dobu-run: Allow more fine-grained input device passthrough control

config-default.sh

@@ -4,5 +4,14 @@ HOMEDIR_STORAGE=$HOME/.local/share/dobu/homedir
 # normal subdirectories
 HOMEDIR_IS_BTRFS=false
 
-# Array of containers that are granted full /dev/input access
-DEV_INPUT_ALLOWLIST=()
+# Array of app containers that are granted full /dev/input access
+DEV_INPUT_APP_ALLOWLIST=()
+# Array of devices that will be passed through to apps with input access
+# If undefined, all input devices will be passed through
+# Note that some devices expose multiple /dev/input interfaces,
+# and all of them have to be in this allowlist to grant access
+#DEV_INPUT_DEVICE_ALLOWLIST=(
+#  js0
+#  # or use device IDs
+#  by-id/usb-XXX-xxx
+#)

dobu-run.sh

@@ -44,9 +44,19 @@ fi
 extra_args=""
 
 # Check if we should allow /dev/input access
-if is_in_array "$1" "${DEV_INPUT_ALLOWLIST[@]}"; then
-  log "Granting full /dev/input access"
-  extra_args="$extra_args -v /dev/input:/dev/input"
+if is_in_array "$1" "${DEV_INPUT_APP_ALLOWLIST[@]}"; then
+  if [ -z "${DEV_INPUT_DEVICE_ALLOWLIST+x}" ]; then
+    log "Granting full /dev/input access"
+    log "Set DEV_INPUT_DEVICE_ALLOWLIST for more fine-grained control"
+    extra_args="$extra_args -v /dev/input:/dev/input"
+  else
+    for device in "${DEV_INPUT_DEVICE_ALLOWLIST[@]}"; do
+      device=$(realpath /dev/input/"$device")
+      [[ ! "$device" =~ ^/dev/input/ ]] && continue
+      log "Granting access to input device $device"
+      extra_args="$extra_args -v $device:$device"
+    done
+  fi
 fi
 
 # The fun part: start the container!