Start working on launcher mode

lib/args.nim

@@ -4,11 +4,11 @@ import os
 
 type Args* = object
   name*: Option[string]
-  cmd*: Option[string]
+  cmd*: Option[seq[string]]
   profile*: Option[string]
 
-proc getCmd*(args: Args): string =
-  return args.cmd.get(getEnv("SHELL", "/bin/bash"))
+proc getCmd*(args: Args): seq[string] =
+  return args.cmd.get(@[getEnv("SHELL", "/bin/bash")])
 
 proc getProfile*(args: Args): string =
   if args.profile.isSome:
@@ -18,8 +18,8 @@ proc getProfile*(args: Args): string =
 
 proc parseOpt(args: var Args, key: string, value: string): bool =
   case key
-  of "command", "c":
-    args.cmd = some(value)
+  of "name", "n":
+    args.name = some(value)
   of "profile", "p":
     args.profile = some(value)
   else:
@@ -30,6 +30,7 @@ proc parseOpt(args: var Args, key: string, value: string): bool =
 proc parseArgs*(): Option[Args] =
   var p = initOptParser()
   var args = Args()
+  var command = newSeq[string]()
 
   while true:
     p.next()
@@ -40,6 +41,9 @@ proc parseArgs*(): Option[Args] =
         echo "Invalid argument ", p.val
         return
     of cmdArgument:
-      args.name = some(p.key.string)
+      command.add(p.key.string)
+
+  if command.len > 0:
+    args.cmd = some(command)
 
   return some(args)

lib/config.nim

@@ -16,6 +16,13 @@ type Config* = object
   mountcwd*: Option[bool]
   privileged*: Option[bool]
   sethostname*: Option[bool]
+  allowdri*: Option[bool]
+  dbus*: Option[bool]
+  dbussee*: Option[seq[string]]
+  dbustalk*: Option[seq[string]]
+  dbusown*: Option[seq[string]]
+  dbuscall*: Option[seq[string]]
+  dbusbroadcast*: Option[seq[string]]
 
 proc applyConfig*(call: var BwrapCall, config: Config) =
   for mount in config.mount.get(@[]):
@@ -39,10 +46,19 @@ proc extendConfig*(config: var Config): Config {.discardable.} =
   var eConf = loadConfig(getProfilePath(config.extends.unsafeGet))
   eConf.extendConfig()
 
+  # todo: replace using macro / templates
   config.mount = some(config.mount.get(@[]).concat(eConf.mount.get(@[])))
   config.romount = some(config.romount.get(@[]).concat(eConf.romount.get(@[])))
   config.symlinks = some(config.symlinks.get(@[]).concat(eConf.symlinks.get(@[])))
   config.mountcwd = some(config.mountcwd.get(eConf.mountcwd.get(false)))
   config.sethostname = some(config.sethostname.get(eConf.sethostname.get(false)))
+  config.allowdri = some(config.allowdri.get(eConf.allowdri.get(false)))
+
+  config.dbus = some(config.dbus.get(eConf.dbus.get(false)))
+  config.dbussee = some(config.dbussee.get(@[]).concat(eConf.dbussee.get(@[])))
+  config.dbustalk = some(config.dbustalk.get(@[]).concat(eConf.dbustalk.get(@[])))
+  config.dbusown = some(config.dbusown.get(@[]).concat(eConf.dbusown.get(@[])))
+  config.dbuscall = some(config.dbuscall.get(@[]).concat(eConf.dbuscall.get(@[])))
+  config.dbusbroadcast = some(config.dbusbroadcast.get(@[]).concat(eConf.dbusbroadcast.get(@[])))
 
   return config

lib/dbus.nim

@@ -0,0 +1,54 @@
+import strformat
+import options
+import config
+import osproc
+import random
+import os
+
+type DbusProxy* = object
+  process*: Process
+  socket*: string
+  args: seq[string]
+
+proc exec*(proxy: DbusProxy): Process =
+  # todo: start dbus proxy in bwrap
+  # todo: pass arguments as fd
+  startProcess("xdg-dbus-proxy", args = proxy.args,
+    options = {poEchoCmd, poParentStreams, poUsePath})
+
+proc startDBusProxy*(config: Config, hostname: string): DbusProxy =
+  let busPath = getEnv("DBUS_SESSION_BUS_ADDRESS")
+  let runtimeDir = getEnv("XDG_RUNTIME_DIR")
+
+  if busPath == "" or runtimeDir == "":
+    raise newException(IOError, "DBUS_SESSION_BUS_ADDRESS and XDG_RUNTIME_DIR are required")
+
+  let id = rand(1000)
+  let filterName = &"dbus-proxy-{hostname}-{id}"
+
+  var proxy = DbusProxy()
+  proxy.socket = &"{runtimeDir}/{filterName}"
+
+  proxy.args.add(busPath)
+  proxy.args.add(proxy.socket)
+
+  for name in config.dbussee.get(@[]):
+    proxy.args.add(&"--see={name}")
+
+  for name in config.dbustalk.get(@[]):
+    proxy.args.add(&"--talk={name}")
+
+  for name in config.dbuscall.get(@[]):
+    proxy.args.add(&"--call={name}")
+
+  for name in config.dbusown.get(@[]):
+    proxy.args.add(&"--own={name}")
+
+  for name in config.dbusbroadcast.get(@[]):
+    proxy.args.add(&"--broadcast={name}")
+
+  proxy.args.add("--filter")
+  proxy.args.add("--log")
+  proxy.process = proxy.exec()
+
+  proxy

lib/sandbox.nim

@@ -1,16 +1,18 @@
-import os
-import args
-import json
+import strutils
+import options
+import config
 import utils
 import bwrap
-import config
-import options
+import args
+import json
+import dbus
+import os
 
 proc sandboxExec*(args: Args) =
   var call = BwrapCall()
   var configPath = none(string)
 
-  let hostname = args.name.get(getProfile(argst ))
+  let hostname = args.name.get(getProfile(args))
 
   if args.name.isSome:
     let name = args.name.unsafeGet
@@ -18,7 +20,6 @@ proc sandboxExec*(args: Args) =
     let sandboxFiles = sandboxPath.joinPath("files")
     let userConfig = sandboxPath.joinPath("config.json")
 
-
     createDir(sandboxFiles)
     call.addArg("--bind", sandboxFiles, getHomeDir())
 
@@ -35,10 +36,11 @@ proc sandboxExec*(args: Args) =
   config.extendConfig()
 
   call
-    .addMount("--dev-bind", "/dev/null")
+    .addArg("--dev", "/dev")
     .addMount("--dev-bind", "/dev/random")
     .addMount("--dev-bind", "/dev/urandom")
     .addArg("--tmpfs", "/tmp")
+    .addArg("--tmpfs", "/dev/shm")
     .addArg("--proc", "/proc")
     .addArg("--unshare-all")
     .addArg("--share-net")
@@ -46,6 +48,18 @@ proc sandboxExec*(args: Args) =
     .addArg("--setenv", "BWSANDBOX", "1")
     .applyConfig(config)
 
+  if config.dbus.get(false):
+    # todo: handle process and cleanup later
+    let proxy = startDBusProxy(config, hostname)
+    call.addArg("--ro-bind", proxy.socket,
+      getEnv("DBUS_SESSION_BUS_ADDRESS").split('=')[1])
+
+    # todo: use fd signaling instead of this
+    sleep(100)
+
+  if config.allowdri.get(false):
+    enableDri(call)
+
   if config.mountcwd.get(false):
     call
       .addMount("--bind", getCurrentDir())

lib/utils.nim

@@ -1,5 +1,8 @@
-import os
+import strformat
+import posix
+import bwrap
 import args
+import os
 
 const APP_NAME = "bwsandbox"
 
@@ -23,3 +26,26 @@ proc getSandboxPath*(name: string): string =
   getDataDir()
     .joinPath(APP_NAME)
     .joinPath(name)
+
+proc deviceExists(path: string): bool =
+  var res: Stat
+  return stat(path, res) >= 0 and S_ISCHR(res.st_mode)
+
+# https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496
+proc enableDri*(call: var BwrapCall) =
+  const mounts = [
+    "/dev/dri",                                # general
+    "/dev/mali", "/dev/mali0", "/dev/umplock", # mali
+    "/dev/nvidiactl", "/dev/nvidia-modeset",   # nvidia
+    "/dev/nvidia-uvm", "/dev/nvidia-uvm-tools" # nvidia OpenCl/CUDA
+  ]
+
+  for mount in mounts:
+    if deviceExists(mount):
+      call.addMount("--dev-bind", mount)
+
+  for i in 0..20:
+    let device = &"/dev/nvidia{i}"
+
+    if deviceExists(device):
+      call.addMount("--dev-bind", device)

main.nim

@@ -1,14 +1,17 @@
 import lib/sandbox
 import lib/args
 import options
+import random
 
 proc main(): int =
   let args = parseArgs()
+  echo args
 
   if args.isNone:
-    echo "Usage: bwshell --command=cmd --profile=profile <sandbox_name>"
+    echo "Usage: bwshell --name=sandbox_name --profile=profile <sandbox_cmd>"
     return 1
   else:
+    randomize()
     sandboxExec(args.unsafeGet)
 
 quit(main())

scripts/applications.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+if [ $# -ne 1 ]; then
+  echo "Usage: $0 <target_dir>"
+  exit 1
+fi
+
+check_dir() {
+  local dir=$1
+  local file
+
+  for application in "$dir/"*; do
+    file="$(basename "$application")"
+
+    sed "s/Exec=/Exec=bwrap --name='$file' --profile=gui /gi" "$application" > "$target/$file"
+  done
+}
+
+dirs=("/usr/share/applications" "$HOME/.local/share/applications")
+target="$1"
+
+for dir in "${dirs[@]}"; do
+  check_dir "$dir"
+done