app_containers: Properly support different UID on host / in container

We simply use the same logic as the user namespaced case.

app_containers/.local/bin/run_app_container

@@ -7,10 +7,9 @@ die() {
 
 exit() {
   rm -rf "$container_xdg_runtime"
-  if [ "$CONTAINER_USE_USERNS" = true ]; then
+  # Remove the temporary facl-based permissions
-    setfacl -x u:$((private_users + run_as)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
+  setfacl -x u:$((user_on_host)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
-    xhost -si:localuser:\#$((private_users + run_as))
+  xhost -si:localuser:\#$((user_on_host))
-  fi
 }
 
 [ -z "$CONTAINER_NAME" ] && die "\$CONTAINER_NAME not set"
@@ -67,14 +66,19 @@ done
 # Default to identity mapping, which does not provide uid isolation but does for capabilities
 private_users=identity
 bind_opts=""
+user_on_host=$run_as
 if [ "$CONTAINER_USE_USERNS" = true ]; then
   private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
   bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well
-  # Grant the user inside the namespace access to the Wayland / Xorg display
+  user_on_host=$((private_users + run_as))
-  setfacl -m u:$((private_users + run_as)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
-  xhost +si:localuser:\#$((private_users + run_as))
 fi
 
+# Grant the user inside the container access to the Wayland / Xorg display
+# For the Wayland socket, a simple facl rule would suffice
+# For Xorg, we need to use the `xhost` facilities
+setfacl -m u:$user_on_host:rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
+xhost +si:localuser:\#$user_on_host
+
 sudo -A systemd-nspawn -M $CONTAINER_NAME \
     --private-users=$private_users --private-users-ownership=map \
     `# DNS (when containers do not have their own netns)` \