From fad120e4aff3ce99c2c150e9f64fbf8eab8b518d Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Sat, 31 Dec 2022 10:58:34 -0500
Subject: [PATCH 1/2] app_containers: Enable userns with identity mapping by default
---
 app_containers/.local/bin/run_app_container | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app_containers/.local/bin/run_app_container b/app_containers/.local/bin/run_app_container
index 2c06ea2..5667aa5 100755
--- a/app_containers/.local/bin/run_app_container
+++ b/app_containers/.local/bin/run_app_container
@@ -44,6 +44,8 @@ if [ "$CONTAINER_RUN_AS_ROOT" = true ]; then
 fi
 SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINER_NAME \
+ `# This doesn't provide userns isolation, but it does provide capability isolation` \
+ --private-users=identity \
 `# DNS (when containers do not have their own netns)` \
 --bind-ro=/run/systemd/resolve/stub-resolv.conf:/etc/resolv.conf \
 `# GPU` \
From 4c18c58c6d7efa795b30af1d0c34bdbc59955647 Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Sat, 31 Dec 2022 11:13:53 -0500
Subject: [PATCH 2/2] app_containers: Handle pulse native socket properly
---
 app_containers/.local/bin/run_app_container | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/app_containers/.local/bin/run_app_container b/app_containers/.local/bin/run_app_container
index 5667aa5..13f8215 100755
--- a/app_containers/.local/bin/run_app_container
+++ b/app_containers/.local/bin/run_app_container
@@ -32,9 +32,12 @@ fi
 if [[ -n $PULSE_SERVER ]]; then
 # remove prefix
 host_pulse=${PULSE_SERVER#unix:}
 else
 # default guess
- host_pulse=$XDG_RUNTIME_DIR/pulse
+ host_pulse=$XDG_RUNTIME_DIR/pulse/native
 fi
+[ -S $host_pulse ] || die "PulseAudio UNIX socket not found"
+mkdir $container_xdg_runtime/pulse
+
 # Default username (assume `user` always has the same uid as the host user)
 run_as=user homedir=/home/user
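Review bot: The comment added above `--private-users=identity` should spell out what the mapping leaves unchanged: with an identity mapping the container's uids/gids are the host's, so uid 0 inside the container is uid 0 on every bind-mounted path, and the user namespace only reduces the capability set. I'd change the text inside the backticks to `# identity userns: uids/gids are 1:1 with the host (no uid isolation); only capabilities are restricted` so the line is not later read as a uid boundary. The backtick-comment form matches the rest of this argument list, so keeping that style is fine. The `sudo -A systemd-nspawn` command this hunk edits continues past the end of the hunk.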
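Review bot: The new socket check `[ -S $host_pulse ]` and the bind argument in the following hunk (`--bind-ro=$host_pulse:/run/host/pulse/native`) expand `$host_pulse` unquoted; the value comes from `$PULSE_SERVER`, an environment value the script does not control, so whitespace or glob characters in it break the test or the nspawn argument—use `[ -S "$host_pulse" ] || die "PulseAudio UNIX socket not found"` and quote the bind line the same way. The added `mkdir $container_xdg_runtime/pulse` has neither `-p` nor an error check, so it fails on a second launch when the directory already exists; `mkdir -p -- "$container_xdg_runtime/pulse" || die "cannot create pulse runtime dir"` keeps the intent and reports the failure. If `PULSE_SERVER` names a non-unix transport (for example `tcp:`), the `unix:` prefix strip leaves the value unchanged and the `-S` check fails with a message that does not say why; naming the transport in the message would help. `die` and `container_xdg_runtime` are defined outside this hunk.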
@@ -64,7 +67,7 @@ SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINE
 --bind-ro=$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/run/host/$WAYLAND_DISPLAY \
 --setenv=WAYLAND_DISPLAY=$WAYLAND_DISPLAY \
 `# PulseAudio` \
- --bind-ro=$host_pulse:/run/host/pulse \
+ --bind-ro=$host_pulse:/run/host/pulse/native \
 --setenv=PULSE_SERVER=unix:/run/host/pulse/native \
 `# DBus` \
 --bind-ro=$host_bus:/run/host/bus \