2021-05-18 22:10:35 +02:00
|
|
|
import os
|
2021-06-19 16:33:47 +02:00
|
|
|
import args
|
2021-06-20 14:09:30 +02:00
|
|
|
import json
|
2021-06-27 16:46:29 +02:00
|
|
|
import dbus
|
2021-06-19 16:33:47 +02:00
|
|
|
import utils
|
2021-05-18 22:10:35 +02:00
|
|
|
import bwrap
|
|
|
|
import config
|
|
|
|
import options
|
|
|
|
|
2021-06-20 14:09:30 +02:00
|
|
|
proc sandboxExec*(args: Args) =
|
2021-06-19 16:33:47 +02:00
|
|
|
var call = BwrapCall()
|
2021-06-20 14:09:30 +02:00
|
|
|
var configPath = none(string)
|
2021-05-18 22:10:35 +02:00
|
|
|
|
2021-06-27 16:46:29 +02:00
|
|
|
let hostname = args.name.get(getProfile(args))
|
2021-05-18 22:10:35 +02:00
|
|
|
|
2021-06-19 16:33:47 +02:00
|
|
|
if args.name.isSome:
|
|
|
|
let name = args.name.unsafeGet
|
|
|
|
let sandboxPath = getSandboxPath(name)
|
|
|
|
let sandboxFiles = sandboxPath.joinPath("files")
|
2021-06-20 14:09:30 +02:00
|
|
|
let userConfig = sandboxPath.joinPath("config.json")
|
2021-05-18 22:10:35 +02:00
|
|
|
|
2021-06-19 16:33:47 +02:00
|
|
|
createDir(sandboxFiles)
|
|
|
|
call.addArg("--bind", sandboxFiles, getHomeDir())
|
2021-05-18 22:10:35 +02:00
|
|
|
|
2021-06-20 14:09:30 +02:00
|
|
|
if not fileExists(userConfig):
|
|
|
|
let newConfig = %* {"extends": getProfile(args)}
|
|
|
|
writeFile(userConfig, $newConfig)
|
|
|
|
|
|
|
|
configPath = some(userConfig)
|
|
|
|
|
|
|
|
if configPath.isNone or not fileExists(configPath.unsafeGet):
|
|
|
|
configPath = some(getProfilePath(args))
|
|
|
|
|
|
|
|
var config = loadConfig(configPath.unsafeGet)
|
|
|
|
config.extendConfig()
|
2021-05-18 22:10:35 +02:00
|
|
|
|
2021-06-27 16:46:29 +02:00
|
|
|
var proxy = DbusProxy()
|
|
|
|
|
|
|
|
proxy
|
|
|
|
.paths("/run/user/1000/bus", "/run/user/1000/.bus-sandboxed/test2")
|
|
|
|
.addCall("org.freedesktop.Notifications.*=@/org/freedesktop/Notifications")
|
|
|
|
.addCall("org.freedesktop.portal.*=*")
|
|
|
|
.addBroadcast("org.freedesktop.portal.*=@/org/freedesktop/portal/*")
|
|
|
|
.addOwn("org.mpris.MediaPlayer2.spotify")
|
|
|
|
.filter()
|
|
|
|
.log()
|
|
|
|
.exec()
|
|
|
|
|
2021-05-18 22:10:35 +02:00
|
|
|
call
|
2021-06-27 16:46:29 +02:00
|
|
|
.addArg("--dev", "/dev")
|
|
|
|
# https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496
|
|
|
|
.addMount("--dev-bind", "/dev/dri")
|
|
|
|
.addMount("--dev-bind", "/dev/nvidiactl")
|
|
|
|
.addMount("--dev-bind", "/dev/nvidia-modeset")
|
|
|
|
.addMount("--dev-bind", "/dev/nvidia0")
|
2021-06-20 14:09:30 +02:00
|
|
|
.addMount("--dev-bind", "/dev/random")
|
|
|
|
.addMount("--dev-bind", "/dev/urandom")
|
2021-06-27 16:46:29 +02:00
|
|
|
.addArg("--ro-bind", "/run/user/1000/.bus-sandboxed/test2", "/run/user/1000/bus")
|
2021-06-16 19:48:13 +02:00
|
|
|
.addArg("--tmpfs", "/tmp")
|
2021-06-27 16:46:29 +02:00
|
|
|
.addArg("--tmpfs", "/dev/shm")
|
2021-05-18 22:10:35 +02:00
|
|
|
.addArg("--proc", "/proc")
|
|
|
|
.addArg("--unshare-all")
|
|
|
|
.addArg("--share-net")
|
|
|
|
.addArg("--die-with-parent")
|
2021-06-20 14:09:30 +02:00
|
|
|
.addArg("--setenv", "BWSANDBOX", "1")
|
|
|
|
.applyConfig(config)
|
2021-05-18 22:10:35 +02:00
|
|
|
|
2021-06-20 14:09:30 +02:00
|
|
|
if config.mountcwd.get(false):
|
2021-06-16 19:48:13 +02:00
|
|
|
call
|
|
|
|
.addMount("--bind", getCurrentDir())
|
|
|
|
.addArg("--chdir", getCurrentDir())
|
|
|
|
|
2021-06-20 14:09:30 +02:00
|
|
|
if config.sethostname.get(false):
|
|
|
|
call
|
|
|
|
.addArg("--hostname", hostname)
|
2021-05-18 22:10:35 +02:00
|
|
|
|
2021-06-19 16:33:47 +02:00
|
|
|
call.addArg(args.getCmd).exec()
|