app_containers: Properly support different UID on host / in container
We simply use the same logic as the user namespaced case.
This commit is contained in:
parent
fd3fcf1e36
commit
da9414d4a8
|
@ -7,10 +7,9 @@ die() {
|
||||||
|
|
||||||
exit() {
|
exit() {
|
||||||
rm -rf "$container_xdg_runtime"
|
rm -rf "$container_xdg_runtime"
|
||||||
if [ "$CONTAINER_USE_USERNS" = true ]; then
|
# Remove the temporary facl-based permissions
|
||||||
setfacl -x u:$((private_users + run_as)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
setfacl -x u:$((user_on_host)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
||||||
xhost -si:localuser:\#$((private_users + run_as))
|
xhost -si:localuser:\#$((user_on_host))
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
[ -z "$CONTAINER_NAME" ] && die "\$CONTAINER_NAME not set"
|
[ -z "$CONTAINER_NAME" ] && die "\$CONTAINER_NAME not set"
|
||||||
|
@ -67,14 +66,19 @@ done
|
||||||
# Default to identity mapping, which does not provide uid isolation but does for capabilities
|
# Default to identity mapping, which does not provide uid isolation but does for capabilities
|
||||||
private_users=identity
|
private_users=identity
|
||||||
bind_opts=""
|
bind_opts=""
|
||||||
|
user_on_host=$run_as
|
||||||
if [ "$CONTAINER_USE_USERNS" = true ]; then
|
if [ "$CONTAINER_USE_USERNS" = true ]; then
|
||||||
private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
|
private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
|
||||||
bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well
|
bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well
|
||||||
# Grant the user inside the namespace access to the Wayland / Xorg display
|
user_on_host=$((private_users + run_as))
|
||||||
setfacl -m u:$((private_users + run_as)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
|
||||||
xhost +si:localuser:\#$((private_users + run_as))
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Grant the user inside the container access to the Wayland / Xorg display
|
||||||
|
# For the Wayland socket, a simple facl rule would suffice
|
||||||
|
# For Xorg, we need to use the `xhost` facilities
|
||||||
|
setfacl -m u:$user_on_host:rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
||||||
|
xhost +si:localuser:\#$user_on_host
|
||||||
|
|
||||||
sudo -A systemd-nspawn -M $CONTAINER_NAME \
|
sudo -A systemd-nspawn -M $CONTAINER_NAME \
|
||||||
--private-users=$private_users --private-users-ownership=map \
|
--private-users=$private_users --private-users-ownership=map \
|
||||||
`# DNS (when containers do not have their own netns)` \
|
`# DNS (when containers do not have their own netns)` \
|
||||||
|
|
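Review bot: The cleanup in exit() (first hunk) now runs unconditionally and expands `$((user_on_host))`, but `user_on_host` is only assigned at the `user_on_host=$run_as` line of the second hunk; if exit() is reached before that point — plausibly via `die` on the `$CONTAINER_NAME` check, if die ends in `exit` — the arithmetic expansion of an unset name yields 0 (unless `set -u` is active), so the cleanup silently runs `setfacl -x u:0 …` and `xhost -si:localuser:#0` against uid 0 rather than doing nothing. The old `CONTAINER_USE_USERNS` guard did not cover this either, but dropping it widens the window, so I would add `[ -n "${user_on_host:-}" ] || return 0` right after the `rm -rf "$container_xdg_runtime"` line, since nothing else follows the two revocation commands in the visible body. On the grant side, a Unix socket never needs the execute bit, so `setfacl -m u:"$user_on_host":rw "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"` grants exactly what Wayland clients use, and quoting `$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY` on all four setfacl/xhost lines avoids word-splitting if either variable is ever unusual. A one-line comment above the `user_on_host=$run_as` default, e.g. `# Without a user namespace the container UID is the host UID (identity mapping)`, would make the non-userns branch self-explanatory.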