Implement allowlisting for direct access to Wayland / X11
Some applications do not work well with Sommelier, especially under Sway. Rather than having them unusable, I'd rather have something that "almost" works.
This commit is contained in:
parent fd55053f38
commit b7b5a61286
3 changed files with 32 additions and 4 deletions
@ -12,6 +12,8 @@ application containers. By default, Dobu only allows access to the following:
- Wayland / Xorg proxied through [sommelier](https://chromium.googlesource.com/chromiumos/platform2/+/refs/heads/main/vm_tools/sommelier/)
- This gives containers effectively a separate Wayland subcompositor with its own Xwayland server,
mitigating risks associated with sharing a desktop session
- You can *optionally* grant access to raw Wayland / Xorg sockets for specific apps in `config.sh` in case
of compatibility issues.
- DRI render nodes (for GL acceleration)
- PulseAudio server
- This should ideally be proxied too like Wayland / Xorg, but currently no ideal implementation is known
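Review bot: the new bullet "You can *optionally* grant access to raw Wayland / Xorg sockets for specific apps" does not say what is given up. The bullet directly above it explains that Sommelier gives each container its own subcompositor and Xwayland server, "mitigating risks associated with sharing a desktop session"; an allowlisted app loses exactly that mitigation and becomes an ordinary client of the host session, which on X11 means it can observe input and window contents of every other client. Suggest stating this in the bullet, e.g. "This disables graphical isolation for that app: it becomes a regular client of your desktop session, with everything that implies for X11." Minor: the config.sh comment and the dobu-run.sh log line in this commit say "Wayland / X11" while the README says "Wayland / Xorg"; pick one.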
@ -120,6 +122,10 @@ Limitations
file sharing easier (otherwise you have to either `sudo` or `podman unshare` all the time),
and to share things like the Sommelier socket and PulseAudio without making them
world-writable or `setfacl` hacks.
- Some applications can show compatibility issues when running with Sommelier under some
desktop environments. For example, popup dialogs might be positioned wrong. These cases
can currently only be worked around by granting direct access to the raw display server
in `config.sh` until Sommelier, the desktop environment, or the app improve.
- PulseAudio socket is not isolated but shared directly. This could ideally be solved by
a proxy of PulseAudio similar to Sommelier for Wayland / Xorg.
- DBus is not shared at all into application containers. This means that input methods such
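Review bot: the Limitations entry "can currently only be worked around by granting direct access to the raw display server in `config.sh`" should name the setting so readers can find it, and should say that the workaround removes the isolation the earlier section promises. Suggest: "...by adding the app to `DISPLAY_SERVER_APP_ALLOWLIST` in `config.sh`, which gives that app unisolated access to your desktop session, until Sommelier, the desktop environment, or the app improve." Also, "positioned wrong" reads better as "positioned incorrectly".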
@ -15,3 +15,7 @@ DEV_INPUT_APP_ALLOWLIST=()
# # or use device IDs -- in case device paths change across reboots or hotplug
# by-id/usb-XXX-xxx
#)
# Array of app containers that are granted direct Wayland / X11 access
# apps not in this list will be graphically isolated using Sommelier
DISPLAY_SERVER_APP_ALLOWLIST=()
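Review bot: the comment "# Array of app containers that are granted direct Wayland / X11 access" should say what the entries are matched against: dobu-run.sh tests `is_in_array "$1" "${DISPLAY_SERVER_APP_ALLOWLIST[@]}"`, so an entry has to equal the first argument passed to dobu-run.sh, not a container name. The `DEV_INPUT_APP_ALLOWLIST` block just above carries a commented example of the expected format; add one here in the same style, plus a one-line warning that listed apps are not graphically isolated, since this comment is the only thing a user reads before enabling it.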
26
dobu-run.sh
@ -39,8 +39,26 @@ else # default guess
host_pulse=$XDG_RUNTIME_DIR/pulse/native
fi
# Make sure we have Sommelier running first
ensure_sommelier
if is_in_array "$1" "${DISPLAY_SERVER_APP_ALLOWLIST[@]}"; then
log "Allowing app $1 full access to Wayland / X11 sockets"
WAYLAND_SRC="${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}"
if [ -z "$DISPLAY" ]; then
# TODO: Maybe we can just ignore Xorg in these cases
die "$$DISPLAY must be set for apps granted full Wayland / Xorg access"
fi
XORG_SRC="/tmp/.X11-unix/X${DISPLAY/:/}"
if [ ! -S "${XORG_SRC}" ] || [ ! -S "${WAYLAND_SRC}" ]; then
die "Wayland / Xorg sockets do not exist"
fi
else
# Make sure we have Sommelier running first
ensure_sommelier
WAYLAND_SRC="$DOBU_TMP/xdg_runtime/wayland-1"
XORG_SRC="$DOBU_TMP/X11-unix/X1"
fi
# Prepare $HOME for the container
if [ ! -d "$home_path" ]; then
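Review bot: `die "$$DISPLAY must be set for apps granted full Wayland / Xorg access"` is a bug: inside double quotes `$$` expands to the shell's PID, so the message comes out as something like `12345DISPLAY must be set ...`; use `\$DISPLAY`. Two more problems in the allowlisted branch. `XORG_SRC="/tmp/.X11-unix/X${DISPLAY/:/}"` only removes the colon, so a `DISPLAY` of `:0.0` or `host:0` gives `X0.0` or `Xhost0`; derive the display number with `${DISPLAY#*:}` followed by `${...%.*}`. And `WAYLAND_SRC="${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}"` is built without checking that `WAYLAND_DISPLAY` is set (DISPLAY is checked, WAYLAND_DISPLAY is not), so an unset value points at the runtime directory itself and the failure only surfaces as the generic "Wayland / Xorg sockets do not exist"; check it the same way and split the combined `[ ! -S ]` test so the message names which socket is missing. Since this branch deliberately drops isolation, `log "Allowing app $1 full access to Wayland / X11 sockets"` should say so, as a warning rather than an informational line.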
@ -84,10 +102,10 @@ podman run --rm "${podman_security_args[@]}" --name "$container_name" \
--mount type=tmpfs,destination=/tmp/.X11-unix,chown,tmpfs-mode=0700 \
`# Pass through Sommelier Wayland socket` \
`# Note that XDG_RUNTIME_DIR is already set in the image` \
-v "$DOBU_TMP/xdg_runtime/wayland-1":/xdg_runtime/wayland-0 \
-v "${WAYLAND_SRC}":/xdg_runtime/wayland-0 \
-e WAYLAND_DISPLAY=wayland-0 \
`# Pass through Sommelier X11 socket` \
-v "$DOBU_TMP/X11-unix/X1":/tmp/.X11-unix/X0 \
-v "${XORG_SRC}":/tmp/.X11-unix/X0 \
-e DISPLAY=:0 \
`# DRM render nodes` \
-v /dev/dri:/dev/dri \
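Review bot: the comments `# Pass through Sommelier Wayland socket` and `# Pass through Sommelier X11 socket` are now wrong for allowlisted apps, where `${WAYLAND_SRC}` and `${XORG_SRC}` point at the host's own sockets; reword to "Pass through Wayland socket (Sommelier, or the host's for apps in DISPLAY_SERVER_APP_ALLOWLIST)". One thing to verify for the raw X11 case: only the socket is bind-mounted into `/tmp/.X11-unix/X0` and `DISPLAY=:0` is set, but no `XAUTHORITY` or cookie is passed. If the host X server (Sway's Xwayland, per the commit message) enforces MIT-MAGIC-COOKIE-1 authentication, allowlisted apps will still be refused; if it does not, that deserves a note in the README, since it means any local process can connect to that display.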