From b567aeadd765c7e508b4623b7e1f08514292fe8f Mon Sep 17 00:00:00 2001
From: Colin
Date: Wed, 4 Sep 2024 01:47:55 +0000
Subject: [PATCH] bunpen: namespace: populat /dev/pts
---
 pkgs/additional/bunpen/restrict/namespace.ha | 34 +++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/pkgs/additional/bunpen/restrict/namespace.ha b/pkgs/additional/bunpen/restrict/namespace.ha
index 60c78bf7b..532974633 100644
--- a/pkgs/additional/bunpen/restrict/namespace.ha
+++ b/pkgs/additional/bunpen/restrict/namespace.ha
@@ -148,9 +148,41 @@ fn isolate_paths(what: *resources) void = {
 errors::ext::swallow("[namespace] mount -t tmpfs tmpfs new/tmp", rt::ext::mount("tmpfs", "new/tmp", "tmpfs", 0, null));
 // some apps (e.g. signal-desktop) require /dev/shm.
- // /dev/shm is an ordinary tmpfs. we can get that just by `mkdir`ing it.
+ // /dev/shm is an ordinary tmpfs.
+ // bwrap has `/dev` be a tmpfs.
+ // however, it seems we can just `mkdir` these and not explicitly mount `tmpfs` on them.
+ log::println("[namespace] setting up /dev");
 errors::ext::swallow("[namespace] mkdir new/dev", rt::mkdir("new/dev", 0o755));
+ // errors::ext::swallow("[namespace] mount -t tmpfs tmpfs new/dev", rt::ext::mount("tmpfs", "new/dev", "tmpfs", 0, null));
 errors::ext::swallow("[namespace] mkdir new/dev/shm", rt::mkdir("new/dev/shm", 0o777));
+ // errors::ext::swallow("[namespace] mount -t tmpfs tmpfs new/dev/shm", rt::ext::mount("tmpfs", "new/dev/shm", "tmpfs", 0, null));
+
+ // some apps (e.g. aerc) require /dev/pts.
+ log::println("[namespace] setting up /dev/pts");
+ errors::ext::swallow("[namespace] mkdir new/dev/pts", rt::mkdir("new/dev/pts", 0o755));
+ errors::ext::swallow("[namespace] mount -t devpts devpts new/dev/pts", rt::ext::mount(
+ "devpts",
+ "new/dev/pts",
+ "devpts",
+ rt::ext::mount_flag::NOSUID | rt::ext::mount_flag::NOEXEC,
+ // "newinstance" is borrowed from bwrap, and google turns up:
+ // it works with or without this flag, idk enough about the pty system to say.
+ "newinstance,ptmxmode=0666,mode=620",
+ ));
+ // /dev/ptmx and /dev/pts/ptmx are supposed to be one and the same?
+ // bwrap symlinks /dev/ptms -> /dev/pts/ptmx.
+ // bind-mounting ought to be the same, but i suppose symlinks are less fragile when recursively namespacing
+ errors::ext::swallow("[namespace] ln -s pts/ptmx new/dev/ptmx", fs::symlink(os::cwd, "pts/ptmx", "new/dev/ptmx"));
+
+ // XXX: bwrap binds /dev/console, but i haven't had a need to yet.
+ // fs::create(os::cwd, "new/dev/console", 0o444)!;
+ // errors::ext::swallow("[namespace] mount old/dev/pts/0 new/dev/console", rt::ext::mount(
+ // "old/dev/pts/0", //< TODO: don't hardcode `/dev/pts/0`, but use `ttyname`
+ // "new/dev/console",
+ // "",
+ // rt::ext::mount_flag::BIND | rt::ext::mount_flag::REC,
+ // null,
+ // ));
 // bind all the user-requested paths from `old/$p` into `new/$p`.
 // use the `dirfd` abstraction so that paths meant for `old` can't crawl out