fortify/internal/app/share.display.go

package app

import (
	"errors"
	"os"
	"path"

	"git.ophivana.moe/cat/fortify/acl"
	"git.ophivana.moe/cat/fortify/internal/state"
)

const (
	term    = "TERM"
	display = "DISPLAY"

	// https://manpages.debian.org/experimental/libwayland-doc/wl_display_connect.3.en.html
	waylandDisplay = "WAYLAND_DISPLAY"
)

var (
	ErrWayland  = errors.New(waylandDisplay + " unset")
	ErrXDisplay = errors.New(display + " unset")
)

type ErrDisplayEnv BaseError

func (seal *appSeal) shareDisplay() error {
	// pass $TERM to launcher
	if t, ok := os.LookupEnv(term); ok {
		seal.sys.setEnv(term, t)
	}

	// set up wayland
	if seal.et.Has(state.EnableWayland) {
		if wd, ok := os.LookupEnv(waylandDisplay); !ok {
			return (*ErrDisplayEnv)(wrapError(ErrWayland, "WAYLAND_DISPLAY is not set"))
		} else if seal.wlDone == nil {
			// hardlink wayland socket
			wp := path.Join(seal.RuntimePath, wd)
			wpi := path.Join(seal.shareLocal, "wayland")
			w := path.Join(seal.sys.runtime, "wayland-0")
			seal.sys.link(wp, wpi)
			seal.sys.setEnv(waylandDisplay, w)
			seal.sys.bwrap.Bind(wpi, w)

			// ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`)
			seal.sys.updatePermTag(state.EnableWayland, wp, acl.Read, acl.Write, acl.Execute)
		} else {
			// set wayland socket path (e.g. `/run/user/%d/wayland-%d`)
			seal.wl = path.Join(seal.RuntimePath, wd)
		}
	}

	// set up X11
	if seal.et.Has(state.EnableX) {
		// discover X11 and grant user permission via the `ChangeHosts` command
		if d, ok := os.LookupEnv(display); !ok {
			return (*ErrDisplayEnv)(wrapError(ErrXDisplay, "DISPLAY is not set"))
		} else {
			seal.sys.changeHosts(seal.sys.Username)
			seal.sys.setEnv(display, d)
			seal.sys.bwrap.Bind("/tmp/.X11-unix", "/tmp/.X11-unix")
		}
	}

	return nil
}
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-22 00:29:36 +09:00			`package app`

			`import (`
			`"errors"`
			`"os"`
			`"path"`

			`"git.ophivana.moe/cat/fortify/acl"`
			`"git.ophivana.moe/cat/fortify/internal/state"`
			`)`

			`const (`
			`term = "TERM"`
			`display = "DISPLAY"`

			`// https://manpages.debian.org/experimental/libwayland-doc/wl_display_connect.3.en.html`
			`waylandDisplay = "WAYLAND_DISPLAY"`
			`)`

			`var (`
			`ErrWayland = errors.New(waylandDisplay + " unset")`
			`ErrXDisplay = errors.New(display + " unset")`
			`)`

			`type ErrDisplayEnv BaseError`

			`func (seal *appSeal) shareDisplay() error {`
			`// pass $TERM to launcher`
			`if t, ok := os.LookupEnv(term); ok {`
app: integrate bwrap into environment setup Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-11 04:18:15 +09:00			`seal.sys.setEnv(term, t)`
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-22 00:29:36 +09:00			`}`

			`// set up wayland`
			`if seal.et.Has(state.EnableWayland) {`
			`if wd, ok := os.LookupEnv(waylandDisplay); !ok {`
			`return (*ErrDisplayEnv)(wrapError(ErrWayland, "WAYLAND_DISPLAY is not set"))`
app: migrate to new shim implementation Both machinectl and sudo launch methods launch shim as shim is now responsible for setting up the sandbox. Various app structures are adapted to accommodate bwrap configuration and mediated wayland access. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-11 02:01:03 +09:00			`} else if seal.wlDone == nil {`
app: hardlink sockets to process-specific share local to XDG_RUNTIME_DIR This avoids adding ACLs to the PulseAudio directory. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-10 12:44:08 +09:00			`// hardlink wayland socket`
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-22 00:29:36 +09:00			`wp := path.Join(seal.RuntimePath, wd)`
app: hardlink sockets to process-specific share local to XDG_RUNTIME_DIR This avoids adding ACLs to the PulseAudio directory. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-10 12:44:08 +09:00			`wpi := path.Join(seal.shareLocal, "wayland")`
app: integrate bwrap into environment setup Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-11 04:18:15 +09:00			`w := path.Join(seal.sys.runtime, "wayland-0")`
app: hardlink sockets to process-specific share local to XDG_RUNTIME_DIR This avoids adding ACLs to the PulseAudio directory. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-10 12:44:08 +09:00			`seal.sys.link(wp, wpi)`
app: integrate bwrap into environment setup Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-11 04:18:15 +09:00			`seal.sys.setEnv(waylandDisplay, w)`
helper/bwrap: ordered filesystem args The argument builder was written based on the incorrect assumption that bwrap arguments are unordered. The argument builder is replaced in this commit to correct that mistake. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-15 02:15:55 +09:00			`seal.sys.bwrap.Bind(wpi, w)`
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-22 00:29:36 +09:00
			// ensure Wayland socket ACL (e.g. `/run/user/%d/wayland-%d`)
app: tag ACL operations for revert ACL operations are now tagged with the enablement causing them. At the end of child process's life, enablements of all remaining launchers are resolved and inverted. This allows Wait to only revert operations targeting resources no longer required by other launchers. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-10 14:33:58 +09:00			`seal.sys.updatePermTag(state.EnableWayland, wp, acl.Read, acl.Write, acl.Execute)`
app: migrate to new shim implementation Both machinectl and sudo launch methods launch shim as shim is now responsible for setting up the sandbox. Various app structures are adapted to accommodate bwrap configuration and mediated wayland access. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-11 02:01:03 +09:00			`} else {`
			// set wayland socket path (e.g. `/run/user/%d/wayland-%d`)
			`seal.wl = path.Join(seal.RuntimePath, wd)`
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-22 00:29:36 +09:00			`}`
			`}`

			`// set up X11`
			`if seal.et.Has(state.EnableX) {`
			// discover X11 and grant user permission via the `ChangeHosts` command
			`if d, ok := os.LookupEnv(display); !ok {`
			`return (*ErrDisplayEnv)(wrapError(ErrXDisplay, "DISPLAY is not set"))`
			`} else {`
			`seal.sys.changeHosts(seal.sys.Username)`
app: integrate bwrap into environment setup Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-11 04:18:15 +09:00			`seal.sys.setEnv(display, d)`
helper/bwrap: ordered filesystem args The argument builder was written based on the incorrect assumption that bwrap arguments are unordered. The argument builder is replaced in this commit to correct that mistake. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-15 02:15:55 +09:00			`seal.sys.bwrap.Bind("/tmp/.X11-unix", "/tmp/.X11-unix")`
app: clean up interactions and handle all application state and setup/teardown There was an earlier attempt of cleaning up the app package however it ended up creating even more of a mess and the code structure largely still looked like Ego with state setup scattered everywhere and a bunch of ugly hacks had to be implemented to keep track of all of them. In this commit the entire app package is rewritten to track everything that has to do with an app in one thread safe value. In anticipation of the client/server split also made changes: - Console messages are cleaned up to be consistent - State tracking is fully rewritten to be cleaner and usable for multiple process and client/server - Encapsulate errors to easier identify type of action causing the error as well as additional info - System-level setup operations is grouped in a way that can be collectively committed/reverted and gracefully handles errors returned by each operation - Resource sharing is made more fine-grained with PID-scoped resources whenever possible, a few remnants (X11, Wayland, PulseAudio) will be addressed when a generic proxy is available - Application setup takes a JSON-friendly config struct and deterministically generates system setup operations Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-09-22 00:29:36 +09:00			`}`
			`}`

			`return nil`
			`}`