apps/shattered-pixel-dungeon/Containerfile

@@ -1,9 +1,5 @@
 FROM dobu/deps-base-archlinux:latest
 
-# This is used to invalidate cache as needed by build-image;
-# depends on TRACK_PACKAGE_ARCHLINUX set in control
-ARG UPSTREAM_VERSION
-
 RUN pacman -Syu --noconfirm \
       && pacman -S --noconfirm shattered-pixel-dungeon
 

apps/shattered-pixel-dungeon/control

@@ -1,2 +0,0 @@
-#!/usr/bin/env bash
-TRACK_PACKAGE_ARCHLINUX="extra/any/shattered-pixel-dungeon"

build-image.sh

@@ -6,16 +6,4 @@ assert_prerequisites
 
 image_name="$(path_to_image_name "$1")"
 
-# Load config if we have it
+podman build -t "$image_name" "$1"
-[ -f "$script_path/$1/control" ] && . "$script_path/$1/control"
-
-extra_args=""
-
-if [ ! -z "${TRACK_PACKAGE_ARCHLINUX+x}" ]; then
-  log "Fetching upstream package version from Arch Linux"
-  upstream_ver="$(get_archlinux_pkg_ver "$TRACK_PACKAGE_ARCHLINUX")"
-  log "Latest upstream version: $upstream_ver"
-  extra_args="$extra_args --build-arg UPSTREAM_VERSION=$upstream_ver"
-fi
-
-podman build -t "$image_name" "$script_path/$1" $extra_args

dobu-run.sh

@@ -61,7 +61,9 @@ fi
 
 # The fun part: start the container!
 # Don't detach like we did with Sommelier, though
-podman run --rm "${podman_security_args[@]}" --name "$container_name" \
+podman run --rm --userns=keep-id:uid=1100,gid=1100 \
+    `# Use seccomp.json from Docker which blocks sub-namespaces (including sub-userns)` \
+    --security-opt seccomp="$script_path/assets/seccomp.json" --name "$container_name" \
     `# Create tmpfs mountpoints for runtime directories` \
     --mount type=tmpfs,destination=/xdg_runtime \
     --mount type=tmpfs,destination=/tmp/.X11-unix \

functions.sh

@@ -9,20 +9,8 @@ DOBU_TMP=/tmp/dobu
 . "$script_path/config-default.sh"
 [ -f "$script_path/config.sh" ] && . "$script_path/config.sh"
 
-# Default security-related arguments ALWAYS passed to podman
-# Install a seccomp filter that disallows sub-namespaces which could lead to exploits
-# and use the keep-id mode of userns, such that the user 1100 is mapped to the
-# current host user, and the root user inside the namespace is mapped to an unrelated
-# large uid on the host.
-podman_security_args=(
-  --security-opt
-  seccomp="$script_path/assets/seccomp.json"
-  --userns=keep-id:uid=1100,gid=1100
-)
-
 assert_prerequisites() {
   command -v podman >/dev/null 2>&1 || die "Podman is required"
-  command -v jq >/dev/null 2>&1 || die "jq is required"
   [ -S "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" ] || die "Dobu must be run under a compliant Wayland compositor"
 }
 
@@ -43,7 +31,7 @@ is_in_array() {
 }
 
 path_to_image_name() {
-  local context_path="$script_path/$1"
+  local context_path="$1"
 
   [ -d "$context_path" ] || die "$context_path does not exist"
 
@@ -76,7 +64,7 @@ ensure_sommelier() {
 
   log "Starting Sommelier as a nested compositor..."
 
-  podman run --rm -d "${podman_security_args[@]}" --name dobu-deps-sommelier \
+  podman run --rm -d --userns=keep-id:uid=1100,gid=1100 --name dobu-deps-sommelier \
     -v "$DOBU_TMP/xdg_runtime":/xdg_runtime \
     `# Pass through host wayland display for Sommelier always as wayland-0` \
     -v "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY":/xdg_runtime/wayland-0 \
@@ -85,12 +73,8 @@ ensure_sommelier() {
     `# DRM render nodes` \
     -v /dev/dri:/dev/dri \
     dobu/deps-sommelier
+
   while [ ! -S "$DOBU_TMP/xdg_runtime/wayland-1" ] || [ ! -S "$DOBU_TMP/X11-unix/X1" ]; do
- 
     sleep 0.5
   done
 }
-
-get_archlinux_pkg_ver() {
-  curl https://archlinux.org/packages/$1/json/ 2>/dev/null | jq -r '. | .pkgver + "-" + .pkgrel'
-}