From 159f8ccf98981e07a2007e7770ee0ce674159a4c Mon Sep 17 00:00:00 2001
From: Colin
Date: Tue, 17 Dec 2024 02:18:30 +0000
Subject: [PATCH] bunpen: dont make `/tmp` a new tmpfs in the sandboxed environment

this makes fs use more visible, e.g. Signal is storing 60+MB in /tmp
---
 hosts/common/programs/signal-desktop.nix | 2 ++
 pkgs/by-name/bunpen/restrict/ns/mount_ns.ha | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/hosts/common/programs/signal-desktop.nix b/hosts/common/programs/signal-desktop.nix
index 2505d957f..1ffa1f501 100644
--- a/hosts/common/programs/signal-desktop.nix
+++ b/hosts/common/programs/signal-desktop.nix
@@ -3,6 +3,8 @@
 # - it may hang on exit (?), characterized by these log messages:
 # Dec 03 13:46:23 moby signal-desktop[4097]: [4097:1203/134623.906367:ERROR:ozone_platform_x11.cc(240)] Missing X server or $DISPLAY
 # Dec 03 13:46:23 moby signal-desktop[4097]: [4097:1203/134623.909667:ERROR:env.cc(255)] The platform failed to initialize. Exiting.
+#
+# TODO(2024-12-16): electron writes 60+MB to /tmp (`.org.chromium.Chromium.*`): consider persisting Signal's tmpdir to ephemeral storage
 { config, lib, pkgs, ... }:
 let
 cfg = config.sane.programs.signal-desktop;
diff --git a/pkgs/by-name/bunpen/restrict/ns/mount_ns.ha b/pkgs/by-name/bunpen/restrict/ns/mount_ns.ha
index 8e38a32c6..1c4a6fad7 100644
--- a/pkgs/by-name/bunpen/restrict/ns/mount_ns.ha
+++ b/pkgs/by-name/bunpen/restrict/ns/mount_ns.ha
@@ -30,6 +30,7 @@ fn isolate_paths(what: *restrict::resources) void = {
 // 2. create a new rootfs at `new` and bind stuff into it.
 // 3. then pivot a 2nd time, into `new` (and drop `old` altogether)
+ // errors::ext::check("[namespace] mount /tmp /tmp", rt::ext::mount("/tmp", "/tmp", "", rt::ext::mount_flag::BIND));
 errors::ext::check("[namespace] mount -t tmpfs tmpfs /tmp", rt::ext::mount("tmpfs", "/tmp", "tmpfs", rt::ext::mount_flag::NODEV | rt::ext::mount_flag::NOSUID, null));
 pivot_into("/tmp", "old");
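Review bot: The line added in the first mount_ns.ha hunk, `// errors::ext::check("[namespace] mount /tmp /tmp", rt::ext::mount("/tmp", "/tmp", "", rt::ext::mount_flag::BIND));`, is commented-out code with no note on why it is kept, and the second hunk (`@@ -77,7 +78,9 @@`) does the same with the removed `mount -t tmpfs tmpfs new/tmp` call; both should go, since the removed call survives in history and the two why-comments in the second hunk already say what matters. What those comments leave out is that `new/tmp` now inherits the mount options of whatever backs `new` instead of getting its own tmpfs, so its nodev/nosuid posture and size cap are presumably those of the rootfs tmpfs, which this diff does not show; it is worth confirming that `new` is mounted with at least the NODEV | NOSUID flags the first-stage `/tmp` tmpfs gets in the first hunk (the removed mount passed flags `0`, so no flag that hunk enforced is lost, but the guarantee now lives elsewhere). I would fold that into one comment in place of the three added lines, e.g. `// /tmp stays on the rootfs tmpfs (already a tmpfs, and one fs makes RAM-usage debugging easier); its mount flags therefore come from the rootfs mount.` isolate_paths starts before both hunks.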
@@ -77,7 +78,9 @@ fn isolate_paths(what: *restrict::resources) void = {
 // provide a new `/tmp` too.
 errors::ext::swallow("[namespace] mkdir new/tmp", rt::mkdir("new/tmp", 0o777));
- errors::ext::swallow("[namespace] mount -t tmpfs tmpfs new/tmp", rt::ext::mount("tmpfs", "new/tmp", "tmpfs", 0, null));
+ // it doesn't actually *need* to be its own fs, since `/` is already a tmpfs.
+ // actually, keeping /tmp on the rootfs makes ram-usage debugging easier.
+ // errors::ext::swallow("[namespace] mount -t tmpfs tmpfs new/tmp", rt::ext::mount("tmpfs", "new/tmp", "tmpfs", 0, null));
 // some apps (e.g. signal-desktop) require /dev/shm.
 // /dev/shm is an ordinary tmpfs.