PeterCxy/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Compare commits

base: PeterCxy:f0f41b542f9d6dc37ab997e597c168d904cc3d16
Branches Tags
PeterCxy:master
PeterCxy:uconsole
...
compare: PeterCxy:76a6d32738bc8ca5635f134432ad25e1282f8bea
Branches Tags
PeterCxy:master
PeterCxy:uconsole

2 commits
f0f41b542f ... 76a6d32738

Author SHA1 Message Date
Peter Cai
76a6d32738 Make bwrap bind mounts conditional 2026-04-20 21:34:19 -04:00
Peter Cai
2d035b17f6 Always RW bind PWD 2026-04-20 21:28:41 -04:00
1 changed files with 42 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

75
pi-bwrap/.local/bin/pi-bwrap
View file

@ -15,35 +15,51 @@ BWRAP_ARGS=(
# Hide XDG_RUNTIME_DIR for now
--tmpfs "$XDG_RUNTIME_DIR"
# Always give RW permission to PWD
--bind "$PWD" "$PWD"
# Now ro-bind some directories
--ro-bind "$HOME/.config" "$HOME/.config"
--ro-bind "$HOME/dotfiles" "$HOME/dotfiles"
--ro-bind "$HOME/.bashrc" "$HOME/.bashrc"
--ro-bind "$HOME/.bash_profile" "$HOME/.bash_profile"
# Pi directory
--bind "$HOME/.pi" "$HOME/.pi"
# NVM (Pi is installed by a node version in nvm)
--bind "$HOME/.nvm" "$HOME/.nvm"
# Language / dev stuff
--bind "$HOME/.cargo" "$HOME/.cargo"
--bind "$HOME/.rustup" "$HOME/.rustup"
--bind "$HOME/Android" "$HOME/Android"
--bind "$HOME/.npm" "$HOME/.npm"
--bind "$HOME/.gradle" "$HOME/.gradle"
--bind "$HOME/.cache/go" "$HOME/.cache/go"
--bind "$HOME/go" "$HOME/go"
# Now remount rootfs as ro
--remount-ro /
)
# Dynamically add ro-bind rules only when paths exist
add_ro_bind() {
if [ -e "$1" ]; then
[ "$DEBUG" == "true" ] && echo "Adding RO bind $1"
BWRAP_ARGS+=(--ro-bind "$1" "$1")
else
echo "Skipping RO bind $1"
fi
}
add_bind() {
if [ -e "$1" ]; then
[ "$DEBUG" == "true" ] && echo "Adding RW bind $1"
BWRAP_ARGS+=(--bind "$1" "$1")
else
echo "Skipping RW bind $1"
fi
}
# Ro-bind some directories (only if they exist)
add_ro_bind "$HOME/.config"
add_ro_bind "$HOME/dotfiles"
add_ro_bind "$HOME/.bashrc"
add_ro_bind "$HOME/.bash_profile"
# Pi directory (rw bind, only if it exists)
add_bind "$HOME/.pi"
# NVM (Pi is installed by a node version in nvm)
add_bind "$HOME/.nvm"
# Language / dev stuff
add_bind "$HOME/.cargo"
add_bind "$HOME/.rustup"
add_bind "$HOME/Android"
add_bind "$HOME/.npm"
add_bind "$HOME/.gradle"
add_bind "$HOME/.cache/go"
add_bind "$HOME/go"
# Always give RW permission to PWD
BWRAP_ARGS+=(--bind "$PWD" "$PWD")
PI_ARGS=()
while [ ! -z "$1" ]; do
@ -54,7 +70,7 @@ while [ ! -z "$1" ]; do
exit 1
fi
real_path="$(readlink -f "$2")"
BWRAP_ARGS+=("--bind" "$real_path" "$real_path")
add_bind "$real_path"
shift
shift
;;
@ -65,5 +81,8 @@ while [ ! -z "$1" ]; do
esac
done
# Now remount rootfs as ro
BWRAP_ARGS+=(--remount-ro /)
echo "Launching pi within bwrap jail..."
bwrap "${BWRAP_ARGS[@]}" $scriptpath/pi-wrapper-inner "${PI_ARGS[@]}"