mawalu/bwbox
1
0
Fork 0
Code Issues 3 Pull Requests Projects Releases Wiki Activity

Compare commits

base: mawalu:configs
Branches Tags
mawalu:main mawalu:configs mawalu:launcher mawalu:dbus
..
compare: mawalu:2cb658c723f36afc98bdca0ed87ace88c3ea48b6
Branches Tags
mawalu:main mawalu:configs mawalu:launcher mawalu:dbus

1 Commits
configs ... 2cb658c723

Author SHA1 Message Date
mawalu
2cb658c723 add dbus and dri 2021-06-27 16:46:29 +02:00
13 changed files with 87 additions and 174 deletions
Expand all files Collapse all files

0
configs/config.json → config.json
View File

1
configs/box
View File

@@ -1 +0,0 @@
{"extends": "shell", "mountcwd": true}

10
configs/default
View File

@@ -1,10 +0,0 @@
{
"mount": [],
"romount": ["/etc", "/var", "/usr", "/opt"],
"symlinks": [
{"src": "usr/lib", "dst": "/lib"},
{"src": "usr/lib64", "dst": "/lib64"},
{"src": "usr/bin", "dst": "/bin"},
{"src": "usr/sbin", "dst": "/sbin"}
]
}

1
configs/dev
View File

@@ -1 +0,0 @@
{"extends": "shell", "romount": [".gitconfig", ".gnupg", "/run/user/1000/gnupg", ".ssh/config"], "mountcwd": true, "mount": [".ssh/known_hosts"]}

1
configs/gui
View File

@@ -1 +0,0 @@
{"extends": "default", "romount": [".Xauthority", "/tmp/.X11-unix", "/run/user/1000/pulse/native"], "dbus": true, "dbuscall": ["org.freedesktop.Notifications.*=@/org/freedesktop/Notifications", "org.freedesktop.portal.*=*"], "dbusbroadcast": ["org.freedesktop.portal.*=@/org/freedesktop/portal/*"]}

1
configs/shell
View File

@@ -1 +0,0 @@
{"extends": "default", "romount": [".oh-my-zsh", ".zsh", ".zshrc", ".zshrc-local"], "sethostname": true}

48
lib/args.nim
View File

@@ -1,13 +1,14 @@
import parseopt
import options import options
import os import os
type Args* = object type Args* = object
name*: Option[string] name*: Option[string]
cmd*: Option[seq[string]] cmd*: Option[string]
profile*: Option[string] profile*: Option[string]
proc getCmd*(args: Args): seq[string] = proc getCmd*(args: Args): string =
return args.cmd.get(@[getEnv("SHELL", "/bin/bash")]) return args.cmd.get(getEnv("SHELL", "/bin/bash"))
proc getProfile*(args: Args): string = proc getProfile*(args: Args): string =
if args.profile.isSome: if args.profile.isSome:
@@ -15,27 +16,30 @@ proc getProfile*(args: Args): string =
return "default" return "default"
proc parseOpt(args: var Args, key: string, value: string): bool =
case key
of "command", "c":
args.cmd = some(value)
of "profile", "p":
args.profile = some(value)
else:
return false
return true
proc parseArgs*(): Option[Args] = proc parseArgs*(): Option[Args] =
var p = initOptParser()
var args = Args() var args = Args()
var command = newSeq[string]() while true:
var i = 1 p.next()
case p.kind
while i <= paramCount(): of cmdEnd: break
var arg = paramStr(i) of cmdShortOption, cmdLongOption:
if p.val == "" or args.parseOpt(p.key, p.val) == false:
if arg == "--name": echo "Invalid argument ", p.val
args.name = some(paramStr(i + 1)) return
i += 2 of cmdArgument:
elif arg == "--profile": args.name = some(p.key.string)
args.profile = some(paramStr(i + 1))
i += 2
else:
echo arg
command.add(arg)
i += 1
if command.len > 0:
args.cmd = some(command)
return some(args) return some(args)

16
lib/config.nim
View File

@@ -16,13 +16,6 @@ type Config* = object
mountcwd*: Option[bool] mountcwd*: Option[bool]
privileged*: Option[bool] privileged*: Option[bool]
sethostname*: Option[bool] sethostname*: Option[bool]
allowdri*: Option[bool]
dbus*: Option[bool]
dbussee*: Option[seq[string]]
dbustalk*: Option[seq[string]]
dbusown*: Option[seq[string]]
dbuscall*: Option[seq[string]]
dbusbroadcast*: Option[seq[string]]
proc applyConfig*(call: var BwrapCall, config: Config) = proc applyConfig*(call: var BwrapCall, config: Config) =
for mount in config.mount.get(@[]): for mount in config.mount.get(@[]):
@@ -46,19 +39,10 @@ proc extendConfig*(config: var Config): Config {.discardable.} =
var eConf = loadConfig(getProfilePath(config.extends.unsafeGet)) var eConf = loadConfig(getProfilePath(config.extends.unsafeGet))
eConf.extendConfig() eConf.extendConfig()
# todo: replace using macro / templates
config.mount = some(config.mount.get(@[]).concat(eConf.mount.get(@[]))) config.mount = some(config.mount.get(@[]).concat(eConf.mount.get(@[])))
config.romount = some(config.romount.get(@[]).concat(eConf.romount.get(@[]))) config.romount = some(config.romount.get(@[]).concat(eConf.romount.get(@[])))
config.symlinks = some(config.symlinks.get(@[]).concat(eConf.symlinks.get(@[]))) config.symlinks = some(config.symlinks.get(@[]).concat(eConf.symlinks.get(@[])))
config.mountcwd = some(config.mountcwd.get(eConf.mountcwd.get(false))) config.mountcwd = some(config.mountcwd.get(eConf.mountcwd.get(false)))
config.sethostname = some(config.sethostname.get(eConf.sethostname.get(false))) config.sethostname = some(config.sethostname.get(eConf.sethostname.get(false)))
config.allowdri = some(config.allowdri.get(eConf.allowdri.get(false)))
config.dbus = some(config.dbus.get(eConf.dbus.get(false)))
config.dbussee = some(config.dbussee.get(@[]).concat(eConf.dbussee.get(@[])))
config.dbustalk = some(config.dbustalk.get(@[]).concat(eConf.dbustalk.get(@[])))
config.dbusown = some(config.dbusown.get(@[]).concat(eConf.dbusown.get(@[])))
config.dbuscall = some(config.dbuscall.get(@[]).concat(eConf.dbuscall.get(@[])))
config.dbusbroadcast = some(config.dbusbroadcast.get(@[]).concat(eConf.dbusbroadcast.get(@[])))
return config return config

81
lib/dbus.nim
View File

@@ -1,54 +1,43 @@
import strformat import strformat
import options
import config
import osproc import osproc
import random
import os
type DbusProxy* = object type DbusProxy* = object
process*: Process
socket*: string
args: seq[string] args: seq[string]
proc exec*(proxy: DbusProxy): Process = proc addSee*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} =
proxy.args.add(&"--see={name}")
proxy
proc addTalk*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} =
proxy.args.add(&"--talk={name}")
proxy
proc addOwn*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} =
proxy.args.add(&"--own={name}")
proxy
proc addCall*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} =
proxy.args.add(&"--call={name}")
proxy
proc addBroadcast*(proxy: var DbusProxy, name: string): var DbusProxy {.discardable.} =
proxy.args.add(&"--broadcast={name}")
proxy
proc paths*(proxy: var DbusProxy, systembus: string, filterbus: string): var DbusProxy {.discardable.} =
proxy.args.add(&"unix:path={systembus}")
proxy.args.add(filterbus)
proxy
proc log*(proxy: var DbusProxy): var DbusProxy {.discardable.} =
proxy.args.add("--log")
proxy
proc filter*(proxy: var DbusProxy): var DbusProxy {.discardable.} =
proxy.args.add("--filter")
proxy
proc exec*(proxy: DbusProxy): Process {.discardable.} =
# todo: start dbus proxy in bwrap # todo: start dbus proxy in bwrap
# todo: pass arguments as fd # todo: pass arguments as fd
startProcess("xdg-dbus-proxy", args = proxy.args, startProcess("xdg-dbus-proxy", args = proxy.args, options = {poEchoCmd, poParentStreams, poUsePath})
options = {poEchoCmd, poParentStreams, poUsePath})
proc startDBusProxy*(config: Config, hostname: string): DbusProxy =
let busPath = getEnv("DBUS_SESSION_BUS_ADDRESS")
let runtimeDir = getEnv("XDG_RUNTIME_DIR")
if busPath == "" or runtimeDir == "":
raise newException(IOError, "DBUS_SESSION_BUS_ADDRESS and XDG_RUNTIME_DIR are required")
let id = rand(1000)
let filterName = &"dbus-proxy-{hostname}-{id}"
var proxy = DbusProxy()
proxy.socket = &"{runtimeDir}/{filterName}"
proxy.args.add(busPath)
proxy.args.add(proxy.socket)
for name in config.dbussee.get(@[]):
proxy.args.add(&"--see={name}")
for name in config.dbustalk.get(@[]):
proxy.args.add(&"--talk={name}")
for name in config.dbuscall.get(@[]):
proxy.args.add(&"--call={name}")
for name in config.dbusown.get(@[]):
proxy.args.add(&"--own={name}")
for name in config.dbusbroadcast.get(@[]):
proxy.args.add(&"--broadcast={name}")
proxy.args.add("--filter")
proxy.args.add("--log")
proxy.process = proxy.exec()
proxy

41
lib/sandbox.nim
View File

@@ -1,12 +1,11 @@
import strutils import os
import options
import config
import utils
import bwrap
import args import args
import json import json
import dbus import dbus
import os import utils
import bwrap
import config
import options
proc sandboxExec*(args: Args) = proc sandboxExec*(args: Args) =
var call = BwrapCall() var call = BwrapCall()
@@ -35,10 +34,28 @@ proc sandboxExec*(args: Args) =
var config = loadConfig(configPath.unsafeGet) var config = loadConfig(configPath.unsafeGet)
config.extendConfig() config.extendConfig()
var proxy = DbusProxy()
proxy
.paths("/run/user/1000/bus", "/run/user/1000/.bus-sandboxed/test2")
.addCall("org.freedesktop.Notifications.*=@/org/freedesktop/Notifications")
.addCall("org.freedesktop.portal.*=*")
.addBroadcast("org.freedesktop.portal.*=@/org/freedesktop/portal/*")
.addOwn("org.mpris.MediaPlayer2.spotify")
.filter()
.log()
.exec()
call call
.addArg("--dev", "/dev") .addArg("--dev", "/dev")
# https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496
.addMount("--dev-bind", "/dev/dri")
.addMount("--dev-bind", "/dev/nvidiactl")
.addMount("--dev-bind", "/dev/nvidia-modeset")
.addMount("--dev-bind", "/dev/nvidia0")
.addMount("--dev-bind", "/dev/random") .addMount("--dev-bind", "/dev/random")
.addMount("--dev-bind", "/dev/urandom") .addMount("--dev-bind", "/dev/urandom")
.addArg("--ro-bind", "/run/user/1000/.bus-sandboxed/test2", "/run/user/1000/bus")
.addArg("--tmpfs", "/tmp") .addArg("--tmpfs", "/tmp")
.addArg("--tmpfs", "/dev/shm") .addArg("--tmpfs", "/dev/shm")
.addArg("--proc", "/proc") .addArg("--proc", "/proc")
@@ -48,18 +65,6 @@ proc sandboxExec*(args: Args) =
.addArg("--setenv", "BWSANDBOX", "1") .addArg("--setenv", "BWSANDBOX", "1")
.applyConfig(config) .applyConfig(config)
if config.dbus.get(false):
# todo: handle process and cleanup later
let proxy = startDBusProxy(config, hostname)
call.addArg("--ro-bind", proxy.socket,
getEnv("DBUS_SESSION_BUS_ADDRESS").split('=')[1])
# todo: use fd signaling instead of this
sleep(100)
if config.allowdri.get(false):
enableDri(call)
if config.mountcwd.get(false): if config.mountcwd.get(false):
call call
.addMount("--bind", getCurrentDir()) .addMount("--bind", getCurrentDir())

28
lib/utils.nim
View File

@@ -1,8 +1,5 @@
import strformat
import posix
import bwrap
import args
import os import os
import args
const APP_NAME = "bwsandbox" const APP_NAME = "bwsandbox"
@@ -26,26 +23,3 @@ proc getSandboxPath*(name: string): string =
getDataDir() getDataDir()
.joinPath(APP_NAME) .joinPath(APP_NAME)
.joinPath(name) .joinPath(name)
proc deviceExists(path: string): bool =
var res: Stat
return stat(path, res) >= 0 and S_ISCHR(res.st_mode)
# https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496
proc enableDri*(call: var BwrapCall) =
const mounts = [
"/dev/dri", # general
"/dev/mali", "/dev/mali0", "/dev/umplock", # mali
"/dev/nvidiactl", "/dev/nvidia-modeset", # nvidia
"/dev/nvidia-uvm", "/dev/nvidia-uvm-tools" # nvidia OpenCl/CUDA
]
for mount in mounts:
if deviceExists(mount):
call.addMount("--dev-bind", mount)
for i in 0..20:
let device = &"/dev/nvidia{i}"
if deviceExists(device):
call.addMount("--dev-bind", device)

5
main.nim
View File

@@ -1,17 +1,14 @@
import lib/sandbox import lib/sandbox
import lib/args import lib/args
import options import options
import random
proc main(): int = proc main(): int =
let args = parseArgs() let args = parseArgs()
echo args
if args.isNone: if args.isNone:
echo "Usage: bwshell --name=sandbox_name --profile=profile <sandbox_cmd>" echo "Usage: bwshell --command=cmd --profile=profile <sandbox_name>"
return 1 return 1
else: else:
randomize()
sandboxExec(args.unsafeGet) sandboxExec(args.unsafeGet)
quit(main()) quit(main())

26
scripts/applications.sh
View File

@@ -1,26 +0,0 @@
#!/bin/bash
if [ $# -ne 1 ]; then
echo "Usage: $0 <target_dir>"
exit 1
fi
check_dir() {
local dir=$1
local file
for application in "$dir/"*; do
file="$(basename "$application")"
sed "s/Exec=/Exec=bwshell --name '$file' --profile gui /gi" "$application" > "$target/$file"
done
}
dirs=("/usr/share/applications" "$HOME/.local/share/applications")
target="$1"
mkdir -p "$target"
for dir in "${dirs[@]}"; do
check_dir "$dir"
done