


Author SHA1 Message Date
Martin 2cb658c723
add dbus and dri 2021-06-27 16:46:29 +02:00
5 changed files with 60 additions and 110 deletions


@ -16,13 +16,6 @@ type Config* = object
mountcwd*: Option[bool]
privileged*: Option[bool]
sethostname*: Option[bool]
allowdri*: Option[bool]
dbus*: Option[bool]
dbussee*: Option[seq[string]]
dbustalk*: Option[seq[string]]
dbusown*: Option[seq[string]]
dbuscall*: Option[seq[string]]
dbusbroadcast*: Option[seq[string]]
proc applyConfig*(call: var BwrapCall, config: Config) =
for mount in config.mount.get(@[]):
@ -46,19 +39,10 @@ proc extendConfig*(config: var Config): Config {.discardable.} =
var eConf = loadConfig(getProfilePath(config.extends.unsafeGet))
eConf.extendConfig()
# todo: replace using macro / templates
config.mount = some(config.mount.get(@[]).concat(eConf.mount.get(@[])))
config.romount = some(config.romount.get(@[]).concat(eConf.romount.get(@[])))
config.symlinks = some(config.symlinks.get(@[]).concat(eConf.symlinks.get(@[])))
config.mountcwd = some(config.mountcwd.get(eConf.mountcwd.get(false)))
config.sethostname = some(config.sethostname.get(eConf.sethostname.get(false)))
config.allowdri = some(config.allowdri.get(eConf.allowdri.get(false)))
config.dbus = some(config.dbus.get(eConf.dbus.get(false)))
config.dbussee = some(config.dbussee.get(@[]).concat(eConf.dbussee.get(@[])))
config.dbustalk = some(config.dbustalk.get(@[]).concat(eConf.dbustalk.get(@[])))
config.dbusown = some(config.dbusown.get(@[]).concat(eConf.dbusown.get(@[])))
config.dbuscall = some(config.dbuscall.get(@[]).concat(eConf.dbuscall.get(@[])))
config.dbusbroadcast = some(config.dbusbroadcast.get(@[]).concat(eConf.dbusbroadcast.get(@[])))
return config
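Review bot: `extendConfig` recurses into `eConf.extendConfig()` at L29 with no guard against an `extends` chain that loops back on itself, so a profile that extends itself, directly or through another profile, recurses until the stack overflows instead of failing with a message. Threading the profiles already visited through a defaulted parameter, e.g. `proc extendConfig*(config: var Config; seen: HashSet[string] = initHashSet[string]()): Config {.discardable.}` and raising `ValueError` when `config.extends.unsafeGet` is already in `seen`, keeps the public call compatible and makes the cycle a clean error. Separately, `privileged*` is declared on both sides of the first hunk but is absent from the merge assignments ending at L35, so an extending profile never inherits it; if that is deliberate fail-closed behaviour, a comment such as `# privileged is intentionally not inherited from the parent profile` would stop a later maintainer "fixing" it. The proc header and the `isSome` check that presumably makes `unsafeGet` safe lie outside the hunk.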


@ -1,54 +1,43 @@
import strformat
import options
import config
import osproc
import random
import os
type DbusProxy* = object
process*: Process
socket*: string
args: seq[string]
proc exec*(proxy: var DbusProxy) =
proc addSee*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} =
proxy.args.add(&"--see={name}")
proxy
proc addTalk*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} =
proxy.args.add(&"--talk={name}")
proxy
proc addOwn*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} =
proxy.args.add(&"--own={name}")
proxy
proc addCall*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} =
proxy.args.add(&"--call={name}")
proxy
proc addBroadcast*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} =
proxy.args.add(&"--broadcast={name}")
proxy
proc paths*(proxy: var DbusProxy, systembus: string, filterbus: string): var DbusProxy {.discardable.} =
proxy.args.add(&"unix:path={systembus}")
proxy.args.add(filterbus)
proxy
proc log*(proxy: var DbusProxy): var DbusProxy {.discardable.} =
proxy.args.add("--log")
proxy
proc filter*(proxy: var DbusProxy): var DbusProxy {.discardable.} =
proxy.args.add("--filter")
proxy
proc exec*(proxy: DbusProxy): Process {.discardable.} =
# todo: start dbus proxy in bwrap
# todo: pass arguments as fd
proxy.process = startProcess("xdg-dbus-proxy", args = proxy.args,
options = {poEchoCmd, poParentStreams, poUsePath})
proc startDBusProxy*(config: Config, hostname: string): DbusProxy =
let busPath = getEnv("DBUS_SESSION_BUS_ADDRESS")
let runtimeDir = getEnv("XDG_RUNTIME_DIR")
if busPath == "" or runtimeDir == "":
raise newException(IOError, "DBUS_SESSION_BUS_ADDRESS and XDG_RUNTIME_DIR are required")
let id = rand(1000)
let filterName = &"dbus-proxy-{hostname}-{id}"
var proxy = DbusProxy()
proxy.socket = &"{runtimeDir}/{filterName}"
proxy.args.add(busPath)
proxy.args.add(proxy.socket)
for name in config.dbussee.get(@[]):
proxy.args.add(&"--see={name}")
for name in config.dbustalk.get(@[]):
proxy.args.add(&"--talk={name}")
for name in config.dbuscall.get(@[]):
proxy.args.add(&"--call={name}")
for name in config.dbusown.get(@[]):
proxy.args.add(&"--own={name}")
for name in config.dbusbroadcast.get(@[]):
proxy.args.add(&"--broadcast={name}")
proxy.args.add("--filter")
proxy.args.add("--log")
proxy.exec()
proxy
startProcess("xdg-dbus-proxy", args = proxy.args, options = {poEchoCmd, poParentStreams, poUsePath})
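Review bot: The builder never fills `socket*`: `paths` (L74–L77) only appends `filterbus` to `args`, and `exec` (L84) hands back the `Process` of the spawned `xdg-dbus-proxy` as a `{.discardable.}` value, so a caller that ends its chain with `.exec()` is left with neither the socket path to bind into the sandbox nor a handle to terminate the proxy when the sandbox exits, and the proxy keeps running. Recording the path in `paths` (`proxy.socket = filterbus` before the `proxy.args.add(filterbus)`) and dropping `{.discardable.}` from `exec` keeps both available without changing the chaining style. The builder is also order-sensitive, since xdg-dbus-proxy applies policy options to the bus-address/path pair that precedes them, so `paths` must be called before any `addSee`/`addTalk`/`addOwn`/`addCall`/`addBroadcast`; a doc comment on `paths` stating that, or a `doAssert proxy.args.len == 0` inside it, would catch misuse early. Which of the two `exec` overloads (L58, L84) sits on the new side cannot be settled from the hunk header alone, so this is written against the `Process`-returning one.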


@ -1,12 +1,11 @@
import strutils
import options
import config
import utils
import bwrap
import os
import args
import json
import dbus
import os
import utils
import bwrap
import config
import options
proc sandboxExec*(args: Args) =
var call = BwrapCall()
@ -35,10 +34,28 @@ proc sandboxExec*(args: Args) =
var config = loadConfig(configPath.unsafeGet)
config.extendConfig()
var proxy = DbusProxy()
proxy
.paths("/run/user/1000/bus", "/run/user/1000/.bus-sandboxed/test2")
.addCall("org.freedesktop.Notifications.*=@/org/freedesktop/Notifications")
.addCall("org.freedesktop.portal.*=*")
.addBroadcast("org.freedesktop.portal.*=@/org/freedesktop/portal/*")
.addOwn("org.mpris.MediaPlayer2.spotify")
.filter()
.log()
.exec()
call
.addArg("--dev", "/dev")
# https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496
.addMount("--dev-bind", "/dev/dri")
.addMount("--dev-bind", "/dev/nvidiactl")
.addMount("--dev-bind", "/dev/nvidia-modeset")
.addMount("--dev-bind", "/dev/nvidia0")
.addMount("--dev-bind", "/dev/random")
.addMount("--dev-bind", "/dev/urandom")
.addArg("--ro-bind", "/run/user/1000/.bus-sandboxed/test2", "/run/user/1000/bus")
.addArg("--tmpfs", "/tmp")
.addArg("--tmpfs", "/dev/shm")
.addArg("--proc", "/proc")
@ -48,18 +65,6 @@ proc sandboxExec*(args: Args) =
.addArg("--setenv", "BWSANDBOX", "1")
.applyConfig(config)
if config.dbus.get(false):
# todo: handle process and cleanup later
let proxy = startDBusProxy(config, hostname)
call.addArg("--ro-bind", proxy.socket,
getEnv("DBUS_SESSION_BUS_ADDRESS").split('=')[1])
# todo: use fd signaling instead of this
sleep(100)
if config.allowdri.get(false):
enableDri(call)
if config.mountcwd.get(false):
call
.addMount("--bind", getCurrentDir())
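Review bot: The device binds at L151–L156 are unconditional, and bwrap refuses to start when a bind source does not exist, so on a host without `/dev/nvidiactl`, `/dev/nvidia-modeset` or `/dev/nvidia0` the sandbox never launches; each `--dev-bind` should be gated on the node being present, and `os.fileExists` is not enough for that because it accepts only regular files, so a `posix.stat` (which needs `import posix` in this file) is the simplest test. The D-Bus proxy chain at L139–L147 and the matching `--ro-bind` at L157 hard-code `/run/user/1000/...` and `.bus-sandboxed/test2`, so the code works only for uid 1000 and every sandbox shares a single filter socket; deriving the paths from `getEnv("XDG_RUNTIME_DIR")` with a per-sandbox name removes both limits, and the `Process` returned by `.exec()` should be kept so the proxy can be terminated when the sandbox exits. The proxy is started before bwrap regardless of `config.dbus`, and nothing waits for its socket to exist before bwrap binds it, so xdg-dbus-proxy's `--fd` readiness signal (or at minimum a check that the socket path exists) belongs between `.exec()` and the bwrap call. The body of `sandboxExec` begins and ends outside this hunk.
```nim
# … unchanged: config loading, proxy chain and .addArg("--dev", "/dev") …
# bwrap aborts on a missing bind source, so only bind nodes present on this host
for dev in ["/dev/dri", "/dev/nvidiactl", "/dev/nvidia-modeset", "/dev/nvidia0"]:
  var st: Stat
  if stat(dev, st) >= 0:
    call.addMount("--dev-bind", dev)
# … unchanged: --ro-bind of the proxy socket, --tmpfs and --proc args …
```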


@ -1,8 +1,5 @@
import strformat
import posix
import bwrap
import args
import os
import args
const APP_NAME = "bwsandbox"
@ -26,26 +23,3 @@ proc getSandboxPath*(name: string): string =
getDataDir()
.joinPath(APP_NAME)
.joinPath(name)
proc deviceExists(path: string): bool =
var res: Stat
return stat(path, res) >= 0 and S_ISCHR(res.st_mode)
# https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496
proc enableDri*(call: var BwrapCall) =
const mounts = [
"/dev/dri", # general
"/dev/mali", "/dev/mali0", "/dev/umplock", # mali
"/dev/nvidiactl", "/dev/nvidia-modeset", # nvidia
"/dev/nvidia-uvm", "/dev/nvidia-uvm-tools" # nvidia OpenCl/CUDA
]
for mount in mounts:
if deviceExists(mount):
call.addMount("--dev-bind", mount)
for i in 0..20:
let device = &"/dev/nvidia{i}"
if deviceExists(device):
call.addMount("--dev-bind", device)


@ -1,7 +1,6 @@
import lib/sandbox
import lib/args
import options
import random
proc main(): int =
let args = parseArgs()
@ -10,7 +9,6 @@ proc main(): int =
echo "Usage: bwshell --command=cmd --profile=profile <sandbox_name>"
return 1
else:
randomize()
sandboxExec(args.unsafeGet)
quit(main())