Share podman security-related args between app and sommelier

apps/shattered-pixel-dungeon/Containerfile

@@ -1,5 +1,9 @@
 FROM dobu/deps-base-archlinux:latest
 
+# This is used to invalidate cache as needed by build-image;
+# depends on TRACK_PACKAGE_ARCHLINUX set in control
+ARG UPSTREAM_VERSION
+
 RUN pacman -Syu --noconfirm \
       && pacman -S --noconfirm shattered-pixel-dungeon
 

apps/shattered-pixel-dungeon/control

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+TRACK_PACKAGE_ARCHLINUX="extra/any/shattered-pixel-dungeon"

build-image.sh

@@ -6,4 +6,16 @@ assert_prerequisites
 
 image_name="$(path_to_image_name "$1")"
 
-podman build -t "$image_name" "$1"
+# Load config if we have it
+[ -f "$script_path/$1/control" ] && . "$script_path/$1/control"
+
+extra_args=""
+
+if [ ! -z "${TRACK_PACKAGE_ARCHLINUX+x}" ]; then
+  log "Fetching upstream package version from Arch Linux"
+  upstream_ver="$(get_archlinux_pkg_ver "$TRACK_PACKAGE_ARCHLINUX")"
+  log "Latest upstream version: $upstream_ver"
+  extra_args="$extra_args --build-arg UPSTREAM_VERSION=$upstream_ver"
+fi
+
+podman build -t "$image_name" "$script_path/$1" $extra_args

dobu-run.sh

@@ -61,9 +61,7 @@ fi
 
 # The fun part: start the container!
 # Don't detach like we did with Sommelier, though
-podman run --rm --userns=keep-id:uid=1100,gid=1100 \
+podman run --rm "${podman_security_args[@]}" --name "$container_name" \
-    `# Use seccomp.json from Docker which blocks sub-namespaces (including sub-userns)` \
-    --security-opt seccomp="$script_path/assets/seccomp.json" --name "$container_name" \
     `# Create tmpfs mountpoints for runtime directories` \
     --mount type=tmpfs,destination=/xdg_runtime \
     --mount type=tmpfs,destination=/tmp/.X11-unix \

functions.sh

@@ -9,8 +9,20 @@ DOBU_TMP=/tmp/dobu
 . "$script_path/config-default.sh"
 [ -f "$script_path/config.sh" ] && . "$script_path/config.sh"
 
+# Default security-related arguments ALWAYS passed to podman
+# Install a seccomp filter that disallows sub-namespaces which could lead to exploits
+# and use the keep-id mode of userns, such that the user 1100 is mapped to the
+# current host user, and the root user inside the namespace is mapped to an unrelated
+# large uid on the host.
+podman_security_args=(
+  --security-opt
+  seccomp="$script_path/assets/seccomp.json"
+  --userns=keep-id:uid=1100,gid=1100
+)
+
 assert_prerequisites() {
   command -v podman >/dev/null 2>&1 || die "Podman is required"
+  command -v jq >/dev/null 2>&1 || die "jq is required"
   [ -S "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" ] || die "Dobu must be run under a compliant Wayland compositor"
 }
 
@@ -31,7 +43,7 @@ is_in_array() {
 }
 
 path_to_image_name() {
-  local context_path="$1"
+  local context_path="$script_path/$1"
 
   [ -d "$context_path" ] || die "$context_path does not exist"
 
@@ -64,7 +76,7 @@ ensure_sommelier() {
 
   log "Starting Sommelier as a nested compositor..."
 
-  podman run --rm -d --userns=keep-id:uid=1100,gid=1100 --name dobu-deps-sommelier \
+  podman run --rm -d "${podman_security_args[@]}" --name dobu-deps-sommelier \
     -v "$DOBU_TMP/xdg_runtime":/xdg_runtime \
     `# Pass through host wayland display for Sommelier always as wayland-0` \
     -v "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY":/xdg_runtime/wayland-0 \
@@ -73,8 +85,12 @@ ensure_sommelier() {
     `# DRM render nodes` \
     -v /dev/dri:/dev/dri \
     dobu/deps-sommelier
-
   while [ ! -S "$DOBU_TMP/xdg_runtime/wayland-1" ] || [ ! -S "$DOBU_TMP/X11-unix/X1" ]; do
+ 
     sleep 0.5
   done
 }
+
+get_archlinux_pkg_ver() {
+  curl https://archlinux.org/packages/$1/json/ 2>/dev/null | jq -r '. | .pkgver + "-" + .pkgrel'
+}