From 0d9d4b363e7e2cedeedc492d16df1d4ffea10e0b Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Sun, 25 Dec 2022 23:01:15 -0500
Subject: [PATCH 1/4] app_containers: Bind Xorg sockets as rw
---
 app_containers/.local/bin/run_app_container | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app_containers/.local/bin/run_app_container b/app_containers/.local/bin/run_app_container
index 3c8f5c6..b4daf91 100755
--- a/app_containers/.local/bin/run_app_container
+++ b/app_containers/.local/bin/run_app_container
@@ -58,7 +58,7 @@ SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINE
 --bind=$container_xdg_runtime:/run/xdg \
 --setenv=XDG_RUNTIME_DIR=/run/xdg \
 `# Xorg / Xwayland` \
- --bind-ro=/tmp/.X11-unix \
+ --bind=/tmp/.X11-unix \
 --setenv=DISPLAY=$DISPLAY \
 `# Wayland (note the symlink created before in xdg runtime)` \
 --bind-ro=$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/run/host/$WAYLAND_DISPLAY \
From c64e51a2447363f8cc85932114b81ad15a2bd78c Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Mon, 26 Dec 2022 08:31:33 -0500
Subject: [PATCH 2/4] sway/bashrc: Disable MIT-SHM extension for Xwayland
MIT-SHM does not work well inside containers like systemd-nspawn
---
 bash/.bashrc | 1 +
 sway/.local/bin/Xwayland-noshm | 3 +++
 2 files changed, 4 insertions(+)
 create mode 100755 sway/.local/bin/Xwayland-noshm
diff --git a/bash/.bashrc b/bash/.bashrc
index 951875f..1a5afff 100644
--- a/bash/.bashrc
+++ b/bash/.bashrc
@@ -122,4 +122,5 @@ export GTK_THEME=Gruvbox-Material-Dark-HIDPI
 export GTK_IM_MODULE=fcitx
 export QT_IM_MODULE=fcitx
 export SDL_IM_MODULE=fcitx
+export WLR_XWAYLAND=$HOME/.local/bin/Xwayland-noshm
 $MACHINE_START_SWAY && [[ -z "$DISPLAY" && $(tty) == /dev/tty1 ]] && exec sway
diff --git a/sway/.local/bin/Xwayland-noshm b/sway/.local/bin/Xwayland-noshm
new file mode 100755
index 0000000..a588b44
--- /dev/null
+++ b/sway/.local/bin/Xwayland-noshm
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+exec /usr/bin/Xwayland -extension MIT-SHM $@
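Review bot: The new `--bind=/tmp/.X11-unix` line hands the container write access to the host's entire X11 socket directory, and neither the commit nor the script says why read-only stopped being sufficient; as far as I can tell, connecting to an existing Unix socket works on a read-only bind mount, so what rw really adds is the ability to create, replace or unlink socket files in that host directory from inside the container. If rw is genuinely required, record the reason in the script by extending the backtick comment on the preceding `# Xorg / Xwayland` continuation line, and consider binding only the socket file for the current display rather than the whole directory. The systemd-nspawn invocation this hunk belongs to starts and ends outside the hunk.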
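Review bot: `$@` is unquoted on the last line of the new Xwayland-noshm wrapper, so every argument the compositor passes is re-split on whitespace and subjected to glob expansion before it reaches Xwayland; the line should read `exec /usr/bin/Xwayland -extension MIT-SHM "$@"`. With the file being executed from WLR_XWAYLAND, a silently mangled argument would show up only as Xwayland failing to start, which is hard to trace back to the wrapper. A one-line header comment such as `# Xwayland wrapper that disables MIT-SHM, which misbehaves inside systemd-nspawn containers; used via WLR_XWAYLAND` would also make the file self-explaining.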
From 2e6e29ed34b33a6df8566a9dcc70088f3c3478c4 Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Mon, 26 Dec 2022 08:32:01 -0500
Subject: [PATCH 3/4] app_containers: Set DeviceAllow properly
/dev/dri and /dev/shm are NOT devices.
---
 app_containers/.local/bin/run_app_container | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/app_containers/.local/bin/run_app_container b/app_containers/.local/bin/run_app_container
index b4daf91..95b0f0a 100755
--- a/app_containers/.local/bin/run_app_container
+++ b/app_containers/.local/bin/run_app_container
@@ -49,8 +49,7 @@ SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINE
 `# GPU` \
 --bind=/dev/dri \
 --bind=/dev/shm \
- --property=DeviceAllow='/dev/dri rw' \
- --property=DeviceAllow='/dev/shm rw' \
+ --property=DeviceAllow='char-drm rw' \
 `# Input devices` \
 --bind-ro=/dev/input \
 --property=DeviceAllow='char-input r' \
From d8d634e45c10a82d7d7c36a767b376098d4535bc Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Mon, 26 Dec 2022 08:34:12 -0500
Subject: [PATCH 4/4] app_containers: Disable /dev/shm mount
We have disabled the MIT-SHM extension entirely.
---
 app_containers/.local/bin/run_app_container | 1 -
 1 file changed, 1 deletion(-)
diff --git a/app_containers/.local/bin/run_app_container b/app_containers/.local/bin/run_app_container
index 95b0f0a..85f6755 100755
--- a/app_containers/.local/bin/run_app_container
+++ b/app_containers/.local/bin/run_app_container
@@ -48,7 +48,6 @@ SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINE
 --bind-ro=/run/systemd/resolve/stub-resolv.conf:/etc/resolv.conf \
 `# GPU` \
 --bind=/dev/dri \
- --bind=/dev/shm \
 --property=DeviceAllow='char-drm rw' \
 `# Input devices` \
 --bind-ro=/dev/input \
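Review bot: The new `--property=DeviceAllow='char-drm rw'` line carries no explanation in the script itself, while the reason lives only in the commit message (`/dev/dri` is a directory rather than a device node, so the old path-based entries could never match). Suggest extending the backtick comment on the preceding `# GPU` continuation line to say that DeviceAllow takes a device-node path or a char-/block-GROUP name as listed in /proc/devices, and that /dev/dri being a directory is why the drm group is named here. Note that `char-drm rw` admits every node of that major, i.e. both the card and renderD nodes under the bound /dev/dri, which matches the bind but is wider than a render-only grant would be; and the `--bind=/dev/shm` line kept in this hunk needs no DeviceAllow entry since it is a tmpfs mount, not a device. The enclosing systemd-nspawn invocation starts and ends outside the hunk.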