From a821781ae008bfb256890c759f457fd9fe597be6 Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Sun, 9 Mar 2025 15:52:08 -0400
Subject: [PATCH] Per-container compositor sandbox
---
 dobu-run.sh | 9 +++++----
 functions.sh | 35 +++++++++++++++++++----------------
 2 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/dobu-run.sh b/dobu-run.sh
index 4b36073..90ea61e 100755
--- a/dobu-run.sh
+++ b/dobu-run.sh
@@ -6,7 +6,8 @@ assert_prerequisites
 [ -z "$1" ] && die "Expecting 1 argument"
-image_name="$(relative_path_to_image_name "apps/$1")"
+app_name="$1"
+image_name="$(relative_path_to_image_name "apps/$app_name")"
 # image_name is of the form dobu/xxxx, while for containers we want dobu-xxx
 container_name="${image_name/\//-}"
 home_path="$HOMEDIR_STORAGE/$1"
@@ -55,9 +56,9 @@ if is_in_array "$1" "${DISPLAY_SERVER_APP_ALLOWLIST[@]}"; then
 fi
 else
 # Make sure we have compositor-sandbox running first
- ensure_compositor_sandbox
- WAYLAND_SRC="$DOBU_TMP/xdg_runtime/wayland-10"
- XORG_SRC="$DOBU_TMP/X11-unix/X1"
+ ensure_compositor_sandbox "$app_name"
+ WAYLAND_SRC="$DOBU_TMP/$app_name/xdg_runtime/wayland-10"
+ XORG_SRC="$DOBU_TMP/$app_name/X11-unix/X1"
 fi
 # Prepare $HOME for the container
diff --git a/functions.sh b/functions.sh
index 3b434f0..74faf5e 100644
--- a/functions.sh
+++ b/functions.sh
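Review bot: `app_name` is copied straight from `$1` in the first dobu-run.sh hunk, and nothing visible rejects `/`, `..` or whitespace in it, although this commit starts using it as a path component and as part of a container name. It feeds `$DOBU_TMP/$app_name/...` in the second hunk, and in functions.sh the `rm -rf`/`mkdir -p` targets and `dobu-deps-compositor-sandbox-$app_name`, so a value such as `..` or one containing a slash would point those operations outside the per-app directory. Unless `relative_path_to_image_name` already enforces this (it is not shown in the patch), add a check right after the assignment, for example `case "$app_name" in .|..|*/*) die "Invalid app name: $app_name" ;; esac`, dropping the `*/*` arm if nested app directories are meant to be supported. The context line `home_path="$HOMEDIR_STORAGE/$1"` still reads `$1`; switching it to `$app_name` would keep the script on one validated variable.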
@@ -91,37 +91,40 @@ container_entrypoint() {
 }
 ensure_compositor_sandbox() {
+ local app_name="$1"
+ local sandbox_name=dobu-deps-compositor-sandbox-$app_name
+ local sandbox_tmp="$DOBU_TMP/$app_name"
 assert_image_exists dobu/deps-compositor-sandbox
- remove_stale_container dobu-deps-compositor-sandbox
- if container_exists dobu-deps-compositor-sandbox; then
- existing_config_sha="$(sha1sum "$DOBU_TMP/wl-mitm-config.toml" | awk '{ print $1; }')"
+ remove_stale_container $sandbox_name
+ if container_exists $sandbox_name; then
+ existing_config_sha="$(sha1sum "$sandbox_tmp/wl-mitm-config.toml" | awk '{ print $1; }')"
 new_config_sha="$(sha1sum "$script_path/assets/wl-mitm-config.toml" | awk '{ print $1; }')"
- [ -S "$DOBU_TMP/X11-unix/X1" ] && [ -S "$DOBU_TMP/xdg_runtime/wayland-10" ] && [ "$existing_config_sha" == "$new_config_sha" ] && return
+ [ -S "$sandbox_tmp/X11-unix/X1" ] && [ -S "$sandbox_tmp/xdg_runtime/wayland-10" ] && [ "$existing_config_sha" == "$new_config_sha" ] && return
 log "Killing non-functional compositor-sandbox container"
- podman kill dobu-deps-compositor-sandbox
- podman rm -f dobu-deps-compositor-sandbox
+ podman kill $sandbox_name
+ podman rm -f $sandbox_name
 fi
- rm -rf "$DOBU_TMP/xdg_runtime" || true
- rm -rf "$DOBU_TMP/X11-unix" || true
- mkdir -p "$DOBU_TMP/xdg_runtime"
- mkdir -p "$DOBU_TMP/X11-unix"
- cp "$script_path/assets/wl-mitm-config.toml" "$DOBU_TMP/wl-mitm-config.toml"
+ rm -rf "$sandbox_tmp/xdg_runtime" || true
+ rm -rf "$sandbox_tmp/X11-unix" || true
+ mkdir -p "$sandbox_tmp/xdg_runtime"
+ mkdir -p "$sandbox_tmp/X11-unix"
+ cp "$script_path/assets/wl-mitm-config.toml" "$sandbox_tmp/wl-mitm-config.toml"
 log "Starting compositor-sandbox (wl-mitm for Wayland and X Sommelier for X11)..."
- podman run --rm -d "${podman_security_args[@]}" --name dobu-deps-compositor-sandbox \
- -v "$DOBU_TMP/xdg_runtime":/xdg_runtime \
+ podman run --rm -d "${podman_security_args[@]}" --name $sandbox_name \
+ -v "$sandbox_tmp/xdg_runtime":/xdg_runtime \
 `# wl-mitm config` \
- -v "$DOBU_TMP/wl-mitm-config.toml":/tmp/wl-mitm-config.toml \
+ -v "$sandbox_tmp/wl-mitm-config.toml":/tmp/wl-mitm-config.toml \
 `# Pass through host wayland display for Sommelier always as wayland-0` \
 -v "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY":/xdg_runtime/wayland-0 \
 `# X11-unix uses hard-coded path` \
- -v "$DOBU_TMP/X11-unix":/tmp/.X11-unix \
+ -v "$sandbox_tmp/X11-unix":/tmp/.X11-unix \
 `# DRM render nodes` \
 -v /dev/dri:/dev/dri \
 dobu/deps-compositor-sandbox
- while [ ! -S "$DOBU_TMP/xdg_runtime/wayland-10" ] || [ ! -S "$DOBU_TMP/X11-unix/X1" ]; do
+ while [ ! -S "$sandbox_tmp/xdg_runtime/wayland-10" ] || [ ! -S "$sandbox_tmp/X11-unix/X1" ]; do
 sleep 0.5
 done
 }
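Review bot: `$sandbox_name` is expanded unquoted everywhere the new code uses it (`remove_stale_container $sandbox_name`, `container_exists $sandbox_name`, `podman kill $sandbox_name`, `podman rm -f $sandbox_name` and `--name $sandbox_name`), so an app name with whitespace or glob characters is split or expanded before it reaches podman. Write `"$sandbox_name"` in each place, matching the quoting already used for `"$sandbox_tmp/..."`. The function also accepts an empty `$1`, in which case `sandbox_tmp` becomes `"$DOBU_TMP/"` and the `rm -rf`/`mkdir -p` calls fall back to the old shared directories, silently losing the per-container separation. dobu-run.sh checks its argument, but the function itself could guard with `local app_name="${1:?app name required}"`. The `while [ ! -S ... ]` wait still has no timeout, so a sandbox container that exits right after `podman run --rm -d` would leave the caller sleeping in the loop; a bounded retry count with a `die` would surface that failure.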