diff --git a/pkgs/by-name/bunpen/integration_test b/pkgs/by-name/bunpen/integration_test index 43c31f6a6..f99a5084d 100755 --- a/pkgs/by-name/bunpen/integration_test +++ b/pkgs/by-name/bunpen/integration_test @@ -372,15 +372,12 @@ test_11_dbus_08_proxy_partial_sandbox() { bunpen --bunpen-path /nix/store --bunpen-cap all --bunpen-dbus-talk 'com.example.Echo1' busctl --user call com.example.Echo1 / com.example.Echo1 echo s "hello" bunpen --bunpen-path /nix/store --bunpen-keep-ipc --bunpen-dbus-talk 'com.example.Echo1' busctl --user call com.example.Echo1 / com.example.Echo1 echo s "hello" bunpen --bunpen-path /nix/store --bunpen-keep-net --bunpen-dbus-talk 'com.example.Echo1' busctl --user call com.example.Echo1 / com.example.Echo1 echo s "hello" + bunpen --bunpen-path /nix/store --bunpen-keep-pid --bunpen-path /proc --bunpen-dbus-talk 'com.example.Echo1' busctl --user call com.example.Echo1 / com.example.Echo1 echo s "hello" + bunpen --bunpen-path /nix/store --bunpen-keep-pid --bunpen-dbus-talk 'com.example.Echo1' busctl --user call com.example.Echo1 / com.example.Echo1 echo s "hello" bunpen --bunpen-path /nix/store --bunpen-try-keep-users --bunpen-dbus-talk 'com.example.Echo1' busctl --user call com.example.Echo1 / com.example.Echo1 echo s "hello" mkdir file-for-test ; bunpen --bunpen-path /nix/store --bunpen-path file-for-test --bunpen-dbus-talk 'com.example.Echo1' busctl --user call com.example.Echo1 / com.example.Echo1 echo s "hello" bunpen --bunpen-path /nix/store --bunpen-path /proc --bunpen-dbus-talk 'com.example.Echo1' busctl --user call com.example.Echo1 / com.example.Echo1 echo s "hello" - - # TODO: fix dbus proxying with --bunpen-keep-pid! - # i think this fails because i'm using `xdg-dbus-proxy --fd=...` to signal readiness, but that flag also causes xdg-dbus-proxy to exit when the fd is closed - # (e.g. when we `exec`!) - # bunpen --bunpen-path /nix/store --bunpen-keep-pid --bunpen-path /proc --bunpen-dbus-talk 'com.example.Echo1' busctl --user call com.example.Echo1 / com.example.Echo1 echo s "hello" } runTests() { diff --git a/pkgs/by-name/bunpen/restrict/dbus_proxy.ha b/pkgs/by-name/bunpen/restrict/dbus_proxy.ha index 67b50ae70..31f378ed5 100644 --- a/pkgs/by-name/bunpen/restrict/dbus_proxy.ha +++ b/pkgs/by-name/bunpen/restrict/dbus_proxy.ha @@ -93,8 +93,16 @@ fn dbus_restrict(dbus: resources::dbus_subset, upstream_parent_fd: io::file, dow log::printfln("[dbus]: forking: child will launch xdg-dbus-proxy while parent will exec user code"); match (ps::fork_and_die_with_parent()) { case void => - // close the pipe ends which aren't ours - io::close(pipe_parent_rd)!; + // ~~close the pipe ends which aren't ours~~ + // actually DON'T: the xdg-dbus-proxy `--fd=FOO` notification option + // causes xdg-dbus-proxy to exit when the fd is closed. + // we COULD keep the fd open in the parent, but that only works so long as + // it stays around as a PID-0 manager, and not in the cases where it + // directly exec's the user code. + // + // so, keep the `--fd=pipe_parent_rd` fd open here, and intentionally let + // the xdg-dbus-proxy process inherit that. it'll never be closed so long as the proxy is alive + // io::close(pipe_parent_rd)!; let ns_paths: []path::buffer = []; append(ns_paths, path::init("/nix/store")!); @@ -151,16 +159,7 @@ fn dbus_restrict(dbus: resources::dbus_subset, upstream_parent_fd: io::file, dow log::println("[dbus] child signaled readiness: continuing"); - // XXX: DON'T close the pipe: xdg-dbus-proxy docs say it will exit when - // the fd is closed. - // TODO: make sure this implementation is compatible with non-pid - // namespaced invocations! if it isn't, consider alternative synchronizations: - // - `write` a HELLO message and block until it's read. - // - invoke with `--log` and parse the output. - // - pre-create the unix socket _before_ forking here, and somehow pass - // that into xdg-dbus-proxy instead of letting it create its own socket. - // - // io::close(pipe_parent_rd)!; + io::close(pipe_parent_rd)!; case let e: (os::exec::error | rt::errno) => errors::ext::check("dbus_restrict: fork", e);