From 82a0dc47e358edd88c8f5b92442b6cc37196e0c2 Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Sun, 9 Mar 2025 18:10:28 -0400
Subject: [PATCH] Only expose xwayland-satellite when absolutely needed
---
 apps/steam/Containerfile | 3 +++
 dobu-run.sh | 14 +++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/apps/steam/Containerfile b/apps/steam/Containerfile
index 1763985..614bf19 100644
--- a/apps/steam/Containerfile
+++ b/apps/steam/Containerfile
@@ -15,4 +15,7 @@ LABEL net.typeblog.dobu.desktop_file_path="/usr/share/applications/steam.desktop
 # Don't use it if you don't trust their sandboxing (pressure-vessel).
 LABEL net.typeblog.dobu.unsafe_i_know_what_i_am_doing_allow_namespaces="true"
+# We also need X11
+LABEL net.typeblog.dobu.x11_required="true"
+
 ENTRYPOINT [ "/usr/games/steam" ]
diff --git a/dobu-run.sh b/dobu-run.sh
index 29cee05..5aca253 100755
--- a/dobu-run.sh
+++ b/dobu-run.sh
@@ -34,6 +34,12 @@ if [ "$(get_image_label "$image_name" net.typeblog.dobu.unsafe_i_know_what_i_am_
 update_podman_security_args "seccomp_unsafe.json"
 fi
+x11_required=false
+
+if [ "$(get_image_label "$image_name" net.typeblog.dobu.x11_required)" == "true" ]; then
+ x11_required=true
+fi
+
 if [[ -n $PULSE_SERVER ]]; then # remove prefix
 host_pulse=${PULSE_SERVER#unix:}
 else # default guess
@@ -79,6 +85,11 @@ mkdir -p "$home_path/.local/share"
 extra_args=""
+# If X11 is required, expose XWayland via xwayland-satellite
+if $x11_required; then
+ extra_args="$extra_args -v ${XORG_SRC}:/tmp/.X11-unix/X0 -e DISPLAY=:0"
+fi
+
 # Expose Pipewire socket if it exists
 if [ -S "$XDG_RUNTIME_DIR/pipewire-0" ]; then
 extra_args="$extra_args -v $XDG_RUNTIME_DIR/pipewire-0:/xdg_runtime/pipewire-0"
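Review bot: The `x11_required` switch read in the `@@ -34,6 +34,12 @@` hunk is a label carried by the image itself, so the decision to mount the host's X11 socket rests with whoever built the image rather than with the user running it. An X11 socket gives a client more reach than the Wayland socket (clients on the same X server can generally observe each other's input and window contents), so this label deserves the same prominence as the `unsafe_i_know_what_i_am_doing_allow_namespaces` one checked just above. I would document that next to the assignment, for example `# x11_required relaxes isolation: the container gets the xwayland-satellite socket; set it only on images built from a trusted Containerfile`, and consider printing a one-line notice to stderr when it is enabled. Whether several containers share one xwayland-satellite instance is not visible from this hunk.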
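Review bot: `${XORG_SRC}` loses the quoting it had in the removed `podman run` arguments once it is spliced into the `extra_args` string in the `@@ -79,6 +85,11 @@` hunk. That string is presumably expanded unquoted further down, outside this hunk, so a socket path containing whitespace or glob characters would be split into separate podman arguments. The new branch also never checks that the socket exists, unlike the Pipewire branch right below it with `[ -S ... ]`, so an unset or stale `XORG_SRC` would hand podman a malformed `-v` mount. Failing early reads better than a confusing podman error, e.g. `[ -S "$XORG_SRC" ] || { echo "X11 required but no socket at $XORG_SRC" >&2; exit 1; }` as the first line inside the `if`. Longer term, collecting these options in an array, as `podman_security_args` already does, would keep each path a single argument.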
@@ -118,9 +129,6 @@ podman run --rm "${podman_security_args[@]}" --name "$container_name" \
 `# Note that XDG_RUNTIME_DIR is already set in the image` \
 -v "${WAYLAND_SRC}":/xdg_runtime/wayland-0 \
 -e WAYLAND_DISPLAY=wayland-0 \
- `# Pass through XWayland Satellite socket` \
- -v "${XORG_SRC}":/tmp/.X11-unix/X0 \
- -e DISPLAY=:0 \
 `# DRM render nodes` \
 -v /dev/dri:/dev/dri \
 `# Pass through PulseAudio` \