Compare commits
2 Commits
67ea99cd38
...
9cad6fc050
Author | SHA1 | Date |
---|---|---|
Martin | 9cad6fc050 | |
Martin | 354ba05faa |
16
lib/args.nim
16
lib/args.nim
|
@ -4,11 +4,11 @@ import os
|
|||
|
||||
type Args* = object
|
||||
name*: Option[string]
|
||||
cmd*: Option[string]
|
||||
cmd*: Option[seq[string]]
|
||||
profile*: Option[string]
|
||||
|
||||
proc getCmd*(args: Args): string =
|
||||
return args.cmd.get(getEnv("SHELL", "/bin/bash"))
|
||||
proc getCmd*(args: Args): seq[string] =
|
||||
return args.cmd.get(@[getEnv("SHELL", "/bin/bash")])
|
||||
|
||||
proc getProfile*(args: Args): string =
|
||||
if args.profile.isSome:
|
||||
|
@ -18,8 +18,8 @@ proc getProfile*(args: Args): string =
|
|||
|
||||
proc parseOpt(args: var Args, key: string, value: string): bool =
|
||||
case key
|
||||
of "command", "c":
|
||||
args.cmd = some(value)
|
||||
of "name", "n":
|
||||
args.name = some(value)
|
||||
of "profile", "p":
|
||||
args.profile = some(value)
|
||||
else:
|
||||
|
@ -30,6 +30,7 @@ proc parseOpt(args: var Args, key: string, value: string): bool =
|
|||
proc parseArgs*(): Option[Args] =
|
||||
var p = initOptParser()
|
||||
var args = Args()
|
||||
var command = newSeq[string]()
|
||||
|
||||
while true:
|
||||
p.next()
|
||||
|
@ -40,6 +41,9 @@ proc parseArgs*(): Option[Args] =
|
|||
echo "Invalid argument ", p.val
|
||||
return
|
||||
of cmdArgument:
|
||||
args.name = some(p.key.string)
|
||||
command.add(p.key.string)
|
||||
|
||||
if command.len > 0:
|
||||
args.cmd = some(command)
|
||||
|
||||
return some(args)
|
|
@ -16,6 +16,13 @@ type Config* = object
|
|||
mountcwd*: Option[bool]
|
||||
privileged*: Option[bool]
|
||||
sethostname*: Option[bool]
|
||||
allowdri*: Option[bool]
|
||||
dbus*: Option[bool]
|
||||
dbussee*: Option[seq[string]]
|
||||
dbustalk*: Option[seq[string]]
|
||||
dbusown*: Option[seq[string]]
|
||||
dbuscall*: Option[seq[string]]
|
||||
dbusbroadcast*: Option[seq[string]]
|
||||
|
||||
proc applyConfig*(call: var BwrapCall, config: Config) =
|
||||
for mount in config.mount.get(@[]):
|
||||
|
@ -39,10 +46,19 @@ proc extendConfig*(config: var Config): Config {.discardable.} =
|
|||
var eConf = loadConfig(getProfilePath(config.extends.unsafeGet))
|
||||
eConf.extendConfig()
|
||||
|
||||
# todo: replace using macro / templates
|
||||
config.mount = some(config.mount.get(@[]).concat(eConf.mount.get(@[])))
|
||||
config.romount = some(config.romount.get(@[]).concat(eConf.romount.get(@[])))
|
||||
config.symlinks = some(config.symlinks.get(@[]).concat(eConf.symlinks.get(@[])))
|
||||
config.mountcwd = some(config.mountcwd.get(eConf.mountcwd.get(false)))
|
||||
config.sethostname = some(config.sethostname.get(eConf.sethostname.get(false)))
|
||||
config.allowdri = some(config.allowdri.get(eConf.allowdri.get(false)))
|
||||
|
||||
config.dbus = some(config.dbus.get(eConf.dbus.get(false)))
|
||||
config.dbussee = some(config.dbussee.get(@[]).concat(eConf.dbussee.get(@[])))
|
||||
config.dbustalk = some(config.dbustalk.get(@[]).concat(eConf.dbustalk.get(@[])))
|
||||
config.dbusown = some(config.dbusown.get(@[]).concat(eConf.dbusown.get(@[])))
|
||||
config.dbuscall = some(config.dbuscall.get(@[]).concat(eConf.dbuscall.get(@[])))
|
||||
config.dbusbroadcast = some(config.dbusbroadcast.get(@[]).concat(eConf.dbusbroadcast.get(@[])))
|
||||
|
||||
return config
|
||||
|
|
|
@ -0,0 +1,54 @@
|
|||
import strformat
|
||||
import options
|
||||
import config
|
||||
import osproc
|
||||
import random
|
||||
import os
|
||||
|
||||
type DbusProxy* = object
|
||||
process*: Process
|
||||
socket*: string
|
||||
args: seq[string]
|
||||
|
||||
proc exec*(proxy: DbusProxy): Process =
|
||||
# todo: start dbus proxy in bwrap
|
||||
# todo: pass arguments as fd
|
||||
startProcess("xdg-dbus-proxy", args = proxy.args,
|
||||
options = {poEchoCmd, poParentStreams, poUsePath})
|
||||
|
||||
proc startDBusProxy*(config: Config, hostname: string): DbusProxy =
|
||||
let busPath = getEnv("DBUS_SESSION_BUS_ADDRESS")
|
||||
let runtimeDir = getEnv("XDG_RUNTIME_DIR")
|
||||
|
||||
if busPath == "" or runtimeDir == "":
|
||||
raise newException(IOError, "DBUS_SESSION_BUS_ADDRESS and XDG_RUNTIME_DIR are required")
|
||||
|
||||
let id = rand(1000)
|
||||
let filterName = &"dbus-proxy-{hostname}-{id}"
|
||||
|
||||
var proxy = DbusProxy()
|
||||
proxy.socket = &"{runtimeDir}/{filterName}"
|
||||
|
||||
proxy.args.add(busPath)
|
||||
proxy.args.add(proxy.socket)
|
||||
|
||||
for name in config.dbussee.get(@[]):
|
||||
proxy.args.add(&"--see={name}")
|
||||
|
||||
for name in config.dbustalk.get(@[]):
|
||||
proxy.args.add(&"--talk={name}")
|
||||
|
||||
for name in config.dbuscall.get(@[]):
|
||||
proxy.args.add(&"--call={name}")
|
||||
|
||||
for name in config.dbusown.get(@[]):
|
||||
proxy.args.add(&"--own={name}")
|
||||
|
||||
for name in config.dbusbroadcast.get(@[]):
|
||||
proxy.args.add(&"--broadcast={name}")
|
||||
|
||||
proxy.args.add("--filter")
|
||||
proxy.args.add("--log")
|
||||
proxy.process = proxy.exec()
|
||||
|
||||
proxy
|
|
@ -1,16 +1,18 @@
|
|||
import os
|
||||
import args
|
||||
import json
|
||||
import strutils
|
||||
import options
|
||||
import config
|
||||
import utils
|
||||
import bwrap
|
||||
import config
|
||||
import options
|
||||
import args
|
||||
import json
|
||||
import dbus
|
||||
import os
|
||||
|
||||
proc sandboxExec*(args: Args) =
|
||||
var call = BwrapCall()
|
||||
var configPath = none(string)
|
||||
|
||||
let hostname = args.name.get(getProfile(argst ))
|
||||
let hostname = args.name.get(getProfile(args))
|
||||
|
||||
if args.name.isSome:
|
||||
let name = args.name.unsafeGet
|
||||
|
@ -18,7 +20,6 @@ proc sandboxExec*(args: Args) =
|
|||
let sandboxFiles = sandboxPath.joinPath("files")
|
||||
let userConfig = sandboxPath.joinPath("config.json")
|
||||
|
||||
|
||||
createDir(sandboxFiles)
|
||||
call.addArg("--bind", sandboxFiles, getHomeDir())
|
||||
|
||||
|
@ -35,10 +36,11 @@ proc sandboxExec*(args: Args) =
|
|||
config.extendConfig()
|
||||
|
||||
call
|
||||
.addMount("--dev-bind", "/dev/null")
|
||||
.addArg("--dev", "/dev")
|
||||
.addMount("--dev-bind", "/dev/random")
|
||||
.addMount("--dev-bind", "/dev/urandom")
|
||||
.addArg("--tmpfs", "/tmp")
|
||||
.addArg("--tmpfs", "/dev/shm")
|
||||
.addArg("--proc", "/proc")
|
||||
.addArg("--unshare-all")
|
||||
.addArg("--share-net")
|
||||
|
@ -46,6 +48,18 @@ proc sandboxExec*(args: Args) =
|
|||
.addArg("--setenv", "BWSANDBOX", "1")
|
||||
.applyConfig(config)
|
||||
|
||||
if config.dbus.get(false):
|
||||
# todo: handle process and cleanup later
|
||||
let proxy = startDBusProxy(config, hostname)
|
||||
call.addArg("--ro-bind", proxy.socket,
|
||||
getEnv("DBUS_SESSION_BUS_ADDRESS").split('=')[1])
|
||||
|
||||
# todo: use fd signaling instead of this
|
||||
sleep(100)
|
||||
|
||||
if config.allowdri.get(false):
|
||||
enableDri(call)
|
||||
|
||||
if config.mountcwd.get(false):
|
||||
call
|
||||
.addMount("--bind", getCurrentDir())
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
import os
|
||||
import strformat
|
||||
import posix
|
||||
import bwrap
|
||||
import args
|
||||
import os
|
||||
|
||||
const APP_NAME = "bwsandbox"
|
||||
|
||||
|
@ -22,4 +25,27 @@ proc getProfilePath*(args: Args): string =
|
|||
proc getSandboxPath*(name: string): string =
|
||||
getDataDir()
|
||||
.joinPath(APP_NAME)
|
||||
.joinPath(name)
|
||||
.joinPath(name)
|
||||
|
||||
proc deviceExists(path: string): bool =
|
||||
var res: Stat
|
||||
return stat(path, res) >= 0 and S_ISCHR(res.st_mode)
|
||||
|
||||
# https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496
|
||||
proc enableDri*(call: var BwrapCall) =
|
||||
const mounts = [
|
||||
"/dev/dri", # general
|
||||
"/dev/mali", "/dev/mali0", "/dev/umplock", # mali
|
||||
"/dev/nvidiactl", "/dev/nvidia-modeset", # nvidia
|
||||
"/dev/nvidia-uvm", "/dev/nvidia-uvm-tools" # nvidia OpenCl/CUDA
|
||||
]
|
||||
|
||||
for mount in mounts:
|
||||
if deviceExists(mount):
|
||||
call.addMount("--dev-bind", mount)
|
||||
|
||||
for i in 0..20:
|
||||
let device = &"/dev/nvidia{i}"
|
||||
|
||||
if deviceExists(device):
|
||||
call.addMount("--dev-bind", device)
|
5
main.nim
5
main.nim
|
@ -1,14 +1,17 @@
|
|||
import lib/sandbox
|
||||
import lib/args
|
||||
import options
|
||||
import random
|
||||
|
||||
proc main(): int =
|
||||
let args = parseArgs()
|
||||
echo args
|
||||
|
||||
if args.isNone:
|
||||
echo "Usage: bwshell --command=cmd --profile=profile <sandbox_name>"
|
||||
echo "Usage: bwshell --name=sandbox_name --profile=profile <sandbox_cmd>"
|
||||
return 1
|
||||
else:
|
||||
randomize()
|
||||
sandboxExec(args.unsafeGet)
|
||||
|
||||
quit(main())
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ $# -ne 1 ]; then
|
||||
echo "Usage: $0 <target_dir>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
check_dir() {
|
||||
local dir=$1
|
||||
local file
|
||||
|
||||
for application in "$dir/"*; do
|
||||
file="$(basename "$application")"
|
||||
|
||||
sed "s/Exec=/Exec=bwrap --name='$file' --profile=gui /gi" "$application" > "$target/$file"
|
||||
done
|
||||
}
|
||||
|
||||
dirs=("/usr/share/applications" "$HOME/.local/share/applications")
|
||||
target="$1"
|
||||
|
||||
for dir in "${dirs[@]}"; do
|
||||
check_dir "$dir"
|
||||
done
|
Loading…
Reference in New Issue