From fc6ee67cf23c2b8212c802777b339395260f3bee Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Sat, 31 Dec 2022 14:46:11 -0500
Subject: [PATCH] app_containers: Optionally support user namespaces using the env variable CONTAINER_USE_USERNS
---
 app_containers/.local/bin/run_app_container | 29 +++++++++++++++++----
 1 file changed, 24 insertions(+), 5 deletions(-)
diff --git a/app_containers/.local/bin/run_app_container b/app_containers/.local/bin/run_app_container
index 9bd1a27..003021a 100755
--- a/app_containers/.local/bin/run_app_container
+++ b/app_containers/.local/bin/run_app_container
@@ -5,6 +5,14 @@ die() {
     exit 1
 }
 
+exit() {
+    rm -rf "$container_xdg_runtime"
+    if [ "$CONTAINER_USE_USERNS" = true ]; then
+        setfacl -x u:$((private_users + 1000)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
+        xhost -si:localuser:\#$((private_users + 1000))
+    fi
+}
+
 [ -z "$CONTAINER_NAME" ] && die "\$CONTAINER_NAME not set"
 [ -z "$DISPLAY" ] && die "\$DISPLAY not set (you must run the script in a desktop environment"
 
@@ -15,8 +23,8 @@ if [ -f "$config" ]; then
 fi
 
 # Create a XDG_RUNTIME_DIR for guest on host
-container_xdg_runtime="$(mktemp -d)"
-trap 'rm -rf -- "$container_xdg_runtime"' EXIT
+container_xdg_runtime="$(mktemp -d -p /var/tmp)"
+trap exit EXIT
 
 # Link the current wayland session to the container's xdg runtime
 # Note that the session itself must be bind-mounted first
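Review bot: Defining a shell function named `exit` shadows the builtin, and `die()` (whose `exit 1` is the first context line of this hunk) is resolved at call time, so every `die` check below now runs the cleanup function and then keeps going instead of terminating the script; the next hunk wires the same shadowed name into `trap exit EXIT`. Renaming fixes both: `cleanup() {` here and `trap cleanup EXIT` in the next hunk. The new `rm -rf "$container_xdg_runtime"` also dropped the `--` the removed trap had and has no guard against an empty variable if `mktemp` failed; `rm -rf -- "${container_xdg_runtime:?}"` keeps that. The `$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY` argument to `setfacl -x` should be quoted, and the caveat about it being unguarded is raised on the hunk that adds the matching `setfacl -m`.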
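Review bot: The switch to `mktemp -d -p /var/tmp` has no comment saying why the default temp location no longer works, and the reason is not visible in this hunk; presumably it is because the directory is later bind-mounted with the `idmap` option and the filesystem backing /tmp may not support idmapped mounts, but that should be confirmed. A comment such as `# /var/tmp, not /tmp: this directory is bind-mounted with idmap below, which needs a filesystem that supports idmapped mounts` would record it. Note also that /var/tmp is not cleared at boot, so a directory left behind by a run killed before the EXIT trap fired will persist until removed by hand or by a tmpfiles age rule.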
@@ -45,9 +53,20 @@ if [ "$CONTAINER_RUN_AS_ROOT" = true ]; then
     homedir=/root
 fi
 
+# Userns-related config
+# Default to identity mapping, which does not provide uid isolation but does for capabilities
+private_users=identity
+bind_opts=""
+if [ "$CONTAINER_USE_USERNS" = true ]; then
+    private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
+    bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well
+    # Grant the user inside the namespace access to the Wayland / Xorg display
+    setfacl -m u:$((private_users + 1000)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
+    xhost +si:localuser:\#$((private_users + 1000))
+fi
+
 SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINER_NAME \
-    `# This doesn't provide userns isolation, but it does provide capability isolation` \
-    --private-users=identity \
+    --private-users=$private_users --private-users-ownership=map \
     `# DNS (when containers do not have their own netns)` \
     --bind-ro=/run/systemd/resolve/stub-resolv.conf:/etc/resolv.conf \
     `# GPU` \
@@ -57,7 +76,7 @@ SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINE
     --bind-ro=/dev/input \
     --property=DeviceAllow='char-input r' \
     `# Xdg runtime` \
-    --bind=$container_xdg_runtime:/run/xdg \
+    --bind=$container_xdg_runtime:/run/xdg:$bind_opts \
     --setenv=XDG_RUNTIME_DIR=/run/xdg \
     `# Xorg / Xwayland` \
     --bind=/tmp/.X11-unix \
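Review bot: `setfacl -m u:$((private_users + 1000)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY` runs without any check that `WAYLAND_DISPLAY` is set; the script validates only `DISPLAY` earlier, so in an X11-only session the path collapses to `$XDG_RUNTIME_DIR/` and the container's mapped UID is granted rwx on the whole runtime directory, where other sockets and session credentials live, rather than on one socket. Guard and quote it, e.g. `[ -n "$WAYLAND_DISPLAY" ] && setfacl -m "u:$((private_users + 1000)):rwx" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"`, and mirror the guard in the cleanup function added in the first hunk. The `+ 1000` presumes the user inside the container is UID 1000 and is repeated four times across the patch; a named variable with a comment would make that assumption visible. Separately, the base drawn by `shuf` is not checked against ranges already in use by other containers started the same way or by existing accounts, so two concurrent containers can overlap, which is worth stating in the "Pick a random starting offset" comment if it is accepted. Typo in the `bind_opts` comment: `incldue` → `include`.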
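Review bot: With `CONTAINER_USE_USERNS` unset, `bind_opts` is empty and the new line expands to `--bind=…:/run/xdg:` with a trailing colon, handing systemd-nspawn an empty option field; whether that is accepted depends on its bind-spec parser, and the pre-patch form (no option field) is only reproduced if it is. Appending the field conditionally avoids the question: `--bind=$container_xdg_runtime:/run/xdg${bind_opts:+:$bind_opts} \`. The nspawn command this line belongs to starts in the previous hunk and continues past the end of this one.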