app_containers: Use UID instead of username for $run_as

Note that we still assume the user name inside the container is `user`.
This commit is contained in:
Peter Cai 2022-12-31 15:01:54 -05:00
parent fc6ee67cf2
commit fab54bfafa

View file

@ -8,8 +8,8 @@ die() {
exit() {
rm -rf "$container_xdg_runtime"
if [ "$CONTAINER_USE_USERNS" = true ]; then
setfacl -x u:$((private_users + 1000)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
xhost -si:localuser:\#$((private_users + 1000))
setfacl -x u:$((private_users + run_as)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
xhost -si:localuser:\#$((private_users + run_as))
fi
}
@ -45,11 +45,13 @@ fi
[ -S $host_pulse ] || die "PulseAudio UNIX socket not found"
# Default username (assume `user` always has the same uid as the host user)
run_as=user
# Default user
run_as=$UID
# We assume the user named `user` inside the container always has the same UID as
# the user with uid $run_as on the host; this is currently not yet configurable
homedir=/home/user
if [ "$CONTAINER_RUN_AS_ROOT" = true ]; then
run_as=root
run_as=0
homedir=/root
fi
@ -61,8 +63,8 @@ if [ "$CONTAINER_USE_USERNS" = true ]; then
private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well
# Grant the user inside the namespace access to the Wayland / Xorg display
setfacl -m u:$((private_users + 1000)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
xhost +si:localuser:\#$((private_users + 1000))
setfacl -m u:$((private_users + run_as)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
xhost +si:localuser:\#$((private_users + run_as))
fi
SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINER_NAME \