app_containers: Optionally support user namespaces
using the env variable CONTAINER_USE_USERNS
This commit is contained in:
parent
062d08778e
commit
fc6ee67cf2
1 changed files with 24 additions and 5 deletions
|
@ -5,6 +5,14 @@ die() {
|
|||
exit 1
|
||||
}
|
||||
|
||||
exit() {
|
||||
rm -rf "$container_xdg_runtime"
|
||||
if [ "$CONTAINER_USE_USERNS" = true ]; then
|
||||
setfacl -x u:$((private_users + 1000)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
||||
xhost -si:localuser:\#$((private_users + 1000))
|
||||
fi
|
||||
}
|
||||
|
||||
[ -z "$CONTAINER_NAME" ] && die "\$CONTAINER_NAME not set"
|
||||
[ -z "$DISPLAY" ] && die "\$DISPLAY not set (you must run the script in a desktop environment"
|
||||
|
||||
|
@ -15,8 +23,8 @@ if [ -f "$config" ]; then
|
|||
fi
|
||||
|
||||
# Create a XDG_RUNTIME_DIR for guest on host
|
||||
container_xdg_runtime="$(mktemp -d)"
|
||||
trap 'rm -rf -- "$container_xdg_runtime"' EXIT
|
||||
container_xdg_runtime="$(mktemp -d -p /var/tmp)"
|
||||
trap exit EXIT
|
||||
|
||||
# Link the current wayland session to the container's xdg runtime
|
||||
# Note that the session itself must be bind-mounted first
|
||||
|
@ -45,9 +53,20 @@ if [ "$CONTAINER_RUN_AS_ROOT" = true ]; then
|
|||
homedir=/root
|
||||
fi
|
||||
|
||||
# Userns-related config
|
||||
# Default to identity mapping, which does not provide uid isolation but does for capabilities
|
||||
private_users=identity
|
||||
bind_opts=""
|
||||
if [ "$CONTAINER_USE_USERNS" = true ]; then
|
||||
private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
|
||||
bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well
|
||||
# Grant the user inside the namespace access to the Wayland / Xorg display
|
||||
setfacl -m u:$((private_users + 1000)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
||||
xhost +si:localuser:\#$((private_users + 1000))
|
||||
fi
|
||||
|
||||
SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINER_NAME \
|
||||
`# This doesn't provide userns isolation, but it does provide capability isolation` \
|
||||
--private-users=identity \
|
||||
--private-users=$private_users --private-users-ownership=map \
|
||||
`# DNS (when containers do not have their own netns)` \
|
||||
--bind-ro=/run/systemd/resolve/stub-resolv.conf:/etc/resolv.conf \
|
||||
`# GPU` \
|
||||
|
@ -57,7 +76,7 @@ SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINE
|
|||
--bind-ro=/dev/input \
|
||||
--property=DeviceAllow='char-input r' \
|
||||
`# Xdg runtime` \
|
||||
--bind=$container_xdg_runtime:/run/xdg \
|
||||
--bind=$container_xdg_runtime:/run/xdg:$bind_opts \
|
||||
--setenv=XDG_RUNTIME_DIR=/run/xdg \
|
||||
`# Xorg / Xwayland` \
|
||||
--bind=/tmp/.X11-unix \
|
||||
|
|
Loading…
Reference in a new issue