diff --git a/apps/shattered-pixel-dungeon/Containerfile b/apps/shattered-pixel-dungeon/Containerfile index 10c0488..033e2bb 100644 --- a/apps/shattered-pixel-dungeon/Containerfile +++ b/apps/shattered-pixel-dungeon/Containerfile @@ -1,5 +1,9 @@ FROM dobu/deps-base-archlinux:latest +# This is used to invalidate cache as needed by build-image; +# depends on TRACK_PACKAGE_ARCHLINUX set in control +ARG UPSTREAM_VERSION + RUN pacman -Syu --noconfirm \ && pacman -S --noconfirm shattered-pixel-dungeon diff --git a/apps/shattered-pixel-dungeon/control b/apps/shattered-pixel-dungeon/control new file mode 100644 index 0000000..02574e5 --- /dev/null +++ b/apps/shattered-pixel-dungeon/control @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +TRACK_PACKAGE_ARCHLINUX="extra/any/shattered-pixel-dungeon" diff --git a/build-image.sh b/build-image.sh index 27511d7..60b136d 100755 --- a/build-image.sh +++ b/build-image.sh @@ -6,4 +6,16 @@ assert_prerequisites image_name="$(path_to_image_name "$1")" -podman build -t "$image_name" "$1" +# Load config if we have it +[ -f "$script_path/$1/control" ] && . "$script_path/$1/control" + +extra_args="" + +if [ ! -z "${TRACK_PACKAGE_ARCHLINUX+x}" ]; then + log "Fetching upstream package version from Arch Linux" + upstream_ver="$(get_archlinux_pkg_ver "$TRACK_PACKAGE_ARCHLINUX")" + log "Latest upstream version: $upstream_ver" + extra_args="$extra_args --build-arg UPSTREAM_VERSION=$upstream_ver" +fi + +podman build -t "$image_name" "$script_path/$1" $extra_args diff --git a/dobu-run.sh b/dobu-run.sh index 636aae6..5da5a7b 100755 --- a/dobu-run.sh +++ b/dobu-run.sh @@ -61,9 +61,7 @@ fi # The fun part: start the container! # Don't detach like we did with Sommelier, though -podman run --rm --userns=keep-id:uid=1100,gid=1100 \ - `# Use seccomp.json from Docker which blocks sub-namespaces (including sub-userns)` \ - --security-opt seccomp="$script_path/assets/seccomp.json" --name "$container_name" \ +podman run --rm "${podman_security_args[@]}" --name "$container_name" \ `# Create tmpfs mountpoints for runtime directories` \ --mount type=tmpfs,destination=/xdg_runtime \ --mount type=tmpfs,destination=/tmp/.X11-unix \ diff --git a/functions.sh b/functions.sh index 315239a..bfa4233 100644 --- a/functions.sh +++ b/functions.sh @@ -9,8 +9,20 @@ DOBU_TMP=/tmp/dobu . "$script_path/config-default.sh" [ -f "$script_path/config.sh" ] && . "$script_path/config.sh" +# Default security-related arguments ALWAYS passed to podman +# Install a seccomp filter that disallows sub-namespaces which could lead to exploits +# and use the keep-id mode of userns, such that the user 1100 is mapped to the +# current host user, and the root user inside the namespace is mapped to an unrelated +# large uid on the host. +podman_security_args=( + --security-opt + seccomp="$script_path/assets/seccomp.json" + --userns=keep-id:uid=1100,gid=1100 +) + assert_prerequisites() { command -v podman >/dev/null 2>&1 || die "Podman is required" + command -v jq >/dev/null 2>&1 || die "jq is required" [ -S "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" ] || die "Dobu must be run under a compliant Wayland compositor" } @@ -31,7 +43,7 @@ is_in_array() { } path_to_image_name() { - local context_path="$1" + local context_path="$script_path/$1" [ -d "$context_path" ] || die "$context_path does not exist" @@ -64,7 +76,7 @@ ensure_sommelier() { log "Starting Sommelier as a nested compositor..." - podman run --rm -d --userns=keep-id:uid=1100,gid=1100 --name dobu-deps-sommelier \ + podman run --rm -d "${podman_security_args[@]}" --name dobu-deps-sommelier \ -v "$DOBU_TMP/xdg_runtime":/xdg_runtime \ `# Pass through host wayland display for Sommelier always as wayland-0` \ -v "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY":/xdg_runtime/wayland-0 \ @@ -73,8 +85,12 @@ ensure_sommelier() { `# DRM render nodes` \ -v /dev/dri:/dev/dri \ dobu/deps-sommelier - while [ ! -S "$DOBU_TMP/xdg_runtime/wayland-1" ] || [ ! -S "$DOBU_TMP/X11-unix/X1" ]; do + sleep 0.5 done } + +get_archlinux_pkg_ver() { + curl https://archlinux.org/packages/$1/json/ 2>/dev/null | jq -r '. | .pkgver + "-" + .pkgrel' +}