From da9414d4a8607b6f3a2b179010ac3ef5243ac280 Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Sat, 31 Dec 2022 15:14:32 -0500
Subject: [PATCH] app_containers: Properly support different UID on host / in container

We simply use the same logic as the user namespaced case.
---
 app_containers/.local/bin/run_app_container | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/app_containers/.local/bin/run_app_container b/app_containers/.local/bin/run_app_container
index c59a061..fba06b2 100755
--- a/app_containers/.local/bin/run_app_container
+++ b/app_containers/.local/bin/run_app_container
@@ -7,10 +7,9 @@ die() {
 
 exit() {
 rm -rf "$container_xdg_runtime"
- if [ "$CONTAINER_USE_USERNS" = true ]; then
- setfacl -x u:$((private_users + run_as)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
- xhost -si:localuser:\#$((private_users + run_as))
- fi
+ # Remove the temporary facl-based permissions
+ setfacl -x u:$((user_on_host)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
+ xhost -si:localuser:\#$((user_on_host))
 }
 
 [ -z "$CONTAINER_NAME" ] && die "\$CONTAINER_NAME not set"
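Review bot: The cleanup in `exit()` now runs unconditionally, so if it is reached before `user_on_host` has been assigned (the `die "\$CONTAINER_NAME not set"` check on the following line fires long before the assignment in the second hunk, assuming `die` ends in `exit`, which is not visible here) `$((user_on_host))` coerces the unset variable to 0 and the script runs `setfacl -x u:0` and `xhost -si:localuser:#0`, touching root's entries instead of the container user's. Guard the removal on the variable actually being set, `[ -n "$user_on_host" ] || return`, placed ahead of the two calls, and drop the redundant arithmetic wrapper so an empty value is not silently turned into uid 0 (`u:$user_on_host`). The socket path should also be quoted, `"$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"`, here and in the matching grant in the second hunk. Note that `exit()` shadows the shell builtin, so every plain `exit` in the script goes through this cleanup, including early failure paths.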
@@ -67,14 +66,19 @@ done
 # Default to identity mapping, which does not provide uid isolation but does for capabilities
 private_users=identity
 bind_opts=""
+user_on_host=$run_as
 if [ "$CONTAINER_USE_USERNS" = true ]; then
 private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
 bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well
- # Grant the user inside the namespace access to the Wayland / Xorg display
- setfacl -m u:$((private_users + run_as)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
- xhost +si:localuser:\#$((private_users + run_as))
+ user_on_host=$((private_users + run_as))
 fi
 
+# Grant the user inside the container access to the Wayland / Xorg display
+# For the Wayland socket, a simple facl rule would suffice
+# For Xorg, we need to use the `xhost` facilities
+setfacl -m u:$user_on_host:rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
+xhost +si:localuser:\#$user_on_host
+
 sudo -A systemd-nspawn -M $CONTAINER_NAME \
 --private-users=$private_users --private-users-ownership=map \
 `# DNS (when containers do not have their own netns)` \
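Review bot: With `user_on_host=$run_as` in the non-namespaced case, the Wayland ACL and the `xhost +si:localuser` grant now apply to a real host uid, so any host account that happens to hold that uid gets read/write on the Wayland socket and full X server access for the container's lifetime, not just the process inside the container; the old code only ever granted to the randomly offset uid. That is presumably intended when `run_as` is the invoking user, but it deserves a comment at the `user_on_host=$run_as` line, e.g. `# Without userns the container uid is a host uid: the display grants below are visible to that host account too`. `run_as` is also fed straight into arithmetic expansion and into the `u:` ACL spec, so validate it first, `case "$run_as" in ''|*[!0-9]*) die "run_as must be a numeric uid" ;; esac`, and check the two grants instead of ignoring their status (`setfacl … || die "cannot grant Wayland access"`), otherwise the container starts without a display and the cleanup later removes entries that were never added. Where `run_as` is assigned is outside this hunk.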