bunpen: namespace: populat /dev/pts

2024-09-04 01:47:55 +00:00
parent 04ac2ada05
commit b567aeadd7


@@ -148,9 +148,41 @@ fn isolate_paths(what: *resources) void = {
errors::ext::swallow("[namespace] mount -t tmpfs tmpfs new/tmp", rt::ext::mount("tmpfs", "new/tmp", "tmpfs", 0, null));
// some apps (e.g. signal-desktop) require /dev/shm.
// /dev/shm is an ordinary tmpfs. we can get that just by `mkdir`ing it.
// /dev/shm is an ordinary tmpfs.
// bwrap has `/dev` be a tmpfs.
// however, it seems we can just `mkdir` these and not explicitly mount `tmpfs` on them.
log::println("[namespace] setting up /dev");
errors::ext::swallow("[namespace] mkdir new/dev", rt::mkdir("new/dev", 0o755));
// errors::ext::swallow("[namespace] mount -t tmpfs tmpfs new/dev", rt::ext::mount("tmpfs", "new/dev", "tmpfs", 0, null));
errors::ext::swallow("[namespace] mkdir new/dev/shm", rt::mkdir("new/dev/shm", 0o777));
// errors::ext::swallow("[namespace] mount -t tmpfs tmpfs new/dev/shm", rt::ext::mount("tmpfs", "new/dev/shm", "tmpfs", 0, null));
// some apps (e.g. aerc) require /dev/pts.
log::println("[namespace] setting up /dev/pts");
errors::ext::swallow("[namespace] mkdir new/dev/pts", rt::mkdir("new/dev/pts", 0o755));
errors::ext::swallow("[namespace] mount -t devpts devpts new/dev/pts", rt::ext::mount(
"devpts",
"new/dev/pts",
"devpts",
rt::ext::mount_flag::NOSUID | rt::ext::mount_flag::NOEXEC,
// "newinstance" is borrowed from bwrap, and google turns up: <https://bugzilla.redhat.com/show_bug.cgi?id=501718>
// it works with or without this flag, idk enough about the pty system to say.
"newinstance,ptmxmode=0666,mode=620",
));
// /dev/ptmx and /dev/pts/ptmx are supposed to be one and the same?
// bwrap symlinks /dev/ptms -> /dev/pts/ptmx.
// bind-mounting ought to be the same, but i suppose symlinks are less fragile when recursively namespacing
errors::ext::swallow("[namespace] ln -s pts/ptmx new/dev/ptmx", fs::symlink(os::cwd, "pts/ptmx", "new/dev/ptmx"));
// XXX: bwrap binds /dev/console, but i haven't had a need to yet.
// fs::create(os::cwd, "new/dev/console", 0o444)!;
// errors::ext::swallow("[namespace] mount old/dev/pts/0 new/dev/console", rt::ext::mount(
// "old/dev/pts/0", //< TODO: don't hardcode `/dev/pts/0`, but use `ttyname`
// "new/dev/console",
// "",
// rt::ext::mount_flag::BIND | rt::ext::mount_flag::REC,
// null,
// ));
// bind all the user-requested paths from `old/$p` into `new/$p`.
// use the `dirfd` abstraction so that paths meant for `old` can't crawl out