From edddafda266229c96fa93d28bf255a094b6147bb Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Sat, 31 Dec 2022 15:20:03 -0500
Subject: [PATCH] app_containers: Grant input devices access to inside the container

---
 app_containers/.local/bin/run_app_container | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/app_containers/.local/bin/run_app_container b/app_containers/.local/bin/run_app_container
index fba06b2..147b1a8 100755
--- a/app_containers/.local/bin/run_app_container
+++ b/app_containers/.local/bin/run_app_container
@@ -10,6 +10,10 @@ exit() {
   # Remove the temporary facl-based permissions
   setfacl -x u:$((user_on_host)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
   xhost -si:localuser:\#$((user_on_host))
+
+  for input in $(find /dev/input -type c); do
+    sudo setfacl -x u:$user_on_host $input
+  done
 }
 
 [ -z "$CONTAINER_NAME" ] && die "\$CONTAINER_NAME not set"
@@ -79,6 +83,13 @@ fi
 setfacl -m u:$user_on_host:rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
 xhost +si:localuser:\#$user_on_host
 
+# Grant the user inside the container access to input devices
+# Note: any new device plugged in when the container is running would not
+# be added properly here.
+for input in $(find /dev/input -type c); do
+  sudo setfacl -m u:$user_on_host:rw- $input
+done
+
 sudo -A systemd-nspawn -M $CONTAINER_NAME \
   --private-users=$private_users --private-users-ownership=map \
   `# DNS (when containers do not have their own netns)` \
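Review bot: The revoke added to `exit()` runs plain `sudo setfacl -x`, while the only other privileged call visible in this script is `sudo -A systemd-nspawn`; if sudo has to prompt at teardown and there is no askpass or TTY, the loop fails and the container user keeps read/write on every `/dev/input` node after the container is gone, which is exactly the state this cleanup exists to prevent. Because the same ACL entry is removed from every device, a single privileged `find` fixes that and the unquoted `$(find …)` word-splitting at once: `sudo -A find /dev/input -type c -exec setfacl -x "u:$user_on_host" {} +`. The existing Wayland/X lines in this hook spell the uid as `$((user_on_host))` whereas the new lines use `$user_on_host` — same value when it is numeric, but worth aligning. Whether `exit` is also wired to a trap so this runs on abnormal termination is not visible in the hunk; if it is not, the grants survive a crash too.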
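Review bot: `setfacl -m u:$user_on_host:rw-` is applied to every character device under `/dev/input`, which includes the host keyboard and mouse `event*` nodes, so for the lifetime of the container its user can read every host keystroke and grab devices — a far wider grant than a controller or tablet would need. If specific hardware is intended, filter before granting (a device list, or a `-name` pattern chosen to match it) and say so where the grant is made: `# WARNING: rw on event* nodes lets the container log host keystrokes; narrow the pattern if possible`. The loop also uses plain `sudo` where the nspawn call below uses `sudo -A`, and an unquoted `$(find …)`; `sudo -A find /dev/input -type c -exec setfacl -m "u:$user_on_host:rw-" {} +` addresses both in one line. A host-side ACL alone does not expose the nodes inside the container; whether the `systemd-nspawn` invocation also binds them is outside the hunk, since that command continues past its last line.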