Kiosk TUI

build_files/base/01-base-system.sh

@@ -12,11 +12,13 @@ dnf5 -y clean all
 ### Enable Hypercube COPR for custom packages
 dnf5 -y copr enable binarypie/hypercube
 
-### Display Manager: greetd + hypercube-utils
-# hypercube-utils provides hypercube-greeter and hypercube-onboard (run directly on TTY)
+### Display Manager: greetd + cage + hypercube-utils
+# cage: minimal Wayland compositor for kiosk/greeter mode
+# hypercube-utils provides hypercube-greeter and hypercube-onboard
 dnf5 -y install \
     greetd \
     greetd-selinux \
+    cage \
     hypercube-utils
 
 ### Desktop Portals & Integration
@@ -95,7 +97,22 @@ if ! id -u greeter &>/dev/null; then
     useradd -r -M -s /usr/bin/nologin greeter
 fi
 
+### SELinux Policy: Allow greeter to allocate PTYs and use io_uring
+# Install policy development tools (will be removed by cleanup)
+dnf5 -y install selinux-policy-devel
+
+# Compile and install the greeter policy module
+SELINUX_DIR="/usr/share/hypercube/selinux"
+pushd "$SELINUX_DIR"
+make -f /usr/share/selinux/devel/Makefile hypercube-greeter.pp
+semodule -i hypercube-greeter.pp
+popd
+
+# Clean up build artifacts (keep .te for reference)
+rm -f "$SELINUX_DIR"/*.pp "$SELINUX_DIR"/*.if "$SELINUX_DIR"/*.fc
+
 ### Enable services
+systemctl enable devpts-ptmxmode.service
 systemctl enable greetd.service
 systemctl enable NetworkManager.service
 systemctl enable bluetooth.service

build_files/hypercube/99-tests.sh

@@ -10,6 +10,7 @@ echo "Running Hypercube validation tests..."
 REQUIRED_PACKAGES=(
   # Display manager
   "greetd"
+  "cage"
   "hypercube-utils"
   # Hyprland stack
   "hyprland"

system_files/shared/etc/greetd/config.toml

@@ -2,9 +2,9 @@
 vt = 1
 
 [default_session]
-command = "hypercube-greeter"
+command = "cage -s -- ghostty-kiosk hypercube-greeter"
 user = "greeter"
 
 [initial_session]
-command = "hypercube-onboard --config /usr/share/hypercube/config/hypercube-onboard/onboard.toml"
+command = "cage -s -- ghostty-kiosk 'hypercube-onboard --config /usr/share/hypercube/config/hypercube-onboard/onboard.toml'"
 user = "root"

system_files/shared/usr/lib/systemd/system/devpts-ptmxmode.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Fix devpts mount options for PTY allocation
+DefaultDependencies=no
+After=systemd-remount-fs.service
+Before=greetd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/mount -o remount,mode=620,gid=5,ptmxmode=0666 devpts /dev/pts
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target

system_files/shared/usr/share/hypercube/migrations/001-greetd-cage-greeter.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# Migration: Update greetd to use cage + ghostty for greeter
+
+set -euo pipefail
+
+CONFIG="/etc/greetd/config.toml"
+
+# Skip if file doesn't exist
+[[ -f "$CONFIG" ]] || exit 0
+
+# Skip if already using cage greeter
+grep -q 'cage -s -- ghostty-kiosk hypercube-greeter' "$CONFIG" && exit 0
+
+echo "Updating greetd default_session to use cage + ghostty-kiosk..."
+
+# Only update the default_session command line
+sed -i '/^\[default_session\]/,/^\[/ s|^command = .*|command = "cage -s -- ghostty-kiosk hypercube-greeter"|' "$CONFIG"
+
+echo "greetd config updated"

system_files/shared/usr/share/hypercube/selinux/hypercube-greeter.te

@@ -0,0 +1,15 @@
+policy_module(hypercube-greeter, 1.0)
+
+require {
+    type xdm_t;
+    type ptmx_t;
+    type io_uring_t;
+    class chr_file { read write open getattr ioctl };
+    class anon_inode { create };
+}
+
+# Allow display manager (greetd/greeter) to allocate PTYs
+allow xdm_t ptmx_t:chr_file { read write open getattr ioctl };
+
+# Allow display manager to use io_uring (used by ghostty)
+allow xdm_t io_uring_t:anon_inode { create };