From 3a5e5d487035eb9a0df0e41d1f32dc1f74f09bb9 Mon Sep 17 00:00:00 2001
From: mawalu <web@mawalabs.de>
Date: Mon, 27 Dec 2021 16:39:18 +0100
Subject: [PATCH] Extend device support

---
 configs/wayland         |  7 +++++++
 lib/bwrap.nim           |  2 +-
 lib/config.nim          | 11 +++++++++++
 lib/sandbox.nim         | 20 ++++++++++----------
 lib/utils.nim           | 17 +++++++++++++++--
 scripts/applications.sh |  2 +-
 6 files changed, 45 insertions(+), 14 deletions(-)
 create mode 100644 configs/wayland

diff --git a/configs/wayland b/configs/wayland
new file mode 100644
index 0000000..330e353
--- /dev/null
+++ b/configs/wayland
@@ -0,0 +1,7 @@
+{
+    "extends": "default",
+    "romount": ["/run/user/1000/pulse/native", "/run/user/1000/wayland-1"],
+    "dbus": true,
+    "dbuscall": ["org.freedesktop.Notifications.*=@/org/freedesktop/Notifications", "org.freedesktop.portal.*=*"],
+    "dbusbroadcast": ["org.freedesktop.portal.*=@/org/freedesktop/portal/*"]
+}
diff --git a/lib/bwrap.nim b/lib/bwrap.nim
index 9fe3433..8918ad6 100644
--- a/lib/bwrap.nim
+++ b/lib/bwrap.nim
@@ -2,7 +2,7 @@ import posix
 import sequtils
 
 type BwrapCall* = object
-  args: seq[string]
+  args*: seq[string]
 
 proc addArg*(call: var BwrapCall, args: varargs[string]): var BwrapCall {.discardable.}  =
   for arg in args:
diff --git a/lib/config.nim b/lib/config.nim
index 35f250e..a6106df 100644
--- a/lib/config.nim
+++ b/lib/config.nim
@@ -3,6 +3,7 @@ import options
 import bwrap
 import utils
 import json
+import os
 
 type Link* = object
   src*: string
@@ -23,6 +24,7 @@ type Config* = object
   dbusown*: Option[seq[string]]
   dbuscall*: Option[seq[string]]
   dbusbroadcast*: Option[seq[string]]
+  devmount*: Option[seq[string]]
 
 proc applyConfig*(call: var BwrapCall, config: Config) =
   for mount in config.mount.get(@[]):
@@ -34,6 +36,14 @@ proc applyConfig*(call: var BwrapCall, config: Config) =
   for symlink in config.symlinks.get(@[]):
      call.addArg("--symlink", symlink.src, symlink.dst)
 
+  for device in config.devmount.get(@[]):
+      call.addArg("--dev-bind", device, device)
+
+  if config.mountcwd.get(false):
+      call
+        .addMount("--bind", getCurrentDir())
+        .addArg("--chdir", getCurrentDir())
+
 proc loadConfig*(path: string): Config =
   return readFile(path)
     .parseJson()
@@ -53,6 +63,7 @@ proc extendConfig*(config: var Config): Config {.discardable.} =
   config.mountcwd = some(config.mountcwd.get(eConf.mountcwd.get(false)))
   config.sethostname = some(config.sethostname.get(eConf.sethostname.get(false)))
   config.allowdri = some(config.allowdri.get(eConf.allowdri.get(false)))
+  config.devmount = some(config.devmount.get(eConf.devmount.get(@[])))
 
   config.dbus = some(config.dbus.get(eConf.dbus.get(false)))
   config.dbussee = some(config.dbussee.get(@[]).concat(eConf.dbussee.get(@[])))
diff --git a/lib/sandbox.nim b/lib/sandbox.nim
index d7241f2..8f73d73 100644
--- a/lib/sandbox.nim
+++ b/lib/sandbox.nim
@@ -39,6 +39,11 @@ proc sandboxExec*(args: Args) =
     .addArg("--dev", "/dev")
     .addMount("--dev-bind", "/dev/random")
     .addMount("--dev-bind", "/dev/urandom")
+    .addMount("--ro-bind", "/sys/block")
+    .addMount("--ro-bind", "/sys/bus")
+    .addMount("--ro-bind", "/sys/class")
+    .addMount("--ro-bind", "/sys/dev")
+    .addMount("--ro-bind", "/sys/devices")
     .addArg("--tmpfs", "/tmp")
     .addArg("--tmpfs", "/dev/shm")
     .addArg("--proc", "/proc")
@@ -48,6 +53,10 @@ proc sandboxExec*(args: Args) =
     .addArg("--setenv", "BWSANDBOX", "1")
     .applyConfig(config)
 
+  if config.sethostname.get(false):
+    call
+      .addArg("--hostname", hostname)
+
   if config.dbus.get(false):
     # todo: handle process and cleanup later
     let proxy = startDBusProxy(config, hostname)
@@ -60,13 +69,4 @@ proc sandboxExec*(args: Args) =
   if config.allowdri.get(false):
     enableDri(call)
 
-  if config.mountcwd.get(false):
-    call
-      .addMount("--bind", getCurrentDir())
-      .addArg("--chdir", getCurrentDir())
-
-  if config.sethostname.get(false):
-    call
-      .addArg("--hostname", hostname)
-
-  call.addArg(args.getCmd).exec()
+  call.addArg(args.getCmd).exec()
\ No newline at end of file
diff --git a/lib/utils.nim b/lib/utils.nim
index 75b70a1..0633f7c 100644
--- a/lib/utils.nim
+++ b/lib/utils.nim
@@ -41,17 +41,30 @@ proc deviceExists(path: string): bool =
   var res: Stat
   return stat(path, res) >= 0 and S_ISCHR(res.st_mode)
 
+proc mountDriFolder(call: var BwrapCall, path: string) =
+  for file in walkPattern(&"{path}/*"):
+    if dirExists(file):
+      mountDriFolder(call, file)
+    elif deviceExists(file):
+      call.addMount("--dev-bind", file)
+    #else:
+    #  call.addMount("--ro-bin", file)
+
 # https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496
 proc enableDri*(call: var BwrapCall) =
+  const folder = "/dev/dri"
   const mounts = [
-    "/dev/dri",                                # general
+    folder,                                    # general
     "/dev/mali", "/dev/mali0", "/dev/umplock", # mali
     "/dev/nvidiactl", "/dev/nvidia-modeset",   # nvidia
     "/dev/nvidia-uvm", "/dev/nvidia-uvm-tools" # nvidia OpenCl/CUDA
   ]
 
+  if dirExists(folder):
+    mountDriFolder(call, folder)
+
   for mount in mounts:
-    if deviceExists(mount):
+    if deviceExists(mount) or dirExists(mount):
       call.addMount("--dev-bind", mount)
 
   for i in 0..20:
diff --git a/scripts/applications.sh b/scripts/applications.sh
index 4990660..cb5a65d 100755
--- a/scripts/applications.sh
+++ b/scripts/applications.sh
@@ -12,7 +12,7 @@ check_dir() {
   for application in "$dir/"*; do
     file="$(basename "$application")"
 
-    sed "s/Exec=/Exec=bwshell --name '$file' --profile gui /gi" "$application" > "$target/$file"
+    sed "s/^Exec=/Exec=bwshell --name '$file' --profile gui /gi" "$application" > "$target/$file"
   done
 }