wip: use tmpfiles.d for a volatile home directory

84819d98 · Jakob Probst · 66a32015 · 84819d98 · 84819d98 · 84819d98
Commit 84819d98 authored 3 months ago by Jakob Probst
--- a/assets/pam.d/kiosk
+++ b/assets/pam.d/kiosk
 auth           required        pam_unix.so nullok
 account        required        pam_unix.so
 session        required        pam_unix.so
+session        required        pam_loginuid.so
 session        required        pam_systemd.so class=user type=wayland
--- a/assets/systemd/system/de.h-da.fbi.kiosk.service
+++ b/assets/systemd/system/de.h-da.fbi.kiosk.service
@@ -24,20 +24,8 @@ PAMName=kiosk
 User=kiosk
 Group=kiosk
-RemoveIPC=yes
-PrivateTmp=yes
 NoNewPrivileges=yes
 RestrictSUIDSGID=yes
-ProtectSystem=strict
-ProtectHome=no
-RuntimeDirectory=kiosk
-StateDirectory=kiosk
-CacheDirectory=kiosk
-LogsDirectory=kisok
-ConfigurationDirectory=kiosk
-TemporaryFileSystem=/tmp/.X11-unix/:mode=1777
-TemporaryFileSystem=/run/kiosk/home/:mode=0700
 [Install]
 Alias=display-manager.service
--- a/assets/tmpfiles.d/kiosk.conf
+++ b/assets/tmpfiles.d/kiosk.conf
+#Type | Path       | Mode | User  | Group | Age | Argument...
+d       /run/kiosk   0700   kiosk   kiosk   0     -
--- a/bootc/Containerfile
+++ b/bootc/Containerfile
@@ -3,28 +3,34 @@ ARG FEDORA_VERSION=42
 FROM quay.io/fedora/fedora-minimal:$FEDORA_VERSION AS compositor_builder
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-RUN dnf install -y rust cargo \
+RUN dnf install -y gcc \
-      'pkgconfig(wayland-server)' 'pkgconfig(xkbcommon)' 'pkgconfig(libudev)' 'pkgconfig(libinput)' 'pkgconfig(gbm)' 'pkgconfig(libseat)' 'pkgconfig(glib-2.0)' 'pkgconfig(libdisplay-info)'
+    'pkgconfig(wayland-server)' 'pkgconfig(xkbcommon)' 'pkgconfig(libudev)' 'pkgconfig(libinput)' 'pkgconfig(gbm)' 'pkgconfig(libseat)' 'pkgconfig(glib-2.0)' 'pkgconfig(libdisplay-info)'
 WORKDIR /opt/build
 COPY crates/ /opt/build/crates/
-COPY Cargo.lock Cargo.toml /opt/build/
+COPY Cargo.lock Cargo.toml rust-toolchain.toml /opt/build/
-RUN cargo build --release --package kiosk-compositor --bin kiosk-compositor
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --no-modify-path --default-toolchain none -y >/dev/null \
+    && export PATH="$HOME/.cargo/bin:$PATH" \
+    && rustup toolchain install \
+    && cargo build --release --package kiosk-compositor --bin kiosk-compositor
 FROM quay.io/fedora/fedora-minimal:$FEDORA_VERSION AS launcher_builder
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-RUN dnf install -y rust cargo blueprint-compiler clang \
+RUN dnf install -y blueprint-compiler clang \
      'pkgconfig(gtk4)' 'pkgconfig(libadwaita-1)' 'pkgconfig(libpipewire-0.3)' 'pkgconfig(gtk4-layer-shell-0)' 'pkgconfig(openssl)' 'pkgconfig(webkitgtk-6.0)'
 WORKDIR /opt/build
 COPY crates/ /opt/build/crates/
-COPY Cargo.lock Cargo.toml /opt/build/
+COPY Cargo.lock Cargo.toml rust-toolchain.toml /opt/build/
-RUN cargo build --release --package kiosk-launcher --bin kiosk-launcher
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --no-modify-path --default-toolchain none -y >/dev/null \
+    && export PATH="$HOME/.cargo/bin:$PATH" \
+    && rustup toolchain install \
+    && cargo build --release --package kiosk-launcher --bin kiosk-launcher
 FROM quay.io/fedora/fedora-bootc:$FEDORA_VERSION
@@ -59,6 +65,8 @@ COPY --chmod=0644 assets/pam.d/kiosk /usr/lib/pam.d/kiosk
 COPY --chmod=0644 assets/sysusers.d/kiosk.conf /usr/lib/sysusers.d/kiosk.conf
+COPY --chmod=0644 assets/tmpfiles.d/kiosk.conf /usr/lib/tmpfiles.d/kiosk.conf
 COPY --chmod=0644 \
 assets/plymouth/h-da/h-da.plymouth \
 assets/plymouth/h-da/h-da.script \

--- a/crates/compositor/src/main.rs
+++ b/crates/compositor/src/main.rs
+use std::env::home_dir;
+use std::fs::{create_dir, OpenOptions};
+use std::io::ErrorKind;
 use calloop::signals::Signal::{SIGINT, SIGQUIT, SIGTERM};
 use calloop::signals::Signals;
 use clap::{Args, Parser};
@@ -53,6 +56,18 @@ struct Cli {
 }
 fn main() {
+    let home_dir_path = home_dir().expect("Home directory unknown"); 
+    if let Err(error) = create_dir(&home_dir_path) {
+        if error.kind() != ErrorKind::AlreadyExists {
+            Err::<(),_>(error).expect("Could not create home directory");
+        }
+    }
+    let home_dir = OpenOptions::new()
+        .read(true)
+        .open(home_dir_path)
+        .expect("Home directory not found");
+    home_dir.lock().expect("Failed to lock home directory");
    // Initialize the signals at the very beginning so that every thread will inherit the same
    // signal mask.
    let signal_source = Signals::new(&[SIGINT, SIGTERM, SIGQUIT]).expect("Failed to create signal source.");

--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
+[toolchain]
+# TODO: Change to stable as soon as 1.87.0 has been released.
+channel = "nightly"