|
|
|
@ -8,8 +8,8 @@ die() {
|
|
|
|
|
exit() {
|
|
|
|
|
rm -rf "$container_xdg_runtime"
|
|
|
|
|
if [ "$CONTAINER_USE_USERNS" = true ]; then
|
|
|
|
|
setfacl -x u:$((private_users + 1000)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
|
|
|
|
xhost -si:localuser:\#$((private_users + 1000))
|
|
|
|
|
setfacl -x u:$((private_users + run_as)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
|
|
|
|
xhost -si:localuser:\#$((private_users + run_as))
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -45,11 +45,13 @@ fi
|
|
|
|
|
|
|
|
|
|
[ -S $host_pulse ] || die "PulseAudio UNIX socket not found"
|
|
|
|
|
|
|
|
|
|
# Default username (assume `user` always has the same uid as the host user)
|
|
|
|
|
run_as=user
|
|
|
|
|
# Default user
|
|
|
|
|
run_as=$UID
|
|
|
|
|
# We assume the user named `user` inside the container always has the same UID as
|
|
|
|
|
# the user with uid $run_as on the host; this is currently not yet configurable
|
|
|
|
|
homedir=/home/user
|
|
|
|
|
if [ "$CONTAINER_RUN_AS_ROOT" = true ]; then
|
|
|
|
|
run_as=root
|
|
|
|
|
run_as=0
|
|
|
|
|
homedir=/root
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
@ -61,8 +63,8 @@ if [ "$CONTAINER_USE_USERNS" = true ]; then
|
|
|
|
|
private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
|
|
|
|
|
bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well
|
|
|
|
|
# Grant the user inside the namespace access to the Wayland / Xorg display
|
|
|
|
|
setfacl -m u:$((private_users + 1000)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
|
|
|
|
xhost +si:localuser:\#$((private_users + 1000))
|
|
|
|
|
setfacl -m u:$((private_users + run_as)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
|
|
|
|
xhost +si:localuser:\#$((private_users + run_as))
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINER_NAME \
|
|
|
|
|
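Review bot: The rewritten `setfacl -m u:$((private_users + run_as)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY` in the third hunk still leaves the path unquoted and unguarded, so when `WAYLAND_DISPLAY` is empty (an X11-only session, which the adjacent `xhost` call suggests is supported) the ACL lands on `$XDG_RUNTIME_DIR` itself and the container's mapped uid gets rwx on the whole runtime directory. Unless a check outside these hunks already rules that out, guard and quote it: `[ -n "$WAYLAND_DISPLAY" ] && setfacl -m "u:$((private_users + run_as)):rwx" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"`, and do the same for the `setfacl -x` line in `exit()` in the first hunk. Separately, `run_as=$UID` in the second hunk relies on a variable that bash sets but POSIX sh does not guarantee; the shebang is not visible here, so if the script runs under plain `sh`, `run_as=$(id -u)` keeps the uid arithmetic from being evaluated with an empty value.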