Compare commits


3 commits

Author SHA1 Message Date
383f04133c Improve UUID and hostname 2025-07-20 09:04:17 -04:00
e63308b01e Update xwayland-satellite 2025-07-20 09:04:04 -04:00
c62316a056 Support unconfined seccomp profile 2025-07-14 21:08:41 -04:00
4 changed files with 9 additions and 6 deletions


@ -3,7 +3,7 @@ FROM dobu/deps-base-archlinux:latest
ARG UPSTREAM_VERSION
RUN pacman --noconfirm -Syu && \
pacman --noconfirm -S base-devel git sudo gnupg
pacman --noconfirm -S base-devel git sudo gnupg freetype2 lib32-freetype2 gnutls
RUN mkdir /src && chown user:user /src
RUN echo "user ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
@ -12,8 +12,6 @@ WORKDIR /src
WORKDIR /home/user
RUN sudo rm -rf /src
# machine-id is required for dconf/gsettings
RUN sudo dbus-uuidgen --ensure
RUN git clone https://aur.archlinux.org/icoextract.git && \
cd icoextract && makepkg --noconfirm -sci
@ -40,6 +38,7 @@ RUN git clone https://aur.archlinux.org/bottles.git && \
cd bottles && makepkg --noconfirm -sci
LABEL net.typeblog.dobu.desktop_file_path=/usr/share/applications/com.usebottles.bottles.desktop
LABEL net.typeblog.dobu.unsafe_i_know_what_i_am_doing_seccomp_unconfined=true
LABEL net.typeblog.dobu.x11_required=true
ENTRYPOINT [ "/usr/bin/bash", "-c", "export $(dbus-launch) && /usr/bin/bottles" ]
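Review bot: The new label at line 32 opts this image out of the seccomp filter entirely, but nothing in the Dockerfile records why the default profile (or the weaker `seccomp_unsafe.json` the launcher already supports) is not enough for Bottles. A one-line comment above the label, e.g. `# Bottles needs syscalls the bundled seccomp profiles block — TODO: list them so this can be tightened later`, would let a future maintainer judge whether the exemption is still needed instead of inheriting it blindly. The hunk also drops `dbus-uuidgen --ensure` from this stage; if machine-id is now produced at run time, a short note next to the removed step's neighbour (`# machine-id is provided by the launcher`) would explain the absence.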


@ -1,5 +1,5 @@
ARG WL_MITM_COMMIT=d133a2faa1732f8e3573fa81ef628fcc70a778f9
ARG XWAYLAND_SATELLITE_COMMIT=10cb041a80bb815cc1789cfa305923f1f9e3713d
ARG XWAYLAND_SATELLITE_COMMIT=ba78881a68182ce338041846164cbfed0d70935c
FROM docker.io/archlinux:base-devel-20250302.0.316047 AS builder-rust


@ -32,6 +32,8 @@ if [ "$(get_image_label "$image_name" net.typeblog.dobu.unsafe_i_know_what_i_am_
log "This is considered UNSAFE; DO NOT USE if the app inside container does not do its own sandboxing"
log "DO NOT USE if you don't trust sandboxing done by the app inside"
update_podman_security_args "seccomp_unsafe.json"
elif [ "$(get_image_label "$image_name" net.typeblog.dobu.unsafe_i_know_what_i_am_doing_seccomp_unconfined)" == "true" ]; then
update_podman_security_args "unconfined"
fi
x11_required=false
@ -130,7 +132,7 @@ if [[ "$(declare -p ${bind_mount_var_name} 2>&1)" =~ "declare -a" ]]; then
fi
# The fun part: start the container!
podman run --rm "${podman_security_args[@]}" --name "$container_name" \
podman run --rm "${podman_security_args[@]}" --name "$container_name" -h "$(hostname)" \
`# Create tmpfs mountpoints for runtime directories` \
--mount type=tmpfs,destination=/xdg_runtime,chown,tmpfs-mode=0700 \
--mount type=tmpfs,destination=/tmp/.X11-unix,chown,tmpfs-mode=0700 \
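Review bot: The new `elif` branch at line 50 switches the container to seccomp=unconfined silently, while the weaker `seccomp_unsafe.json` branch just above it logs two warnings; the fully unconfined case deserves at least the same notice, e.g. `log "Running with seccomp=unconfined; relying entirely on the app's own sandboxing"` before the `update_podman_security_args "unconfined"` call. The `if` this branch belongs to opens outside the hunk. Separately, line 58's `-h "$(hostname)"` gives the container the host's hostname, which appears intended by the commit message; a short comment on that line (`# share the host name so ...`) would keep it from being read as an accidental leak later.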


@ -13,6 +13,8 @@ DOBU_TMP=/tmp/dobu
update_podman_security_args() {
local seccomp_profile="$1"
[ -z "$seccomp_profile" ] && seccomp_profile="seccomp.json"
local seccomp_profile_path="$script_path/assets/$seccomp_profile"
[ "$seccomp_profile" == "unconfined" ] && seccomp_profile_path="$seccomp_profile"
# Default security-related arguments ALWAYS passed to podman
# Install a seccomp filter that disallows sub-namespaces which could lead to exploits
# and use the keep-id mode of userns, such that the user 1100 is mapped to the
@ -20,7 +22,7 @@ update_podman_security_args() {
# large uid on the host.
podman_security_args=(
--security-opt
seccomp="$script_path/assets/$seccomp_profile"
seccomp="$seccomp_profile_path"
--userns=keep-id:uid=1100,gid=1100
)
}
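Review bot: The comment block at lines 71-73 still says a seccomp filter disallowing sub-namespaces is ALWAYS installed, but with the new special case at line 70 that is no longer true when the caller passes `unconfined`; suggest rewording to `# Install a seccomp filter that disallows sub-namespaces (unless the caller asked for "unconfined", in which case no filter is applied)`. The comment block is split across the two hunks. A one-line comment at line 70, such as `# "unconfined" is handed straight to podman rather than resolved under assets/`, would also make the pass-through obvious to the next reader.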