app_containers: Handle pulse native socket properly

app_containers: Enable userns with identity mapping by default
2022-12-31 11:13:53 -05:00 · 2022-12-31 10:58:34 -05:00
1 changed files with 7 additions and 2 deletions
--- a/app_containers/.local/bin/run_app_container
+++ b/app_containers/.local/bin/run_app_container
@ -32,9 +32,12 @@ fi
 if [[ -n $PULSE_SERVER ]]; then # remove prefix
  host_pulse=${PULSE_SERVER#unix:}
 else # default guess
-  host_pulse=$XDG_RUNTIME_DIR/pulse
+  host_pulse=$XDG_RUNTIME_DIR/pulse/native
 fi

+[ -S $host_pulse ] || die "PulseAudio UNIX socket not found"
+mkdir $container_xdg_runtime/pulse
+
 # Default username (assume `user` always has the same uid as the host user)
 run_as=user
 homedir=/home/user
@ -44,6 +47,8 @@ if [ "$CONTAINER_RUN_AS_ROOT" = true ]; then
 fi

 SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINER_NAME \
+    `# This doesn't provide userns isolation, but it does provide capability isolation` \
+    --private-users=identity \
    `# DNS (when containers do not have their own netns)` \
    --bind-ro=/run/systemd/resolve/stub-resolv.conf:/etc/resolv.conf \
    `# GPU` \
@ -62,7 +67,7 @@ SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINE
    --bind-ro=$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/run/host/$WAYLAND_DISPLAY \
    --setenv=WAYLAND_DISPLAY=$WAYLAND_DISPLAY \
    `# PulseAudio` \
-    --bind-ro=$host_pulse:/run/host/pulse \
+    --bind-ro=$host_pulse:/run/host/pulse/native \
    --setenv=PULSE_SERVER=unix:/run/host/pulse/native \
    `# DBus` \
    --bind-ro=$host_bus:/run/host/bus \
Author	SHA1	Message	Date
Peter Cai	4c18c58c6d	app_containers: Handle pulse native socket properly	2022-12-31 11:13:53 -05:00
Peter Cai	fad120e4af	app_containers: Enable userns with identity mapping by default	2022-12-31 10:58:34 -05:00