From 41482e45242c2f2bc7136a2f936ccf657a675f64 Mon Sep 17 00:00:00 2001
From: Peter Cai <peter@typeblog.net>
Date: Sun, 9 Mar 2025 15:26:35 -0400
Subject: [PATCH 1/2] Update wl-mitm

---
 assets/wl-mitm-config.toml            | 2 +-
 deps/compositor-sandbox/Containerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/assets/wl-mitm-config.toml b/assets/wl-mitm-config.toml
index 508b574..0c1ddc4 100644
--- a/assets/wl-mitm-config.toml
+++ b/assets/wl-mitm-config.toml
@@ -3,7 +3,7 @@ listen = "/xdg_runtime/wayland-10"
 upstream = "/xdg_runtime/wayland-0"
 
 [exec]
-notify = "/usr/bin/notify-libnotify.sh"
+notify_cmd = "/usr/bin/notify-libnotify.sh"
 
 [filter]
 allowed_globals = [
diff --git a/deps/compositor-sandbox/Containerfile b/deps/compositor-sandbox/Containerfile
index da0407a..19400ca 100644
--- a/deps/compositor-sandbox/Containerfile
+++ b/deps/compositor-sandbox/Containerfile
@@ -1,4 +1,4 @@
-ARG WL_MITM_COMMIT=49ed44763955da1fd227220f52070d72ae61bfdc
+ARG WL_MITM_COMMIT=ea591acb8e1a4926e49011b8b5098ab4a5b37973
 ARG SOMMELIER_COMMIT=984b27ad47ee08178a3128d5c7e96eb109fe09da
 
 FROM docker.io/archlinux:base-devel-20250302.0.316047 AS builder-wl-mitm

From a821781ae008bfb256890c759f457fd9fe597be6 Mon Sep 17 00:00:00 2001
From: Peter Cai <peter@typeblog.net>
Date: Sun, 9 Mar 2025 15:52:08 -0400
Subject: [PATCH 2/2] Per-container compositor sandbox

---
 dobu-run.sh  |  9 +++++----
 functions.sh | 35 +++++++++++++++++++----------------
 2 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/dobu-run.sh b/dobu-run.sh
index 4b36073..90ea61e 100755
--- a/dobu-run.sh
+++ b/dobu-run.sh
@@ -6,7 +6,8 @@ assert_prerequisites
 
 [ -z "$1" ] && die "Expecting 1 argument"
 
-image_name="$(relative_path_to_image_name "apps/$1")"
+app_name="$1"
+image_name="$(relative_path_to_image_name "apps/$app_name")"
 # image_name is of the form dobu/xxxx, while for containers we want dobu-xxx
 container_name="${image_name/\//-}"
 home_path="$HOMEDIR_STORAGE/$1"
@@ -55,9 +56,9 @@ if is_in_array "$1" "${DISPLAY_SERVER_APP_ALLOWLIST[@]}"; then
   fi
 else
   # Make sure we have compositor-sandbox running first
-  ensure_compositor_sandbox
-  WAYLAND_SRC="$DOBU_TMP/xdg_runtime/wayland-10"
-  XORG_SRC="$DOBU_TMP/X11-unix/X1"
+  ensure_compositor_sandbox "$app_name"
+  WAYLAND_SRC="$DOBU_TMP/$app_name/xdg_runtime/wayland-10"
+  XORG_SRC="$DOBU_TMP/$app_name/X11-unix/X1"
 fi
 
 # Prepare $HOME for the container
diff --git a/functions.sh b/functions.sh
index 3b434f0..74faf5e 100644
--- a/functions.sh
+++ b/functions.sh
@@ -91,37 +91,40 @@ container_entrypoint() {
 }
 
 ensure_compositor_sandbox() {
+  local app_name="$1"
+  local sandbox_name=dobu-deps-compositor-sandbox-$app_name
+  local sandbox_tmp="$DOBU_TMP/$app_name"
   assert_image_exists dobu/deps-compositor-sandbox
-  remove_stale_container dobu-deps-compositor-sandbox
-  if container_exists dobu-deps-compositor-sandbox; then
-    existing_config_sha="$(sha1sum "$DOBU_TMP/wl-mitm-config.toml" | awk '{ print $1; }')"
+  remove_stale_container $sandbox_name
+  if container_exists $sandbox_name; then
+    existing_config_sha="$(sha1sum "$sandbox_tmp/wl-mitm-config.toml" | awk '{ print $1; }')"
     new_config_sha="$(sha1sum "$script_path/assets/wl-mitm-config.toml" | awk '{ print $1; }')"
-    [ -S "$DOBU_TMP/X11-unix/X1" ] && [ -S "$DOBU_TMP/xdg_runtime/wayland-10" ] && [ "$existing_config_sha" == "$new_config_sha" ] && return
+    [ -S "$sandbox_tmp/X11-unix/X1" ] && [ -S "$sandbox_tmp/xdg_runtime/wayland-10" ] && [ "$existing_config_sha" == "$new_config_sha" ] && return
     log "Killing non-functional compositor-sandbox container"
-    podman kill dobu-deps-compositor-sandbox
-    podman rm -f dobu-deps-compositor-sandbox
+    podman kill $sandbox_name
+    podman rm -f $sandbox_name
   fi
 
-  rm -rf "$DOBU_TMP/xdg_runtime" || true
-  rm -rf "$DOBU_TMP/X11-unix" || true
-  mkdir -p "$DOBU_TMP/xdg_runtime"
-  mkdir -p "$DOBU_TMP/X11-unix"
-  cp "$script_path/assets/wl-mitm-config.toml" "$DOBU_TMP/wl-mitm-config.toml"
+  rm -rf "$sandbox_tmp/xdg_runtime" || true
+  rm -rf "$sandbox_tmp/X11-unix" || true
+  mkdir -p "$sandbox_tmp/xdg_runtime"
+  mkdir -p "$sandbox_tmp/X11-unix"
+  cp "$script_path/assets/wl-mitm-config.toml" "$sandbox_tmp/wl-mitm-config.toml"
 
   log "Starting compositor-sandbox (wl-mitm for Wayland and X Sommelier for X11)..."
 
-  podman run --rm -d "${podman_security_args[@]}" --name dobu-deps-compositor-sandbox \
-    -v "$DOBU_TMP/xdg_runtime":/xdg_runtime \
+  podman run --rm -d "${podman_security_args[@]}" --name $sandbox_name \
+    -v "$sandbox_tmp/xdg_runtime":/xdg_runtime \
     `# wl-mitm config` \
-    -v "$DOBU_TMP/wl-mitm-config.toml":/tmp/wl-mitm-config.toml \
+    -v "$sandbox_tmp/wl-mitm-config.toml":/tmp/wl-mitm-config.toml \
     `# Pass through host wayland display for Sommelier always as wayland-0` \
     -v "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY":/xdg_runtime/wayland-0 \
     `# X11-unix uses hard-coded path` \
-    -v "$DOBU_TMP/X11-unix":/tmp/.X11-unix \
+    -v "$sandbox_tmp/X11-unix":/tmp/.X11-unix \
     `# DRM render nodes` \
     -v /dev/dri:/dev/dri \
     dobu/deps-compositor-sandbox
-  while [ ! -S "$DOBU_TMP/xdg_runtime/wayland-10" ] || [ ! -S "$DOBU_TMP/X11-unix/X1" ]; do
+  while [ ! -S "$sandbox_tmp/xdg_runtime/wayland-10" ] || [ ! -S "$sandbox_tmp/X11-unix/X1" ]; do
     sleep 0.5
   done
 }