Implement allowlisting for direct access to Wayland / X11

Some applications do not work well with Sommelier, especially under Sway.
Rather than having them unusable, I'd rather have something that
"almost" works.
Peter Cai 2024-04-22 21:21:09 -04:00
parent fd55053f38
commit b7b5a61286
3 changed files with 32 additions and 4 deletions

View file

@ -12,6 +12,8 @@ application containers. By default, Dobu only allows access to the following:
- Wayland / Xorg proxied through [sommelier](https://chromium.googlesource.com/chromiumos/platform2/+/refs/heads/main/vm_tools/sommelier/)
- This gives containers effectively a separate Wayland subcompositor with its own Xwayland server,
mitigating risks associated with sharing a desktop session
- You can *optionally* grant access to raw Wayland / Xorg sockets for specific apps in `config.sh` in case
of compatibility issues.
- DRI render nodes (for GL acceleration)
- PulseAudio server
- This should ideally be proxied too like Wayland / Xorg, but currently no ideal implementation is known
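Review bot: the new bullet ("You can *optionally* grant access to raw Wayland / Xorg sockets ...") should state what is given up, not only that it is a compatibility escape hatch. An allowlisted app talks to the host compositor and X server directly, and X11 has no client isolation, so such an app can observe input events and window contents of every other X client in the session; the "separate Wayland subcompositor ... mitigating risks" sentence two lines above no longer applies to it. Suggest adding a sentence such as: "Apps granted raw socket access are not graphically isolated from the rest of the desktop session; only do this for apps you would run unsandboxed anyway."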
@ -120,6 +122,10 @@ Limitations
file sharing easier (otherwise you have to either `sudo` or `podman unshare` all the time),
and to share things like the Sommelier socket and PulseAudio without making them
world-writable or `setfacl` hacks.
- Some applications can show compatibility issues when running with Sommelier under some
desktop environments. For example, popup dialogs might be positioned wrong. These cases
can currently only be worked around by granting direct access to the raw display server
in `config.sh` until Sommelier, the desktop environment, or the app improve.
- PulseAudio socket is not isolated but shared directly. This could ideally be solved by
a proxy of PulseAudio similar to Sommelier for Wayland / Xorg.
- DBus is not shared at all into application containers. This means that input methods such
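Review bot: the new Limitations entry presents the raw-socket allowlist purely as a compatibility trade-off; it should also say that it costs the app its display isolation, since that is the only security boundary this project adds over a plain container. A short clause at the end of "in `config.sh` until Sommelier, the desktop environment, or the app improve." such as ", at the cost of that app's graphical isolation" would do. It would also help to name the known case (the commit message mentions Sway) instead of "some desktop environments", so users can tell whether the workaround applies to them.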

View file

@ -15,3 +15,7 @@ DEV_INPUT_APP_ALLOWLIST=()
# # or use device IDs -- in case device paths change across reboots or hotplug
# by-id/usb-XXX-xxx
#)
# Array of app containers that are granted direct Wayland / X11 access
# apps not in this list will be graphically isolated using Sommelier
DISPLAY_SERVER_APP_ALLOWLIST=()
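Review bot: the new comment carries no security caveat and no example entry, unlike `DEV_INPUT_APP_ALLOWLIST` just above, which shows commented-out sample values. Since this is the knob users will flip when an app misbehaves, add a line such as `# WARNING: apps listed here share the host compositor / X server and are NOT graphically isolated` and a commented example showing the expected form (the entries are matched against the app name passed as `$1` to the run script). Also capitalise and punctuate the two comment lines consistently with the rest of the file (`# Apps not in this list will be graphically isolated using Sommelier.`).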

View file

@ -39,8 +39,26 @@ else # default guess
host_pulse=$XDG_RUNTIME_DIR/pulse/native
fi
# Make sure we have Sommelier running first
ensure_sommelier
if is_in_array "$1" "${DISPLAY_SERVER_APP_ALLOWLIST[@]}"; then
log "Allowing app $1 full access to Wayland / X11 sockets"
WAYLAND_SRC="${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}"
if [ -z "$DISPLAY" ]; then
# TODO: Maybe we can just ignore Xorg in these cases
die "$$DISPLAY must be set for apps granted full Wayland / Xorg access"
fi
XORG_SRC="/tmp/.X11-unix/X${DISPLAY/:/}"
if [ ! -S "${XORG_SRC}" ] || [ ! -S "${WAYLAND_SRC}" ]; then
die "Wayland / Xorg sockets do not exist"
fi
else
# Make sure we have Sommelier running first
ensure_sommelier
WAYLAND_SRC="$DOBU_TMP/xdg_runtime/wayland-1"
XORG_SRC="$DOBU_TMP/X11-unix/X1"
fi
# Prepare $HOME for the container
if [ ! -d "$home_path" ]; then
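Review bot: `die "$$DISPLAY must be set for apps granted full Wayland / Xorg access"` is a bug: inside double quotes `$$` expands to the shell's PID, so the message comes out as something like "12345DISPLAY must be set ..."; escape it as `\$DISPLAY` or use single quotes. Two more problems in the same branch: `XORG_SRC="/tmp/.X11-unix/X${DISPLAY/:/}"` only removes the colon, so a `DISPLAY` of `:0.0` or `localhost:0` yields `X0.0` / `Xlocalhost0` and the `-S` test fails with the generic "sockets do not exist" message; strip the host prefix and screen suffix with `${DISPLAY#*:}` and then `${...%%.*}`. And `WAYLAND_DISPLAY` is never checked for being set, so on an X11-only session `WAYLAND_SRC` becomes `$XDG_RUNTIME_DIR/` and the user again gets the unhelpful generic error; test it explicitly the way `DISPLAY` is (keeping in mind that the Wayland protocol also allows `WAYLAND_DISPLAY` to be an absolute socket path, which should be used as-is rather than prefixed with `XDG_RUNTIME_DIR`). Finally, since this branch bypasses Sommelier entirely, the "full access" line deserves to be logged at warning level if `log` supports one, so it stands out in normal runs.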
@ -84,10 +102,10 @@ podman run --rm "${podman_security_args[@]}" --name "$container_name" \
--mount type=tmpfs,destination=/tmp/.X11-unix,chown,tmpfs-mode=0700 \
`# Pass through Sommelier Wayland socket` \
`# Note that XDG_RUNTIME_DIR is already set in the image` \
-v "$DOBU_TMP/xdg_runtime/wayland-1":/xdg_runtime/wayland-0 \
-v "${WAYLAND_SRC}":/xdg_runtime/wayland-0 \
-e WAYLAND_DISPLAY=wayland-0 \
`# Pass through Sommelier X11 socket` \
-v "$DOBU_TMP/X11-unix/X1":/tmp/.X11-unix/X0 \
-v "${XORG_SRC}":/tmp/.X11-unix/X0 \
-e DISPLAY=:0 \
`# DRM render nodes` \
-v /dev/dri:/dev/dri \
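Review bot: the comments `# Pass through Sommelier Wayland socket` and `# Pass through Sommelier X11 socket` are now inaccurate, because `${WAYLAND_SRC}` and `${XORG_SRC}` may be the raw host sockets for allowlisted apps; reword them to something like "Pass through the Wayland socket (Sommelier's, or the host's for allowlisted apps)". Also, nothing in this hunk passes an X authority cookie into the container. The Sommelier path evidently works without one, but a host X server that enforces MIT-MAGIC-COOKIE-1 will reject connections from an allowlisted app, so either bind-mount the host's `XAUTHORITY` file alongside the socket and set `XAUTHORITY` in the container, or document that the allowlist only works with X servers that do not require xauth.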