Include dependencies #22

Closed

@mpobaschnig commented Dec 25, 2021
Owner

This PR includes gocryptfs and CryFS in the flatpak.

Draft until these issues are solved:

CryFS:

  • Build from source
  • init works
  • open/mount works
  • close/unmount works

gocryptfs:

Closes: #8

@mpobaschnig
Owner Author

Currently, the big stopper is gocryptfs opening/mounting. It fails with error code 19, which from the gocryptfs exit code description is:

// FuseNewServer - this exit code means that the call to fuse.NewServer failed.
// This usually means that there was a problem executing fusermount, or
// fusermount could not attach the mountpoint to the kernel.
FuseNewServer = 19

go-fuse fails at line https://github.com/hanwen/go-fuse/blob/master/fuse/mount_linux.go#L113 with:

fs.Mount failed: fusermount exited with code 256

Not sure if related, but

Can't find bus: Cannot autolaunch D-Bus without X11 $DISPLAY

is also printed right before the fs.Mount error.

@fastrizwaan

Hi,

Could we allow downloading static binaries (say from https://github.com/rfjakob/gocryptfs/releases) and placing them at ~/.var/app/io.github.mpobaschnig.Vaults/data/bin/ from the Vault interface?

And set the $PATH to ~/.var/app/io.github.mpobaschnig.Vaults/data/bin/:/usr/bin in the "*wrapper.sh" files, so that users don't have to struggle with installing via apt, rpm, etc.

Thanks.

@fastrizwaan

Or we could allow selecting the gocryptfs and cryfs static binaries from a different directory, as ostree-based distros do not allow creating symlinks to /usr/bin. Perhaps creating a ~/bin.

@mpobaschnig
Owner Author

This branch already uses statically compiled binaries, but gocryptfs' open/mount doesn't work within the sandboxed environment and I still have to figure out why. I'm not sure if your suggested approach would actually work for gocryptfs. I could only ship CryFS and leave gocryptfs behind, but I'm not sure if this is a good idea.

Properly including the dependencies is one of the things I'll look into for the next release though.

@fastrizwaan

> Or we could allow selecting the gocryptfs and cryfs static binaries from a different directory, as ostree-based distros do not allow creating symlinks to /usr/bin. Perhaps creating a ~/bin.

I've modified the gocryptfs-wrapper.sh to include ~/bin/gocryptfs and now I can use gocryptfs with vaults. This will be esp. useful for silverblue or other immutable distros.

$ cat build-aux/gocryptfs-wrapper.sh 
#!/bin/sh
if [ -f ~/bin/gocryptfs ]; then
   exec flatpak-spawn --host ~/bin/gocryptfs "$@"
else
   exec flatpak-spawn --host gocryptfs "$@"
fi

I've downloaded the static gocryptfs from https://github.com/rfjakob/gocryptfs/releases and extracted the gocryptfs binary to ~/bin and compiled vaults with the above wrapper.

Flatpak Manifest

{
    "app-id": "io.github.mpobaschnig.Vaults",
    "runtime": "org.gnome.Platform",
    "runtime-version": "42",
    "sdk": "org.gnome.Sdk",
    "sdk-extensions": [
        "org.freedesktop.Sdk.Extension.rust-stable"
    ],
    "command": "vaults",
    "finish-args": [
        "--socket=fallback-x11",
        "--socket=wayland",
        "--device=dri",
        "--share=ipc",
        "--talk-name=org.freedesktop.Flatpak",
        "--filesystem=host"
    ],
    "cleanup": [
        "/include",
        "/lib/pkgconfig"
    ],
    "build-options": {
        "append-path": "/usr/lib/sdk/rust-stable/bin",
        "env": {
            "RUST_BACKTRACE": "1"
        }
    },
    "modules": [
        {
            "name": "libfuse",
            "config-opts": [
                "MOUNT_FUSE_PATH=/app/bin"
            ],
            "post-install": [
                "install fusermount-wrapper.sh /app/bin/fusermount"
            ],
            "sources": [
                {
                    "type": "archive",
                    "url": "https://github.com/libfuse/libfuse/releases/download/fuse-2.9.9/fuse-2.9.9.tar.gz",
                    "sha256": "d0e69d5d608cc22ff4843791ad097f554dd32540ddc9bed7638cc6fea7c1b4b5"
                },
                {
                    "type": "file",
                    "path": "build-aux/fusermount-wrapper.sh"
                }
            ]
        },
        {
            "name": "cryfs",
            "buildsystem": "simple",
            "build-commands": [
                "install cryfs-wrapper.sh /app/bin/cryfs"
            ],
            "sources": [
                {
                    "type": "file",
                    "path": "build-aux/cryfs-wrapper.sh"
                }
            ]
        },
        {
            "name": "cryfs-unmount",
            "buildsystem": "simple",
            "build-commands": [
                "install cryfs-unmount-wrapper.sh /app/bin/cryfs-unmount"
            ],
            "sources": [
                {
                    "type": "file",
                    "path": "build-aux/cryfs-unmount-wrapper.sh"
                }
            ]
        },
        {
            "name": "gocryptfs",
            "buildsystem": "simple",
            "build-commands": [
                "install gocryptfs-wrapper.sh /app/bin/gocryptfs"
            ],
            "sources": [
                {
                    "type": "file",
                    "path": "build-aux/gocryptfs-wrapper.sh"
                }
            ]
        },
        {
            "name": "vaults",
            "buildsystem": "meson",
            "sources": [
                {
                    "type": "archive",
                    "url": "https://github.com/mpobaschnig/Vaults/releases/download/0.3.0/vaults-0.3.0.tar.xz",
                    "sha256": "576d3dbcf0325643ed0304997e36543d2e1d90e35003c351bd6c0a0ab926471a"
                }
            ]
        }
    ]
}
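
An added example, not part of the thread or of the Vaults project: a small Python audit over the `finish-args` and the wrapper script posted above. It flags the permissions that let the app reach the host and reports how each `flatpak-spawn --host` call resolves its binary. The function names and reason strings are assumptions of this example.

```python
import json
import shlex

# finish-args copied from the manifest posted in this thread.
MANIFEST = json.loads("""{
  "finish-args": ["--socket=fallback-x11", "--socket=wayland", "--device=dri",
                  "--share=ipc", "--talk-name=org.freedesktop.Flatpak",
                  "--filesystem=host"]
}""")

# gocryptfs-wrapper.sh as posted in this thread.
WRAPPER = """#!/bin/sh
if [ -f ~/bin/gocryptfs ]; then
   exec flatpak-spawn --host ~/bin/gocryptfs "$@"
else
   exec flatpak-spawn --host gocryptfs "$@"
fi
"""

def audit_finish_args(manifest):
    """Return (arg, reason) for finish-args that remove sandbox isolation."""
    findings = []
    for arg in manifest.get("finish-args", []):
        key, _, value = arg.partition("=")
        if key == "--talk-name" and value == "org.freedesktop.Flatpak":
            findings.append((arg, "app can run host commands via flatpak-spawn --host"))
        elif key == "--filesystem" and value.split(":")[0] in ("host", "home"):
            findings.append((arg, "app has broad access to files on the host"))
    return findings

def host_commands(script):
    """Return (target, resolution) for each flatpak-spawn --host call in a wrapper."""
    calls = []
    for line in script.splitlines():
        tokens = shlex.split(line, comments=True)
        if "flatpak-spawn" in tokens and "--host" in tokens:
            # The first non-option token after flatpak-spawn is the host command.
            rest = tokens[tokens.index("flatpak-spawn") + 1:]
            target = next((t for t in rest if not t.startswith("-")), None)
            if target:
                how = ("user-writable home path" if target.startswith(("~", "$HOME"))
                       else "absolute path" if target.startswith("/") else "host $PATH lookup")
                calls.append((target, how))
    return calls

if __name__ == "__main__":
    for finding in audit_finish_args(MANIFEST) + host_commands(WRAPPER):
        print(*finding, sep=": ")
```
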

@teohhanhui

@fastrizwaan $PATH exists for a reason. Don't try to hardcode binary paths like that, please... 🙏

@fastrizwaan

> @fastrizwaan $PATH exists for a reason. Don't try to hardcode binary paths like that, please... 🙏

Hardcoding helps the user, whereas setting PATH for every flatpak user is painful, isn't it?
Also, --env=PATH=~/bin and putting PATH in the wrapper script only make it available to the sandbox, whereas the wrapper is executing the script on the host.

Yes, adding

PATH=$PATH:~/bin
export PATH

to ~/.bashrc makes the binary accessible to vaults sandboxed wrapper.

So, either hardcoding the path or asking the user to add their PATH to .bashrc are presently the ways I can think of.

@teohhanhui

No, really, it doesn't help the user. Respecting $PATH is not optional. It's how different software can work together. And different distros / people use different paths anyway. Personally I use ~/.local/bin.

@mpobaschnig
Owner Author

Flatpak apps should be isolated from the host, and manipulating host stuff (or just something in the sandbox) to circumvent the actual problem is not the way to go. We should rather find out why gocryptfs' mount/open is not working, build both dependencies from source, and then include them in the flatpak.

@Froggy232

Hi,
First, I wanted to thank you for your software. I find it perfect except for this point, as I run on silverblue and rely on a copr to get gocryptfs.
Do you have any update on the situation?
Thank you!

@mpobaschnig
Owner Author

Hey, unfortunately, no. I might take a look again in the near future, but I'd like to address other issues first.

@Froggy232

Hi,
It's sad, but I understand that you have other priorities.
Thanks for your work!

@mpobaschnig
Owner Author

Closed in favor of #97

Labels: enhancement, help wanted
Project status: Done
Linked issue: Include encryption deps
4 participants