Compare commits
No commits in common. "edcfaef386495f1b9c62e8cce78478fd00ed9ce7" and "062d08778e9be0da4627557736207a4f73405c57" have entirely different histories.
edcfaef386
...
062d08778e
|
@ -5,24 +5,9 @@ die() {
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
|
||||||
cleanup() {
|
|
||||||
rm -rf "$container_xdg_runtime"
|
|
||||||
# Remove the temporary facl-based permissions
|
|
||||||
setfacl -x u:$((user_on_host)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
|
||||||
xhost -si:localuser:\#$((user_on_host))
|
|
||||||
|
|
||||||
for input in $(find /dev/input -type c); do
|
|
||||||
sudo setfacl -x u:$user_on_host $input
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
[ -z "$CONTAINER_NAME" ] && die "\$CONTAINER_NAME not set"
|
[ -z "$CONTAINER_NAME" ] && die "\$CONTAINER_NAME not set"
|
||||||
[ -z "$DISPLAY" ] && die "\$DISPLAY not set (you must run the script in a desktop environment"
|
[ -z "$DISPLAY" ] && die "\$DISPLAY not set (you must run the script in a desktop environment"
|
||||||
|
|
||||||
# Use a GUI-available askpass program for sudo
|
|
||||||
# This should be made configurable
|
|
||||||
export SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu
|
|
||||||
|
|
||||||
# Source configuration files if any
|
# Source configuration files if any
|
||||||
config="$HOME/.config/app_containers/$CONTAINER_NAME.sh"
|
config="$HOME/.config/app_containers/$CONTAINER_NAME.sh"
|
||||||
if [ -f "$config" ]; then
|
if [ -f "$config" ]; then
|
||||||
|
@ -30,8 +15,8 @@ if [ -f "$config" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create a XDG_RUNTIME_DIR for guest on host
|
# Create a XDG_RUNTIME_DIR for guest on host
|
||||||
container_xdg_runtime="$(mktemp -d -p /var/tmp)"
|
container_xdg_runtime="$(mktemp -d)"
|
||||||
trap cleanup EXIT
|
trap 'rm -rf -- "$container_xdg_runtime"' EXIT
|
||||||
|
|
||||||
# Link the current wayland session to the container's xdg runtime
|
# Link the current wayland session to the container's xdg runtime
|
||||||
# Note that the session itself must be bind-mounted first
|
# Note that the session itself must be bind-mounted first
|
||||||
|
@ -52,52 +37,17 @@ fi
|
||||||
|
|
||||||
[ -S $host_pulse ] || die "PulseAudio UNIX socket not found"
|
[ -S $host_pulse ] || die "PulseAudio UNIX socket not found"
|
||||||
|
|
||||||
# Default user
|
# Default username (assume `user` always has the same uid as the host user)
|
||||||
run_as=$UID
|
run_as=user
|
||||||
|
homedir=/home/user
|
||||||
if [ "$CONTAINER_RUN_AS_ROOT" = true ]; then
|
if [ "$CONTAINER_RUN_AS_ROOT" = true ]; then
|
||||||
run_as=0
|
run_as=root
|
||||||
|
homedir=/root
|
||||||
fi
|
fi
|
||||||
|
|
||||||
homedir=/
|
SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINER_NAME \
|
||||||
for line in $(sudo -A cat /var/lib/machines/$CONTAINER_NAME/etc/passwd); do
|
`# This doesn't provide userns isolation, but it does provide capability isolation` \
|
||||||
if [ "$(echo "$line" | cut -d: -f3)" == "$run_as" ]; then
|
--private-users=identity \
|
||||||
homedir="$(echo "$line" | cut -d: -f6)"
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
# Userns-related config
|
|
||||||
# Default to identity mapping, which does not provide uid isolation but does for capabilities
|
|
||||||
private_users=identity
|
|
||||||
bind_opts=""
|
|
||||||
user_on_host=$run_as
|
|
||||||
if [ "$CONTAINER_USE_USERNS" = true ]; then
|
|
||||||
private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
|
|
||||||
bind_opts="idmap"
|
|
||||||
user_on_host=$((private_users + run_as))
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Grant the user inside the container access to the Wayland / Xorg display
|
|
||||||
# For the Wayland socket, a simple facl rule would suffice
|
|
||||||
# For Xorg, we need to use the `xhost` facilities
|
|
||||||
setfacl -m u:$user_on_host:rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
|
|
||||||
xhost +si:localuser:\#$user_on_host
|
|
||||||
|
|
||||||
# Grant the user inside the container access to input devices
|
|
||||||
# Note: any new device plugged in when the container is running would not
|
|
||||||
# be added properly here.
|
|
||||||
for input in $(find /dev/input -type c); do
|
|
||||||
sudo -A setfacl -m u:$user_on_host:rw- $input
|
|
||||||
done
|
|
||||||
|
|
||||||
# Bind-mounts defined by the user (possibly in the container-specific config file)
|
|
||||||
# Format should be "src:target". target cannot be omitted
|
|
||||||
for mount in ${CONTAINER_BIND_MOUNTS[@]}; do
|
|
||||||
SYSTEMD_NSPAWN_EXTRA_ARGS+=" --bind=$mount:$bind_opts"
|
|
||||||
done
|
|
||||||
|
|
||||||
sudo -A systemd-nspawn -M $CONTAINER_NAME \
|
|
||||||
--private-users=$private_users --private-users-ownership=map \
|
|
||||||
`# DNS (when containers do not have their own netns)` \
|
`# DNS (when containers do not have their own netns)` \
|
||||||
--bind-ro=/run/systemd/resolve/stub-resolv.conf:/etc/resolv.conf \
|
--bind-ro=/run/systemd/resolve/stub-resolv.conf:/etc/resolv.conf \
|
||||||
`# GPU` \
|
`# GPU` \
|
||||||
|
@ -107,7 +57,7 @@ sudo -A systemd-nspawn -M $CONTAINER_NAME \
|
||||||
--bind-ro=/dev/input \
|
--bind-ro=/dev/input \
|
||||||
--property=DeviceAllow='char-input r' \
|
--property=DeviceAllow='char-input r' \
|
||||||
`# Xdg runtime` \
|
`# Xdg runtime` \
|
||||||
--bind=$container_xdg_runtime:/run/xdg:$bind_opts \
|
--bind=$container_xdg_runtime:/run/xdg \
|
||||||
--setenv=XDG_RUNTIME_DIR=/run/xdg \
|
--setenv=XDG_RUNTIME_DIR=/run/xdg \
|
||||||
`# Xorg / Xwayland` \
|
`# Xorg / Xwayland` \
|
||||||
--bind=/tmp/.X11-unix \
|
--bind=/tmp/.X11-unix \
|
||||||
|
|
Loading…
Reference in a new issue