WIP: Switch to wl-mitm as the compositor sandboxing solution

2025-03-09 11:47:42 -04:00 · 2025-03-09 11:47:42 -04:00 · 78c8a5951c
commit 78c8a5951c
parent 61eb28f8dd
6 changed files with 151 additions and 17 deletions
--- a/assets/wl-mitm-config.toml
+++ b/assets/wl-mitm-config.toml
@ -0,0 +1,33 @@
+[socket]
+listen = "/xdg_runtime/wayland-10"
+upstream = "/xdg_runtime/wayland-0"
+
+[exec]
+notify = "/usr/bin/notify-libnotify.sh"
+
+[filter]
+allowed_globals = [
+    "wl_compositor",
+    "wl_shm",
+    "wl_data_device_manager",
+    "wl_output",
+    "wl_seat",
+    "xdg_wm_base",
+    "zxdg_decoration_manager_v1",
+    "wp_presentation",
+    "wp_viewporter",
+    "zwp_linux_dmabuf_v1",
+    "wl_drm",
+    "wp_drm_lease_device_v1",
+    "wp_linux_drm_syncobj_manager_v1",
+    "zxdg_output_manager_v1",
+    "zwp_pointer_constraints_v1",
+    "zwp_xwayland_keyboard_grab_manager_v1",
+    "zwp_relative_pointer_manager_v1",
+]
+
+[[filter.requests]]
+interface = "wl_data_offer"
+requests = [ "receive" ]
+action = "notify"
+desc = "pasted from clipboard or accepted drag and drop"
--- a/deps/base-archlinux/Containerfile
+++ b/deps/base-archlinux/Containerfile
@ -1,4 +1,4 @@
-FROM docker.io/archlinux:base-20250209.0.306557
+FROM docker.io/archlinux:base-20250302.0.316047

 RUN echo -e "[multilib]\nInclude = /etc/pacman.d/mirrorlist" >> /etc/pacman.conf

--- a/deps/compositor-sandbox/Containerfile
+++ b/deps/compositor-sandbox/Containerfile
@ -0,0 +1,61 @@
+ARG WL_MITM_COMMIT=49ed44763955da1fd227220f52070d72ae61bfdc
+ARG SOMMELIER_COMMIT=984b27ad47ee08178a3128d5c7e96eb109fe09da
+
+FROM docker.io/archlinux:base-devel-20250302.0.316047 AS builder-wl-mitm
+ARG WL_MITM_COMMIT
+
+RUN pacman-key --init && pacman -Sy --noconfirm archlinux-keyring
+
+RUN pacman -Syu --noconfirm \
+      && pacman -S --noconfirm git rustup \
+      && rustup default nightly \
+      && rustup update
+
+RUN mkdir /build && cd /build \
+      && git clone https://gitea.angry.im/PeterCxy/wl-mitm \
+      && cd wl-mitm \
+      && git checkout $SOMMELIER_COMMIT
+
+RUN cd /build/wl-mitm && ./generate.sh && cargo build --release
+
+FROM docker.io/archlinux:base-devel-20250302.0.316047 AS builder-sommelier
+ARG SOMMELIER_COMMIT
+
+RUN pacman-key --init && pacman -Sy --noconfirm archlinux-keyring
+
+RUN pacman -Syu --noconfirm \
+      && pacman -S --noconfirm git meson ninja python python-jinja \
+                               xorg-xwayland wayland libdrm pixman mesa \ 
+                               libxcb libxkbcommon-x11
+
+RUN mkdir /build && cd /build \
+      && git clone https://chromium.googlesource.com/chromiumos/platform2 \
+      && cd platform2 \
+      && git checkout $SOMMELIER_COMMIT
+
+RUN cd /build/platform2/vm_tools/sommelier \
+      && sed -i 's/args\[i++\] = "-rootless";/args[i++] = "-rootless"; args[i++] = "-extension"; args[i++] = "MIT-SHM";/' sommelier.cc \
+      && sed -i 's/bool noop_driver = false;/bool noop_driver = true;/' sommelier.cc \
+      && meson build -Dwith_tests=false && ninja -C build
+
+# Build from ../base-archlinux
+FROM dobu/deps-base-archlinux:latest
+
+RUN pacman -Syu --noconfirm \
+      && pacman -S --noconfirm xorg-xwayland pixman libnotify
+
+COPY --from=builder-wl-mitm /build/wl-mitm/target/release/wl-mitm /usr/bin/
+COPY --from=builder-wl-mitm /build/wl-mitm/contrib/notify-libnotify.sh /usr/bin/
+COPY --from=builder-sommelier /build/platform2/vm_tools/sommelier/build/sommelier /usr/bin/
+COPY ./entrypoint.sh /
+
+USER user
+
+ENV WM_RENDER_NODE=/dev/dri/renderD128
+
+# These paths MUST be bind-mounted from host
+VOLUME /xdg_runtime
+VOLUME /tmp/.X11-unix
+VOLUME /tmp/wl-mitm-config.toml
+
+ENTRYPOINT [ "/entrypoint.sh" ]
--- a/deps/compositor-sandbox/entrypoint.sh
+++ b/deps/compositor-sandbox/entrypoint.sh
@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# wl-mitm (config is external but expected to listen on wayland-10)
+echo "Starting wl-mitm"
+wl-mitm /tmp/wl-mitm-config.toml &
+WL_MITM=$!
+
+for i in $(seq 1 5); do
+    [ -S /xdg_runtime/wayland-10 ] && break
+    sleep 1
+done
+
+if [ ! -S /xdg_runtime/wayland-10 ]; then
+  echo "wl-mitm did not start"
+  exit 1
+fi
+
+# X Sommelier (will listen on :1)
+echo "Starting X11 Sommelier"
+sommelier --display=wayland-10 --xwayland-path=/usr/bin/Xwayland \
+  -X --glamor --x-display=1 --xwayland-gl-driver-path=/usr/lib/dri \
+  --force-drm-device=$WM_RENDER_NODE --direct-scale --noop-driver sleep infinity &
+SOMMELIER_X=$!
+
+for i in $(seq 1 5); do
+    [ -S /tmp/.X11-unix/X1 ] && break
+    sleep 1
+done
+
+if [ ! -S /tmp/.X11-unix/X1 ]; then
+  echo "X Sommelier did not start"
+  exit 1
+fi
+
+wait $SOMMELIER_X
+wait $WL_MITM
--- a/dobu-run.sh
+++ b/dobu-run.sh
@ -54,9 +54,9 @@ if is_in_array "$1" "${DISPLAY_SERVER_APP_ALLOWLIST[@]}"; then
    die "Wayland / Xorg sockets do not exist"
  fi
 else
-  # Make sure we have Sommelier running first
-  ensure_sommelier
-  WAYLAND_SRC="$DOBU_TMP/xdg_runtime/wayland-1"
+  # Make sure we have compositor-sandbox running first
+  ensure_compositor_sandbox
+  WAYLAND_SRC="$DOBU_TMP/xdg_runtime/wayland-10"
  XORG_SRC="$DOBU_TMP/X11-unix/X1"
 fi

--- a/functions.sh
+++ b/functions.sh
@ -90,34 +90,38 @@ container_entrypoint() {
  podman inspect $1 | jq -r '.[0].Config.Entrypoint'
 }

-ensure_sommelier() {
-  assert_image_exists dobu/deps-sommelier
-  remove_stale_container dobu-deps-sommelier
-  if container_exists dobu-deps-sommelier; then
-    [ -S "$DOBU_TMP/X11-unix/X1" ] && [ -S "$DOBU_TMP/xdg_runtime/wayland-1" ] && return
-    log "Killing non-functional Sommelier container"
-    podman kill dobu-deps-sommelier
-    podman rm -f dobu-deps-sommelier
+ensure_compositor_sandbox() {
+  assert_image_exists dobu/deps-compositor-sandbox
+  remove_stale_container dobu-deps-compositor-sandbox
+  if container_exists dobu-deps-compositor-sandbox; then
+    existing_config_sha="$(sha1sum "$DOBU_TMP/wl-mitm-config.toml" | awk '{ print $1; }')"
+    new_config_sha="$(sha1sum "$script_path/assets/wl-mitm-config.toml" | awk '{ print $1; }')"
+    [ -S "$DOBU_TMP/X11-unix/X1" ] && [ -S "$DOBU_TMP/xdg_runtime/wayland-10" ] && [ "$existing_config_sha" == "$new_config_sha" ] && return
+    log "Killing non-functional compositor-sandbox container"
+    podman kill dobu-deps-compositor-sandbox
+    podman rm -f dobu-deps-compositor-sandbox
  fi

  rm -rf "$DOBU_TMP/xdg_runtime" || true
  rm -rf "$DOBU_TMP/X11-unix" || true
  mkdir -p "$DOBU_TMP/xdg_runtime"
  mkdir -p "$DOBU_TMP/X11-unix"
+  cp "$script_path/assets/wl-mitm-config.toml" "$DOBU_TMP/wl-mitm-config.toml"

-  log "Starting Sommelier as a nested compositor..."
+  log "Starting compositor-sandbox (wl-mitm for Wayland and X Sommelier for X11)..."

-  podman run --rm -d "${podman_security_args[@]}" --name dobu-deps-sommelier \
+  podman run --rm -d "${podman_security_args[@]}" --name dobu-deps-compositor-sandbox \
    -v "$DOBU_TMP/xdg_runtime":/xdg_runtime \
+    `# wl-mitm config` \
+    -v "$DOBU_TMP/wl-mitm-config.toml":/tmp/wl-mitm-config.toml \
    `# Pass through host wayland display for Sommelier always as wayland-0` \
    -v "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY":/xdg_runtime/wayland-0 \
    `# X11-unix uses hard-coded path` \
    -v "$DOBU_TMP/X11-unix":/tmp/.X11-unix \
    `# DRM render nodes` \
    -v /dev/dri:/dev/dri \
-    dobu/deps-sommelier
-  while [ ! -S "$DOBU_TMP/xdg_runtime/wayland-1" ] || [ ! -S "$DOBU_TMP/X11-unix/X1" ]; do
- 
+    dobu/deps-compositor-sandbox
+  while [ ! -S "$DOBU_TMP/xdg_runtime/wayland-10" ] || [ ! -S "$DOBU_TMP/X11-unix/X1" ]; do
    sleep 0.5
  done
 }