cmd/hakurei/command: pd run dbus-verbose nil check

This otherwise dereferences a nil pointer when dbus-verbose is set and either session or system bus are nil. Signed-off-by: Ophestra <cat@gensokyo.uk>
app/seal: leave $DISPLAY as is on host abstract
2025-09-06 00:09:25 +09:00 · 2025-08-27 20:42:03 +09:00 · 2025-08-26 03:33:45 +09:00 · 2025-08-26 03:27:07 +09:00
19 changed files with 51 additions and 18 deletions
--- a/cmd/hakurei/command.go
+++ b/cmd/hakurei/command.go
@@ -162,8 +162,12 @@ func buildCommand(out io.Writer) command.Command {
 				// override log from configuration
 				if dbusVerbose {
-					config.SessionBus.Log = true
+					if config.SessionBus != nil {
-					config.SystemBus.Log = true
+						config.SessionBus.Log = true
 					}
 					if config.SystemBus != nil {
 						config.SystemBus.Log = true
 					}
 				}
 			}
--- a/container/container_test.go
+++ b/container/container_test.go
@@ -100,6 +100,7 @@ var containerTestCases = []struct {
 			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/mqueue", "rw,nosuid,nodev,noexec,relatime", "mqueue", "mqueue", "rw"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
 		1971, 100, nil, 0, seccomp.PresetStrict},
@@ -116,6 +117,7 @@ var containerTestCases = []struct {
 			ent("/urandom", "/dev/urandom", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/tty", "/dev/tty", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/", "/dev/pts", "rw,nosuid,noexec,relatime", "devpts", "devpts", "rw,mode=620,ptmxmode=666"),
 			ent("/", "/dev/shm", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
 		),
 		1971, 100, nil, 0, seccomp.PresetStrict},
--- a/container/initdev.go
+++ b/container/initdev.go
@@ -72,8 +72,9 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 		}
 	}
 	devShmPath := path.Join(target, "shm")
 	devPtsPath := path.Join(target, "pts")
-	for _, name := range []string{path.Join(target, "shm"), devPtsPath} {
+	for _, name := range []string{devShmPath, devPtsPath} {
 		if err := k.mkdir(name, state.ParentPerm); err != nil {
 			return wrapErrSelf(err)
 		}
@@ -117,8 +118,12 @@ func (d *MountDevOp) apply(state *setupState, k syscallDispatcher) error {
 	if d.Write {
 		return nil
 	}
-	return wrapErrSuffix(k.remount(target, MS_RDONLY),
+
-		fmt.Sprintf("cannot remount %q:", target))
+	if err := k.remount(target, MS_RDONLY); err != nil {
 		return wrapErrSuffix(k.remount(target, MS_RDONLY),
 			fmt.Sprintf("cannot remount %q:", target))
 	}
 	return k.mountTmpfs(SourceTmpfs, devShmPath, MS_NOSUID|MS_NODEV, 0, 01777)
 }
 func (d *MountDevOp) Is(op Op) bool {
--- a/container/initdev_test.go
+++ b/container/initdev_test.go
@@ -645,6 +645,7 @@ func TestMountDevOp(t *testing.T) {
 			{"readlink", expectArgs{"/host/proc/self/fd/1"}, "/dev/pts/2", nil},
 			{"bindMount", expectArgs{"/host/dev/pts/2", "/sysroot/dev/console", uintptr(0), false}, nil, nil},
 			{"remount", expectArgs{"/sysroot/dev", uintptr(1)}, nil, nil},
 			{"mountTmpfs", expectArgs{"tmpfs", "/sysroot/dev/shm", uintptr(0x6), 0, os.FileMode(01777)}, nil, nil},
 		}, nil},
 		{"success rw", &Params{ParentPerm: 0750, RetainSession: true}, &MountDevOp{
@@ -715,6 +716,7 @@ func TestMountDevOp(t *testing.T) {
 			{"mkdir", expectArgs{"/sysroot/dev/mqueue", os.FileMode(0750)}, nil, nil},
 			{"mount", expectArgs{"mqueue", "/sysroot/dev/mqueue", "mqueue", uintptr(0xe), ""}, nil, nil},
 			{"remount", expectArgs{"/sysroot/dev", uintptr(1)}, nil, nil},
 			{"mountTmpfs", expectArgs{"tmpfs", "/sysroot/dev/shm", uintptr(0x6), 0, os.FileMode(01777)}, nil, nil},
 		}, nil},
 	})
--- a/container/mount.go
+++ b/container/mount.go
@@ -43,6 +43,8 @@ const (
 	// Note that any source value is allowed when fstype is [FstypeOverlay].
 	SourceOverlay = "overlay"
 	// SourceTmpfs is used when mounting tmpfs.
 	SourceTmpfs = "tmpfs"
 	// SourceTmpfsRootfs is used when mounting the tmpfs instance backing the intermediate root.
 	SourceTmpfsRootfs = "rootfs"
 	// SourceTmpfsDevtmpfs is used when mounting tmpfs representing a subset of host devtmpfs.
--- a/internal/app/app_nixos_linux_test.go
+++ b/internal/app/app_nixos_linux_test.go
@@ -148,6 +148,7 @@ var testCasesNixos = []sealTestCase{
 				Etc(m("/etc/"), "8e2c76b066dabe574cf073bdb46eb5c1").
 				Bind(m("/var/lib/persist/module/hakurei/0/1"), m("/var/lib/persist/module/hakurei/0/1"), container.BindWritable|container.BindEnsure).
 				Remount(m("/dev/"), syscall.MS_RDONLY).
 				Tmpfs(m("/dev/shm"), 0, 01777).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.1971/runtime/1"), m("/run/user/1971"), container.BindWritable).
 				Bind(m("/tmp/hakurei.1971/tmpdir/1"), m("/tmp/"), container.BindWritable).
--- a/internal/app/app_pd_linux_test.go
+++ b/internal/app/app_pd_linux_test.go
@@ -53,6 +53,7 @@ var testCasesPd = []sealTestCase{
 				Tmpfs(m("/run/user/1971"), 8192, 0755).
 				Tmpfs(m("/run/dbus"), 8192, 0755).
 				Remount(m("/dev/"), syscall.MS_RDONLY).
 				Tmpfs(m("/dev/shm"), 0, 01777).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.1971/runtime/0"), m("/run/user/65534"), container.BindWritable).
 				Bind(m("/tmp/hakurei.1971/tmpdir/0"), m("/tmp/"), container.BindWritable).
@@ -189,6 +190,7 @@ var testCasesPd = []sealTestCase{
 				Tmpfs(m("/run/user/1971"), 8192, 0755).
 				Tmpfs(m("/run/dbus"), 8192, 0755).
 				Remount(m("/dev/"), syscall.MS_RDONLY).
 				Tmpfs(m("/dev/shm"), 0, 01777).
 				Tmpfs(m("/run/user/"), 4096, 0755).
 				Bind(m("/tmp/hakurei.1971/runtime/9"), m("/run/user/65534"), container.BindWritable).
 				Bind(m("/tmp/hakurei.1971/tmpdir/9"), m("/tmp/"), container.BindWritable).
--- a/internal/app/container_linux.go
+++ b/internal/app/container_linux.go
@@ -233,7 +233,9 @@ func newContainer(s *hst.ContainerConfig, os sys.State, prefix string, uid, gid
 	// no more ContainerConfig paths beyond this point
 	if !s.Device {
-		params.Remount(container.AbsFHSDev, syscall.MS_RDONLY)
+		params.
 			Remount(container.AbsFHSDev, syscall.MS_RDONLY).
 			Tmpfs(container.AbsFHSDev.Append("shm"), 0, 01777)
 	}
 	return params, maps.Clone(s.Env), nil
--- a/internal/app/seal_linux.go
+++ b/internal/app/seal_linux.go
@@ -418,7 +418,9 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *hst.Co
 					}
 				} else {
 					seal.sys.UpdatePermType(system.EX11, socketPath.String(), acl.Read, acl.Write, acl.Execute)
-					d = "unix:" + socketPath.String()
+					if !config.Container.HostAbstract {
 						d = "unix:" + socketPath.String()
 					}
 				}
 			}
--- a/options.md
+++ b/options.md
@@ -35,7 +35,7 @@ package
 *Default:*
-` <derivation hakurei-static-x86_64-unknown-linux-musl-0.2.0> `
+` <derivation hakurei-static-x86_64-unknown-linux-musl-0.2.1> `
@@ -759,7 +759,7 @@ package
 *Default:*
-` <derivation hakurei-hsu-0.2.0> `
+` <derivation hakurei-hsu-0.2.1> `
--- a/package.nix
+++ b/package.nix
@@ -31,7 +31,7 @@
 buildGoModule rec {
  pname = "hakurei";
-  version = "0.2.0";
+  version = "0.2.1";
  srcFiltered = builtins.path {
    name = "${pname}-src";
--- a/test/sandbox/case/default.nix
+++ b/test/sandbox/case/default.nix
@@ -49,6 +49,7 @@ let
        mapRealUid
        useCommonPaths
        userns
        hostAbstract
        ;
      enablements = {
        inherit (tc) x11;
--- a/test/sandbox/case/device.nix
+++ b/test/sandbox/case/device.nix
@@ -26,6 +26,7 @@ in
  useCommonPaths = true;
  userns = false;
  x11 = true;
  hostAbstract = false;
  # 0, PresetStrict
  expectedFilter = {
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
@@ -35,6 +35,7 @@ in
  useCommonPaths = true;
  userns = false;
  x11 = false;
  hostAbstract = false;
  # 0, PresetStrict
  expectedFilter = {
@@ -72,7 +73,7 @@ in
        ptmx = fs "80001ff" null null;
        pts = fs "800001ed" { ptmx = fs "42001b6" null null; } null;
        random = fs "42001b6" null null;
-        shm = fs "800001ed" { } null;
+        shm = fs "801001ff" { } null;
        stderr = fs "80001ff" null null;
        stdin = fs "80001ff" null null;
        stdout = fs "80001ff" null null;
@@ -256,6 +257,7 @@ in
      (ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,userxattr")
      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/var/lib/hakurei/u0/a3" "/var/lib/hakurei/u0/a3" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/dev/shm" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=1000003,gid=1000003")
      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
      (ent "/tmp/hakurei.0/runtime/3" "/run/user/1000" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/tmp/hakurei.0/tmpdir/3" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
--- a/test/sandbox/case/pd.nix
+++ b/test/sandbox/case/pd.nix
@@ -36,7 +36,7 @@
        ptmx = fs "80001ff" null null;
        pts = fs "800001ed" { ptmx = fs "42001b6" null null; } null;
        random = fs "42001b6" null null;
-        shm = fs "800001ed" { } null;
+        shm = fs "801001ff" { } null;
        stderr = fs "80001ff" null null;
        stdin = fs "80001ff" null null;
        stdout = fs "80001ff" null null;
@@ -185,6 +185,7 @@
      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000")
      (ent "/" "/run/dbus" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=8k,mode=755,uid=1000000,gid=1000000")
      (ent "/" "/dev/shm" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=1000000,gid=1000000")
      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000000,gid=1000000")
      (ent "/tmp/hakurei.0/runtime/0" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/tmp/hakurei.0/tmpdir/0" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
--- a/test/sandbox/case/pdlike.nix
+++ b/test/sandbox/case/pdlike.nix
@@ -35,6 +35,7 @@ in
  useCommonPaths = false;
  userns = true;
  x11 = false;
  hostAbstract = false;
  # 0, PresetExt | PresetDenyDevel
  expectedFilter = {
@@ -70,7 +71,7 @@ in
        ptmx = fs "80001ff" null null;
        pts = fs "800001ed" { ptmx = fs "42001b6" null null; } null;
        random = fs "42001b6" null null;
-        shm = fs "800001ed" { } null;
+        shm = fs "801001ff" { } null;
        stderr = fs "80001ff" null null;
        stdin = fs "80001ff" null null;
        stdout = fs "80001ff" null null;
@@ -251,6 +252,7 @@ in
      (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/var/lib/hakurei/u0/a5" "/var/lib/hakurei/u0/a5" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/dev/shm" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=1000005,gid=1000005")
      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000005,gid=1000005")
      (ent "/tmp/hakurei.0/runtime/5" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/tmp/hakurei.0/tmpdir/5" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@@ -35,6 +35,7 @@ in
  useCommonPaths = false;
  userns = false;
  x11 = false;
  hostAbstract = false;
  # 0, PresetStrict
  expectedFilter = {
@@ -69,7 +70,7 @@ in
        ptmx = fs "80001ff" null null;
        pts = fs "800001ed" { ptmx = fs "42001b6" null null; } null;
        random = fs "42001b6" null null;
-        shm = fs "800001ed" { } null;
+        shm = fs "801001ff" { } null;
        stderr = fs "80001ff" null null;
        stdin = fs "80001ff" null null;
        stdout = fs "80001ff" null null;
@@ -249,6 +250,7 @@ in
      (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/var/lib/hakurei/u0/a1" "/var/lib/hakurei/u0/a1" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/dev/shm" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=1000001,gid=1000001")
      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
      (ent "/tmp/hakurei.0/runtime/1" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/tmp/hakurei.0/tmpdir/1" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@@ -35,6 +35,7 @@ in
  useCommonPaths = true;
  userns = false;
  x11 = true;
  hostAbstract = true;
  # 0, PresetExt | PresetDenyNS | PresetDenyDevel
  expectedFilter = {
@@ -45,7 +46,7 @@ in
  want = {
    env = [
      "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus"
-      "DISPLAY=unix:/tmp/.X11-unix/X0"
+      "DISPLAY=:0"
      "HOME=/var/lib/hakurei/u0/a2"
      "PULSE_SERVER=unix:/run/user/65534/pulse/native"
      "SHELL=/run/current-system/sw/bin/bash"
@@ -74,7 +75,7 @@ in
        ptmx = fs "80001ff" null null;
        pts = fs "800001ed" { ptmx = fs "42001b6" null null; } null;
        random = fs "42001b6" null null;
-        shm = fs "800001ed" { } null;
+        shm = fs "801001ff" { } null;
        stderr = fs "80001ff" null null;
        stdin = fs "80001ff" null null;
        stdout = fs "80001ff" null null;
@@ -261,6 +262,7 @@ in
      (ent "/" "/.hakurei/store" "rw,relatime" "overlay" "overlay" "rw,lowerdir=/host/nix/.ro-store:/host/nix/.rw-store/upper,upperdir=/host/tmp/.hakurei-store-rw/upper,workdir=/host/tmp/.hakurei-store-rw/work,redirect_dir=nofollow,uuid=on,userxattr")
      (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/var/lib/hakurei/u0/a2" "/var/lib/hakurei/u0/a2" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/" "/dev/shm" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,uid=1000002,gid=1000002")
      (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "ephemeral" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
      (ent "/tmp/hakurei.0/runtime/2" "/run/user/65534" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
      (ent "/tmp/hakurei.0/tmpdir/2" "/tmp" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
@@ -275,7 +277,7 @@ in
    seccomp = true;
    try_socket = "/tmp/.X11-unix/X0";
-    socket_abstract = false;
+    socket_abstract = true;
    socket_pathname = true;
  };
 }
--- a/test/test.py
+++ b/test/test.py
@@ -149,7 +149,7 @@ silent_output_interrupt("--wayland -X --dbus --pulse ")
 print(machine.fail("sudo -u alice -i hakurei -v run --wayland true"))
 # Start hakurei permissive defaults within Wayland session:
-hakurei('-v run --wayland --dbus notify-send -a "NixOS Tests" "Test notification" "Notification from within sandbox." && touch /tmp/dbus-ok')
+hakurei('-v run --wayland --dbus --dbus-log notify-send -a "NixOS Tests" "Test notification" "Notification from within sandbox." && touch /tmp/dbus-ok')
 machine.wait_for_file("/tmp/dbus-ok", timeout=15)
 collect_state_ui("dbus_notify_exited")
 # not in pid namespace, verify termination
Author	SHA1	Message	Date
Ophestra	92f510a647	cmd/hakurei/command: pd run dbus-verbose nil check All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Sandbox (push) Successful in 40s Details Test / Sandbox (race detector) (push) Successful in 40s Details Test / Hakurei (race detector) (push) Successful in 43s Details Test / Hpkg (push) Successful in 41s Details Test / Hakurei (push) Successful in 2m23s Details Test / Flake checks (push) Successful in 1m33s Details This otherwise dereferences a nil pointer when dbus-verbose is set and either session or system bus are nil. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-09-06 00:09:25 +09:00
Ophestra	acb6931f3e	app/seal: leave $DISPLAY as is on host abstract All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Hakurei (push) Successful in 42s Details Test / Hakurei (race detector) (push) Successful in 42s Details Test / Sandbox (race detector) (push) Successful in 40s Details Test / Sandbox (push) Successful in 40s Details Test / Hpkg (push) Successful in 40s Details Test / Flake checks (push) Successful in 1m24s Details This helps work around faulty software that misinterprets unix: DISPLAY string. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-27 20:42:03 +09:00
Ophestra	9d932d1039	release: 0.2.1 All checks were successful Release / Create release (push) Successful in 43s Details Test / Sandbox (push) Successful in 40s Details Test / Hakurei (push) Successful in 3m17s Details Test / Create distribution (push) Successful in 24s Details Test / Hpkg (push) Successful in 3m36s Details Test / Sandbox (race detector) (push) Successful in 3m56s Details Test / Hakurei (race detector) (push) Successful in 5m6s Details Test / Flake checks (push) Successful in 1m31s Details Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-26 03:33:45 +09:00
Ophestra	9bc8532d56	container/initdev: mount tmpfs on shm for ro dev All checks were successful Test / Create distribution (push) Successful in 26s Details Test / Sandbox (push) Successful in 2m13s Details Test / Hakurei (push) Successful in 2m51s Details Test / Hpkg (push) Successful in 3m58s Details Test / Sandbox (race detector) (push) Successful in 4m26s Details Test / Hakurei (race detector) (push) Successful in 4m46s Details Test / Flake checks (push) Successful in 1m26s Details Programs expect /dev/shm to be a writable tmpfs. Signed-off-by: Ophestra <cat@gensokyo.uk>	2025-08-26 03:27:07 +09:00