From 47363c37b121143f49dd964e5b18f9437d4f507d Mon Sep 17 00:00:00 2001
From: Jakob Probst <jakob.probst@h-da.de>
Date: Tue, 11 Mar 2025 16:21:34 +0100
Subject: [PATCH] wip: use tmpfiles.d for a volatile home directory

---
 assets/pam.d/kiosk                              |  3 +++
 assets/systemd/system/de.h-da.fbi.kiosk.service | 12 ------------
 assets/tmpfiles.d/kiosk.conf                    |  2 ++
 bootc/Containerfile                             |  2 ++
 crates/compositor/src/main.rs                   | 15 +++++++++++++++
 rust-toolchain.toml                             |  3 ++-
 6 files changed, 24 insertions(+), 13 deletions(-)
 create mode 100644 assets/tmpfiles.d/kiosk.conf

diff --git a/assets/pam.d/kiosk b/assets/pam.d/kiosk
index 535cf6c..995e2aa 100644
--- a/assets/pam.d/kiosk
+++ b/assets/pam.d/kiosk
@@ -1,4 +1,7 @@
 auth           required        pam_unix.so nullok
+
 account        required        pam_unix.so
+
 session        required        pam_unix.so
+session        required        pam_loginuid.so
 session        required        pam_systemd.so class=user type=wayland
diff --git a/assets/systemd/system/de.h-da.fbi.kiosk.service b/assets/systemd/system/de.h-da.fbi.kiosk.service
index bf6c20b..24b12ad 100644
--- a/assets/systemd/system/de.h-da.fbi.kiosk.service
+++ b/assets/systemd/system/de.h-da.fbi.kiosk.service
@@ -24,20 +24,8 @@ PAMName=kiosk
 
 User=kiosk
 Group=kiosk
-RemoveIPC=yes
-PrivateTmp=yes
 NoNewPrivileges=yes
 RestrictSUIDSGID=yes
-ProtectSystem=strict
-ProtectHome=no
-
-RuntimeDirectory=kiosk
-StateDirectory=kiosk
-CacheDirectory=kiosk
-LogsDirectory=kisok
-ConfigurationDirectory=kiosk
-TemporaryFileSystem=/tmp/.X11-unix/:mode=1777
-TemporaryFileSystem=/run/kiosk/home/:mode=0700
 
 [Install]
 Alias=display-manager.service
diff --git a/assets/tmpfiles.d/kiosk.conf b/assets/tmpfiles.d/kiosk.conf
new file mode 100644
index 0000000..58952df
--- /dev/null
+++ b/assets/tmpfiles.d/kiosk.conf
@@ -0,0 +1,2 @@
+#Type | Path       | Mode | User  | Group | Age | Argument...
+d       /run/kiosk   0700   kiosk   kiosk   0     -
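Review bot: The age field `0` on the `d /run/kiosk` line makes every `systemd-tmpfiles --clean` run purge the directory's contents unconditionally, so session files survive only because the aging algorithm skips subtrees on which a BSD file lock is held. That dependency on the `lock()` call added in crates/compositor/src/main.rs is not stated in this file. I would add a comment above the entry such as `# Age 0: contents are purged on every clean run unless the compositor holds a flock on the home directory`. The service hunk of this commit also removes `ProtectSystem=strict`, `PrivateTmp=yes` and `RemoveIPC=yes` together with the directory settings. If they were dropped only to make /run/kiosk writable, keeping `ProtectSystem=strict` with `ReadWritePaths=/run/kiosk` would probably preserve the sandbox, which is worth confirming before this leaves WIP.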
diff --git a/bootc/Containerfile b/bootc/Containerfile
index 26aed9f..e280ede 100644
--- a/bootc/Containerfile
+++ b/bootc/Containerfile
@@ -67,6 +67,8 @@ COPY --chmod=0644 assets/pam.d/kiosk /usr/lib/pam.d/kiosk
 
 COPY --chmod=0644 assets/sysusers.d/kiosk.conf /usr/lib/sysusers.d/kiosk.conf
 
+COPY --chmod=0644 assets/tmpfiles.d/kiosk.conf /usr/lib/tmpfiles.d/kiosk.conf
+
 COPY --chmod=0644 \
  assets/plymouth/h-da/h-da.plymouth \
  assets/plymouth/h-da/h-da.script \
diff --git a/crates/compositor/src/main.rs b/crates/compositor/src/main.rs
index b930dec..4115a9f 100644
--- a/crates/compositor/src/main.rs
+++ b/crates/compositor/src/main.rs
@@ -1,3 +1,6 @@
+use std::env::home_dir;
+use std::fs::{create_dir, OpenOptions};
+use std::io::ErrorKind;
 use calloop::signals::Signal::{SIGINT, SIGQUIT, SIGTERM};
 use calloop::signals::Signals;
 use clap::{Args, Parser};
@@ -53,6 +56,18 @@ struct Cli {
 }
 
 fn main() {
+    let home_dir_path = home_dir().expect("Home directory unknown"); 
+    if let Err(error) = create_dir(&home_dir_path) {
+        if error.kind() != ErrorKind::AlreadyExists {
+            Err::<(),_>(error).expect("Could not create home directory");
+        }
+    }
+    let home_dir = OpenOptions::new()
+        .read(true)
+        .open(home_dir_path)
+        .expect("Home directory not found");
+    home_dir.lock().expect("Failed to lock home directory");
+
     // Initialize the signals at the very beginning so that every thread will inherit the same
     // signal mask.
     let signal_source = Signals::new(&[SIGINT, SIGTERM, SIGQUIT]).expect("Failed to create signal source.");
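Review bot: `create_dir(&home_dir_path)` creates the kiosk home with whatever mode the process umask leaves (world-readable under the common 022 umask), and an `AlreadyExists` result is accepted without checking what is at that path. How much this exposes depends on where the kiosk user's home lives, which the patch does not show. Creating the directory explicitly with mode 0700 through `DirBuilder` and the Unix `DirBuilderExt::mode` extension (both need importing) removes the dependency on the umask, and a `match` with `panic!` reads more directly than `Err::<(),_>(error).expect(...)`. The lock is released when the `home_dir` handle is dropped, so a comment saying the binding must live until `main` returns would protect it from a later cleanup; there is also a small window between `create_dir`, `open` and `lock()` in which a tmpfiles clean run could remove the still-unlocked directory. `main` continues past the end of this hunk.

```rust
fn main() {
    let home_dir_path = home_dir().expect("Home directory unknown");
    // Create the home directory private to the kiosk user instead of relying on the umask.
    match DirBuilder::new().mode(0o700).create(&home_dir_path) {
        Ok(()) => {}
        Err(error) if error.kind() == ErrorKind::AlreadyExists => {}
        Err(error) => panic!("Could not create home directory: {error}"),
    }
    // … unchanged: open the directory read-only into `home_dir` …
    // Keep `home_dir` alive until main returns: dropping the handle releases the lock
    // that shields the directory from systemd-tmpfiles aging.
    home_dir.lock().expect("Failed to lock home directory");
    // … unchanged: signal source setup …
```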
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
index 292fe49..0a39546 100644
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -1,2 +1,3 @@
 [toolchain]
-channel = "stable"
+# TODO: Change to stable as soon as 1.87.0 has been released.
+channel = "nightly"
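Review bot: `channel = "nightly"` floats to whatever nightly is current at build time, so two builds of the same commit can use different compilers, and a broken or behaviour-changing nightly reaches the image without review. Pinning a dated toolchain, e.g. `channel = "nightly-YYYY-MM-DD"` (placeholder date), keeps the build reproducible until the switch back to stable. The TODO names 1.87.0, but as far as I know `File::lock`, which the main.rs hunk uses, was stabilised in a later release, so the target version is worth re-checking.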
-- 
GitLab