security/hakurei
security/hakurei
4
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity
hakurei/cmd/hpkg/with.go
Ophestra 3ed02b0920
Some checks failed
Test / Create distribution (push) Successful in 33s
Details
Test / Sandbox (push) Successful in 2m15s
Details
Test / Hakurei (push) Successful in 3m7s
Details
Test / Hpkg (push) Failing after 4m0s
Details
Test / Sandbox (race detector) (push) Successful in 4m14s
Details
Test / Hakurei (race detector) (push) Successful in 4m51s
Details
Test / Flake checks (push) Has been skipped
Details
container: use absolute for pathname 
This is simultaneously more efficient and less error-prone. This change caused minor API changes in multiple other packages.

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-11 04:44:31 +09:00

115 lines
3.3 KiB
Go
Raw Blame History

package main
import (
"context"
"strings"
"hakurei.app/container"
"hakurei.app/container/seccomp"
"hakurei.app/hst"
"hakurei.app/internal"
)
func withNixDaemon(
ctx context.Context,
action string, command []string, net bool, updateConfig func(config *hst.Config) *hst.Config,
app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func(),
) {
mustRunAppDropShell(ctx, updateConfig(&hst.Config{
ID: app.ID,
Path: pathShell,
Args: []string{bash, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
// start nix-daemon
"nix-daemon --store / & " +
// wait for socket to appear
"(while [ ! -S /nix/var/nix/daemon-socket/socket ]; do sleep 0.01; done) && " +
// create directory so nix stops complaining
"mkdir -p /nix/var/nix/profiles/per-user/root/channels && " +
strings.Join(command, " && ") +
// terminate nix-daemon
" && pkill nix-daemon",
},
Username: "hakurei",
Shell: pathShell,
Data: pathSet.homeDir,
Dir: pathDataData.Append(app.ID),
ExtraPerms: []*hst.ExtraPermConfig{
{Path: dataHome, Execute: true},
{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
},
Identity: app.Identity,
Container: &hst.ContainerConfig{
Hostname: formatHostname(app.Name) + "-" + action,
Userns: true, // nix sandbox requires userns
Net: net,
SeccompFlags: seccomp.AllowMultiarch,
Tty: dropShell,
Filesystem: []hst.FilesystemConfig{
{Src: pathSet.nixPath, Dst: pathNix, Write: true, Must: true},
},
Link: []hst.LinkConfig{
{pathCurrentSystem, app.CurrentSystem.String()},
{pathBin, pathSwBin.String()},
{container.AbsFHSUsrBin, pathSwBin.String()},
},
Etc: pathSet.cacheDir.Append("etc"),
AutoEtc: true,
},
}), dropShell, beforeFail)
}
func withCacheDir(
ctx context.Context,
action string, command []string, workDir *container.Absolute,
app *appInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
mustRunAppDropShell(ctx, &hst.Config{
ID: app.ID,
Path: pathShell,
Args: []string{bash, "-lc", strings.Join(command, " && ")},
Username: "nixos",
Shell: pathShell,
Data: pathSet.cacheDir, // this also ensures cacheDir via shim
Dir: pathDataData.Append(app.ID, "cache"),
ExtraPerms: []*hst.ExtraPermConfig{
{Path: dataHome, Execute: true},
{Ensure: true, Path: pathSet.baseDir, Read: true, Write: true, Execute: true},
{Path: workDir, Execute: true},
},
Identity: app.Identity,
Container: &hst.ContainerConfig{
Hostname: formatHostname(app.Name) + "-" + action,
SeccompFlags: seccomp.AllowMultiarch,
Tty: dropShell,
Filesystem: []hst.FilesystemConfig{
{Src: workDir.Append("nix"), Dst: pathNix, Must: true},
{Src: workDir, Dst: hst.AbsTmp.Append("bundle"), Must: true},
},
Link: []hst.LinkConfig{
{pathCurrentSystem, app.CurrentSystem.String()},
{pathBin, pathSwBin.String()},
{container.AbsFHSUsrBin, pathSwBin.String()},
},
Etc: workDir.Append(container.FHSEtc),
AutoEtc: true,
},
}, dropShell, beforeFail)
}
func mustRunAppDropShell(ctx context.Context, config *hst.Config, dropShell bool, beforeFail func()) {
if dropShell {
config.Args = []string{bash, "-l"}
mustRunApp(ctx, config, beforeFail)
beforeFail()
internal.Exit(0)
}
mustRunApp(ctx, config, beforeFail)
}
Reference in New Issue View Git Blame Copy Permalink