release: 0.0.2

Signed-off-by: Ophestra <cat@gensokyo.uk>
cmd/planterette: remove hsu special case
2025-06-25 21:11:11 +09:00 · 2025-06-25 20:50:24 +09:00 · 2025-06-25 20:17:53 +09:00 · 2025-06-25 19:37:45 +09:00
25 changed files with 215 additions and 113 deletions
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@ -73,20 +73,20 @@ jobs:
          path: result/*
          retention-days: 1
-  fpkg:
+  planterette:
-    name: Fpkg
+    name: Planterette
    runs-on: nix
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run NixOS test
-        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.fpkg
+        run: nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.planterette
      - name: Upload test output
        uses: actions/upload-artifact@v3
        with:
-          name: "fpkg-vm-output"
+          name: "planterette-vm-output"
          path: result/*
          retention-days: 1
@ -97,7 +97,7 @@ jobs:
      - race
      - sandbox
      - sandbox-race
-      - fpkg
+      - planterette
    runs-on: nix
    steps:
      - name: Checkout
--- a/.github/workflows/README
+++ b/.github/workflows/README
@ -0,0 +1 @@
 This port is solely for releasing to the github mirror and serves no purpose during development.
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -0,0 +1,46 @@
 name: Release
 on:
  push:
    tags:
      - 'v*'
 jobs:
  release:
    name: Create release
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Nix
        uses: nixbuild/nix-quick-install-action@v32
        with:
          nix_conf: |
            keep-env-derivations = true
            keep-outputs = true
      - name: Restore and cache Nix store
        uses: nix-community/cache-nix-action@v6
        with:
          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
          restore-prefixes-first-match: build-${{ runner.os }}-
          gc-max-store-size-linux: 1G
          purge: true
          purge-prefixes: build-${{ runner.os }}-
          purge-created: 60
          purge-primary-key: never
      - name: Build for release
        run: nix build --print-out-paths --print-build-logs .#dist
      - name: Release
        uses: softprops/action-gh-release@v2
        with:
          files: |-
            result/hakurei-**
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -0,0 +1,48 @@
 name: Test
 on:
  - push
 jobs:
  dist:
    name: Create distribution
    runs-on: ubuntu-latest
    permissions:
      actions: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Nix
        uses: nixbuild/nix-quick-install-action@v32
        with:
          nix_conf: |
            keep-env-derivations = true
            keep-outputs = true
      - name: Restore and cache Nix store
        uses: nix-community/cache-nix-action@v6
        with:
          primary-key: build-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
          restore-prefixes-first-match: build-${{ runner.os }}-
          gc-max-store-size-linux: 1G
          purge: true
          purge-prefixes: build-${{ runner.os }}-
          purge-created: 60
          purge-primary-key: never
      - name: Build for test
        id: build-test
        run: >-
          export HAKUREI_REV="$(git rev-parse --short HEAD)" &&
          sed -i.old 's/version = /version = "0.0.0-'$HAKUREI_REV'"; # version = /' package.nix &&
          nix build --print-out-paths --print-build-logs .#dist &&
          mv package.nix.old package.nix &&
          echo "rev=$HAKUREI_REV" >> $GITHUB_OUTPUT
      - name: Upload test build
        uses: actions/upload-artifact@v4
        with:
          name: "hakurei-${{ steps.build-test.outputs.rev }}"
          path: result/*
          retention-days: 1
--- a/README.md
+++ b/README.md
@ -1,38 +1,29 @@
-Hakurei
+<p align="center">
-=======
+  <a href="https://git.gensokyo.uk/security/hakurei">
    <picture>
      <img src="https://basement.gensokyo.uk/images/yukari1.png" width="200px" alt="Yukari">
    </picture>
  </a>
 </p>
-[![Go Reference](https://pkg.go.dev/badge/git.gensokyo.uk/security/hakurei.svg)](https://pkg.go.dev/git.gensokyo.uk/security/hakurei)
+<p align="center">
-[![Go Report Card](https://goreportcard.com/badge/git.gensokyo.uk/security/hakurei)](https://goreportcard.com/report/git.gensokyo.uk/security/hakurei)
+  <a href="https://pkg.go.dev/git.gensokyo.uk/security/hakurei"><img src="https://pkg.go.dev/badge/git.gensokyo.uk/security/hakurei.svg" alt="Go Reference" /></a>
  <a href="https://goreportcard.com/report/git.gensokyo.uk/security/hakurei"><img src="https://goreportcard.com/badge/git.gensokyo.uk/security/hakurei" alt="Go Report Card" /></a>
 </p>
-Lets you run graphical applications as dedicated subordinate users in a container environment with a nice NixOS
+Hakurei is a tool for running sandboxed graphical applications as dedicated subordinate users on the Linux kernel.
-module to configure target users and provide launch scripts and desktop files.
+It also implements [planterette (WIP)](cmd/planterette), a self-contained Android-like package manager with modern security features.
-Why would you want this?
+## NixOS Module usage
- It protects the desktop environment from applications.
+The NixOS module currently requires home-manager to configure subordinate users. Full module documentation can be found [here](options.md).
 - It protects applications from each other.
 - It provides UID isolation on top of the standard application sandbox.
 If you have a flakes-enabled nix environment, you can try out the tool by running:
 ```shell
 nix run git+https://git.gensokyo.uk/security/hakurei -- help
 ```
 ## Module usage
 The NixOS module currently requires home-manager to configure subordinate users.
 Full module documentation can be found [here](options.md).
 To use the module, import it into your configuration with
 ```nix
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    hakurei = {
      url = "git+https://git.gensokyo.uk/security/hakurei";
--- a/cmd/fpkg/proc.go
+++ b/cmd/fpkg/proc.go
@ -1,29 +0,0 @@
 package main
 import (
 	"context"
 	"os"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal/app"
 	"git.gensokyo.uk/security/hakurei/internal/app/instance"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 )
 func mustRunApp(ctx context.Context, config *hst.Config, beforeFail func()) {
 	rs := new(app.RunState)
 	a := instance.MustNew(instance.ISetuid, ctx, std)
 	var code int
 	if sa, err := a.Seal(config); err != nil {
 		hlog.PrintBaseError(err, "cannot seal app:")
 		code = 1
 	} else {
 		code = instance.PrintRunStateErr(instance.ISetuid, rs, sa.Run(rs))
 	}
 	if code != 0 {
 		beforeFail()
 		os.Exit(code)
 	}
 }
--- a/cmd/hsu/main.go
+++ b/cmd/hsu/main.go
@ -41,7 +41,7 @@ func main() {
 		log.Fatalf("cannot read parent executable path: %v", err)
 	} else if strings.HasSuffix(p, " (deleted)") {
 		log.Fatal("hakurei executable has been deleted")
-	} else if p != mustCheckPath(hmain) && p != mustCheckPath(fpkg) {
+	} else if p != mustCheckPath(hmain) {
 		log.Fatal("this program must be started by hakurei")
 	} else {
 		toolPath = p
--- a/cmd/hsu/package.nix
+++ b/cmd/hsu/package.nix
@ -16,15 +16,8 @@ buildGoModule {
    go mod init hsu >& /dev/null
  '';
-  ldflags =
+  ldflags = lib.attrsets.foldlAttrs (
-    lib.attrsets.foldlAttrs
+    ldflags: name: value:
-      (
+    ldflags ++ [ "-X main.${name}=${value}" ]
-        ldflags: name: value:
+  ) [ "-s -w" ] { hmain = "${hakurei}/libexec/hakurei"; };
        ldflags ++ [ "-X main.${name}=${value}" ]
      )
      [ "-s -w" ]
      {
        hmain = "${hakurei}/libexec/hakurei";
        fpkg = "${hakurei}/libexec/fpkg";
      };
 }
--- a/cmd/hsu/path.go
+++ b/cmd/hsu/path.go
@ -9,7 +9,6 @@ const compPoison = "INVALIDINVALIDINVALIDINVALIDINVALID"
 var (
 	hmain = compPoison
 	fpkg  = compPoison
 )
 func mustCheckPath(p string) string {
--- a/cmd/planterette/app.go
+++ b/cmd/planterette/app.go
--- a/cmd/planterette/build.nix
+++ b/cmd/planterette/build.nix
--- a/cmd/planterette/main.go
+++ b/cmd/planterette/main.go
@ -13,36 +13,23 @@ import (
 	"git.gensokyo.uk/security/hakurei/command"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/app/instance"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 	"git.gensokyo.uk/security/hakurei/internal/sys"
 	"git.gensokyo.uk/security/hakurei/sandbox"
 )
 const shellPath = "/run/current-system/sw/bin/bash"
 var (
 	errSuccess = errors.New("success")
 	std sys.State = new(sys.Std)
 )
 func init() {
-	hlog.Prepare("fpkg")
+	hlog.Prepare("planterette")
 	if err := os.Setenv("SHELL", shellPath); err != nil {
 		log.Fatalf("cannot set $SHELL: %v", err)
 	}
 }
 func main() {
 	// early init path, skips root check and duplicate PR_SET_DUMPABLE
 	sandbox.TryArgv0(hlog.Output{}, hlog.Prepare, internal.InstallFmsg)
 	if err := sandbox.SetDumpable(sandbox.SUID_DUMP_DISABLE); err != nil {
 		log.Printf("cannot set SUID_DUMP_DISABLE: %s", err)
 		// not fatal: this program runs as the privileged user
 	}
 	if os.Geteuid() == 0 {
 		log.Fatal("this program must not run as root")
 	}
@ -55,15 +42,10 @@ func main() {
 		flagVerbose   bool
 		flagDropShell bool
 	)
-	c := command.New(os.Stderr, log.Printf, "fpkg", func([]string) error {
+	c := command.New(os.Stderr, log.Printf, "planterette", func([]string) error { internal.InstallFmsg(flagVerbose); return nil }).
 		internal.InstallFmsg(flagVerbose)
 		return nil
 	}).
 		Flag(&flagVerbose, "v", command.BoolFlag(false), "Print debug messages to the console").
 		Flag(&flagDropShell, "s", command.BoolFlag(false), "Drop to a shell in place of next hakurei action")
 	c.Command("shim", command.UsageInternal, func([]string) error { instance.ShimMain(); return errSuccess })
 	{
 		var (
 			flagDropShellActivate bool
@ -84,7 +66,7 @@ func main() {
 			}
 			/*
-				Look up paths to programs started by fpkg.
+				Look up paths to programs started by planterette.
 				This is done here to ease error handling as cleanup is not yet required.
 			*/
@ -100,7 +82,7 @@ func main() {
 			*/
 			var workDir string
-			if p, err := os.MkdirTemp("", "fpkg.*"); err != nil {
+			if p, err := os.MkdirTemp("", "planterette.*"); err != nil {
 				log.Printf("cannot create temporary directory: %v", err)
 				return err
 			} else {
--- a/cmd/planterette/paths.go
+++ b/cmd/planterette/paths.go
--- a/cmd/planterette/proc.go
+++ b/cmd/planterette/proc.go
@ -0,0 +1,60 @@
 package main
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"io"
 	"log"
 	"os"
 	"os/exec"
 	"git.gensokyo.uk/security/hakurei/hst"
 	"git.gensokyo.uk/security/hakurei/internal"
 	"git.gensokyo.uk/security/hakurei/internal/hlog"
 )
 var hakureiPath = internal.MustHakureiPath()
 func mustRunApp(ctx context.Context, config *hst.Config, beforeFail func()) {
 	var (
 		cmd *exec.Cmd
 		st  io.WriteCloser
 	)
 	if r, w, err := os.Pipe(); err != nil {
 		beforeFail()
 		log.Fatalf("cannot pipe: %v", err)
 	} else {
 		if hlog.Load() {
 			cmd = exec.CommandContext(ctx, hakureiPath, "-v", "app", "3")
 		} else {
 			cmd = exec.CommandContext(ctx, hakureiPath, "app", "3")
 		}
 		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 		cmd.ExtraFiles = []*os.File{r}
 		st = w
 	}
 	go func() {
 		if err := json.NewEncoder(st).Encode(config); err != nil {
 			beforeFail()
 			log.Fatalf("cannot send configuration: %v", err)
 		}
 	}()
 	if err := cmd.Start(); err != nil {
 		beforeFail()
 		log.Fatalf("cannot start hakurei: %v", err)
 	}
 	if err := cmd.Wait(); err != nil {
 		var exitError *exec.ExitError
 		if errors.As(err, &exitError) {
 			beforeFail()
 			internal.Exit(exitError.ExitCode())
 		} else {
 			beforeFail()
 			log.Fatalf("cannot wait: %v", err)
 		}
 	}
 }
--- a/cmd/planterette/test/configuration.nix
+++ b/cmd/planterette/test/configuration.nix
--- a/cmd/planterette/test/default.nix
+++ b/cmd/planterette/test/default.nix
@ -9,7 +9,7 @@ let
  buildPackage = self.buildPackage.${system};
 in
 nixosTest {
-  name = "fpkg";
+  name = "planterette";
  nodes.machine = {
    environment.etc = {
      "foot.pkg".source = callPackage ./foot.nix { inherit buildPackage; };
--- a/cmd/planterette/test/foot.nix
+++ b/cmd/planterette/test/foot.nix
--- a/cmd/planterette/test/test.py
+++ b/cmd/planterette/test/test.py
@ -79,15 +79,15 @@ print(machine.succeed("sudo -u alice -i hakurei version"))
 machine.wait_for_file("/run/user/1000/wayland-1")
 machine.wait_for_file("/tmp/sway-ipc.sock")
-# Prepare fpkg directory:
+# Prepare planterette directory:
 machine.succeed("install -dm 0700 -o alice -g users /var/lib/hakurei/1000")
-# Install fpkg app:
+# Install planterette app:
-swaymsg("exec fpkg -v install /etc/foot.pkg && touch /tmp/fpkg-install-done")
+swaymsg("exec planterette -v install /etc/foot.pkg && touch /tmp/planterette-install-ok")
-machine.wait_for_file("/tmp/fpkg-install-done")
+machine.wait_for_file("/tmp/planterette-install-ok")
 # Start app (foot) with Wayland enablement:
-swaymsg("exec fpkg -v start org.codeberg.dnkl.foot")
+swaymsg("exec planterette -v start org.codeberg.dnkl.foot")
 wait_for_window("hakurei@machine-foot")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
 machine.wait_for_file("/tmp/hakurei.1000/tmpdir/2/success-client")
--- a/cmd/planterette/with.go
+++ b/cmd/planterette/with.go
--- a/dist/install.sh
+++ b/dist/install.sh
@ -2,7 +2,7 @@
 cd "$(dirname -- "$0")" || exit 1
 install -vDm0755 "bin/hakurei" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hakurei"
-install -vDm0755 "bin/fpkg" "${HAKUREI_INSTALL_PREFIX}/usr/bin/fpkg"
+install -vDm0755 "bin/planterette" "${HAKUREI_INSTALL_PREFIX}/usr/bin/planterette"
 install -vDm6511 "bin/hsu" "${HAKUREI_INSTALL_PREFIX}/usr/bin/hsu"
 if [ ! -f "${HAKUREI_INSTALL_PREFIX}/etc/hsurc" ]; then
--- a/dist/release.sh
+++ b/dist/release.sh
@ -11,9 +11,9 @@ cp -rv "dist/comp" "${out}"
 go generate ./...
 go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
  -X git.gensokyo.uk/security/hakurei/internal.version=${VERSION}
  -X git.gensokyo.uk/security/hakurei/internal.hakurei=/usr/bin/hakurei
  -X git.gensokyo.uk/security/hakurei/internal.hsu=/usr/bin/hsu
-  -X main.hmain=/usr/bin/hakurei
+  -X main.hmain=/usr/bin/hakurei" ./...
  -X main.fpkg=/usr/bin/fpkg" ./...
 rm -f "./${out}.tar.gz" && tar -C dist -czf "${out}.tar.gz" "${pname}"
 rm -rf "./${out}"
--- a/flake.nix
+++ b/flake.nix
@ -32,7 +32,7 @@
      buildPackage = forAllSystems (
        system:
        nixpkgsFor.${system}.callPackage (
-          import ./cmd/fpkg/build.nix {
+          import ./cmd/planterette/build.nix {
            inherit
              nixpkgsFor
              system
@ -69,7 +69,7 @@
            withRace = true;
          };
-          fpkg = callPackage ./cmd/fpkg/test { inherit system self; };
+          planterette = callPackage ./cmd/planterette/test { inherit system self; };
          formatting = runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; } ''
            cd ${./.}
@ -125,7 +125,7 @@
              glibc
              xdg-dbus-proxy
-              # fpkg
+              # planterette
              zstd
              gnutar
              coreutils
--- a/internal/path.go
+++ b/internal/path.go
@ -8,16 +8,26 @@ import (
 )
 var (
-	hsu = compPoison
+	hakurei = compPoison
 	hsu     = compPoison
 )
 func MustHakureiPath() string {
 	if name, ok := checkPath(hakurei); ok {
 		return name
 	}
 	hlog.BeforeExit()
 	log.Fatal("invalid hakurei path, this program is compiled incorrectly")
 	return compPoison // unreachable
 }
 func MustHsuPath() string {
 	if name, ok := checkPath(hsu); ok {
 		return name
 	}
 	hlog.BeforeExit()
 	log.Fatal("invalid hsu path, this program is compiled incorrectly")
-	return compPoison
+	return compPoison // unreachable
 }
 func checkPath(p string) (string, bool) { return p, p != compPoison && p != "" && path.IsAbs(p) }
--- a/options.md
+++ b/options.md
@ -35,7 +35,7 @@ package
 *Default:*
-` <derivation hakurei-static-x86_64-unknown-linux-musl-0.4.1> `
+` <derivation hakurei-static-x86_64-unknown-linux-musl-0.0.2> `
@ -916,7 +916,7 @@ package
 *Default:*
-` <derivation hakurei-hsu-0.4.1> `
+` <derivation hakurei-hsu-0.0.2> `
--- a/package.nix
+++ b/package.nix
@ -13,7 +13,7 @@
  wayland-scanner,
  xorg,
-  # for fpkg
+  # for planterette
  zstd,
  gnutar,
  coreutils,
@ -31,7 +31,7 @@
 buildGoModule rec {
  pname = "hakurei";
-  version = "0.0.1";
+  version = "0.0.2";
  srcFiltered = builtins.path {
    name = "${pname}-src";
@ -76,6 +76,7 @@ buildGoModule rec {
      )
      {
        version = "v${version}";
        hakurei = "${placeholder "out"}/libexec/hakurei";
        hsu = "/run/wrappers/bin/hsu";
      };
@ -116,7 +117,7 @@ buildGoModule rec {
      makeBinaryWrapper "$out/libexec/hakurei" "$out/bin/hakurei" \
        --inherit-argv0 --prefix PATH : ${lib.makeBinPath appPackages}
-      makeBinaryWrapper "$out/libexec/fpkg" "$out/bin/fpkg" \
+      makeBinaryWrapper "$out/libexec/planterette" "$out/bin/planterette" \
        --inherit-argv0 --prefix PATH : ${
          lib.makeBinPath (
            appPackages
Author	SHA1	Message	Date
Ophestra	0e957cc9c1	release: 0.0.2 All checks were successful Release / Create release (push) Successful in 43s Details Test / Create distribution (push) Successful in 25s Details Test / Sandbox (push) Successful in 40s Details Test / Hakurei (push) Successful in 45s Details Test / Sandbox (race detector) (push) Successful in 39s Details Test / Planterette (push) Successful in 1m41s Details Test / Hakurei (race detector) (push) Successful in 1m44s Details Test / Flake checks (push) Successful in 1m14s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 21:11:11 +09:00
Ophestra	aa454b158f	cmd/planterette: remove hsu special case All checks were successful Test / Hakurei (push) Successful in 42s Details Test / Create distribution (push) Successful in 25s Details Test / Sandbox (push) Successful in 40s Details Test / Hakurei (race detector) (push) Successful in 43s Details Test / Sandbox (race detector) (push) Successful in 38s Details Test / Planterette (push) Successful in 40s Details Test / Flake checks (push) Successful in 1m15s Details Remove special case and invoke hakurei out of process. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 20:50:24 +09:00
Ophestra	7007bd6a1c	workflows: port release workflow to github All checks were successful Test / Create distribution (push) Successful in 32s Details Test / Sandbox (push) Successful in 1m55s Details Test / Hakurei (push) Successful in 2m46s Details Test / Sandbox (race detector) (push) Successful in 3m6s Details Test / Fpkg (push) Successful in 3m31s Details Test / Hakurei (race detector) (push) Successful in 4m15s Details Test / Flake checks (push) Successful in 1m8s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 20:17:53 +09:00
Ophestra	00efc95ee7	workflows: port test workflow to github All checks were successful Test / Create distribution (push) Successful in 24s Details Test / Sandbox (push) Successful in 1m29s Details Test / Sandbox (race detector) (push) Successful in 2m54s Details Test / Fpkg (push) Successful in 3m10s Details Test / Flake checks (push) Successful in 1m8s Details Test / Hakurei (race detector) (push) Successful in 4m10s Details Test / Hakurei (push) Successful in 1m57s Details This is a much less useful port of the test workflow and runs much slower due to runner limitations. Still better than nothing though. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-06-25 19:37:45 +09:00
		`@ -0,0 +1 @@`
							`This port is solely for releasing to the github mirror and serves no purpose during development.`