unexpected EOF encountered in the middle of decoding POD data.
type UnexpectedEOFError uintptr
const (
// ErrEOFPrefix is returned when unexpectedly encountering EOF
// decoding the fixed-size POD prefix.
ErrEOFPrefix UnexpectedEOFError = iota
// ErrEOFData is returned when unexpectedly encountering EOF
// establishing POD data bounds.
ErrEOFData
// ErrEOFDataString is returned when unexpectedly encountering EOF
// establishing POD [String] bounds.
ErrEOFDataString
)
func (UnexpectedEOFError) Unwrap() error { return io.ErrUnexpectedEOF }
func (e UnexpectedEOFError) Error() string {
var suffix string
switch e {
case ErrEOFPrefix:
suffix = "decoding fixed-size POD prefix"
case ErrEOFData:
suffix = "establishing POD data bounds"
case ErrEOFDataString:
suffix = "establishing POD String bounds"
default:
return "unexpected EOF"
}
return "unexpected EOF " + suffix
}
// Unmarshal parses the PipeWire POD encoded data and stores the result
// in the value pointed to by v. If v is nil or not a pointer,
// Unmarshal returns an [InvalidUnmarshalError].
func Unmarshal(data []byte, v any) error {
if n, err := UnmarshalNext(data, v); err != nil {
return err
} else if len(data) > int(n) {
return TrailingGarbageError(data[int(n):])
}
return nil
}
// UnmarshalNext implements [Unmarshal] but returns the size of message decoded
// and skips the final trailing garbage check.
func UnmarshalNext(data []byte, v any) (size Word, err error) {
rv := reflect.ValueOf(v)
if rv.Kind() != reflect.Pointer || rv.IsNil() {
return 0, &InvalidUnmarshalError{reflect.TypeOf(v)}
}
err = unmarshalValue(data, rv.Elem(), &size)
// prefix and padding size
size = Size(size)
return
}
// UnmarshalSetError describes a value that cannot be set during [Unmarshal].
// This is likely an unexported struct field.
type UnmarshalSetError struct{ Type reflect.Type }
func (u *UnmarshalSetError) Error() string { return "cannot set " + u.Type.String() }
// A TrailingGarbageError describes extra bytes after decoding
// has completed during [Unmarshal].
type TrailingGarbageError []byte
func (e TrailingGarbageError) Error() string {
if len(e) < SizePrefix {
return "got " + strconv.Itoa(len(e)) + " bytes of trailing garbage"
}
return "data has extra values starting with " + SPAKind(binary.NativeEndian.Uint32(e[SizeSPrefix:])).String()
}
// A StringTerminationError describes an incorrectly terminated string
// encountered during [Unmarshal].
type StringTerminationError byte
func (e StringTerminationError) Error() string {
return "got byte " + strconv.Itoa(int(e)) + " instead of NUL"
}
// unmarshalValue implements [Unmarshal] on [reflect.Value] without compensating for prefix and padding size.
func unmarshalValue(data []byte, v reflect.Value, wireSizeP *Word) error {
if !v.CanSet() {
return &UnmarshalSetError{v.Type()}
}
if v.CanInterface() {
if v.Kind() == reflect.Pointer {
v.Set(reflect.New(v.Type().Elem()))
}
if u, ok := v.Interface().(PODUnmarshaler); ok {
var err error
*wireSizeP, err = u.UnmarshalPOD(data)
return err
}
switch v.Interface().(type) {
case Fd:
*wireSizeP = SizeFd
if err := unmarshalCheckTypeBounds(&data, SPA_TYPE_Fd, wireSizeP); err != nil {
return err
}
v.SetInt(int64(binary.NativeEndian.Uint64(data)))
return nil
}
}
switch v.Kind() {
case reflect.Uint32:
*wireSizeP = SizeId
if err := unmarshalCheckTypeBounds(&data, SPA_TYPE_Id, wireSizeP); err != nil {
return err
}
v.SetUint(uint64(binary.NativeEndian.Uint32(data)))
return nil
case reflect.Int32:
*wireSizeP = SizeInt
if err := unmarshalCheckTypeBounds(&data, SPA_TYPE_Int, wireSizeP); err != nil {
return err
}
v.SetInt(int64(binary.NativeEndian.Uint32(data)))
return nil
case reflect.Int64:
*wireSizeP = SizeLong
if err := unmarshalCheckTypeBounds(&data, SPA_TYPE_Long, wireSizeP); err != nil {
return err
}
v.SetInt(int64(binary.NativeEndian.Uint64(data)))
return nil
case reflect.Struct:
*wireSizeP = 0
if err := unmarshalCheckTypeBounds(&data, SPA_TYPE_Struct, wireSizeP); err != nil {
return err
}
var fieldWireSize Word
for i := 0; i < v.NumField(); i++ {
if err := unmarshalValue(data, v.Field(i), &fieldWireSize); err != nil {
return err
}
// bounds check completed in successful call to unmarshalValue
data = data[Size(fieldWireSize):]
}
if len(data) != 0 {
return TrailingGarbageError(data)
}
return nil
case reflect.Pointer:
if ok, err := unmarshalHandleNone(&data, wireSizeP); err != nil {
return err
} else if ok {
v.SetZero()
return nil
}
v.Set(reflect.New(v.Type().Elem()))
return unmarshalValue(data, v.Elem(), wireSizeP)
case reflect.String:
*wireSizeP = 0
if err := unmarshalCheckTypeBounds(&data, SPA_TYPE_String, wireSizeP); err != nil {
return err
}
// string size, one extra NUL byte
size := int(*wireSizeP)
if len(data) < size {
return ErrEOFDataString
}
// the serialised strings still include NUL termination
if data[size-1] != 0 {
return StringTerminationError(data[size-1])
}
v.SetString(string(data[:size-1]))
return nil
default:
return &UnsupportedTypeError{v.Type()}
}
}
// unmarshalHandleNone establishes prefix bounds and, for a value of type [SPA_TYPE_None],
// validates its size and skips the header. This is for unmarshalling values that can be nil.
func unmarshalHandleNone(data *[]byte, wireSizeP *Word) (bool, error) {
if len(*data) < SizePrefix {
return false, ErrEOFPrefix
}
if SPAKind(binary.NativeEndian.Uint32((*data)[SizeSPrefix:])) != SPA_TYPE_None {
return false, nil
}
*wireSizeP = 0
if err := unmarshalCheckTypeBounds(data, SPA_TYPE_None, wireSizeP); err != nil {
return true, err
}
if len(*data) != 0 {
return true, TrailingGarbageError(*data)
}
return true, nil
}
// An InconsistentSizeError describes an inconsistent size prefix encountered
// in data passed to [Unmarshal].
type InconsistentSizeError struct{ Prefix, Expect Word }
func (e InconsistentSizeError) Error() string {
return "prefix claims size " + strconv.Itoa(int(e.Prefix)) +
" for a " + strconv.Itoa(int(e.Expect)) + "-byte long segment"
}
// An UnexpectedTypeError describes an unexpected type encountered
// in data passed to [Unmarshal].
type UnexpectedTypeError struct{ Type, Expect SPAKind }
func (e UnexpectedTypeError) Error() string {
return "received " + e.Type.String() + " for a value of type " + e.Expect.String()
}
// unmarshalCheckTypeBounds performs bounds checks on data and validates the type and size prefixes.
// An expected size of zero skips further bounds checks.
func unmarshalCheckTypeBounds(data *[]byte, t SPAKind, sizeP *Word) error {
if len(*data) < SizePrefix {
return ErrEOFPrefix
}
wantSize := *sizeP
gotSize := binary.NativeEndian.Uint32(*data)
*sizeP = gotSize
if wantSize != 0 && gotSize != wantSize {
return InconsistentSizeError{gotSize, wantSize}
}
if len(*data)-SizePrefix < int(gotSize) {
return ErrEOFData
}
gotType := SPAKind(binary.NativeEndian.Uint32((*data)[SizeSPrefix:]))
if gotType != t {
return UnexpectedTypeError{gotType, t}
}
*data = (*data)[SizePrefix : gotSize+SizePrefix]
return nil
}
// The Footer contains additional messages, not directed to
// the destination object defined by the Id field.
type Footer[P KnownSize] struct {
// The footer opcode.
Opcode Id `json:"opcode"`
// The footer payload struct.
Payload P `json:"payload"`
}
// Size satisfies [KnownSize] with a usually compile-time known value.
func (f *Footer[P]) Size() Word {
return SizePrefix +
Size(SizeId) +
f.Payload.Size()
}
// MarshalBinary satisfies [encoding.BinaryMarshaler] via [Marshal].
func (f *Footer[T]) MarshalBinary() ([]byte, error) { return Marshal(f) }
// UnmarshalBinary satisfies [encoding.BinaryUnmarshaler] via [Unmarshal].
func (f *Footer[T]) UnmarshalBinary(data []byte) error { return Unmarshal(data, f) }
// SPADictItem represents spa_dict_item.
type SPADictItem struct {
// Dot-separated string.
Key string `json:"key"`
// Arbitrary string.
//
// Integer values are represented in base 10,
// boolean values are represented as "true" or "false".
Value string `json:"value"`
}
// SPADict represents spa_dict.
type SPADict []SPADictItem
// Size satisfies [KnownSize] with a value computed at runtime.
func (d *SPADict) Size() Word {
if d == nil {
return 0
}
// struct prefix, NItems value
size := SizePrefix + int(Size(SizeInt))
for i := range *d {
size += SizeString[int]((*d)[i].Key)
size += SizeString[int]((*d)[i].Value)
}
return Word(size)
}
// MarshalPOD satisfies [PODMarshaler] as [SPADict] violates the POD type system.
func (d *SPADict) MarshalPOD(data []byte) ([]byte, error) {
return appendInner(data, func(dataPrefix []byte) (data []byte, err error) {
data = SPA_TYPE_Struct.append(dataPrefix)
if data, err = MarshalAppend(data, Int(len(*d))); err != nil {
return
}
for i := range *d {
if data, err = MarshalAppend(data, (*d)[i].Key); err != nil {
return
}
if data, err = MarshalAppend(data, (*d)[i].Value); err != nil {
return
}
}
return
})
}
// UnmarshalPOD satisfies [PODUnmarshaler] as [SPADict] violates the POD type system.
func (d *SPADict) UnmarshalPOD(data []byte) (Word, error) {
var wireSize Word
if err := unmarshalCheckTypeBounds(&data, SPA_TYPE_Struct, &wireSize); err != nil {
return wireSize, err
}
// bounds check completed in successful call to unmarshalCheckTypeBounds
data = data[:wireSize]
var count Int
if size, err := UnmarshalNext(data, &count); err != nil {
return wireSize, err
} else {
// bounds check completed in successful call to Unmarshal
data = data[size:]
}
*d = make([]SPADictItem, count)
for i := range *d {
if size, err := UnmarshalNext(data, &(*d)[i].Key); err != nil {
return wireSize, err
} else {
// bounds check completed in successful call to Unmarshal
data = data[size:]
}
if size, err := UnmarshalNext(data, &(*d)[i].Value); err != nil {
return wireSize, err
} else {
// bounds check completed in successful call to Unmarshal
data = data[size:]
}
}
if len(data) != 0 {
return wireSize, TrailingGarbageError(data)
}
return wireSize, nil
}
// A Message is a value that can be transmitted as a message over PipeWire protocol native.
type Message interface {
// Opcode returns the opcode of this message.
Opcode() byte
// FileCount returns the number of files associated with this message.
FileCount() Int
KnownSize
}
// A MessageEncoder provides methods for encoding a [Message].
type MessageEncoder struct{ Message }
// SizeMessage returns the size of Message transmitted over protocol native.
func (m MessageEncoder) SizeMessage(footer KnownSize) (size Word) {
size = SizeHeader + m.Message.Size()
if footer != nil {
size += footer.Size()
}
return
}
// AppendMessage appends the protocol native encoding of Message to dst and returns the appended slice.
func (m MessageEncoder) AppendMessage(dst []byte, Id, sequence Int, footer KnownSize) (data []byte, err error) {
size := m.SizeMessage(footer)
if size&^SizeMax != 0 {
return dst, ErrSizeRange
}
data = slices.Grow(dst, int(size))
data = (&Header{
ID: Id,
Opcode: m.Message.Opcode(),
Size: size - SizeHeader,
Sequence: sequence,
FileCount: m.Message.FileCount(),
}).append(data)
data, err = MarshalAppend(data, m.Message)
if err == nil && footer != nil {
data, err = MarshalAppend(data, footer)
}
return
}

226
internal/pipewire/pod_test.go
View File

@@ -1,226 +0,0 @@
package pipewire_test
import (
"bytes"
"encoding"
"encoding/gob"
"encoding/json"
"io"
"reflect"
"testing"
"hakurei.app/internal/pipewire"
)
type encodingTestCases[V any, S interface {
encoding.BinaryMarshaler
encoding.BinaryUnmarshaler
*V
}] []struct {
// Uninterpreted name of subtest.
name string
// Encoded data.
wantData []byte
// Value corresponding to wantData.
value V
// Expected decoding error. Skips encoding check if non-nil.
wantErr error
}
// run runs all test cases as subtests of [testing.T].
func (testCases encodingTestCases[V, S]) run(t *testing.T) {
t.Helper()
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
t.Run("decode", func(t *testing.T) {
t.Parallel()
var value V
if err := S(&value).UnmarshalBinary(tc.wantData); err != nil {
t.Fatalf("UnmarshalBinary: error = %v", err)
}
if !reflect.DeepEqual(&value, &tc.value) {
t.Fatalf("UnmarshalBinary:\n%s\nwant\n%s", mustMarshalJSON(value), mustMarshalJSON(tc.value))
}
})
t.Run("encode", func(t *testing.T) {
t.Parallel()
if gotData, err := S(&tc.value).MarshalBinary(); err != nil {
t.Fatalf("MarshalBinary: error = %v", err)
} else if string(gotData) != string(tc.wantData) {
t.Fatalf("MarshalBinary: %#v, want %#v", gotData, tc.wantData)
}
})
if s, ok := any(&tc.value).(pipewire.KnownSize); ok {
t.Run("size", func(t *testing.T) {
if got := int(s.Size()); got != len(tc.wantData) {
t.Errorf("Size: %d, want %d", got, len(tc.wantData))
}
})
}
})
}
}
func TestPODErrors(t *testing.T) {
t.Parallel()
testCases := []struct {
name string
err error
want string
}{
{"UnsupportedTypeError", &pipewire.UnsupportedTypeError{
Type: reflect.TypeFor[any](),
}, "unsupported type interface {}"},
{"UnsupportedSizeError", pipewire.UnsupportedSizeError(pipewire.SizeMax + 1), "size 16777216 out of range"},
{"InvalidUnmarshalError untyped nil", new(pipewire.InvalidUnmarshalError), "attempting to unmarshal to nil"},
{"InvalidUnmarshalError non-pointer", &pipewire.InvalidUnmarshalError{
Type: reflect.TypeFor[uintptr](),
}, "attempting to unmarshal to non-pointer type uintptr"},
{"InvalidUnmarshalError nil", &pipewire.InvalidUnmarshalError{
Type: reflect.TypeFor[*uintptr](),
}, "attempting to unmarshal to nil *uintptr"},
{"UnexpectedEOFError ErrEOFPrefix", pipewire.ErrEOFPrefix, "unexpected EOF decoding fixed-size POD prefix"},
{"UnexpectedEOFError ErrEOFData", pipewire.ErrEOFData, "unexpected EOF establishing POD data bounds"},
{"UnexpectedEOFError ErrEOFDataString", pipewire.ErrEOFDataString, "unexpected EOF establishing POD String bounds"},
{"UnexpectedEOFError invalid", pipewire.UnexpectedEOFError(0xbad), "unexpected EOF"},
{"UnmarshalSetError", &pipewire.UnmarshalSetError{
Type: reflect.TypeFor[*uintptr](),
}, "cannot set *uintptr"},
{"TrailingGarbageError short", make(pipewire.TrailingGarbageError, 1<<3-1), "got 7 bytes of trailing garbage"},
{"TrailingGarbageError String", pipewire.TrailingGarbageError{
/* size: */ 0, 0, 0, 0,
/* type: */ byte(pipewire.SPA_TYPE_String), 0, 0, 0,
}, "data has extra values starting with String"},
{"TrailingGarbageError invalid", pipewire.TrailingGarbageError{
/* size: */ 0, 0, 0, 0,
/* type: */ 0xff, 0xff, 0xff, 0xff,
/* garbage: */ 0,
}, "data has extra values starting with invalid type field 0xffffffff"},
{"StringTerminationError", pipewire.StringTerminationError(0xff), "got byte 255 instead of NUL"},
{"InconsistentSizeError", pipewire.InconsistentSizeError{
Prefix: 0xbad,
Expect: 0xff,
}, "prefix claims size 2989 for a 255-byte long segment"},
{"UnexpectedTypeError zero", pipewire.UnexpectedTypeError{}, "received invalid type field 0x0 for a value of type invalid type field 0x0"},
{"UnexpectedTypeError", pipewire.UnexpectedTypeError{
Type: pipewire.SPA_TYPE_String,
Expect: pipewire.SPA_TYPE_Array,
}, "received String for a value of type Array"},
{"UnexpectedTypeError invalid", pipewire.UnexpectedTypeError{
Type: 0xdeadbeef,
Expect: pipewire.SPA_TYPE_Long,
}, "received invalid type field 0xdeadbeef for a value of type Long"},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
if got := tc.err.Error(); got != tc.want {
t.Errorf("Error: %q, want %q", got, tc.want)
}
})
}
}
var benchmarkSample = func() (sample pipewire.CoreInfo) {
if err := sample.UnmarshalBinary(samplePWContainer[1][0][1]); err != nil {
panic(err)
}
return
}()
func BenchmarkMarshal(b *testing.B) {
for b.Loop() {
if _, err := benchmarkSample.MarshalBinary(); err != nil {
b.Fatalf("MarshalBinary: error = %v", err)
}
}
}
func BenchmarkMarshalJSON(b *testing.B) {
for b.Loop() {
if _, err := json.Marshal(benchmarkSample); err != nil {
b.Fatalf("json.Marshal: error = %v", err)
}
}
}
func BenchmarkGobEncode(b *testing.B) {
e := gob.NewEncoder(io.Discard)
type sampleRaw pipewire.CoreInfo
for b.Loop() {
if err := e.Encode((*sampleRaw)(&benchmarkSample)); err != nil {
b.Fatalf("(*gob.Encoder).Encode: error = %v", err)
}
}
}
func BenchmarkUnmarshal(b *testing.B) {
var got pipewire.CoreInfo
for b.Loop() {
if err := got.UnmarshalBinary(samplePWContainer[1][0][1]); err != nil {
b.Fatalf("UnmarshalBinary: error = %v", err)
}
}
}
func BenchmarkUnmarshalJSON(b *testing.B) {
var got pipewire.CoreInfo
data, err := json.Marshal(benchmarkSample)
if err != nil {
b.Fatalf("json.Marshal: error = %v", err)
}
for b.Loop() {
if err = json.Unmarshal(data, &got); err != nil {
b.Fatalf("json.Unmarshal: error = %v", err)
}
}
}
func BenchmarkGobDecode(b *testing.B) {
type sampleRaw pipewire.CoreInfo
var buf bytes.Buffer
e := gob.NewEncoder(&buf)
d := gob.NewDecoder(&buf)
for b.Loop() {
b.StopTimer()
if err := e.Encode((*sampleRaw)(&benchmarkSample)); err != nil {
b.Fatalf("(*gob.Encoder).Encode: error = %v", err)
}
b.StartTimer()
if err := d.Decode(new(sampleRaw)); err != nil {
b.Fatalf("(*gob.Encoder).Decode: error = %v", err)
}
}
}
// mustMarshalJSON calls [json.Marshal] and returns the result.
func mustMarshalJSON(v any) string {
if data, err := json.Marshal(v); err != nil {
panic(err)
} else {
return string(data)
}
}

247
internal/pipewire/securitycontext.go
View File

@@ -1,247 +0,0 @@
package pipewire
import (
"errors"
"io"
"os"
"runtime"
"syscall"
)
/* pipewire/extensions/security-context.h */
const (
PW_TYPE_INTERFACE_SecurityContext = PW_TYPE_INFO_INTERFACE_BASE + "SecurityContext"
PW_SECURITY_CONTEXT_PERM_MASK = PW_PERM_RWX
PW_VERSION_SECURITY_CONTEXT = 3
PW_EXTENSION_MODULE_SECURITY_CONTEXT = PIPEWIRE_MODULE_PREFIX + "module-security-context"
)
const (
PW_SECURITY_CONTEXT_EVENT_NUM = iota
PW_VERSION_SECURITY_CONTEXT_EVENTS = 0
)
const (
PW_SECURITY_CONTEXT_METHOD_ADD_LISTENER = iota
PW_SECURITY_CONTEXT_METHOD_CREATE
PW_SECURITY_CONTEXT_METHOD_NUM
PW_VERSION_SECURITY_CONTEXT_METHODS = 0
)
// SecurityContextCreate is sent to create a new security context.
//
// Creates a new security context with a socket listening FD.
// PipeWire will accept new client connections on listen_fd.
//
// listen_fd must be ready to accept new connections when this
// request is sent by the client. In other words, the client must
// call bind(2) and listen(2) before sending the FD.
//
// close_fd is a FD closed by the client when PipeWire should stop
// accepting new connections on listen_fd.
//
// PipeWire must continue to accept connections on listen_fd when
// the client which created the security context disconnects.
//
// After sending this request, closing listen_fd and close_fd
// remains the only valid operation on them.
type SecurityContextCreate struct {
// The offset in the SCM_RIGHTS msg_control message to
// the fd to listen on for new connections.
ListenFd Fd
// The offset in the SCM_RIGHTS msg_control message to
// the fd used to stop listening.
CloseFd Fd
// Extra properties. These will be copied on the client
// that connects through this context.
Properties *SPADict `json:"props"`
}
// Opcode satisfies [Message] with a constant value.
func (c *SecurityContextCreate) Opcode() byte { return PW_SECURITY_CONTEXT_METHOD_CREATE }
// FileCount satisfies [Message] with a constant value.
func (c *SecurityContextCreate) FileCount() Int { return 2 }
// Size satisfies [KnownSize] with a value computed at runtime.
func (c *SecurityContextCreate) Size() Word {
return SizePrefix +
Size(SizeFd) +
Size(SizeFd) +
c.Properties.Size()
}
// MarshalBinary satisfies [encoding.BinaryMarshaler] via [Marshal].
func (c *SecurityContextCreate) MarshalBinary() ([]byte, error) { return Marshal(c) }
// UnmarshalBinary satisfies [encoding.BinaryUnmarshaler] via [Unmarshal].
func (c *SecurityContextCreate) UnmarshalBinary(data []byte) error { return Unmarshal(data, c) }
// SecurityContext holds state of [PW_TYPE_INTERFACE_SecurityContext].
type SecurityContext struct {
// Proxy id as tracked by [Context].
ID Int `json:"proxy_id"`
// Global id as tracked by [Registry].
GlobalID Int `json:"id"`
ctx *Context
destructible
}
// GetSecurityContext queues a [RegistryBind] message for the PipeWire server
// and returns the address of the newly allocated [SecurityContext].
func (registry *Registry) GetSecurityContext() (securityContext *SecurityContext, err error) {
securityContext = &SecurityContext{ctx: registry.ctx}
for globalId, object := range registry.Objects {
if object.Type == securityContext.String() {
securityContext.GlobalID = globalId
securityContext.ID, err = registry.bind(securityContext, securityContext.GlobalID, PW_VERSION_SECURITY_CONTEXT)
return
}
}
return nil, UnsupportedObjectTypeError(securityContext.String())
}
// Create queues a [SecurityContextCreate] message for the PipeWire server.
func (securityContext *SecurityContext) Create(listenFd, closeFd int, props SPADict) (err error) {
if err = securityContext.checkDestroy(); err != nil {
return
}
asCoreError := securityContext.ctx.expectsCoreError(securityContext.ID, &err)
if err != nil {
return
}
// queued in reverse based on upstream behaviour, unsure why
offset := securityContext.ctx.queueFiles(closeFd, listenFd)
if err = securityContext.ctx.writeMessage(
securityContext.ID,
&SecurityContextCreate{ListenFd: offset + 1, CloseFd: offset + 0, Properties: &props},
); err != nil {
return
}
if err = securityContext.ctx.GetCore().Sync(); err == nil {
return nil
}
if coreError := asCoreError(); coreError == nil {
return
} else {
switch syscall.Errno(-coreError.Result) {
case syscall.EPERM:
return &PermissionError{securityContext.ID, coreError.Message}
default:
return coreError
}
}
}
// securityContextCloser holds onto resources associated to the security context.
type securityContextCloser struct {
// Pipe with its write end passed to [SecurityContextCreate.CloseFd].
closeFds [2]int
// Pathname the socket was bound to.
pathname string
}
// Close closes both ends of the pipe.
func (scc *securityContextCloser) Close() (err error) {
err = errors.Join(
syscall.Close(scc.closeFds[1]),
syscall.Close(scc.closeFds[0]),
// there is still technically a TOCTOU here but this is internal
// and has access to the privileged pipewire socket, so it only
// receives trusted input (e.g. from cmd/hakurei) anyway
os.Remove(scc.pathname),
)
// no need for a finalizer anymore
runtime.SetFinalizer(scc, nil)
return
}
// BindAndCreate binds a new socket to the specified pathname and pass it to Create.
// It returns an [io.Closer] corresponding to [SecurityContextCreate.CloseFd].
func (securityContext *SecurityContext) BindAndCreate(pathname string, props SPADict) (io.Closer, error) {
if err := securityContext.checkDestroy(); err != nil {
return nil, err
}
var scc securityContextCloser
// ensure pathname is available
if f, err := os.Create(pathname); err != nil {
return nil, err
} else if err = f.Close(); err != nil {
_ = os.Remove(pathname)
return nil, err
} else if err = os.Remove(pathname); err != nil {
return nil, err
}
scc.pathname = pathname
var listenFd int
if fd, err := syscall.Socket(syscall.AF_UNIX, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0); err != nil {
return nil, os.NewSyscallError("socket", err)
} else {
securityContext.ctx.cleanup(func() error { return syscall.Close(fd) })
listenFd = fd
}
if err := syscall.Bind(listenFd, &syscall.SockaddrUnix{Name: pathname}); err != nil {
return nil, os.NewSyscallError("bind", err)
} else if err = syscall.Listen(listenFd, 0); err != nil {
_ = os.Remove(pathname)
return nil, os.NewSyscallError("listen", err)
}
if err := syscall.Pipe2(scc.closeFds[0:], syscall.O_CLOEXEC); err != nil {
_ = os.Remove(pathname)
return nil, err
}
runtime.SetFinalizer(&scc, (*securityContextCloser).Close)
if err := securityContext.Create(listenFd, scc.closeFds[1], props); err != nil {
_ = scc.Close()
return nil, err
}
return &scc, nil
}
func (securityContext *SecurityContext) consume(opcode byte, files []int, _ func(v any)) error {
securityContext.mustCheckDestroy()
closeReceivedFiles(files...)
switch opcode {
// SecurityContext does not receive any events
default:
panic(&UnsupportedOpcodeError{opcode, securityContext.String()})
}
}
func (securityContext *SecurityContext) setBoundProps(event *CoreBoundProps) error {
securityContext.mustCheckDestroy()
if securityContext.ID != event.ID {
return &InconsistentIdError{Proxy: securityContext, ID: securityContext.ID, ServerID: event.ID}
}
if securityContext.GlobalID != event.GlobalID {
return &InconsistentIdError{Global: true, Proxy: securityContext, ID: securityContext.GlobalID, ServerID: event.GlobalID}
}
return nil
}
// Destroy destroys this [SecurityContext] proxy.
func (securityContext *SecurityContext) Destroy() error {
return securityContext.destroy(securityContext.ctx, securityContext.ID)
}
func (securityContext *SecurityContext) String() string { return PW_TYPE_INTERFACE_SecurityContext }

21
internal/pipewire/securitycontext_test.go
View File

@@ -1,21 +0,0 @@
package pipewire_test
import (
"testing"
"hakurei.app/internal/pipewire"
)
func TestSecurityContextCreate(t *testing.T) {
t.Parallel()
encodingTestCases[pipewire.SecurityContextCreate, *pipewire.SecurityContextCreate]{
{"sample", samplePWContainer[6][0][1], pipewire.SecurityContextCreate{
ListenFd: 1 /* 21: duplicated from listen_fd */, CloseFd: 0, /* 20: duplicated from close_fd */
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_SEC_ENGINE, Value: "org.flatpak"},
{Key: pipewire.PW_KEY_ACCESS, Value: "restricted"},
},
}, nil},
}.run(t)
}

837
internal/pipewire/spa.go
View File

@@ -1,837 +0,0 @@
package pipewire
import (
"encoding/binary"
"fmt"
)
// A SPAKind describes the kind of data being encoded right after it.
//
// These do not always follow the same rules, and encoding/decoding
// is very much context-dependent. Callers should therefore not
// attempt to use these values directly and rely on [Marshal] and
// [Unmarshal] and their variants instead.
type SPAKind Word
/* Basic types */
const (
/* POD's can contain a number of basic SPA types: */
SPA_TYPE_START SPAKind = 0x00000 + iota
SPA_TYPE_None // No value or a NULL pointer.
SPA_TYPE_Bool // A boolean value.
SPA_TYPE_Id // An enumerated value.
SPA_TYPE_Int // An integer value, 32-bit.
SPA_TYPE_Long // An integer value, 64-bit.
SPA_TYPE_Float // A floating point value, 32-bit.
SPA_TYPE_Double // A floating point value, 64-bit.
SPA_TYPE_String // A string.
SPA_TYPE_Bytes // A byte array.
SPA_TYPE_Rectangle // A rectangle with width and height.
SPA_TYPE_Fraction // A fraction with numerator and denominator.
SPA_TYPE_Bitmap // An array of bits.
/* POD's can be grouped together in these container types: */
SPA_TYPE_Array // An array of equal sized objects.
SPA_TYPE_Struct // A collection of types and objects.
SPA_TYPE_Object // An object with properties.
SPA_TYPE_Sequence // A timed sequence of POD's.
/* POD's can also contain some extra types: */
SPA_TYPE_Pointer // A typed pointer in memory.
SPA_TYPE_Fd // A file descriptor.
SPA_TYPE_Choice // A choice of values.
SPA_TYPE_Pod // A generic type for the POD itself.
_SPA_TYPE_LAST // not part of ABI
)
// append appends the representation of [SPAKind] to data and returns the appended slice.
func (kind SPAKind) append(data []byte) []byte {
return binary.NativeEndian.AppendUint32(data, Word(kind))
}
// String returns the name of the [SPAKind] for basic types.
func (kind SPAKind) String() string {
switch kind {
case SPA_TYPE_None:
return "None"
case SPA_TYPE_Bool:
return "Bool"
case SPA_TYPE_Id:
return "Id"
case SPA_TYPE_Int:
return "Int"
case SPA_TYPE_Long:
return "Long"
case SPA_TYPE_Float:
return "Float"
case SPA_TYPE_Double:
return "Double"
case SPA_TYPE_String:
return "String"
case SPA_TYPE_Bytes:
return "Bytes"
case SPA_TYPE_Rectangle:
return "Rectangle"
case SPA_TYPE_Fraction:
return "Fraction"
case SPA_TYPE_Bitmap:
return "Bitmap"
case SPA_TYPE_Array:
return "Array"
case SPA_TYPE_Struct:
return "Struct"
case SPA_TYPE_Object:
return "Object"
case SPA_TYPE_Sequence:
return "Sequence"
case SPA_TYPE_Pointer:
return "Pointer"
case SPA_TYPE_Fd:
return "Fd"
case SPA_TYPE_Choice:
return "Choice"
case SPA_TYPE_Pod:
return "Pod"
default:
return fmt.Sprintf("invalid type field %#x", Word(kind))
}
}
/* Pointers */
const (
SPA_TYPE_POINTER_START = 0x10000 + iota
SPA_TYPE_POINTER_Buffer
SPA_TYPE_POINTER_Meta
SPA_TYPE_POINTER_Dict
_SPA_TYPE_POINTER_LAST // not part of ABI
)
/* Events */
const (
SPA_TYPE_EVENT_START = 0x20000 + iota
SPA_TYPE_EVENT_Device
SPA_TYPE_EVENT_Node
_SPA_TYPE_EVENT_LAST // not part of ABI
)
/* Commands */
const (
SPA_TYPE_COMMAND_START = 0x30000 + iota
SPA_TYPE_COMMAND_Device
SPA_TYPE_COMMAND_Node
_SPA_TYPE_COMMAND_LAST // not part of ABI
)
/* Objects */
const (
SPA_TYPE_OBJECT_START = 0x40000 + iota
SPA_TYPE_OBJECT_PropInfo
SPA_TYPE_OBJECT_Props
SPA_TYPE_OBJECT_Format
SPA_TYPE_OBJECT_ParamBuffers
SPA_TYPE_OBJECT_ParamMeta
SPA_TYPE_OBJECT_ParamIO
SPA_TYPE_OBJECT_ParamProfile
SPA_TYPE_OBJECT_ParamPortConfig
SPA_TYPE_OBJECT_ParamRoute
SPA_TYPE_OBJECT_Profiler
SPA_TYPE_OBJECT_ParamLatency
SPA_TYPE_OBJECT_ParamProcessLatency
SPA_TYPE_OBJECT_ParamTag
_SPA_TYPE_OBJECT_LAST // not part of ABI
)
/* vendor extensions */
const (
SPA_TYPE_VENDOR_PipeWire = 0x02000000
SPA_TYPE_VENDOR_Other = 0x7f000000
)
/* spa/include/spa/utils/type.h */
const (
SPA_TYPE_INFO_BASE = "Spa:"
SPA_TYPE_INFO_Flags = SPA_TYPE_INFO_BASE + "Flags"
SPA_TYPE_INFO_FLAGS_BASE = SPA_TYPE_INFO_Flags + ":"
SPA_TYPE_INFO_Enum = SPA_TYPE_INFO_BASE + "Enum"
SPA_TYPE_INFO_ENUM_BASE = SPA_TYPE_INFO_Enum + ":"
SPA_TYPE_INFO_Pod = SPA_TYPE_INFO_BASE + "Pod"
SPA_TYPE_INFO_POD_BASE = SPA_TYPE_INFO_Pod + ":"
SPA_TYPE_INFO_Struct = SPA_TYPE_INFO_POD_BASE + "Struct"
SPA_TYPE_INFO_STRUCT_BASE = SPA_TYPE_INFO_Struct + ":"
SPA_TYPE_INFO_Object = SPA_TYPE_INFO_POD_BASE + "Object"
SPA_TYPE_INFO_OBJECT_BASE = SPA_TYPE_INFO_Object + ":"
SPA_TYPE_INFO_Pointer = SPA_TYPE_INFO_BASE + "Pointer"
SPA_TYPE_INFO_POINTER_BASE = SPA_TYPE_INFO_Pointer + ":"
SPA_TYPE_INFO_Interface = SPA_TYPE_INFO_POINTER_BASE + "Interface"
SPA_TYPE_INFO_INTERFACE_BASE = SPA_TYPE_INFO_Interface + ":"
SPA_TYPE_INFO_Event = SPA_TYPE_INFO_OBJECT_BASE + "Event"
SPA_TYPE_INFO_EVENT_BASE = SPA_TYPE_INFO_Event + ":"
SPA_TYPE_INFO_Command = SPA_TYPE_INFO_OBJECT_BASE + "Command"
SPA_TYPE_INFO_COMMAND_BASE = SPA_TYPE_INFO_Command + ":"
)
/* pipewire/device.h */
const (
PW_TYPE_INTERFACE_Device = PW_TYPE_INFO_INTERFACE_BASE + "Device"
PW_DEVICE_PERM_MASK = PW_PERM_RWXM
PW_VERSION_DEVICE = 3
)
const (
PW_DEVICE_CHANGE_MASK_PROPS = 1 << iota
PW_DEVICE_CHANGE_MASK_PARAMS
PW_DEVICE_CHANGE_MASK_ALL = 1<<iota - 1
)
const (
PW_DEVICE_EVENT_INFO = iota
PW_DEVICE_EVENT_PARAM
PW_DEVICE_EVENT_NUM
PW_VERSION_DEVICE_EVENTS = 0
)
const (
PW_DEVICE_METHOD_ADD_LISTENER = iota
PW_DEVICE_METHOD_SUBSCRIBE_PARAMS
PW_DEVICE_METHOD_ENUM_PARAMS
PW_DEVICE_METHOD_SET_PARAM
PW_DEVICE_METHOD_NUM
PW_VERSION_DEVICE_METHODS = 0
)
/* pipewire/factory.h */
const (
PW_TYPE_INTERFACE_Factory = PW_TYPE_INFO_INTERFACE_BASE + "Factory"
PW_FACTORY_PERM_MASK = PW_PERM_R | PW_PERM_M
PW_VERSION_FACTORY = 3
)
const (
PW_FACTORY_CHANGE_MASK_PROPS = 1 << iota
PW_FACTORY_CHANGE_MASK_ALL = 1<<iota - 1
)
const (
PW_FACTORY_EVENT_INFO = iota
PW_FACTORY_EVENT_NUM
PW_VERSION_FACTORY_EVENTS = 0
)
const (
PW_FACTORY_METHOD_ADD_LISTENER = iota
PW_FACTORY_METHOD_NUM
PW_VERSION_FACTORY_METHODS = 0
)
/* pipewire/link.h */
const (
PW_TYPE_INTERFACE_Link = PW_TYPE_INFO_INTERFACE_BASE + "Link"
PW_LINK_PERM_MASK = PW_PERM_R | PW_PERM_X
PW_VERSION_LINK = 3
)
const (
PW_LINK_STATE_ERROR = iota - 2 // the link is in error
PW_LINK_STATE_UNLINKED // the link is unlinked
PW_LINK_STATE_INIT // the link is initialized
PW_LINK_STATE_NEGOTIATING // the link is negotiating formats
PW_LINK_STATE_ALLOCATING // the link is allocating buffers
PW_LINK_STATE_PAUSED // the link is paused
PW_LINK_STATE_ACTIVE // the link is active
)
const (
PW_LINK_CHANGE_MASK_STATE = (1 << iota)
PW_LINK_CHANGE_MASK_FORMAT
PW_LINK_CHANGE_MASK_PROPS
PW_LINK_CHANGE_MASK_ALL = 1<<iota - 1
)
const (
PW_LINK_EVENT_INFO = iota
PW_LINK_EVENT_NUM
PW_VERSION_LINK_EVENTS = 0
)
const (
PW_LINK_METHOD_ADD_LISTENER = iota
PW_LINK_METHOD_NUM
PW_VERSION_LINK_METHODS = 0
)
/* pipewire/module.h */
const (
PW_TYPE_INTERFACE_Module = PW_TYPE_INFO_INTERFACE_BASE + "Module"
PW_MODULE_PERM_MASK = PW_PERM_R | PW_PERM_M
PW_VERSION_MODULE = 3
)
const (
PW_MODULE_CHANGE_MASK_PROPS = 1 << iota
PW_MODULE_CHANGE_MASK_ALL = 1<<iota - 1
)
const (
PW_MODULE_EVENT_INFO = iota
PW_MODULE_EVENT_NUM
PW_VERSION_MODULE_EVENTS = 0
)
const (
PW_MODULE_METHOD_ADD_LISTENER = iota
PW_MODULE_METHOD_NUM
PW_VERSION_MODULE_METHODS = 0
)
/* pipewire/impl-module.h */
const (
PIPEWIRE_SYMBOL_MODULE_INIT = "pipewire__module_init"
PIPEWIRE_MODULE_PREFIX = "libpipewire-"
PW_VERSION_IMPL_MODULE_EVENTS = 0
)
/* pipewire/node.h */
const (
PW_TYPE_INTERFACE_Node = PW_TYPE_INFO_INTERFACE_BASE + "Node"
PW_NODE_PERM_MASK = PW_PERM_RWXML
PW_VERSION_NODE = 3
)
const (
PW_NODE_STATE_ERROR = iota - 1 // error state
PW_NODE_STATE_CREATING // the node is being created
PW_NODE_STATE_SUSPENDED // the node is suspended, the device might be closed
PW_NODE_STATE_IDLE // the node is running but there is no active port
PW_NODE_STATE_RUNNING // the node is running
)
const (
PW_NODE_CHANGE_MASK_INPUT_PORTS = 1 << iota
PW_NODE_CHANGE_MASK_OUTPUT_PORTS
PW_NODE_CHANGE_MASK_STATE
PW_NODE_CHANGE_MASK_PROPS
PW_NODE_CHANGE_MASK_PARAMS
PW_NODE_CHANGE_MASK_ALL = 1<<iota - 1
)
const (
PW_NODE_EVENT_INFO = iota
PW_NODE_EVENT_PARAM
PW_NODE_EVENT_NUM
PW_VERSION_NODE_EVENTS = 0
)
const (
PW_NODE_METHOD_ADD_LISTENER = iota
PW_NODE_METHOD_SUBSCRIBE_PARAMS
PW_NODE_METHOD_ENUM_PARAMS
PW_NODE_METHOD_SET_PARAM
PW_NODE_METHOD_SEND_COMMAND
PW_NODE_METHOD_NUM
PW_VERSION_NODE_METHODS = 0
)
/* pipewire/permission.h */
const (
PW_PERM_R = 0400 // object can be seen and events can be received
PW_PERM_W = 0200 // methods can be called that modify the object
PW_PERM_X = 0100 // methods can be called on the object. The W flag must be present in order to call methods that modify the object.
PW_PERM_M = 0010 // metadata can be set on object, Since 0.3.9
PW_PERM_L = 0020 // a link can be made between a node that doesn't have permission to see the other node, Since 0.3.77
PW_PERM_RW = PW_PERM_R | PW_PERM_W
PW_PERM_RWX = PW_PERM_RW | PW_PERM_X
PW_PERM_RWXM = PW_PERM_RWX | PW_PERM_M
PW_PERM_RWXML = PW_PERM_RWXM | PW_PERM_L
PW_PERM_ALL = PW_PERM_RWXM
PW_PERM_INVALID Word = 0xffffffff
)
/* pipewire/port.h */
const (
PW_TYPE_INTERFACE_Port = PW_TYPE_INFO_INTERFACE_BASE + "Port"
PW_PORT_PERM_MASK = PW_PERM_R | PW_PERM_X | PW_PERM_M
PW_VERSION_PORT = 3
)
const (
PW_PORT_CHANGE_MASK_PROPS = 1 << iota
PW_PORT_CHANGE_MASK_PARAMS
PW_PORT_CHANGE_MASK_ALL = 1<<iota - 1
)
const (
PW_PORT_EVENT_INFO = iota
PW_PORT_EVENT_PARAM
PW_PORT_EVENT_NUM
PW_VERSION_PORT_EVENTS = 0
)
const (
PW_PORT_METHOD_ADD_LISTENER = iota
PW_PORT_METHOD_SUBSCRIBE_PARAMS
PW_PORT_METHOD_ENUM_PARAMS
PW_PORT_METHOD_NUM
PW_VERSION_PORT_METHODS = 0
)
/* pipewire/extensions/client-node.h */
const (
PW_TYPE_INTERFACE_ClientNode = PW_TYPE_INFO_INTERFACE_BASE + "ClientNode"
PW_VERSION_CLIENT_NODE = 6
PW_EXTENSION_MODULE_CLIENT_NODE = PIPEWIRE_MODULE_PREFIX + "module-client-node"
)
const (
PW_CLIENT_NODE_EVENT_TRANSPORT = iota
PW_CLIENT_NODE_EVENT_SET_PARAM
PW_CLIENT_NODE_EVENT_SET_IO
PW_CLIENT_NODE_EVENT_EVENT
PW_CLIENT_NODE_EVENT_COMMAND
PW_CLIENT_NODE_EVENT_ADD_PORT
PW_CLIENT_NODE_EVENT_REMOVE_PORT
PW_CLIENT_NODE_EVENT_PORT_SET_PARAM
PW_CLIENT_NODE_EVENT_PORT_USE_BUFFERS
PW_CLIENT_NODE_EVENT_PORT_SET_IO
PW_CLIENT_NODE_EVENT_SET_ACTIVATION
PW_CLIENT_NODE_EVENT_PORT_SET_MIX_INFO
PW_CLIENT_NODE_EVENT_NUM
PW_VERSION_CLIENT_NODE_EVENTS = 1
)
const (
PW_CLIENT_NODE_METHOD_ADD_LISTENER = iota
PW_CLIENT_NODE_METHOD_GET_NODE
PW_CLIENT_NODE_METHOD_UPDATE
PW_CLIENT_NODE_METHOD_PORT_UPDATE
PW_CLIENT_NODE_METHOD_SET_ACTIVE
PW_CLIENT_NODE_METHOD_EVENT
PW_CLIENT_NODE_METHOD_PORT_BUFFERS
PW_CLIENT_NODE_METHOD_NUM
PW_VERSION_CLIENT_NODE_METHODS = 0
)
const (
PW_CLIENT_NODE_UPDATE_PARAMS = 1 << iota
PW_CLIENT_NODE_UPDATE_INFO
)
const (
PW_CLIENT_NODE_PORT_UPDATE_PARAMS = 1 << iota
PW_CLIENT_NODE_PORT_UPDATE_INFO
)
/* pipewire/extensions/metadata.h */
const (
PW_TYPE_INTERFACE_Metadata = PW_TYPE_INFO_INTERFACE_BASE + "Metadata"
PW_METADATA_PERM_MASK = PW_PERM_RWX
PW_VERSION_METADATA = 3
PW_EXTENSION_MODULE_METADATA = PIPEWIRE_MODULE_PREFIX + "module-metadata"
)
const (
PW_METADATA_EVENT_PROPERTY = iota
PW_METADATA_EVENT_NUM
PW_VERSION_METADATA_EVENTS = 0
)
const (
PW_METADATA_METHOD_ADD_LISTENER = iota
PW_METADATA_METHOD_SET_PROPERTY
PW_METADATA_METHOD_CLEAR
PW_METADATA_METHOD_NUM
PW_VERSION_METADATA_METHODS = 0
)
const (
PW_KEY_METADATA_NAME = "metadata.name"
PW_KEY_METADATA_VALUES = "metadata.values"
)
/* pipewire/extensions/profiler.h */
const (
PW_TYPE_INTERFACE_Profiler = PW_TYPE_INFO_INTERFACE_BASE + "Profiler"
PW_VERSION_PROFILER = 3
PW_PROFILER_PERM_MASK = PW_PERM_R
PW_EXTENSION_MODULE_PROFILER = PIPEWIRE_MODULE_PREFIX + "module-profiler"
)
const (
PW_PROFILER_EVENT_PROFILE = iota
PW_PROFILER_EVENT_NUM
PW_VERSION_PROFILER_EVENTS = 0
)
const (
PW_PROFILER_METHOD_ADD_LISTENER = iota
PW_PROFILER_METHOD_NUM
PW_VERSION_PROFILER_METHODS = 0
)
const (
PW_KEY_PROFILER_NAME = "profiler.name"
)
/* pipewire/type.h */
const (
PW_TYPE_INFO_BASE = "PipeWire:"
PW_TYPE_INFO_Object = PW_TYPE_INFO_BASE + "Object"
PW_TYPE_INFO_OBJECT_BASE = PW_TYPE_INFO_Object + ":"
PW_TYPE_INFO_Interface = PW_TYPE_INFO_BASE + "Interface"
PW_TYPE_INFO_INTERFACE_BASE = PW_TYPE_INFO_Interface + ":"
)
/* pipewire/keys.h */
/**
* Key Names
*
* A collection of keys that are used to add extra information on objects.
*
* Keys that start with "pipewire." are in general set-once and then
* read-only. They are usually used for security sensitive information that
* needs to be fixed.
*
* Properties from other objects can also appear. This usually suggests some
* sort of parent/child or owner/owned relationship.
*
*/
const (
PW_KEY_PROTOCOL = "pipewire.protocol" /* protocol used for connection */
PW_KEY_ACCESS = "pipewire.access" /* how the client access is controlled */
PW_KEY_CLIENT_ACCESS = "pipewire.client.access" /* how the client wants to be access controlled */
/** Various keys related to the identity of a client process and its security.
* Must be obtained from trusted sources by the protocol and placed as
* read-only properties. */
PW_KEY_SEC_PID = "pipewire.sec.pid" /* Client pid, set by protocol */
PW_KEY_SEC_UID = "pipewire.sec.uid" /* Client uid, set by protocol*/
PW_KEY_SEC_GID = "pipewire.sec.gid" /* client gid, set by protocol*/
PW_KEY_SEC_LABEL = "pipewire.sec.label" /* client security label, set by protocol*/
PW_KEY_SEC_SOCKET = "pipewire.sec.socket" /* client socket name, set by protocol */
PW_KEY_SEC_ENGINE = "pipewire.sec.engine" /* client secure context engine, set by protocol. This can also be set by a client when making a new security context. */
PW_KEY_SEC_APP_ID = "pipewire.sec.app-id" /* client secure application id */
PW_KEY_SEC_INSTANCE_ID = "pipewire.sec.instance-id" /* client secure instance id */
PW_KEY_LIBRARY_NAME_SYSTEM = "library.name.system" /* name of the system library to use */
PW_KEY_LIBRARY_NAME_LOOP = "library.name.loop" /* name of the loop library to use */
PW_KEY_LIBRARY_NAME_DBUS = "library.name.dbus" /* name of the dbus library to use */
/** object properties */
PW_KEY_OBJECT_PATH = "object.path" /* unique path to construct the object */
PW_KEY_OBJECT_ID = "object.id" /* a global object id */
PW_KEY_OBJECT_SERIAL = "object.serial" /* a 64 bit object serial number. This is a number incremented for each object that is created. The lower 32 bits are guaranteed to never be SPA_ID_INVALID. */
PW_KEY_OBJECT_LINGER = "object.linger" /* the object lives on even after the client that created it has been destroyed */
PW_KEY_OBJECT_REGISTER = "object.register" /* If the object should be registered. */
PW_KEY_OBJECT_EXPORT = "object.export" /* If the object should be exported, since 0.3.72 */
/* config */
PW_KEY_CONFIG_PREFIX = "config.prefix" /* a config prefix directory */
PW_KEY_CONFIG_NAME = "config.name" /* a config file name */
PW_KEY_CONFIG_OVERRIDE_PREFIX = "config.override.prefix" /* a config override prefix directory */
PW_KEY_CONFIG_OVERRIDE_NAME = "config.override.name" /* a config override file name */
/* loop */
PW_KEY_LOOP_NAME = "loop.name" /* the name of a loop */
PW_KEY_LOOP_CLASS = "loop.class" /* the classes this loop handles, array of strings */
PW_KEY_LOOP_RT_PRIO = "loop.rt-prio" /* realtime priority of the loop */
PW_KEY_LOOP_CANCEL = "loop.cancel" /* if the loop can be canceled */
/* context */
PW_KEY_CONTEXT_PROFILE_MODULES = "context.profile.modules" /* a context profile for modules, deprecated */
PW_KEY_USER_NAME = "context.user-name" /* The user name that runs pipewire */
PW_KEY_HOST_NAME = "context.host-name" /* The host name of the machine */
/* core */
PW_KEY_CORE_NAME = "core.name" /* The name of the core. Default is `pipewire-<username>-<pid>`, overwritten by env(PIPEWIRE_CORE) */
PW_KEY_CORE_VERSION = "core.version" /* The version of the core. */
PW_KEY_CORE_DAEMON = "core.daemon" /* If the core is listening for connections. */
PW_KEY_CORE_ID = "core.id" /* the core id */
PW_KEY_CORE_MONITORS = "core.monitors" /* the apis monitored by core. */
/* cpu */
PW_KEY_CPU_MAX_ALIGN = "cpu.max-align" /* maximum alignment needed to support all CPU optimizations */
PW_KEY_CPU_CORES = "cpu.cores" /* number of cores */
/* priorities */
PW_KEY_PRIORITY_SESSION = "priority.session" /* priority in session manager */
PW_KEY_PRIORITY_DRIVER = "priority.driver" /* priority to be a driver */
/* remote keys */
PW_KEY_REMOTE_NAME = "remote.name" /* The name of the remote to connect to, default pipewire-0, overwritten by env(PIPEWIRE_REMOTE). May also be a SPA-JSON array of sockets, to be tried in order. The "internal" remote name and "generic" intention connects to the local PipeWire instance. */
PW_KEY_REMOTE_INTENTION = "remote.intention" /* The intention of the remote connection, "generic", "screencast", "manager" */
/** application keys */
PW_KEY_APP_NAME = "application.name" /* application name. Ex: "Totem Music Player" */
PW_KEY_APP_ID = "application.id" /* a textual id for identifying an application logically. Ex: "org.gnome.Totem" */
PW_KEY_APP_VERSION = "application.version" /* application version. Ex: "1.2.0" */
PW_KEY_APP_ICON = "application.icon" /* aa base64 blob with PNG image data */
PW_KEY_APP_ICON_NAME = "application.icon-name" /* an XDG icon name for the application. Ex: "totem" */
PW_KEY_APP_LANGUAGE = "application.language" /* application language if applicable, in standard POSIX format. Ex: "en_GB" */
PW_KEY_APP_PROCESS_ID = "application.process.id" /* process id (pid)*/
PW_KEY_APP_PROCESS_BINARY = "application.process.binary" /* binary name */
PW_KEY_APP_PROCESS_USER = "application.process.user" /* user name */
PW_KEY_APP_PROCESS_HOST = "application.process.host" /* host name */
PW_KEY_APP_PROCESS_MACHINE_ID = "application.process.machine-id" /* the D-Bus host id the application runs on */
PW_KEY_APP_PROCESS_SESSION_ID = "application.process.session-id" /* login session of the application, on Unix the value of $XDG_SESSION_ID. */
/** window system */
PW_KEY_WINDOW_X11_DISPLAY = "window.x11.display" /* the X11 display string. Ex. ":0.0" */
/** Client properties */
PW_KEY_CLIENT_ID = "client.id" /* a client id */
PW_KEY_CLIENT_NAME = "client.name" /* the client name */
PW_KEY_CLIENT_API = "client.api" /* the client api used to access PipeWire */
/** Node keys */
PW_KEY_NODE_ID = "node.id" /* node id */
PW_KEY_NODE_NAME = "node.name" /* node name */
PW_KEY_NODE_NICK = "node.nick" /* short node name */
PW_KEY_NODE_DESCRIPTION = "node.description" /* localized human readable node one-line description. Ex. "Foobar USB Headset" */
PW_KEY_NODE_PLUGGED = "node.plugged" /* when the node was created. As a uint64 in nanoseconds. */
PW_KEY_NODE_SESSION = "node.session" /* the session id this node is part of */
PW_KEY_NODE_GROUP = "node.group" /* the group id this node is part of. Nodes in the same group are always scheduled with the same driver. Can be an array of group names. */
PW_KEY_NODE_SYNC_GROUP = "node.sync-group" /* the sync group this node is part of. Nodes in the same sync group are always scheduled together with the same driver when the sync is active. Can be an array of sync names. */
PW_KEY_NODE_SYNC = "node.sync" /* if the sync-group is active or not */
PW_KEY_NODE_TRANSPORT = "node.transport" /* if the transport is active or not */
PW_KEY_NODE_EXCLUSIVE = "node.exclusive" /* node wants exclusive access to resources */
PW_KEY_NODE_AUTOCONNECT = "node.autoconnect" /* node wants to be automatically connected to a compatible node */
PW_KEY_NODE_LATENCY = "node.latency" /* the requested latency of the node as a fraction. Ex: 128/48000 */
PW_KEY_NODE_MAX_LATENCY = "node.max-latency" /* the maximum supported latency of the node as a fraction. Ex: 1024/48000 */
PW_KEY_NODE_LOCK_QUANTUM = "node.lock-quantum" /* don't change quantum when this node is active */
PW_KEY_NODE_FORCE_QUANTUM = "node.force-quantum" /* force a quantum while the node is active */
PW_KEY_NODE_RATE = "node.rate" /* the requested rate of the graph as a fraction. Ex: 1/48000 */
PW_KEY_NODE_LOCK_RATE = "node.lock-rate" /* don't change rate when this node is active */
PW_KEY_NODE_FORCE_RATE = "node.force-rate" /* force a rate while the node is active. A value of 0 takes the denominator of node.rate */
PW_KEY_NODE_DONT_RECONNECT = "node.dont-reconnect" /* don't reconnect this node. The node is initially linked to target.object or the default node. If the target is removed, the node is destroyed */
PW_KEY_NODE_ALWAYS_PROCESS = "node.always-process" /* process even when unlinked */
PW_KEY_NODE_WANT_DRIVER = "node.want-driver" /* the node wants to be grouped with a driver node in order to schedule the graph. */
PW_KEY_NODE_PAUSE_ON_IDLE = "node.pause-on-idle" /* pause the node when idle */
PW_KEY_NODE_SUSPEND_ON_IDLE = "node.suspend-on-idle" /* suspend the node when idle */
PW_KEY_NODE_CACHE_PARAMS = "node.cache-params" /* cache the node params */
PW_KEY_NODE_TRANSPORT_SYNC = "node.transport.sync" /* the node handles transport sync */
PW_KEY_NODE_DRIVER = "node.driver" /* node can drive the graph. When the node is selected as the driver, it needs to start the graph periodically. */
PW_KEY_NODE_SUPPORTS_LAZY = "node.supports-lazy" /* the node can be a lazy driver. It will listen to RequestProcess commands and take them into account when deciding to start the graph. A value of 0 disables support, a value of > 0 enables with increasing preference. */
PW_KEY_NODE_SUPPORTS_REQUEST = "node.supports-request" /* The node supports emiting RequestProcess events when it wants the graph to be scheduled. A value of 0 disables support, a value of > 0 enables with increasing preference. */
PW_KEY_NODE_DRIVER_ID = "node.driver-id" /* the node id of the node assigned as driver for this node */
PW_KEY_NODE_ASYNC = "node.async" /* the node wants async scheduling */
PW_KEY_NODE_LOOP_NAME = "node.loop.name" /* the loop name fnmatch pattern to run in */
PW_KEY_NODE_LOOP_CLASS = "node.loop.class" /* the loop class fnmatch pattern to run in */
PW_KEY_NODE_STREAM = "node.stream" /* node is a stream, the server side should add a converter */
PW_KEY_NODE_VIRTUAL = "node.virtual" /* the node is some sort of virtual object */
PW_KEY_NODE_PASSIVE = "node.passive" /* indicate that a node wants passive links on output/input/all ports when the value is "out"/"in"/"true" respectively */
PW_KEY_NODE_LINK_GROUP = "node.link-group" /* the node is internally linked to nodes with the same link-group. Can be an array of group names. */
PW_KEY_NODE_NETWORK = "node.network" /* the node is on a network */
PW_KEY_NODE_TRIGGER = "node.trigger" /* the node is not scheduled automatically based on the dependencies in the graph but it will be triggered explicitly. */
PW_KEY_NODE_CHANNELNAMES = "node.channel-names" /* names of node's channels (unrelated to positions) */
PW_KEY_NODE_DEVICE_PORT_NAME_PREFIX = "node.device-port-name-prefix" /* override port name prefix for device ports, like capture and playback or disable the prefix completely if an empty string is provided */
PW_KEY_NODE_PHYSICAL = "node.physical" /* ports from the node are physical */
PW_KEY_NODE_TERMINAL = "node.terminal" /* ports from the node are terminal */
PW_KEY_NODE_RELIABLE = "node.reliable" /* node uses reliable transport 1.6.0 */
/** Port keys */
PW_KEY_PORT_ID = "port.id" /* port id */
PW_KEY_PORT_NAME = "port.name" /* port name */
PW_KEY_PORT_DIRECTION = "port.direction" /* the port direction, one of "in" or "out" or "control" and "notify" for control ports */
PW_KEY_PORT_ALIAS = "port.alias" /* port alias */
PW_KEY_PORT_PHYSICAL = "port.physical" /* if this is a physical port */
PW_KEY_PORT_TERMINAL = "port.terminal" /* if this port consumes the data */
PW_KEY_PORT_CONTROL = "port.control" /* if this port is a control port */
PW_KEY_PORT_MONITOR = "port.monitor" /* if this port is a monitor port */
PW_KEY_PORT_CACHE_PARAMS = "port.cache-params" /* cache the node port params */
PW_KEY_PORT_EXTRA = "port.extra" /* api specific extra port info, API name should be prefixed. "jack:flags:56" */
PW_KEY_PORT_PASSIVE = "port.passive" /* the ports wants passive links, since 0.3.67 */
PW_KEY_PORT_IGNORE_LATENCY = "port.ignore-latency" /* latency ignored by peers, since 0.3.71 */
PW_KEY_PORT_GROUP = "port.group" /* the port group of the port 1.2.0 */
PW_KEY_PORT_EXCLUSIVE = "port.exclusive" /* link port only once 1.6.0 */
PW_KEY_PORT_RELIABLE = "port.reliable" /* port uses reliable transport 1.6.0 */
/** link properties */
PW_KEY_LINK_ID = "link.id" /* a link id */
PW_KEY_LINK_INPUT_NODE = "link.input.node" /* input node id of a link */
PW_KEY_LINK_INPUT_PORT = "link.input.port" /* input port id of a link */
PW_KEY_LINK_OUTPUT_NODE = "link.output.node" /* output node id of a link */
PW_KEY_LINK_OUTPUT_PORT = "link.output.port" /* output port id of a link */
PW_KEY_LINK_PASSIVE = "link.passive" /* indicate that a link is passive and does not cause the graph to be runnable. */
PW_KEY_LINK_FEEDBACK = "link.feedback" /* indicate that a link is a feedback link and the target will receive data in the next cycle */
PW_KEY_LINK_ASYNC = "link.async" /* the link is using async io */
/** device properties */
PW_KEY_DEVICE_ID = "device.id" /* device id */
PW_KEY_DEVICE_NAME = "device.name" /* device name */
PW_KEY_DEVICE_PLUGGED = "device.plugged" /* when the device was created. As a uint64 in nanoseconds. */
PW_KEY_DEVICE_NICK = "device.nick" /* a short device nickname */
PW_KEY_DEVICE_STRING = "device.string" /* device string in the underlying layer's format. Ex. "surround51:0" */
PW_KEY_DEVICE_API = "device.api" /* API this device is accessed with. Ex. "alsa", "v4l2" */
PW_KEY_DEVICE_DESCRIPTION = "device.description" /* localized human readable device one-line description. Ex. "Foobar USB Headset" */
PW_KEY_DEVICE_BUS_PATH = "device.bus-path" /* bus path to the device in the OS' format. Ex. "pci-0000:00:14.0-usb-0:3.2:1.0" */
PW_KEY_DEVICE_SERIAL = "device.serial" /* Serial number if applicable */
PW_KEY_DEVICE_VENDOR_ID = "device.vendor.id" /* vendor ID if applicable */
PW_KEY_DEVICE_VENDOR_NAME = "device.vendor.name" /* vendor name if applicable */
PW_KEY_DEVICE_PRODUCT_ID = "device.product.id" /* product ID if applicable */
PW_KEY_DEVICE_PRODUCT_NAME = "device.product.name" /* product name if applicable */
PW_KEY_DEVICE_CLASS = "device.class" /* device class */
PW_KEY_DEVICE_FORM_FACTOR = "device.form-factor" /* form factor if applicable. One of "internal", "speaker", "handset", "tv", "webcam", "microphone", "headset", "headphone", "hands-free", "car", "hifi", "computer", "portable" */
PW_KEY_DEVICE_BUS = "device.bus" /* bus of the device if applicable. One of "isa", "pci", "usb", "firewire", "bluetooth" */
PW_KEY_DEVICE_SUBSYSTEM = "device.subsystem" /* device subsystem */
PW_KEY_DEVICE_SYSFS_PATH = "device.sysfs.path" /* device sysfs path */
PW_KEY_DEVICE_ICON = "device.icon" /* icon for the device. A base64 blob containing PNG image data */
PW_KEY_DEVICE_ICON_NAME = "device.icon-name" /* an XDG icon name for the device. Ex. "sound-card-speakers-usb" */
PW_KEY_DEVICE_INTENDED_ROLES = "device.intended-roles" /* intended use. A space separated list of roles (see PW_KEY_MEDIA_ROLE) this device is particularly well suited for, due to latency, quality or form factor. */
PW_KEY_DEVICE_CACHE_PARAMS = "device.cache-params" /* cache the device spa params */
/** module properties */
PW_KEY_MODULE_ID = "module.id" /* the module id */
PW_KEY_MODULE_NAME = "module.name" /* the name of the module */
PW_KEY_MODULE_AUTHOR = "module.author" /* the author's name */
PW_KEY_MODULE_DESCRIPTION = "module.description" /* a human readable one-line description of the module's purpose.*/
PW_KEY_MODULE_USAGE = "module.usage" /* a human readable usage description of the module's arguments. */
PW_KEY_MODULE_VERSION = "module.version" /* a version string for the module. */
PW_KEY_MODULE_DEPRECATED = "module.deprecated" /* the module is deprecated with this message */
/** Factory properties */
PW_KEY_FACTORY_ID = "factory.id" /* the factory id */
PW_KEY_FACTORY_NAME = "factory.name" /* the name of the factory */
PW_KEY_FACTORY_USAGE = "factory.usage" /* the usage of the factory */
PW_KEY_FACTORY_TYPE_NAME = "factory.type.name" /* the name of the type created by a factory */
PW_KEY_FACTORY_TYPE_VERSION = "factory.type.version" /* the version of the type created by a factory */
/** Stream properties */
PW_KEY_STREAM_IS_LIVE = "stream.is-live" /* Indicates that the stream is live. */
PW_KEY_STREAM_LATENCY_MIN = "stream.latency.min" /* The minimum latency of the stream. */
PW_KEY_STREAM_LATENCY_MAX = "stream.latency.max" /* The maximum latency of the stream */
PW_KEY_STREAM_MONITOR = "stream.monitor" /* Indicates that the stream is monitoring and might select a less accurate but faster conversion algorithm. Monitor streams are also ignored when calculating the latency of their peer ports (since 0.3.71).
*/
PW_KEY_STREAM_DONT_REMIX = "stream.dont-remix" /* don't remix channels */
PW_KEY_STREAM_CAPTURE_SINK = "stream.capture.sink" /* Try to capture the sink output instead of source output */
/** Media */
PW_KEY_MEDIA_TYPE = "media.type" /* Media type, one of Audio, Video, Midi */
PW_KEY_MEDIA_CATEGORY = "media.category" /* Media Category: Playback, Capture, Duplex, Monitor, Manager */
PW_KEY_MEDIA_ROLE = "media.role" /* Role: Movie, Music, Camera, Screen, Communication, Game, Notification, DSP, Production, Accessibility, Test */
PW_KEY_MEDIA_CLASS = "media.class" /* class Ex: "Video/Source" */
PW_KEY_MEDIA_NAME = "media.name" /* media name. Ex: "Pink Floyd: Time" */
PW_KEY_MEDIA_TITLE = "media.title" /* title. Ex: "Time" */
PW_KEY_MEDIA_ARTIST = "media.artist" /* artist. Ex: "Pink Floyd" */
PW_KEY_MEDIA_ALBUM = "media.album" /* album. Ex: "Dark Side of the Moon" */
PW_KEY_MEDIA_COPYRIGHT = "media.copyright" /* copyright string */
PW_KEY_MEDIA_SOFTWARE = "media.software" /* generator software */
PW_KEY_MEDIA_LANGUAGE = "media.language" /* language in POSIX format. Ex: en_GB */
PW_KEY_MEDIA_FILENAME = "media.filename" /* filename */
PW_KEY_MEDIA_ICON = "media.icon" /* icon for the media, a base64 blob with PNG image data */
PW_KEY_MEDIA_ICON_NAME = "media.icon-name" /* an XDG icon name for the media. Ex: "audio-x-mp3" */
PW_KEY_MEDIA_COMMENT = "media.comment" /* extra comment */
PW_KEY_MEDIA_DATE = "media.date" /* date of the media */
PW_KEY_MEDIA_FORMAT = "media.format" /* format of the media */
/** format related properties */
PW_KEY_FORMAT_DSP = "format.dsp" /* a dsp format. Ex: "32 bit float mono audio" */
/** audio related properties */
PW_KEY_AUDIO_CHANNEL = "audio.channel" /* an audio channel. Ex: "FL" */
PW_KEY_AUDIO_RATE = "audio.rate" /* an audio samplerate */
PW_KEY_AUDIO_CHANNELS = "audio.channels" /* number of audio channels */
PW_KEY_AUDIO_FORMAT = "audio.format" /* an audio format. Ex: "S16LE" */
PW_KEY_AUDIO_ALLOWED_RATES = "audio.allowed-rates" /* a list of allowed samplerates ex. "[ 44100 48000 ]" */
/** video related properties */
PW_KEY_VIDEO_RATE = "video.framerate" /* a video framerate */
PW_KEY_VIDEO_FORMAT = "video.format" /* a video format */
PW_KEY_VIDEO_SIZE = "video.size" /* a video size as "<width>x<height" */
PW_KEY_TARGET_OBJECT = "target.object" /* a target object to link to. This can be and object name or object.serial */
)

81
internal/pipewire/spa_test.go
View File

@@ -1,81 +0,0 @@
package pipewire_test
import (
_ "embed"
"encoding/binary"
"testing"
"hakurei.app/internal/pipewire"
)
func TestSPAKind(t *testing.T) {
t.Parallel()
testCases := []struct {
name string
v pipewire.SPAKind
want string
}{
{"invalid", 0xdeadbeef, "invalid type field 0xdeadbeef"},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
if got := tc.v.String(); got != tc.want {
t.Errorf("String: %q, want %q", got, tc.want)
}
})
}
}
// splitMessages splits concatenated messages into groups of
// header, payload, footer of each individual message.
// splitMessages panics on any decoding error.
func splitMessages(iovec string) (messages [][3][]byte) {
data := []byte(iovec)
messages = make([][3][]byte, 0, 1<<7)
var header pipewire.Header
for len(data) != 0 {
if err := header.UnmarshalBinary(data[:pipewire.SizeHeader]); err != nil {
panic(err)
}
size := pipewire.SizePrefix + binary.NativeEndian.Uint32(data[pipewire.SizeHeader:])
messages = append(messages, [3][]byte{
data[:pipewire.SizeHeader],
data[pipewire.SizeHeader : pipewire.SizeHeader+size],
data[pipewire.SizeHeader+size : pipewire.SizeHeader+header.Size],
})
data = data[pipewire.SizeHeader+header.Size:]
}
return
}
var (
//go:embed testdata/pw-container-00-sendmsg
samplePWContainer00 string
//go:embed testdata/pw-container-01-recvmsg
samplePWContainer01 string
//go:embed testdata/pw-container-03-sendmsg
samplePWContainer03 string
//go:embed testdata/pw-container-04-recvmsg
samplePWContainer04 string
//go:embed testdata/pw-container-06-sendmsg
samplePWContainer06 string
//go:embed testdata/pw-container-07-recvmsg
samplePWContainer07 string
// samplePWContainer is a collection of messages from the pw-container sample.
samplePWContainer = [...][][3][]byte{
splitMessages(samplePWContainer00),
splitMessages(samplePWContainer01),
nil,
splitMessages(samplePWContainer03),
splitMessages(samplePWContainer04),
nil,
splitMessages(samplePWContainer06),
splitMessages(samplePWContainer07),
nil,
}
)

BIN
internal/pipewire/testdata/pw-container-00-sendmsg vendored
View File

Binary file not shown.

BIN
internal/pipewire/testdata/pw-container-01-recvmsg vendored
View File

Binary file not shown.

BIN
internal/pipewire/testdata/pw-container-03-sendmsg vendored
View File

Binary file not shown.

BIN
internal/pipewire/testdata/pw-container-04-recvmsg vendored
View File

Binary file not shown.

BIN
internal/pipewire/testdata/pw-container-06-sendmsg vendored
View File

Binary file not shown.

BIN
internal/pipewire/testdata/pw-container-07-recvmsg vendored
View File

Binary file not shown.

2
internal/store/header_test.go
View File

@@ -34,7 +34,7 @@ func TestEntryHeader(t *testing.T) {
{"success high", [entryHeaderSize]byte{0x00, 0xff, 0xca, 0xfe, 0x00, 0x00,
0xff, 0x00}, 0xff, nil},
{"success", [entryHeaderSize]byte{0x00, 0xff, 0xca, 0xfe, 0x00, 0x00,
0x09, 0xf6}, hst.EWayland | hst.EPipeWire, nil},
0x09, 0xf6}, hst.EWayland | hst.EPulse, nil},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {

2
internal/system/acl_test.go
View File

@@ -13,7 +13,7 @@ import (
func TestACLUpdateOp(t *testing.T) {
t.Parallel()
checkOpBehaviour(t, 0, []opBehaviourTestCase{
checkOpBehaviour(t, []opBehaviourTestCase{
{"apply aclUpdate", 0xbeef, 0xff,
&aclUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}, []stub.Call{
call("verbose", stub.ExpectArgs{[]any{"applying ACL", &aclUpdateOp{Process, "/proc/nonexistent", []acl.Perm{acl.Read, acl.Write, acl.Execute}}}}, nil, nil),

2
internal/system/dbus_test.go
View File

@@ -18,7 +18,7 @@ import (
func TestDBusProxyOp(t *testing.T) {
t.Parallel()
checkOpBehaviour(t, 0, []opBehaviourTestCase{
checkOpBehaviour(t, []opBehaviourTestCase{
{"dbusProxyStart", 0xdead, 0xff, &dbusProxyOp{
final: dbusNewFinalSample(4),
out: new(linePrefixWriter), // panics on write

11
internal/system/dispatcher.go
View File

@@ -10,7 +10,6 @@ import (
"hakurei.app/hst"
"hakurei.app/internal/acl"
"hakurei.app/internal/dbus"
"hakurei.app/internal/pipewire"
"hakurei.app/internal/wayland"
"hakurei.app/internal/xcb"
)
@@ -48,11 +47,7 @@ type syscallDispatcher interface {
// aclUpdate provides [acl.Update].
aclUpdate(name string, uid int, perms ...acl.Perm) error
// waylandNew provides [wayland.New].
waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (io.Closer, error)
// pipewireConnect provides [pipewire.Connect].
pipewireConnect() (*pipewire.Context, error)
waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error)
// xcbChangeHosts provides [xcb.ChangeHosts].
xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error
@@ -85,12 +80,10 @@ func (k direct) aclUpdate(name string, uid int, perms ...acl.Perm) error {
return acl.Update(name, uid, perms...)
}
func (k direct) waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (io.Closer, error) {
func (k direct) waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error) {
return wayland.New(displayPath, bindPath, appID, instanceID)
}
func (k direct) pipewireConnect() (*pipewire.Context, error) { return pipewire.Connect(true, nil) }
func (k direct) xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error {
return xcb.ChangeHosts(mode, family, address)
}

65
internal/system/dispatcher_test.go
View File

@@ -1,7 +1,6 @@
package system
import (
"io"
"log"
"os"
"reflect"
@@ -14,7 +13,7 @@ import (
"hakurei.app/hst"
"hakurei.app/internal/acl"
"hakurei.app/internal/dbus"
"hakurei.app/internal/pipewire"
"hakurei.app/internal/wayland"
"hakurei.app/internal/xcb"
)
@@ -37,26 +36,17 @@ type opBehaviourTestCase struct {
wantErrRevert error
}
const (
// checkNoParallel causes checkOpBehaviour to skip setting tests as parallel.
checkNoParallel = 1 << iota
)
func checkOpBehaviour(t *testing.T, flags int, testCases []opBehaviourTestCase) {
func checkOpBehaviour(t *testing.T, testCases []opBehaviourTestCase) {
t.Helper()
t.Run("behaviour", func(t *testing.T) {
t.Helper()
if flags&checkNoParallel == 0 {
t.Parallel()
}
t.Parallel()
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
t.Helper()
if flags&checkNoParallel == 0 {
t.Parallel()
}
t.Parallel()
var ec *Criteria
if tc.ec != 0xff {
@@ -246,16 +236,8 @@ func (k *kstub) mkdir(name string, perm os.FileMode) error {
func (k *kstub) chmod(name string, mode os.FileMode) error {
k.Helper()
expect := k.Expects("chmod")
// translate ignored name
nameVal := any(name)
if _, ok := expect.Args[0].(ignoreValue); ok {
nameVal = ignoreValue{}
}
return expect.Error(
stub.CheckArgReflect(k.Stub, "name", nameVal, 0),
return k.Expects("chmod").Error(
stub.CheckArg(k.Stub, "name", name, 0),
stub.CheckArg(k.Stub, "mode", mode, 1))
}
@@ -282,35 +264,21 @@ func (k *kstub) println(v ...any) {
func (k *kstub) aclUpdate(name string, uid int, perms ...acl.Perm) error {
k.Helper()
expect := k.Expects("aclUpdate")
// translate ignored name
nameVal := any(name)
if _, ok := expect.Args[0].(ignoreValue); ok {
nameVal = ignoreValue{}
}
return expect.Error(
stub.CheckArgReflect(k.Stub, "name", nameVal, 0),
return k.Expects("aclUpdate").Error(
stub.CheckArg(k.Stub, "name", name, 0),
stub.CheckArg(k.Stub, "uid", uid, 1),
stub.CheckArgReflect(k.Stub, "perms", perms, 2))
}
func (k *kstub) waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (io.Closer, error) {
func (k *kstub) waylandNew(displayPath, bindPath *check.Absolute, appID, instanceID string) (*wayland.SecurityContext, error) {
k.Helper()
return io.NopCloser(nil), k.Expects("waylandNew").Error(
return nil, k.Expects("waylandNew").Error(
stub.CheckArgReflect(k.Stub, "displayPath", displayPath, 0),
stub.CheckArgReflect(k.Stub, "bindPath", bindPath, 1),
stub.CheckArg(k.Stub, "appID", appID, 2),
stub.CheckArg(k.Stub, "instanceID", instanceID, 3))
}
func (k *kstub) pipewireConnect() (*pipewire.Context, error) {
k.Helper()
expect := k.Expects("pipewireConnect")
return expect.Ret.(func() *pipewire.Context)(), expect.Error()
}
func (k *kstub) xcbChangeHosts(mode xcb.HostMode, family xcb.Family, address string) error {
k.Helper()
return k.Expects("xcbChangeHosts").Error(
@@ -410,18 +378,7 @@ func (k *kstub) Verbose(v ...any) {
func (k *kstub) Verbosef(format string, v ...any) {
k.Helper()
expect := k.Expects("verbosef")
// translate ignores in v
if want, ok := expect.Args[1].([]any); ok && len(v) == len(want) {
for i, a := range want {
if _, ok = a.(ignoreValue); ok {
v[i] = ignoreValue{}
}
}
}
if expect.Error(
if k.Expects("verbosef").Error(
stub.CheckArg(k.Stub, "format", format, 0),
stub.CheckArgReflect(k.Stub, "v", v, 1)) != nil {
k.FailNow()

2
internal/system/link_test.go
View File

@@ -10,7 +10,7 @@ import (
func TestHardlinkOp(t *testing.T) {
t.Parallel()
checkOpBehaviour(t, 0, []opBehaviourTestCase{
checkOpBehaviour(t, []opBehaviourTestCase{
{"link", 0xbeef, 0xff, &hardlinkOp{hst.EPulse, "/run/user/1000/hakurei/9663730666a44cfc2a81610379e02ed6/pulse", "/run/user/1000/pulse/native"}, []stub.Call{
call("verbose", stub.ExpectArgs{[]any{"linking", &hardlinkOp{hst.EPulse, "/run/user/1000/hakurei/9663730666a44cfc2a81610379e02ed6/pulse", "/run/user/1000/pulse/native"}}}, nil, nil),
call("link", stub.ExpectArgs{"/run/user/1000/pulse/native", "/run/user/1000/hakurei/9663730666a44cfc2a81610379e02ed6/pulse"}, nil, stub.UniqueError(1)),

2
internal/system/mkdir_test.go
View File

@@ -10,7 +10,7 @@ import (
func TestMkdirOp(t *testing.T) {
t.Parallel()
checkOpBehaviour(t, 0, []opBehaviourTestCase{
checkOpBehaviour(t, []opBehaviourTestCase{
{"mkdir", 0xbeef, 0xff, &mkdirOp{User, "/tmp/hakurei.0/f2f3bcd492d0266438fa9bf164fe90d9", 0711, false}, []stub.Call{
call("verbose", stub.ExpectArgs{[]any{"ensuring directory", &mkdirOp{User, "/tmp/hakurei.0/f2f3bcd492d0266438fa9bf164fe90d9", 0711, false}}}, nil, nil),
call("mkdir", stub.ExpectArgs{"/tmp/hakurei.0/f2f3bcd492d0266438fa9bf164fe90d9", os.FileMode(0711)}, nil, stub.UniqueError(2)),

1
internal/system/output.go
View File

@@ -26,7 +26,6 @@ func (e *OpError) Error() string {
switch {
case errors.As(e.Err, new(*os.PathError)),
errors.As(e.Err, new(*os.LinkError)),
errors.As(e.Err, new(*os.SyscallError)),
errors.As(e.Err, new(*net.OpError)),
errors.As(e.Err, new(*container.StartError)):
return e.Err.Error()

5
internal/system/output_test.go
View File

@@ -44,11 +44,6 @@ func TestOpError(t *testing.T) {
syscall.EISDIR, syscall.ENOTDIR,
"cannot stat /run/dbus: is a directory"},
{"syscall", newOpError("pipewire", os.NewSyscallError("pipe2", syscall.ENOTRECOVERABLE), false),
"pipe2: state not recoverable",
syscall.ENOTRECOVERABLE, syscall.ENOTDIR,
"cannot pipe2: state not recoverable"},
{"net", newOpError("wayland", &net.OpError{Op: "dial", Net: "unix", Addr: &net.UnixAddr{Name: "/run/user/1000/wayland-1", Net: "unix"}, Err: syscall.ENOENT}, false),
"dial unix /run/user/1000/wayland-1: no such file or directory",
syscall.ENOENT, syscall.EPERM,

102
internal/system/pipewire.go
View File

@@ -1,102 +0,0 @@
package system
import (
"errors"
"fmt"
"io"
"hakurei.app/container/check"
"hakurei.app/hst"
"hakurei.app/internal/acl"
"hakurei.app/internal/pipewire"
)
// PipeWire maintains a pipewire socket with SecurityContext attached via [pipewire].
// The socket stops accepting connections once the pipe referred to by sync is closed.
// The socket is pathname only and is destroyed on revert.
func (sys *I) PipeWire(dst *check.Absolute, appID, instanceID string) *I {
sys.ops = append(sys.ops, &pipewireOp{nil, dst, appID, instanceID})
return sys
}
// pipewireOp implements [I.PipeWire].
type pipewireOp struct {
scc io.Closer
dst *check.Absolute
appID, instanceID string
}
func (p *pipewireOp) Type() hst.Enablement { return Process }
func (p *pipewireOp) apply(sys *I) (err error) {
var ctx *pipewire.Context
if ctx, err = sys.pipewireConnect(); err != nil {
return newOpError("pipewire", err, false)
}
defer func() {
if closeErr := ctx.Close(); closeErr != nil && err == nil {
err = newOpError("pipewire", closeErr, false)
}
}()
sys.msg.Verbosef("pipewire pathname socket on %q", p.dst)
var registry *pipewire.Registry
if registry, err = ctx.GetRegistry(); err != nil {
return newOpError("pipewire", err, false)
} else if err = ctx.GetCore().Sync(); err != nil {
return newOpError("pipewire", err, false)
}
var securityContext *pipewire.SecurityContext
if securityContext, err = registry.GetSecurityContext(); err != nil {
return newOpError("pipewire", err, false)
} else if err = ctx.Roundtrip(); err != nil {
return newOpError("pipewire", err, false)
}
if p.scc, err = securityContext.BindAndCreate(p.dst.String(), pipewire.SPADict{
{Key: pipewire.PW_KEY_SEC_ENGINE, Value: "app.hakurei"},
{Key: pipewire.PW_KEY_SEC_APP_ID, Value: p.appID},
{Key: pipewire.PW_KEY_SEC_INSTANCE_ID, Value: p.instanceID},
{Key: pipewire.PW_KEY_ACCESS, Value: "restricted"},
}); err != nil {
return newOpError("pipewire", err, false)
}
if err = sys.chmod(p.dst.String(), 0); err != nil {
if closeErr := p.scc.Close(); closeErr != nil {
return newOpError("pipewire", errors.Join(err, closeErr), false)
}
return newOpError("pipewire", err, false)
}
if err = sys.aclUpdate(p.dst.String(), sys.uid, acl.Read, acl.Write, acl.Execute); err != nil {
if closeErr := p.scc.Close(); closeErr != nil {
return newOpError("pipewire", errors.Join(err, closeErr), false)
}
return newOpError("pipewire", err, false)
}
return nil
}
func (p *pipewireOp) revert(sys *I, _ *Criteria) error {
if p.scc != nil {
sys.msg.Verbosef("hanging up pipewire socket on %q", p.dst)
return newOpError("pipewire", p.scc.Close(), true)
}
return nil
}
func (p *pipewireOp) Is(o Op) bool {
target, ok := o.(*pipewireOp)
return ok && p != nil && target != nil &&
p.dst.Is(target.dst) &&
p.appID == target.appID &&
p.instanceID == target.instanceID
}
func (p *pipewireOp) Path() string { return p.dst.String() }
func (p *pipewireOp) String() string { return fmt.Sprintf("pipewire socket at %q", p.dst) }

545
internal/system/pipewire_test.go
View File

@@ -1,545 +0,0 @@
package system
import (
"fmt"
"os"
"path"
"syscall"
"testing"
"hakurei.app/container/stub"
"hakurei.app/internal/acl"
"hakurei.app/internal/pipewire"
)
func TestPipeWireOp(t *testing.T) {
t.Parallel()
checkOpBehaviour(t, checkNoParallel, []opBehaviourTestCase{
{"success", 0xbeef, 0xff, &pipewireOp{nil,
m(path.Join(t.TempDir(), "pipewire")),
"org.chromium.Chromium",
"ebf083d1b175911782d413369b64ce7c",
}, []stub.Call{
call("pipewireConnect", stub.ExpectArgs{}, func() *pipewire.Context {
if ctx, err := pipewire.New(&stubPipeWireConn{sendmsg: []string{
/* roundtrip 0 */
string([]byte{
// header: Core::Hello
0, 0, 0, 0,
0x18, 0, 0, 1,
0, 0, 0, 0,
0, 0, 0, 0,
// Struct
0x10, 0, 0, 0,
0xe, 0, 0, 0,
// Int: version = 4
4, 0, 0, 0,
4, 0, 0, 0,
4, 0, 0, 0,
0, 0, 0, 0,
// header: Client::UpdateProperties
1, 0, 0, 0,
0x50, 0, 0, 2,
1, 0, 0, 0,
0, 0, 0, 0,
// Struct: spa_dict
0x48, 0, 0, 0,
0xe, 0, 0, 0,
// Struct: spa_dict_item
0x40, 0, 0, 0,
0xe, 0, 0, 0,
// Int: n_items
4, 0, 0, 0,
4, 0, 0, 0,
1, 0, 0, 0,
0, 0, 0, 0,
// String: key = "remote.intention"
0x11, 0, 0, 0,
8, 0, 0, 0,
0x72, 0x65, 0x6d, 0x6f,
0x74, 0x65, 0x2e, 0x69,
0x6e, 0x74, 0x65, 0x6e,
0x74, 0x69, 0x6f, 0x6e,
0, 0, 0, 0,
0, 0, 0, 0,
// String: value = "manager"
8, 0, 0, 0,
8, 0, 0, 0,
0x6d, 0x61, 0x6e, 0x61,
0x67, 0x65, 0x72, 0,
// header: Core::GetRegistry
0, 0, 0, 0,
0x28, 0, 0, 5,
2, 0, 0, 0,
0, 0, 0, 0,
// Struct
0x20, 0, 0, 0,
0xe, 0, 0, 0,
// Int: version = 3
4, 0, 0, 0,
4, 0, 0, 0,
3, 0, 0, 0,
0, 0, 0, 0,
// Int: new_id = 2
4, 0, 0, 0,
4, 0, 0, 0,
2, 0, 0, 0,
0, 0, 0, 0,
// header: Core::Sync
0, 0, 0, 0,
0x28, 0, 0, 2,
3, 0, 0, 0,
0, 0, 0, 0,
// Struct
0x20, 0, 0, 0,
0xe, 0, 0, 0,
// Int: id = 0
4, 0, 0, 0,
4, 0, 0, 0,
0, 0, 0, 0,
0, 0, 0, 0,
// Int: seq = 0x40000003
4, 0, 0, 0,
4, 0, 0, 0,
3, 0, 0, 0x40,
0, 0, 0, 0,
}),
/* roundtrip 1 */
string([]byte{
// header: Registry::Bind
2, 0, 0, 0,
0x68, 0, 0, 1,
4, 0, 0, 0,
0, 0, 0, 0,
// Struct
0x60, 0, 0, 0,
0xe, 0, 0, 0,
// Int: id = 3
4, 0, 0, 0,
4, 0, 0, 0,
3, 0, 0, 0,
0, 0, 0, 0,
// String: type = "PipeWire:Interface:SecurityContext"
0x23, 0, 0, 0,
8, 0, 0, 0,
0x50, 0x69, 0x70, 0x65,
0x57, 0x69, 0x72, 0x65,
0x3a, 0x49, 0x6e, 0x74,
0x65, 0x72, 0x66, 0x61,
0x63, 0x65, 0x3a, 0x53,
0x65, 0x63, 0x75, 0x72,
0x69, 0x74, 0x79, 0x43,
0x6f, 0x6e, 0x74, 0x65,
0x78, 0x74, 0, 0,
0, 0, 0, 0,
// Int: version = 3
4, 0, 0, 0,
4, 0, 0, 0,
3, 0, 0, 0,
0, 0, 0, 0,
// Int: new_id = 3
4, 0, 0, 0,
4, 0, 0, 0,
3, 0, 0, 0,
0, 0, 0, 0,
}),
/* roundtrip 2 */
string([]byte{
// header: SecurityContext::Create
3, 0, 0, 0,
0x40, 1, 0, 1,
5, 0, 0, 0,
2, 0, 0, 0,
// Struct
0x38, 1, 0, 0,
0xe, 0, 0, 0,
// Fd: listen_fd = 1
8, 0, 0, 0,
0x12, 0, 0, 0,
1, 0, 0, 0,
0, 0, 0, 0,
// Fd: close_fd = 0
8, 0, 0, 0,
0x12, 0, 0, 0,
0, 0, 0, 0,
0, 0, 0, 0,
// Struct: spa_dict
0x10, 1, 0, 0,
0xe, 0, 0, 0,
// Int: n_items = 4
4, 0, 0, 0,
4, 0, 0, 0,
4, 0, 0, 0,
0, 0, 0, 0,
// String: key = "pipewire.sec.engine"
0x14, 0, 0, 0,
8, 0, 0, 0,
0x70, 0x69, 0x70, 0x65,
0x77, 0x69, 0x72, 0x65,
0x2e, 0x73, 0x65, 0x63,
0x2e, 0x65, 0x6e, 0x67,
0x69, 0x6e, 0x65, 0,
0, 0, 0, 0,
// String: value = "app.hakurei"
0xc, 0, 0, 0,
8, 0, 0, 0,
0x61, 0x70, 0x70, 0x2e,
0x68, 0x61, 0x6b, 0x75,
0x72, 0x65, 0x69, 0,
0, 0, 0, 0,
// String: key = "pipewire.sec.app-id"
0x14, 0, 0, 0,
8, 0, 0, 0,
0x70, 0x69, 0x70, 0x65,
0x77, 0x69, 0x72, 0x65,
0x2e, 0x73, 0x65, 0x63,
0x2e, 0x61, 0x70, 0x70,
0x2d, 0x69, 0x64, 0,
0, 0, 0, 0,
// String: value = "org.chromium.Chromium"
0x16, 0, 0, 0,
8, 0, 0, 0,
0x6f, 0x72, 0x67, 0x2e,
0x63, 0x68, 0x72, 0x6f,
0x6d, 0x69, 0x75, 0x6d,
0x2e, 0x43, 0x68, 0x72,
0x6f, 0x6d, 0x69, 0x75,
// String: key = "pipewire.sec.instance-id"
0x6d, 0, 0, 0,
0x19, 0, 0, 0,
8, 0, 0, 0,
0x70, 0x69, 0x70, 0x65,
0x77, 0x69, 0x72, 0x65,
0x2e, 0x73, 0x65, 0x63,
0x2e, 0x69, 0x6e, 0x73,
0x74, 0x61, 0x6e, 0x63,
0x65, 0x2d, 0x69, 0x64,
0, 0, 0, 0,
0, 0, 0, 0,
// String: value = "ebf083d1b175911782d413369b64ce7c"
0x21, 0, 0, 0,
8, 0, 0, 0,
0x65, 0x62, 0x66, 0x30,
0x38, 0x33, 0x64, 0x31,
0x62, 0x31, 0x37, 0x35,
0x39, 0x31, 0x31, 0x37,
0x38, 0x32, 0x64, 0x34,
0x31, 0x33, 0x33, 0x36,
0x39, 0x62, 0x36, 0x34,
0x63, 0x65, 0x37, 0x63,
0, 0, 0, 0,
0, 0, 0, 0,
// String: key = "pipewire.access"
0x10, 0, 0, 0,
8, 0, 0, 0,
0x70, 0x69, 0x70, 0x65,
0x77, 0x69, 0x72, 0x65,
0x2e, 0x61, 0x63, 0x63,
0x65, 0x73, 0x73, 0,
// String: value = "restricted"
0xb, 0, 0, 0,
8, 0, 0, 0,
0x72, 0x65, 0x73, 0x74,
0x72, 0x69, 0x63, 0x74,
0x65, 0x64, 0, 0,
0, 0, 0, 0,
// header: Core::Sync
0, 0, 0, 0,
0x28, 0, 0, 2,
6, 0, 0, 0,
0, 0, 0, 0,
// Struct
0x20, 0, 0, 0,
0xe, 0, 0, 0,
// Int: id = 0
4, 0, 0, 0,
4, 0, 0, 0,
0, 0, 0, 0,
0, 0, 0, 0,
// Int: seq = 0x40000006
4, 0, 0, 0,
4, 0, 0, 0,
6, 0, 0, 0x40,
0, 0, 0, 0,
}),
}, recvmsg: []*stubMessage{
/* roundtrip 0 */
{pipewire.PW_ID_CORE, nil, &pipewire.CoreInfo{
ID: pipewire.PW_ID_CORE,
Cookie: -2069267610,
UserName: "alice",
HostName: "nixos",
Version: "1.4.7",
Name: "pipewire-0",
ChangeMask: pipewire.PW_CORE_CHANGE_MASK_PROPS,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_CONFIG_NAME, Value: "pipewire.conf"},
{Key: pipewire.PW_KEY_APP_NAME, Value: "pipewire"},
{Key: pipewire.PW_KEY_APP_PROCESS_BINARY, Value: "pipewire"},
{Key: pipewire.PW_KEY_APP_LANGUAGE, Value: "en_US.UTF-8"},
{Key: pipewire.PW_KEY_APP_PROCESS_ID, Value: "1446"},
{Key: pipewire.PW_KEY_APP_PROCESS_USER, Value: "alice"},
{Key: pipewire.PW_KEY_APP_PROCESS_HOST, Value: "nixos"},
{Key: pipewire.PW_KEY_CORE_DAEMON, Value: "true"},
{Key: pipewire.PW_KEY_CORE_NAME, Value: "pipewire-0"},
{Key: pipewire.PW_KEY_OBJECT_ID, Value: "0"},
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "0"},
},
}},
{pipewire.PW_ID_CORE, nil, &pipewire.CoreBoundProps{
ID: pipewire.PW_ID_CLIENT,
GlobalID: 34,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "34"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "2"},
{Key: pipewire.PW_KEY_PROTOCOL, Value: "protocol-native"},
{Key: pipewire.PW_KEY_SEC_PID, Value: "1443"},
{Key: pipewire.PW_KEY_SEC_UID, Value: "1000"},
{Key: pipewire.PW_KEY_SEC_GID, Value: "100"},
{Key: pipewire.PW_KEY_SEC_SOCKET, Value: "pipewire-0-manager"},
},
}},
{pipewire.PW_ID_CLIENT, nil, &pipewire.ClientInfo{
ID: 34,
ChangeMask: pipewire.PW_CLIENT_CHANGE_MASK_PROPS,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_PROTOCOL, Value: "protocol-native"},
{Key: pipewire.PW_KEY_CORE_NAME, Value: "pipewire-alice-1443"},
{Key: pipewire.PW_KEY_SEC_SOCKET, Value: "pipewire-0-manager"},
{Key: pipewire.PW_KEY_SEC_PID, Value: "1443"},
{Key: pipewire.PW_KEY_SEC_UID, Value: "1000"},
{Key: pipewire.PW_KEY_SEC_GID, Value: "100"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "2"},
{Key: pipewire.PW_KEY_OBJECT_ID, Value: "34"},
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "34"},
{Key: pipewire.PW_KEY_REMOTE_INTENTION, Value: "manager"},
{Key: pipewire.PW_KEY_ACCESS, Value: "unrestricted"},
},
}},
{pipewire.PW_ID_CORE, nil, &pipewire.CoreDone{
ID: -1,
Sequence: 0,
}},
{2, nil, &pipewire.RegistryGlobal{
ID: pipewire.PW_ID_CORE,
Permissions: pipewire.PW_CORE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Core,
Version: pipewire.PW_VERSION_CORE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "0"},
{Key: pipewire.PW_KEY_CORE_NAME, Value: "pipewire-0"},
},
}},
{2, nil, &pipewire.RegistryGlobal{
ID: 1,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "1"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-rt"},
},
}},
{2, nil, &pipewire.RegistryGlobal{
ID: 3,
Permissions: pipewire.PW_SECURITY_CONTEXT_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_SecurityContext,
Version: pipewire.PW_VERSION_SECURITY_CONTEXT,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "3"},
},
}},
{2, nil, &pipewire.RegistryGlobal{
ID: 2,
Permissions: pipewire.PW_MODULE_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Module,
Version: pipewire.PW_VERSION_MODULE,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "2"},
{Key: pipewire.PW_KEY_MODULE_NAME, Value: pipewire.PIPEWIRE_MODULE_PREFIX + "module-protocol-native"},
},
}},
{pipewire.PW_ID_CORE, nil, &pipewire.CoreDone{
ID: 0,
Sequence: pipewire.CoreSyncSequenceOffset + 3,
}},
{2, nil, &pipewire.RegistryGlobal{
ID: 4,
Permissions: pipewire.PW_CLIENT_PERM_MASK,
Type: pipewire.PW_TYPE_INTERFACE_Client,
Version: pipewire.PW_VERSION_CLIENT,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "4"},
{Key: pipewire.PW_KEY_MODULE_ID, Value: "2"},
{Key: pipewire.PW_KEY_PROTOCOL, Value: "protocol-native"},
{Key: pipewire.PW_KEY_SEC_PID, Value: "1447"},
{Key: pipewire.PW_KEY_SEC_UID, Value: "1000"},
{Key: pipewire.PW_KEY_SEC_GID, Value: "100"},
{Key: pipewire.PW_KEY_SEC_SOCKET, Value: "pipewire-0-manager"},
{Key: pipewire.PW_KEY_ACCESS, Value: "unrestricted"},
{Key: pipewire.PW_KEY_APP_NAME, Value: "WirePlumber"},
},
}},
nil,
/* roundtrip 1 */
{pipewire.PW_ID_CORE, nil, &pipewire.CoreBoundProps{
ID: 3,
GlobalID: 3,
Properties: &pipewire.SPADict{
{Key: pipewire.PW_KEY_OBJECT_SERIAL, Value: "3"},
},
}},
nil,
/* roundtrip 2 */
{pipewire.PW_ID_CORE, nil, &pipewire.CoreDone{
ID: 0,
Sequence: pipewire.CoreSyncSequenceOffset + 6,
}},
nil,
}}, pipewire.SPADict{
{Key: pipewire.PW_KEY_REMOTE_INTENTION, Value: "manager"},
}); err != nil {
panic(err)
} else {
return ctx
}
}, nil),
call("verbosef", stub.ExpectArgs{"pipewire pathname socket on %q", []any{ignoreValue{}}}, nil, nil),
call("chmod", stub.ExpectArgs{ignoreValue{}, os.FileMode(0)}, nil, nil),
call("aclUpdate", stub.ExpectArgs{ignoreValue{}, 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, nil),
}, nil, []stub.Call{
call("verbosef", stub.ExpectArgs{"hanging up pipewire socket on %q", []any{ignoreValue{}}}, nil, nil),
}, nil},
})
checkOpsBuilder(t, "PipeWire", []opsBuilderTestCase{
{"sample", 0xcafe, func(_ *testing.T, sys *I) {
sys.PipeWire(m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/pipewire"),
"org.chromium.Chromium",
"ebf083d1b175911782d413369b64ce7c")
}, []Op{&pipewireOp{nil,
m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/pipewire"),
"org.chromium.Chromium",
"ebf083d1b175911782d413369b64ce7c",
}}, stub.Expect{}},
})
checkOpIs(t, []opIsTestCase{
{"dst differs", &pipewireOp{nil,
m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7d/pipewire"),
"org.chromium.Chromium",
"ebf083d1b175911782d413369b64ce7c",
}, &pipewireOp{nil,
m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/pipewire"),
"org.chromium.Chromium",
"ebf083d1b175911782d413369b64ce7c",
}, false},
{"equals", &pipewireOp{nil,
m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/pipewire"),
"org.chromium.Chromium",
"ebf083d1b175911782d413369b64ce7c",
}, &pipewireOp{nil,
m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/pipewire"),
"org.chromium.Chromium",
"ebf083d1b175911782d413369b64ce7c",
}, true},
})
checkOpMeta(t, []opMetaTestCase{
{"sample", &pipewireOp{nil,
m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/pipewire"),
"org.chromium.Chromium",
"ebf083d1b175911782d413369b64ce7c",
}, Process, "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/pipewire",
`pipewire socket at "/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/pipewire"`},
})
}
// stubMessage is a [pipewire.Message] prepared ahead of time.
type stubMessage struct {
// Proxy Id included in the [pipewire.Header].
id pipewire.Int
// Footer optionally appended after the message body.
footer pipewire.KnownSize
// Known-good message prepared ahead of time.
m pipewire.Message
}
// stubPipeWireConn implements [pipewire.Conn] and checks the behaviour of [pipewire.Context].
type stubPipeWireConn struct {
// Marshaled and sent for Recvmsg.
recvmsg []*stubMessage
// Current position in recvmsg.
curRecvmsg int
// Current server seq number.
sequence pipewire.Int
// Compared against calls to Sendmsg.
sendmsg []string
// Current position in sendmsg.
curSendmsg int
}
// Recvmsg marshals and copies a stubMessage prepared ahead of time.
func (conn *stubPipeWireConn) Recvmsg(p, _ []byte, _ int) (n, _, recvflags int, err error) {
defer func() { conn.curRecvmsg++ }()
recvflags = syscall.MSG_CMSG_CLOEXEC
if conn.recvmsg[conn.curRecvmsg] == nil {
err = syscall.EAGAIN
return
}
defer func() { conn.sequence++ }()
if data, marshalErr := (pipewire.MessageEncoder{Message: conn.recvmsg[conn.curRecvmsg].m}).AppendMessage(nil,
conn.recvmsg[conn.curRecvmsg].id,
conn.sequence,
conn.recvmsg[conn.curRecvmsg].footer,
); marshalErr != nil {
panic(marshalErr)
} else {
n = copy(p, data)
}
return
}
// Sendmsg checks a client message against a known-good sample.
func (conn *stubPipeWireConn) Sendmsg(p, _ []byte, _ int) (n int, err error) {
defer func() { conn.curSendmsg++ }()
n = len(p)
if string(p) != conn.sendmsg[conn.curSendmsg] {
err = fmt.Errorf("%#v, want %#v", p, []byte(conn.sendmsg[conn.curSendmsg]))
}
return
}
// Close checks whether Recvmsg and Sendmsg has depleted all samples.
func (conn *stubPipeWireConn) Close() error {
if conn.curRecvmsg != len(conn.recvmsg) {
return fmt.Errorf("consumed %d recvmsg samples, want %d", conn.curRecvmsg, len(conn.recvmsg))
}
if conn.curSendmsg != len(conn.sendmsg) {
return fmt.Errorf("consumed %d sendmsg samples, want %d", conn.curSendmsg, len(conn.sendmsg))
}
return nil
}

16
internal/system/wayland.go
View File

@@ -3,11 +3,11 @@ package system
import (
"errors"
"fmt"
"io"
"hakurei.app/container/check"
"hakurei.app/hst"
"hakurei.app/internal/acl"
"hakurei.app/internal/wayland"
)
// Wayland maintains a wayland socket with security-context-v1 attached via [wayland].
@@ -21,7 +21,7 @@ func (sys *I) Wayland(dst, src *check.Absolute, appID, instanceID string) *I {
// waylandOp implements [I.Wayland].
type waylandOp struct {
ctx io.Closer
ctx *wayland.SecurityContext
dst, src *check.Absolute
appID, instanceID string
}
@@ -53,11 +53,17 @@ func (w *waylandOp) apply(sys *I) (err error) {
}
func (w *waylandOp) revert(sys *I, _ *Criteria) error {
var (
hangupErr error
removeErr error
)
sys.msg.Verbosef("hanging up wayland socket on %q", w.dst)
if w.ctx != nil {
sys.msg.Verbosef("hanging up wayland socket on %q", w.dst)
return newOpError("wayland", w.ctx.Close(), true)
hangupErr = w.ctx.Close()
}
return nil
return newOpError("wayland", errors.Join(hangupErr, removeErr), true)
}
func (w *waylandOp) Is(o Op) bool {

7
internal/system/wayland_test.go
View File

@@ -1,6 +1,7 @@
package system
import (
"errors"
"os"
"testing"
@@ -11,7 +12,7 @@ import (
func TestWaylandOp(t *testing.T) {
t.Parallel()
checkOpBehaviour(t, 0, []opBehaviourTestCase{
checkOpBehaviour(t, []opBehaviourTestCase{
{"chmod", 0xbeef, 0xff, &waylandOp{nil,
m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
m("/run/user/1971/wayland-0"),
@@ -21,7 +22,7 @@ func TestWaylandOp(t *testing.T) {
call("waylandNew", stub.ExpectArgs{m("/run/user/1971/wayland-0"), m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c"}, nil, nil),
call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, stub.UniqueError(3)),
}, &OpError{Op: "wayland", Err: stub.UniqueError(3)}, nil, nil},
}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(3), os.ErrInvalid)}, nil, nil},
{"aclUpdate", 0xbeef, 0xff, &waylandOp{nil,
m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),
@@ -33,7 +34,7 @@ func TestWaylandOp(t *testing.T) {
call("verbosef", stub.ExpectArgs{"wayland pathname socket on %q via %q", []any{m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0")}}, nil, nil),
call("chmod", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", os.FileMode(0)}, nil, nil),
call("aclUpdate", stub.ExpectArgs{"/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland", 0xbeef, []acl.Perm{acl.Read, acl.Write, acl.Execute}}, nil, stub.UniqueError(2)),
}, &OpError{Op: "wayland", Err: stub.UniqueError(2)}, nil, nil},
}, &OpError{Op: "wayland", Err: errors.Join(stub.UniqueError(2), os.ErrInvalid)}, nil, nil},
{"success", 0xbeef, 0xff, &waylandOp{nil,
m("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/wayland"),

2
internal/system/xhost_test.go
View File

@@ -11,7 +11,7 @@ import (
func TestXHostOp(t *testing.T) {
t.Parallel()
checkOpBehaviour(t, 0, []opBehaviourTestCase{
checkOpBehaviour(t, []opBehaviourTestCase{
{"xcbChangeHosts revert", 0xbeef, hst.EX11, xhostOp("chronos"), []stub.Call{
call("verbosef", stub.ExpectArgs{"inserting entry %s to X11", []any{xhostOp("chronos")}}, nil, nil),
call("xcbChangeHosts", stub.ExpectArgs{xcb.HostMode(xcb.HostModeInsert), xcb.Family(xcb.FamilyServerInterpreted), "localuser\x00chronos"}, nil, stub.UniqueError(1)),

1
internal/wayland/conn.go
View File

@@ -52,7 +52,6 @@ func New(displayPath, bindPath *check.Absolute, appID, instanceID string) (*Secu
if f, err := os.Create(bindPath.String()); err != nil {
return nil, &Error{RCreate, bindPath.String(), displayPath.String(), err}
} else if err = f.Close(); err != nil {
_ = os.Remove(bindPath.String())
return nil, &Error{RCreate, bindPath.String(), displayPath.String(), err}
} else if err = os.Remove(bindPath.String()); err != nil {
return nil, &Error{RCreate, bindPath.String(), displayPath.String(), err}

2
nixos.nix
View File

@@ -68,7 +68,7 @@ in
home-manager =
let
privPackages = mapAttrs (_: userid: {
privPackages = mapAttrs (username: userid: {
home.packages = foldlAttrs (
acc: id: app:
[

10
options.md
View File

@@ -35,7 +35,7 @@ package
*Default:*
` <derivation hakurei-static-x86_64-unknown-linux-musl-0.3.3> `
` <derivation hakurei-static-x86_64-unknown-linux-musl-0.3.1> `
@@ -73,11 +73,11 @@ null or boolean
## environment\.hakurei\.apps\.\<name>\.enablements\.pipewire
## environment\.hakurei\.apps\.\<name>\.enablements\.pulse
Whether to share the PipeWire server via pipewire-pulse on a SecurityContext socket\.
Whether to share the PulseAudio socket and cookie\.
@@ -95,7 +95,7 @@ null or boolean
Whether to share the Wayland server via security-context-v1\.
Whether to share the Wayland socket\.
@@ -805,7 +805,7 @@ package
*Default:*
` <derivation hakurei-hsu-0.3.3> `
` <derivation hakurei-hsu-0.3.1> `

10
options.nix
View File

@@ -12,13 +12,13 @@ in
package = mkOption {
type = types.package;
default = packages.${pkgs.stdenv.hostPlatform.system}.hakurei;
default = packages.${pkgs.system}.hakurei;
description = "The hakurei package to use.";
};
hsuPackage = mkOption {
type = types.package;
default = packages.${pkgs.stdenv.hostPlatform.system}.hsu;
default = packages.${pkgs.system}.hsu;
description = "The hsu package to use.";
};
@@ -218,7 +218,7 @@ in
type = nullOr bool;
default = true;
description = ''
Whether to share the Wayland server via security-context-v1.
Whether to share the Wayland socket.
'';
};
@@ -238,11 +238,11 @@ in
'';
};
pipewire = mkOption {
pulse = mkOption {
type = nullOr bool;
default = true;
description = ''
Whether to share the PipeWire server via pipewire-pulse on a SecurityContext socket.
Whether to share the PulseAudio socket and cookie.
'';
};
};

4
package.nix
View File

@@ -11,6 +11,7 @@
wayland,
wayland-protocols,
wayland-scanner,
pipewire,
xorg,
# for hpkg
@@ -32,7 +33,7 @@
buildGoModule rec {
pname = "hakurei";
version = "0.3.3";
version = "0.3.1";
srcFiltered = builtins.path {
name = "${pname}-src";
@@ -94,6 +95,7 @@ buildGoModule rec {
libseccomp
acl
wayland
pipewire
]
++ (with xorg; [
libxcb

14
test/configuration.nix
View File

@@ -84,7 +84,7 @@
virtualisation = {
# Hopefully reduces spurious test failures:
memorySize = if pkgs.stdenv.hostPlatform.is32bit then 2046 else 8192;
memorySize = if pkgs.hostPlatform.is32bit then 2046 else 8192;
qemu.options = [
# Need to switch to a different GPU driver than the default one (-vga std) so that Sway can launch:
@@ -133,7 +133,7 @@
wait_delay = 1;
enablements = {
wayland = false;
pipewire = false;
pulse = false;
};
};
@@ -152,7 +152,7 @@
command = "foot";
enablements = {
dbus = false;
pipewire = false;
pulse = false;
};
};
@@ -167,7 +167,7 @@
command = "foot";
enablements = {
dbus = false;
pipewire = false;
pulse = false;
};
};
@@ -199,7 +199,7 @@
wayland = false;
x11 = true;
dbus = false;
pipewire = false;
pulse = false;
};
};
@@ -218,7 +218,7 @@
command = "foot";
enablements = {
dbus = false;
pipewire = false;
pulse = false;
};
};
@@ -232,7 +232,7 @@
wayland = false;
x11 = false;
dbus = false;
pipewire = false;
pulse = false;
};
};
};

4
test/default.nix
View File

@@ -1,6 +1,6 @@
{
lib,
testers,
nixosTest,
buildFHSEnv,
writeShellScriptBin,
@@ -9,7 +9,7 @@
withRace ? false,
}:
testers.nixosTest {
nixosTest {
name = "hakurei" + (if withRace then "-race" else "");
nodes.machine =
{ options, pkgs, ... }:

23
test/interactive/hakurei.nix
View File

@@ -15,30 +15,9 @@
command = "foot";
enablements = {
dbus = false;
pipewire = false;
pulse = false;
};
};
"cat.gensokyo.extern.foot.badDaemon" = {
name = "bd-foot";
identity = 1;
shareUid = true;
verbose = true;
share = pkgs.foot;
packages = [ pkgs.foot ];
command = "foot";
enablements = {
dbus = false;
};
extraPaths = [
{
type = "daemon";
dst = "/proc/nonexistent";
path = "/usr/bin/env";
args = [ "false" ];
}
];
};
};
extraHomeConfig.home.stateVersion = "23.05";

31
test/sandbox/case/device.nix
View File

@@ -41,6 +41,7 @@ in
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
"DISPLAY=unix:/tmp/.X11-unix/X0"
"HOME=/var/lib/hakurei/u0/a4"
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
"SHELL=/run/current-system/sw/bin/bash"
"TERM=linux"
"USER=u0_a4"
@@ -48,7 +49,6 @@ in
"XDG_RUNTIME_DIR=/run/user/65534"
"XDG_SESSION_CLASS=user"
"XDG_SESSION_TYPE=wayland"
"PULSE_SERVER=unix:/run/user/65534/pulse/native"
];
fs = fs "dead" {
@@ -75,7 +75,6 @@ in
"fstab" = fs "80001ff" null null;
"hsurc" = fs "80001ff" null null;
"fuse.conf" = fs "80001ff" null null;
"gai.conf" = fs "80001ff" null null;
"group" = fs "180" null "hakurei:x:65534:\n";
"host.conf" = fs "80001ff" null null;
"hostname" = fs "80001ff" null null;
@@ -138,7 +137,7 @@ in
user = fs "800001ed" {
"65534" = fs "800001c0" {
bus = fs "10001fd" null null;
pulse = fs "800001c0" { native = fs "10001ff" null null; } null;
pulse = fs "800001c0" { native = fs "10001b6" null null; } null;
wayland-0 = fs "1000038" null null;
} null;
} null;
@@ -190,6 +189,8 @@ in
home-manager = fs "800001ed" { gcroots = fs "800001ed" { current-home = fs "80001ff" null null; } null; } null;
nix = fs "800001ed" {
profiles = fs "800001ed" {
home-manager = fs "80001ff" null null;
home-manager-1-link = fs "80001ff" null null;
profile = fs "80001ff" null null;
profile-1-link = fs "80001ff" null null;
} null;
@@ -219,15 +220,16 @@ in
(ent "/" ignore ignore ignore ignore ignore)
(ent "/" ignore ignore ignore ignore ignore)
(ent "/" "/dev/shm" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=10004,gid=10004")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=16384k,mode=755,uid=10004,gid=10004")
(ent "/tmp/hakurei.0/tmpdir/4" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=10004,gid=10004")
(ent "/tmp/hakurei.0/tmpdir/4" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent ignore "/etc/passwd" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10004,gid=10004")
(ent ignore "/etc/group" "ro,nosuid,nodev,relatime" "tmpfs" "rootfs" "rw,uid=10004,gid=10004")
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
(ent "/tmp/.X11-unix" "/tmp/.X11-unix" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
(ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
(ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
(ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
(ent ignore "/run/user/65534/wayland-0" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/tmp/.X11-unix" "/tmp/.X11-unix" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "tmpfs" "tmpfs" ignore)
(ent ignore "/run/user/65534/bus" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/bin" "/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/usr/bin" "/usr/bin" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/nix/store" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
(ent "/block" "/sys/block" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/bus" "/sys/bus" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
@@ -235,13 +237,12 @@ in
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/tmp" "/var/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
(ent "/var/tmp" "/var/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/.hakurei/.ro-store" "rw,relatime" "overlay" "overlay" "ro,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,redirect_dir=nofollow,userxattr")
(ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,userxattr")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
(ent "/var/lib/hakurei/u0/a4" "/var/lib/hakurei/u0/a4" "rw,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
(ent ignore "/run/user/65534/pulse/native" "ro,nosuid,nodev,relatime" "ext4" "/dev/vda" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/var/lib/hakurei/u0/a4" "/var/lib/hakurei/u0/a4" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
];
seccomp = true;

Some files were not shown because too many files have changed in this diff Show More