diff --git a/pkgs/by-name/bunpen/resources/resources.ha b/pkgs/by-name/bunpen/resources/resources.ha
index 5b508a60f..b68cab173 100644
--- a/pkgs/by-name/bunpen/resources/resources.ha
+++ b/pkgs/by-name/bunpen/resources/resources.ha
@@ -7,6 +7,7 @@ export type resources = struct {
 // user has naturally.
 paths: []path::buffer,
 caps: rt::ext::caps,
+ dbus: dbus_resources,
 // true to allow speaking to other processes in the same IPC namespace
 ipc: bool,
 net: net_resources,
@@ -18,6 +19,13 @@ export type resources = struct {
 try_users: bool,
 };
 
+export type dbus_resources = struct {
+ // list of bus names to allow talking to
+ talk: []str,
+ // list of bus names to allow owning
+ own: []str,
+};
+
 export type net_subset = struct {
 // name of the network device through which traffic should be routed
 dev: str,
diff --git a/pkgs/by-name/bunpen/restrict/dbus_proxy.ha b/pkgs/by-name/bunpen/restrict/dbus_proxy.ha
index ea54436c7..01a817141 100644
--- a/pkgs/by-name/bunpen/restrict/dbus_proxy.ha
+++ b/pkgs/by-name/bunpen/restrict/dbus_proxy.ha
@@ -65,18 +65,14 @@ use strings;
 use os;
 use os::exec;
 use ps;
+use resources;
 use rt::ext;
 
-export type dbus_resources = struct {
- talk: []str,
- own: []str,
-};
-
 // given an existing, unfiltered bus at the fs path `upstream`,
 // proxy the bus into the fs path indicated by `downstream`.
 // clients attaching to the `downstream` path are provided access only to the
 // resources indicated by `dbus`.
-fn dbus_restrict(dbus: dbus_resources, upstream: str, downstream: str) void = {
+fn dbus_restrict(dbus: resources::dbus_resources, upstream: str, downstream: str) void = {
 match (ps::fork_and_die_with_parent()) {
 case let child_pid: os::exec::process =>
 let proxy_args: []str = [
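Review bot: The two comments on `dbus_resources` (second hunk of resources.ha) do not say what an empty `talk` or `own` list means, or whether an entry is matched as an exact bus name or as a pattern, and the new `dbus` field in `resources` (first hunk) has no comment at all although its neighbours do. For a sandbox policy type, a caller needs these details to avoid granting more bus access than intended. I would add on the field something like `// D-Bus names the sandboxed program may reach through the filtering proxy; see dbus_resources`, and extend the type's comments to state the empty-list behaviour and the matching rule. The body of `dbus_restrict` is cut off after `let proxy_args: []str = [`, so the actual semantics cannot be confirmed from this page and should be taken from that code.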