From 34a1ff291a0444b3e56f96e6cc72899ab818a2f7 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sat, 17 Feb 2024 13:18:10 +0700 Subject: feat(tvix/castore/fs): make allow_other configurable Also add a cli argument to the `tvix-store` binary. Change-Id: Id07d7fedb60d6060543b195f3a810a46137f9ad5 Reviewed-on: https://cl.tvl.fyi/c/depot/+/10945 Tested-by: BuildkiteCI Autosubmit: flokli Reviewed-by: tazjin --- tvix/castore/src/fs/fuse.rs | 9 +++++++-- tvix/castore/src/fs/tests.rs | 2 +- tvix/store/src/bin/tvix-store.rs | 9 ++++++++- 3 files changed, 16 insertions(+), 4 deletions(-) (limited to 'tvix') diff --git a/tvix/castore/src/fs/fuse.rs b/tvix/castore/src/fs/fuse.rs index 1dce43915905..cd50618ff5bc 100644 --- a/tvix/castore/src/fs/fuse.rs +++ b/tvix/castore/src/fs/fuse.rs @@ -53,7 +53,12 @@ pub struct FuseDaemon { impl FuseDaemon { #[instrument(skip(fs, mountpoint), fields(mountpoint=?mountpoint), err)] - pub fn new(fs: FS, mountpoint: P, threads: usize) -> Result + pub fn new( + fs: FS, + mountpoint: P, + threads: usize, + allow_other: bool, + ) -> Result where FS: FileSystem + Sync + Send + 'static, P: AsRef + std::fmt::Debug, @@ -64,7 +69,7 @@ impl FuseDaemon { .map_err(|e| io::Error::new(io::ErrorKind::Other, e.to_string()))?; #[cfg(target_os = "linux")] - session.set_allow_other(false); + session.set_allow_other(allow_other); session .mount() .map_err(|e| io::Error::new(io::ErrorKind::Other, e.to_string()))?; diff --git a/tvix/castore/src/fs/tests.rs b/tvix/castore/src/fs/tests.rs index 2f27c3c1c8e4..924454caa6dd 100644 --- a/tvix/castore/src/fs/tests.rs +++ b/tvix/castore/src/fs/tests.rs @@ -51,7 +51,7 @@ where Arc::new(root_nodes), list_root, ); - FuseDaemon::new(Arc::new(fs), mountpoint.as_ref(), 4) + FuseDaemon::new(Arc::new(fs), mountpoint.as_ref(), 4, false) } async fn populate_blob_a( diff --git a/tvix/store/src/bin/tvix-store.rs b/tvix/store/src/bin/tvix-store.rs index ecee8d78f3b7..8f023696a4b7 100644 --- a/tvix/store/src/bin/tvix-store.rs 
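Review bot: The new `allow_other: bool` parameter in the `@@ -53,7 +53,12 @@` hunk of fuse.rs has no doc comment, although it is the one argument of `FuseDaemon::new` that changes who can reach the mount. Without allow_other a FUSE mount is accessible only to the user who mounted it; with it, every local user (root included) can open it. The kernel enforces file modes only when `default_permissions` is also set, which this hunk does not show. I would document that on `new`, for example `/// allow_other: if true, users other than the mounting user may access the mountpoint; keep it false unless the content is meant to be readable by every local user.` The signature is complete in the hunk, but the body of `new` continues outside it.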
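Review bot: In the `@@ -64,7 +69,7 @@` hunk, `allow_other` is read only under `#[cfg(target_os = "linux")]`, so on every other target the argument is accepted and silently dropped (and probably triggers an unused-variable warning). A caller who passes `true` then gets whatever the platform default is, with no indication that the request was ignored; that is a surprise for the operator rather than an exposure, as far as this hunk shows. Consider a non-Linux branch that reports it, e.g. `#[cfg(not(target_os = "linux"))] if allow_other { warn!("allow_other is not supported on this platform"); }` (assuming tracing's `warn!` is in scope in this file), or return an `io::Error` instead. The body of `new` starts and ends outside this hunk.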
+++ b/tvix/store/src/bin/tvix-store.rs @@ -111,6 +111,12 @@ enum Commands { #[arg(long, env, default_value_t = default_threads())] threads: usize, + #[arg(long, env, default_value_t = false)] + /// Whether to configure the mountpoint with allow_other. + /// Requires /etc/fuse.conf to contain the `user_allow_other` + /// option, configured via `programs.fuse.userAllowOther` on NixOS. + allow_other: bool, + /// Whether to list elements at the root of the mount point. /// This is useful if your PathInfoService doesn't provide an /// (exhaustive) listing. @@ -334,6 +340,7 @@ async fn main() -> Result<(), Box> { path_info_service_addr, list_root, threads, + allow_other, } => { let (blob_service, directory_service, path_info_service) = tvix_store::utils::construct_services( @@ -352,7 +359,7 @@ async fn main() -> Result<(), Box> { ); info!(mount_path=?dest, "mounting"); - FuseDaemon::new(fs, &dest, threads) + FuseDaemon::new(fs, &dest, threads, allow_other) }) .await??; -- cgit 1.4.1
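Review bot: The bare `env` in `#[arg(long, env, default_value_t = false)]` lets this access-widening option be switched on from the process environment. If I read clap's derive correctly, the variable name comes from the field, i.e. an unprefixed `ALLOW_OTHER`. That follows the existing `threads` argument, but a generic name like this can be inherited from a service manager or wrapper script without anyone intending it for tvix-store, and here the effect is that other local users can read the mount. I would drop `env` for this flag or give it an explicit namespaced name, for example `env = "TVIX_STORE_ALLOW_OTHER"` (name constructed for illustration). I would also add one sentence to the help text: `/// Allows users other than the one running the daemon to access the mount.` As a style point, the doc comment sits below the `#[arg]` attribute, unlike the `list_root` field that follows.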
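Review bot: In the `@@ -352,7 +359,7 @@` hunk, the `info!(mount_path=?dest, "mounting")` event just above the changed call does not record `allow_other`. The logs therefore cannot distinguish a single-user mount from one opened to all local users. Adding the field, `info!(mount_path=?dest, allow_other, "mounting");`, gives operators an audit trail for the setting at the moment the mount is created. The enclosing closure starts outside this hunk.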