From 84819d9845bea157c0894c90802aed27ff7b9f52 Mon Sep 17 00:00:00 2001
From: Jakob Probst <jakob.probst@h-da.de>
Date: Tue, 11 Mar 2025 16:21:34 +0100
Subject: [PATCH] wip: use tmpfiles.d for a volatile home directory
---
assets/pam.d/kiosk | 3 +++
.../systemd/system/de.h-da.fbi.kiosk.service | 12 ----------
assets/tmpfiles.d/kiosk.conf | 2 ++
bootc/Containerfile | 22 +++++++++++++------
crates/compositor/src/main.rs | 15 +++++++++++++
rust-toolchain.toml | 3 +++
6 files changed, 38 insertions(+), 19 deletions(-)
create mode 100644 assets/tmpfiles.d/kiosk.conf
create mode 100644 rust-toolchain.toml
diff --git a/assets/pam.d/kiosk b/assets/pam.d/kiosk
index 535cf6c..995e2aa 100644
--- a/assets/pam.d/kiosk
+++ b/assets/pam.d/kiosk
@@ -1,4 +1,7 @@
auth required pam_unix.so nullok
+
account required pam_unix.so
+
session required pam_unix.so
+session required pam_loginuid.so
session required pam_systemd.so class=user type=wayland
diff --git a/assets/systemd/system/de.h-da.fbi.kiosk.service b/assets/systemd/system/de.h-da.fbi.kiosk.service
index bf6c20b..24b12ad 100644
--- a/assets/systemd/system/de.h-da.fbi.kiosk.service
+++ b/assets/systemd/system/de.h-da.fbi.kiosk.service
@@ -24,20 +24,8 @@ PAMName=kiosk
User=kiosk
Group=kiosk
-RemoveIPC=yes
-PrivateTmp=yes
NoNewPrivileges=yes
RestrictSUIDSGID=yes
-ProtectSystem=strict
-ProtectHome=no
-
-RuntimeDirectory=kiosk
-StateDirectory=kiosk
-CacheDirectory=kiosk
-LogsDirectory=kisok
-ConfigurationDirectory=kiosk
-TemporaryFileSystem=/tmp/.X11-unix/:mode=1777
-TemporaryFileSystem=/run/kiosk/home/:mode=0700
[Install]
Alias=display-manager.service
diff --git a/assets/tmpfiles.d/kiosk.conf b/assets/tmpfiles.d/kiosk.conf
new file mode 100644
index 0000000..58952df
--- /dev/null
+++ b/assets/tmpfiles.d/kiosk.conf
@@ -0,0 +1,2 @@
+#Type | Path | Mode | User | Group | Age | Argument...
+d /run/kiosk 0700 kiosk kiosk 0 -
diff --git a/bootc/Containerfile b/bootc/Containerfile
index 252ac27..fa7f355 100644
--- a/bootc/Containerfile
+++ b/bootc/Containerfile
@@ -3,28 +3,34 @@ ARG FEDORA_VERSION=42
FROM quay.io/fedora/fedora-minimal:$FEDORA_VERSION AS compositor_builder
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-RUN dnf install -y rust cargo \
- 'pkgconfig(wayland-server)' 'pkgconfig(xkbcommon)' 'pkgconfig(libudev)' 'pkgconfig(libinput)' 'pkgconfig(gbm)' 'pkgconfig(libseat)' 'pkgconfig(glib-2.0)' 'pkgconfig(libdisplay-info)'
+RUN dnf install -y gcc \
+ 'pkgconfig(wayland-server)' 'pkgconfig(xkbcommon)' 'pkgconfig(libudev)' 'pkgconfig(libinput)' 'pkgconfig(gbm)' 'pkgconfig(libseat)' 'pkgconfig(glib-2.0)' 'pkgconfig(libdisplay-info)'
WORKDIR /opt/build
COPY crates/ /opt/build/crates/
-COPY Cargo.lock Cargo.toml /opt/build/
+COPY Cargo.lock Cargo.toml rust-toolchain.toml /opt/build/
-RUN cargo build --release --package kiosk-compositor --bin kiosk-compositor
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --no-modify-path --default-toolchain none -y >/dev/null \
+ && export PATH="$HOME/.cargo/bin:$PATH" \
+ && rustup toolchain install \
+ && cargo build --release --package kiosk-compositor --bin kiosk-compositor
FROM quay.io/fedora/fedora-minimal:$FEDORA_VERSION AS launcher_builder
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-RUN dnf install -y rust cargo blueprint-compiler clang \
+RUN dnf install -y blueprint-compiler clang \
'pkgconfig(gtk4)' 'pkgconfig(libadwaita-1)' 'pkgconfig(libpipewire-0.3)' 'pkgconfig(gtk4-layer-shell-0)' 'pkgconfig(openssl)' 'pkgconfig(webkitgtk-6.0)'
WORKDIR /opt/build
COPY crates/ /opt/build/crates/
-COPY Cargo.lock Cargo.toml /opt/build/
+COPY Cargo.lock Cargo.toml rust-toolchain.toml /opt/build/
-RUN cargo build --release --package kiosk-launcher --bin kiosk-launcher
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --no-modify-path --default-toolchain none -y >/dev/null \
+ && export PATH="$HOME/.cargo/bin:$PATH" \
+ && rustup toolchain install \
+ && cargo build --release --package kiosk-launcher --bin kiosk-launcher
FROM quay.io/fedora/fedora-bootc:$FEDORA_VERSION
@@ -59,6 +65,8 @@ COPY --chmod=0644 assets/pam.d/kiosk /usr/lib/pam.d/kiosk
COPY --chmod=0644 assets/sysusers.d/kiosk.conf /usr/lib/sysusers.d/kiosk.conf
+COPY --chmod=0644 assets/tmpfiles.d/kiosk.conf /usr/lib/tmpfiles.d/kiosk.conf
+
COPY --chmod=0644 \
assets/plymouth/h-da/h-da.plymouth \
assets/plymouth/h-da/h-da.script \
diff --git a/crates/compositor/src/main.rs b/crates/compositor/src/main.rs
index b930dec..4115a9f 100644
--- a/crates/compositor/src/main.rs
+++ b/crates/compositor/src/main.rs
@@ -1,3 +1,6 @@
+use std::env::home_dir;
+use std::fs::{create_dir, OpenOptions};
+use std::io::ErrorKind;
use calloop::signals::Signal::{SIGINT, SIGQUIT, SIGTERM};
use calloop::signals::Signals;
use clap::{Args, Parser};
@@ -53,6 +56,18 @@ struct Cli {
}
fn main() {
+ let home_dir_path = home_dir().expect("Home directory unknown");
+ if let Err(error) = create_dir(&home_dir_path) {
+ if error.kind() != ErrorKind::AlreadyExists {
+ Err::<(),_>(error).expect("Could not create home directory");
+ }
+ }
+ let home_dir = OpenOptions::new()
+ .read(true)
+ .open(home_dir_path)
+ .expect("Home directory not found");
+ home_dir.lock().expect("Failed to lock home directory");
+
// Initialize the signals at the very beginning so that every thread will inherit the same
// signal mask.
let signal_source = Signals::new(&[SIGINT, SIGTERM, SIGQUIT]).expect("Failed to create signal source.");
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
new file mode 100644
index 0000000..0a39546
--- /dev/null
+++ b/rust-toolchain.toml
@@ -0,0 +1,3 @@
+[toolchain]
+# TODO: Change to stable as soon as 1.87.0 has been released.
+channel = "nightly"
--
GitLab