|
|
|
@ -5,6 +5,14 @@ die() {
|
|
|
|
|
exit 1
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
exit() {
|
|
|
|
|
rm -rf "$container_xdg_runtime"
|
|
|
|
|
if [ "$CONTAINER_USE_USERNS" = true ]; then
|
|
|
|
|
setfacl -x u:$((private_users + 1000)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
|
|
|
|
xhost -si:localuser:\#$((private_users + 1000))
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[ -z "$CONTAINER_NAME" ] && die "\$CONTAINER_NAME not set"
|
|
|
|
|
[ -z "$DISPLAY" ] && die "\$DISPLAY not set (you must run the script in a desktop environment"
|
|
|
|
|
|
|
|
|
@ -15,8 +23,8 @@ if [ -f "$config" ]; then
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Create a XDG_RUNTIME_DIR for guest on host
|
|
|
|
|
container_xdg_runtime="$(mktemp -d)"
|
|
|
|
|
trap 'rm -rf -- "$container_xdg_runtime"' EXIT
|
|
|
|
|
container_xdg_runtime="$(mktemp -d -p /var/tmp)"
|
|
|
|
|
trap exit EXIT
|
|
|
|
|
|
|
|
|
|
# Link the current wayland session to the container's xdg runtime
|
|
|
|
|
# Note that the session itself must be bind-mounted first
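Review bot: The switch from `mktemp -d` to `mktemp -d -p /var/tmp` at line 125 is not explained, and the previous comment only says the directory is created for the guest. Presumably /var/tmp is needed because the directory is now bound with the `idmap` option, which requires a filesystem that supports idmapped mounts (a tmpfs-backed /tmp may not) — confirm and record it, e.g. `# /var/tmp, not /tmp: the dir is bind-mounted with idmap, which needs a filesystem supporting idmapped mounts`. Since /var/tmp persists across reboots and an EXIT trap does not run on SIGKILL, leftover `tmp.*` directories can accumulate there; worth a sentence in the same comment.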
|
|
|
|
@ -45,9 +53,20 @@ if [ "$CONTAINER_RUN_AS_ROOT" = true ]; then
|
|
|
|
|
homedir=/root
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Userns-related config
|
|
|
|
|
# Default to identity mapping, which does not provide uid isolation but does for capabilities
|
|
|
|
|
private_users=identity
|
|
|
|
|
bind_opts=""
|
|
|
|
|
if [ "$CONTAINER_USE_USERNS" = true ]; then
|
|
|
|
|
private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
|
|
|
|
|
bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well
|
|
|
|
|
# Grant the user inside the namespace access to the Wayland / Xorg display
|
|
|
|
|
setfacl -m u:$((private_users + 1000)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
|
|
|
|
xhost +si:localuser:\#$((private_users + 1000))
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINER_NAME \
|
|
|
|
|
`# This doesn't provide userns isolation, but it does provide capability isolation` \
|
|
|
|
|
--private-users=identity \
|
|
|
|
|
--private-users=$private_users --private-users-ownership=map \
|
|
|
|
|
`# DNS (when containers do not have their own netns)` \
|
|
|
|
|
--bind-ro=/run/systemd/resolve/stub-resolv.conf:/etc/resolv.conf \
|
|
|
|
|
`# GPU` \
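Review bot: The UID base at line 206 is drawn uniformly from 65536..2147418111, so it is almost never aligned to a 65536 boundary; if the installed systemd-nspawn requires `--private-users=` bases to be multiples of 65536 (check its man page), most runs will be rejected, and `private_users=$(( $(shuf -i 1-32766 -n1) * 65536 ))` would give an aligned base that still fits below 2^31 with its 65536-wide range. A random base also does not guarantee the range is disjoint from another running container's, which nspawn's own `pick` mode is meant to ensure; note in the comment why a random base is preferred over it. The `+ 1000` in the `setfacl`/`xhost` lines (224, 230) assumes the container user is uid 1000 and deserves a comment such as `# container user is assumed to be uid 1000; its host uid is base + 1000`. When `CONTAINER_RUN_AS_ROOT=true` the container process presumably runs as uid 0, mapped to host uid `$private_users`, so the grant to base+1000 may not cover it — verify. The `setfacl` target `$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY` should be quoted, as should `$CONTAINER_NAME` on line 247.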
|
|
|
|
@ -57,7 +76,7 @@ SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINE
|
|
|
|
|
--bind-ro=/dev/input \
|
|
|
|
|
--property=DeviceAllow='char-input r' \
|
|
|
|
|
`# Xdg runtime` \
|
|
|
|
|
--bind=$container_xdg_runtime:/run/xdg \
|
|
|
|
|
--bind=$container_xdg_runtime:/run/xdg:$bind_opts \
|
|
|
|
|
--setenv=XDG_RUNTIME_DIR=/run/xdg \
|
|
|
|
|
`# Xorg / Xwayland` \
|
|
|
|
|
--bind=/tmp/.X11-unix \
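Review bot: With `bind_opts` empty (the identity-mapping case) line 318 expands to `--bind=<dir>:/run/xdg:` with a trailing empty options field; unless nspawn is known to accept that, the non-userns path breaks. Make the separator conditional and quote the expansion: `--bind="$container_xdg_runtime:/run/xdg${bind_opts:+:$bind_opts}" \`. The `systemd-nspawn` invocation this line belongs to starts and ends outside this hunk.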
|
|
|
|
|