|
|
|
@ -10,6 +10,10 @@ exit() {
|
|
|
|
|
# Remove the temporary facl-based permissions
|
|
|
|
|
setfacl -x u:$((user_on_host)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
|
|
|
|
xhost -si:localuser:\#$((user_on_host))
|
|
|
|
|
|
|
|
|
|
for input in $(find /dev/input -type c); do
|
|
|
|
|
sudo setfacl -x u:$user_on_host $input
|
|
|
|
|
done
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[ -z "$CONTAINER_NAME" ] && die "\$CONTAINER_NAME not set"
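Review bot: The revocation added to `exit()` only happens if that function is actually reached; nothing in this hunk installs a `trap`, so if the script is interrupted or a later step fails, the container user is presumably left with `rw-` on every `/dev/input` node and on the Wayland socket until cleaned up by hand — worth confirming a `trap … EXIT INT TERM` elsewhere invokes this function, or adding one. The arithmetic expansion `u:$((user_on_host))` on the first two revocation lines is inconsistent with the plain `u:$user_on_host` used in the loop below and in the grant path; `setfacl -x u:"$user_on_host" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"` and `xhost -si:localuser:\#"$user_on_host"` read the same and quote the expansions. The `for input in $(find …)` loop word-splits its output and runs one `sudo` per device; `find /dev/input -type c -exec sudo setfacl -x u:"$user_on_host" {} +` revokes in a single call without that. Failures of these `setfacl` calls are silent, so a lingering grant would go unnoticed; a warning to stderr on non-zero status would make it visible. The opening line of `exit()` is outside the hunk.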
|
|
|
|
@ -79,6 +83,13 @@ fi
|
|
|
|
|
setfacl -m u:$user_on_host:rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
|
|
|
|
xhost +si:localuser:\#$user_on_host
|
|
|
|
|
|
|
|
|
|
# Grant the user inside the container access to input devices
|
|
|
|
|
# Note: any new device plugged in when the container is running would not
|
|
|
|
|
# be added properly here.
|
|
|
|
|
for input in $(find /dev/input -type c); do
|
|
|
|
|
sudo setfacl -m u:$user_on_host:rw- $input
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
sudo -A systemd-nspawn -M $CONTAINER_NAME \
|
|
|
|
|
--private-users=$private_users --private-users-ownership=map \
|
|
|
|
|
`# DNS (when containers do not have their own netns)` \
|
|
|
|
|