diff --git a/lib/dbus.nim b/lib/dbus.nim new file mode 100644 index 0000000..1a40f8b --- /dev/null +++ b/lib/dbus.nim @@ -0,0 +1,43 @@ +import strformat +import osproc + +type DbusProxy* = object + args: seq[string] + +proc addSee*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} = + proxy.args.add(&"--see={name}") + proxy + +proc addTalk*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} = + proxy.args.add(&"--talk={name}") + proxy + +proc addOwn*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} = + proxy.args.add(&"--own={name}") + proxy + +proc addCall*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} = + proxy.args.add(&"--call={name}") + proxy + +proc addBroadcast*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} = + proxy.args.add(&"--broadcast={name}") + proxy + +proc paths*(proxy: var DbusProxy, systembus: string, filterbus: string): var DbusProxy {.discardable.} = + proxy.args.add(&"unix:path={systembus}") + proxy.args.add(filterbus) + proxy + +proc log*(proxy: var DbusProxy): var DbusProxy {.discardable.} = + proxy.args.add("--log") + proxy + +proc filter*(proxy: var DbusProxy): var DbusProxy {.discardable.} = + proxy.args.add("--filter") + proxy + +proc exec*(proxy: DbusProxy): Process {.discardable.} = + # todo: start dbus proxy in bwrap + # todo: pass arguments as fd + startProcess("xdg-dbus-proxy", args = proxy.args, options = {poEchoCmd, poParentStreams, poUsePath}) \ No newline at end of file diff --git a/lib/sandbox.nim b/lib/sandbox.nim index 160a3d9..9a12851 100644 --- a/lib/sandbox.nim +++ b/lib/sandbox.nim @@ -1,6 +1,7 @@ import os import args import json +import dbus import utils import bwrap import config @@ -10,7 +11,7 @@ proc sandboxExec*(args: Args) = var call = BwrapCall() var configPath = none(string) - let hostname = args.name.get(getProfile(argst )) + let hostname = args.name.get(getProfile(args)) if args.name.isSome: let name = args.name.unsafeGet @@ -18,7 +19,6 @@ proc sandboxExec*(args: Args) = let sandboxFiles = sandboxPath.joinPath("files") let userConfig = sandboxPath.joinPath("config.json") - createDir(sandboxFiles) call.addArg("--bind", sandboxFiles, getHomeDir()) @@ -34,11 +34,30 @@ proc sandboxExec*(args: Args) = var config = loadConfig(configPath.unsafeGet) config.extendConfig() + var proxy = DbusProxy() + + proxy + .paths("/run/user/1000/bus", "/run/user/1000/.bus-sandboxed/test2") + .addCall("org.freedesktop.Notifications.*=@/org/freedesktop/Notifications") + .addCall("org.freedesktop.portal.*=*") + .addBroadcast("org.freedesktop.portal.*=@/org/freedesktop/portal/*") + .addOwn("org.mpris.MediaPlayer2.spotify") + .filter() + .log() + .exec() + call - .addMount("--dev-bind", "/dev/null") + .addArg("--dev", "/dev") + # https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496 + .addMount("--dev-bind", "/dev/dri") + .addMount("--dev-bind", "/dev/nvidiactl") + .addMount("--dev-bind", "/dev/nvidia-modeset") + .addMount("--dev-bind", "/dev/nvidia0") .addMount("--dev-bind", "/dev/random") .addMount("--dev-bind", "/dev/urandom") + .addArg("--ro-bind", "/run/user/1000/.bus-sandboxed/test2", "/run/user/1000/bus") .addArg("--tmpfs", "/tmp") + .addArg("--tmpfs", "/dev/shm") .addArg("--proc", "/proc") .addArg("--unshare-all") .addArg("--share-net")