From ded481634344c605eb8fd9a39040697c009af54e Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Sat, 10 Jun 2023 14:14:47 -0400 Subject: [PATCH 1/2] Migrate desktop file declaration to container labels --- apps/prismlauncher/Containerfile | 2 ++ apps/shattered-pixel-dungeon/Containerfile | 2 ++ apps/shattered-pixel-dungeon/control | 1 - apps/steam/Containerfile | 2 ++ apps/steam/control | 1 - create-shortcut.sh | 8 ++++---- functions.sh | 5 +++++ 7 files changed, 15 insertions(+), 6 deletions(-) diff --git a/apps/prismlauncher/Containerfile b/apps/prismlauncher/Containerfile index 63855cc..08c86e9 100644 --- a/apps/prismlauncher/Containerfile +++ b/apps/prismlauncher/Containerfile @@ -12,5 +12,7 @@ RUN apt-get -y update && apt-get -y install prismlauncher qtwayland5 openjdk-17- USER user +LABEL net.typeblog.dobu.desktop_file_path="/usr/share/applications/org.prismlauncher.PrismLauncher.desktop" + ENTRYPOINT [ "/usr/bin/prismlauncher" ] diff --git a/apps/shattered-pixel-dungeon/Containerfile b/apps/shattered-pixel-dungeon/Containerfile index 033e2bb..16d6b5f 100644 --- a/apps/shattered-pixel-dungeon/Containerfile +++ b/apps/shattered-pixel-dungeon/Containerfile @@ -9,4 +9,6 @@ RUN pacman -Syu --noconfirm \ USER user +LABEL net.typeblog.dobu.desktop_file_path="/usr/share/applications/shattered-pixel-dungeon.desktop" + ENTRYPOINT [ "/usr/bin/shattered-pixel-dungeon" ] diff --git a/apps/shattered-pixel-dungeon/control b/apps/shattered-pixel-dungeon/control index 690aa9b..65705b4 100644 --- a/apps/shattered-pixel-dungeon/control +++ b/apps/shattered-pixel-dungeon/control @@ -1,3 +1,2 @@ #!/usr/bin/env bash INVALIDATE_CACHE_UPSTREAM_ARCHLINUX="extra/any/shattered-pixel-dungeon" -DESKTOP_FILE_PATH="/usr/share/applications/shattered-pixel-dungeon.desktop" diff --git a/apps/steam/Containerfile b/apps/steam/Containerfile index 814a29c..bc8fba5 100644 --- a/apps/steam/Containerfile +++ b/apps/steam/Containerfile @@ -8,4 +8,6 @@ USER user ENV PROTON_NO_FSYNC=1 +LABEL net.typeblog.dobu.desktop_file_path="/usr/share/applications/steam.desktop" + ENTRYPOINT [ "/usr/games/steam" ] diff --git a/apps/steam/control b/apps/steam/control index eedff9f..1d0c74c 100644 --- a/apps/steam/control +++ b/apps/steam/control @@ -1,6 +1,5 @@ #!/usr/bin/env bash INVALIDATE_CACHE_UPSTREAM_UBUNTU="steam" -DESKTOP_FILE_PATH="/usr/share/applications/steam.desktop" # Steam Runtime requires its own namespaces # so we have to allow them in our seccomp filter. # Don't use it if you don't trust their sandboxing (pressure-vessel). diff --git a/create-shortcut.sh b/create-shortcut.sh index df2a8e9..5ef25ab 100755 --- a/create-shortcut.sh +++ b/create-shortcut.sh @@ -12,9 +12,9 @@ assert_image_exists "$image_name" [ -f "$script_path/apps/$1/control" ] || \ die "App $1 does not have a control file that defines how to generate a shortcut" -. "$script_path/apps/$1/control" +desktop_file_path="$(get_image_label "$image_name" "net.typeblog.dobu.desktop_file_path")" -[ -z "${DESKTOP_FILE_PATH+x}" ] && die "App $1 did not specify DESKTOP_FILE_PATH in its control file" +[ -z "$desktop_file_path" ] && die "App $1 did not specify desktop_file_path in its labels" # Create a temporary working directory # Because we will have to extract files from the container image @@ -36,8 +36,8 @@ log "Creating temporary container $tmp_container_name from $image_name" podman create --name "$tmp_container_name" "$image_name" -log "Extracting $DESKTOP_FILE_PATH from $tmp_container_name" -podman cp "$tmp_container_name:$DESKTOP_FILE_PATH" ./$1.desktop +log "Extracting $desktop_file_path from $tmp_container_name" +podman cp "$tmp_container_name:$desktop_file_path" ./$1.desktop log "Extracting /usr/share/icons from $tmp_container_name" podman cp "$tmp_container_name:/usr/share/icons" ./icons diff --git a/functions.sh b/functions.sh index b79c105..da697d3 100644 --- a/functions.sh +++ b/functions.sh @@ -72,6 +72,11 @@ container_exists() { podman container exists $1 > /dev/null 2>&1 } +get_image_label() { + assert_image_exists "$1" + podman inspect "$1" | jq -r ".[0].Labels.\"$2\"" +} + remove_stale_container() { container_exists "$1" || return 0 local is_running="$(podman inspect "$1" | jq -r '.[0].State.Running')" From 52faa6c6d7692dd5d22cd33568d6fbb70ec44ad6 Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Sat, 10 Jun 2023 14:45:44 -0400 Subject: [PATCH 2/2] Migrate allowing sub-namespaces to labels as well --- apps/steam/Containerfile | 5 +++++ dobu-run.sh | 6 +----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/apps/steam/Containerfile b/apps/steam/Containerfile index bc8fba5..1763985 100644 --- a/apps/steam/Containerfile +++ b/apps/steam/Containerfile @@ -10,4 +10,9 @@ ENV PROTON_NO_FSYNC=1 LABEL net.typeblog.dobu.desktop_file_path="/usr/share/applications/steam.desktop" +# Steam Runtime requires its own namespaces +# so we have to allow them in our seccomp filter. +# Don't use it if you don't trust their sandboxing (pressure-vessel). +LABEL net.typeblog.dobu.unsafe_i_know_what_i_am_doing_allow_namespaces="true" + ENTRYPOINT [ "/usr/games/steam" ] diff --git a/dobu-run.sh b/dobu-run.sh index 5e79c49..09745a9 100755 --- a/dobu-run.sh +++ b/dobu-run.sh @@ -26,11 +26,7 @@ if container_exists "$container_name"; then exit 0 fi -# Load app control file because some apps require run-time customization -# TODO: Maybe these things should really be container labels? -[ -f "$script_path/apps/$1/control" ] && . "$script_path/apps/$1/control" - -if [ "$UNSAFE_I_KNOW_WHAT_I_AM_DOING_ALLOW_NAMESPACES" == "true" ]; then +if [ "$(get_image_label "$image_name" net.typeblog.dobu.unsafe_i_know_what_i_am_doing_allow_namespaces)" == "true" ]; then log "Enabling sub-namespaces support inside this container" log "This is considered UNSAFE; DO NOT USE if the app inside container does not do its own sandboxing" log "DO NOT USE if you don't trust sandboxing done by the app inside"