Fix x, wayland and pulse passthrough, use OS user id and display and use env -i
parent
da3d4820af
commit
c2f605367d
47
sandbox.sh
47
sandbox.sh
|
@ -1,6 +1,6 @@
|
|||
#!/bin/bash
|
||||
USERID=1000
|
||||
GROUPID=1000
|
||||
USERID=`id -u`
|
||||
GROUPID=`id -u`
|
||||
NEW_HOME=$HOME
|
||||
NATIVEUSERID=`id -u`
|
||||
|
||||
|
@ -12,9 +12,9 @@ NATIVEUSERID=`id -u`
|
|||
# This is actually a nicety for users so they can add custom configs in sandbox/$1/addconf.sh
|
||||
if [ -e $HOME/sandbox/$1/addconf.sh ]
|
||||
then
|
||||
ADDITIONALLINES=`cat $HOME/sandbox/$1/addconf.sh`
|
||||
ADDITIONALLINES=`cat $HOME/sandbox/$1/addconf.sh`
|
||||
else
|
||||
ADDITIONALLINES=""
|
||||
ADDITIONALLINES=""
|
||||
fi
|
||||
|
||||
env=()
|
||||
|
@ -35,6 +35,34 @@ done
|
|||
mkdir -p $HOME/sandbox/$1/main/$NEW_HOME
|
||||
mkdir -p $HOME/sandbox/$1/tmp
|
||||
|
||||
#Adding Wayland, Pulse and Xorg sockets to overriden paths in /tmp
|
||||
#where we also set XDG_TEMP_DIR to so XDG clients can interact with it
|
||||
WAYLAND=""
|
||||
if [ "$WAYLAND_DISPLAY" != "" ] && [ -S "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" ]
|
||||
then
|
||||
WAYLAND="--bind $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY /tmp/$WAYLAND_DISPLAY"
|
||||
WAYLAND="$WAYLAND --setenv WAYLAND_DISPLAY $WAYLAND_DISPLAY"
|
||||
fi
|
||||
|
||||
#Relies on the XDG socket, change this if you want a network based pulse!
|
||||
PULSE=""
|
||||
if [ -S "$XDG_RUNTIME_DIR/pulse/native" ]
|
||||
then
|
||||
PULSE="--bind $XDG_RUNTIME_DIR/pulse/native /tmp/pulse_socket"
|
||||
PULSE="$PULSE --setenv PULSE_SERVER /tmp/pulse_socket"
|
||||
fi
|
||||
|
||||
XORG=""
|
||||
if [ "$DISPLAY" != "" ] && [ -d /tmp/.X11-unix ]
|
||||
then
|
||||
XORG="--bind /tmp/.X11-unix /tmp/.X11-unix"
|
||||
XORG="$XORG --setenv DISPLAY $DISPLAY"
|
||||
#Disable X Shared Memory (Might not be supported by all clients like wine)
|
||||
#either compile wine yourself or disable the ipc namespace in that case
|
||||
XORG="$XORG --setenv QT_X11_NO_MITSHM 1 --setenv _X11_NO_MITSHM 1 --setenv _MITSHM 0"
|
||||
fi
|
||||
|
||||
env -i \
|
||||
bwrap `#The base bwrap` \
|
||||
--bind $HOME/sandbox/$1/main/ / `#this re-binds the virtual / in the users home to the bubblewrapped /` \
|
||||
--bind $HOME/sandbox/$1/tmp/ /tmp `#Allow writing to a virtual /tmp as well` \
|
||||
|
@ -51,7 +79,6 @@ bwrap `#The base bwrap` \
|
|||
--tmpfs /run --dir /run/user/$USERID `#same for run, but make sure the virtual user run dir exists` \
|
||||
--bind $HOME/sandbox/$1/main/$NEW_HOME $NEW_HOME `#binding the user home to our wanted directory` \
|
||||
--dev-bind /sys/dev/char /sys/dev/char `#more bindings for gpu accel access` \
|
||||
--dev-bind /run/user/$NATIVEUSERID/pulse /run/user/$USERID/pulse `#allows applications to have sound` \
|
||||
${pci[@]} `#this will add all gpus in the system as dev-bind, so we can access them (gpu accel)` \
|
||||
--unshare-all `#even if in the future more can be unshared, auto-do it` \
|
||||
--unshare-user `#dont just try to unshare the user, enforce doing so!` \
|
||||
|
@ -64,18 +91,18 @@ ${pci[@]} `#this will add all gpus in the system as dev-bind, so we can access t
|
|||
--as-pid-1 `#the virtual process will get pid1 and think its the init process, to hide PIDs` \
|
||||
--cap-drop ALL `#drops capabilities even if you run this as root (you likely shouldnt)` \
|
||||
--chdir $NEW_HOME `#change working dir in the virtual env to this` \
|
||||
${env[@]} `#get rid of all env vars, as they can expose host information` \
|
||||
--unsetenv 'BASH_FUNC_module%%' `#bash internal function unset x3` \
|
||||
--unsetenv 'BASH_FUNC__module_raw%%' \
|
||||
--unsetenv 'BASH_FUNC_switchml%%' \
|
||||
`#${env[@]} # alternative way to get rid of all env vars, as they can expose host information. Superseded by env -i` \
|
||||
--setenv HOME "$NEW_HOME" `#tricks some applications to accept the virtual home` \
|
||||
--setenv PWD "$NEW_HOME" `#same` \
|
||||
--setenv LC_ALL "en_US.UTF-8" `#set common lang - likely should get this from main os but no bug reports for it so far. :P` \
|
||||
--setenv DISPLAY ":0" `#let there be display` \
|
||||
--setenv XDG_RUNTIME_DIR "/tmp" `#put desktop app temp files here if they rely on xdg` \
|
||||
--setenv TERM "xterm-256color" `#enforce full color terms` \
|
||||
--setenv COLORTERM "truecolor" `#not setting this can crash some term emulators` \
|
||||
--setenv DEFAULT_USER $USERID `#more user trickery` \
|
||||
--setenv PATH "/usr/local/bin:/usr/share/Modules/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin" `#make tools aware of our modified preferred paths` \
|
||||
--ro-bind /run/systemd/resolve/stub-resolv.conf /run/systemd/resolve/stub-resolv.conf `#Allow Resolving with systemd-resolved` \
|
||||
$PULSE `#add sound` \
|
||||
$WAYLAND `#allow wayland passthrough` \
|
||||
$XORG `#Allow XORG passthrough` \
|
||||
$ADDITIONALLINES `#add user config` \
|
||||
$1 `#run the actual tool`
|
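Review bot: Binding the whole host `/tmp/.X11-unix` directory read-write in the Xorg block exposes the host X server to the sandboxed program, and X11 does not isolate clients from one another: any client authorised to connect can observe the input and window contents of every other application on that display. Consider skipping the X11 bind when the Wayland socket was found, otherwise binding only the current display's socket, and recording the trade-off next to the bind, e.g. `# X11 passthrough: sandboxed clients can read input/screen of other X clients`. `$PULSE`, `$WAYLAND` and `$XORG` are also expanded unquoted in the bwrap call, so an `XDG_RUNTIME_DIR` or `WAYLAND_DISPLAY` containing whitespace splits into extra bwrap arguments; bash arrays expanded as `"${xorg[@]}"` avoid that. Separately, the first hunk assigns GROUPID from `id -u`, which is the user id again; `GROUPID=$(id -g)` looks like what was meant, though where GROUPID is used lies outside the visible hunks.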