Fix help output

configs/box

@@ -0,0 +1 @@
+{"extends": "shell", "mountcwd": true}

configs/default

@@ -1,6 +1,6 @@
 {
   "mount": [],
-  "romount": ["/etc", "/var", "/usr", "/opt", ".oh-my-zsh", ".zsh", ".zshrc"],
+  "romount": ["/etc", "/var", "/usr", "/opt"],
   "symlinks": [
     {"src": "usr/lib", "dst": "/lib"},
     {"src": "usr/lib64", "dst": "/lib64"},

configs/dev

@@ -0,0 +1 @@
+{"extends": "shell", "romount": [".gitconfig", ".gnupg", "/run/user/1000/gnupg", ".ssh/config"], "mountcwd": true, "mount": [".ssh/known_hosts"]}

configs/gui

@@ -0,0 +1 @@
+{"extends": "default", "romount": [".Xauthority", "/tmp/.X11-unix", "/run/user/1000/pulse/native"], "dbus": true, "dbuscall": ["org.freedesktop.Notifications.*=@/org/freedesktop/Notifications", "org.freedesktop.portal.*=*"], "dbusbroadcast": ["org.freedesktop.portal.*=@/org/freedesktop/portal/*"]}

configs/shell

@@ -0,0 +1 @@
+{"extends": "default", "romount": [".oh-my-zsh", ".zsh", ".zshrc", ".zshrc-local"], "sethostname": true}

lib/args.nim

@@ -1,14 +1,13 @@
-import parseopt
 import options
 import os
 
 type Args* = object
   name*: Option[string]
-  cmd*: Option[string]
+  cmd*: Option[seq[string]]
   profile*: Option[string]
 
-proc getCmd*(args: Args): string =
+proc getCmd*(args: Args): seq[string] =
-  return args.cmd.get(getEnv("SHELL", "/bin/bash"))
+  return args.cmd.get(@[getEnv("SHELL", "/bin/bash")])
 
 proc getProfile*(args: Args): string =
   if args.profile.isSome:
@@ -16,30 +15,30 @@ proc getProfile*(args: Args): string =
 
   return "default"
 
-proc parseOpt(args: var Args, key: string, value: string): bool =
-  case key
-  of "command", "c":
-    args.cmd = some(value)
-  of "profile", "p":
-    args.profile = some(value)
-  else:
-    return false
-
-  return true
-
 proc parseArgs*(): Option[Args] =
-  var p = initOptParser()
   var args = Args()
 
-  while true:
+  var command = newSeq[string]()
-    p.next()
+  var i = 1
-    case p.kind
-    of cmdEnd: break
-    of cmdShortOption, cmdLongOption:
-      if p.val == "" or args.parseOpt(p.key, p.val) == false:
-        echo "Invalid argument ", p.val
-        return
-    of cmdArgument:
-      args.name = some(p.key.string)
 
+  while i <= paramCount():
+    var arg = paramStr(i)
+
+    if arg == "--name":
+      args.name = some(paramStr(i + 1))
+      i += 2
+    elif arg == "--profile":
+      args.profile = some(paramStr(i + 1))
+      i += 2
+    else:
+      echo arg
+      command.add(arg)
+      i += 1
+
+  if command.len > 0:
+    args.cmd = some(command)
+
+  if args.name.isSome or args.cmd.isSome or args.profile.isSome:
     return some(args)
+  else:
+    return none(Args)

lib/config.nim

@@ -16,6 +16,13 @@ type Config* = object
   mountcwd*: Option[bool]
   privileged*: Option[bool]
   sethostname*: Option[bool]
+  allowdri*: Option[bool]
+  dbus*: Option[bool]
+  dbussee*: Option[seq[string]]
+  dbustalk*: Option[seq[string]]
+  dbusown*: Option[seq[string]]
+  dbuscall*: Option[seq[string]]
+  dbusbroadcast*: Option[seq[string]]
 
 proc applyConfig*(call: var BwrapCall, config: Config) =
   for mount in config.mount.get(@[]):
@@ -39,10 +46,19 @@ proc extendConfig*(config: var Config): Config {.discardable.} =
   var eConf = loadConfig(getProfilePath(config.extends.unsafeGet))
   eConf.extendConfig()
 
+  # todo: replace using macro / templates
   config.mount = some(config.mount.get(@[]).concat(eConf.mount.get(@[])))
   config.romount = some(config.romount.get(@[]).concat(eConf.romount.get(@[])))
   config.symlinks = some(config.symlinks.get(@[]).concat(eConf.symlinks.get(@[])))
   config.mountcwd = some(config.mountcwd.get(eConf.mountcwd.get(false)))
   config.sethostname = some(config.sethostname.get(eConf.sethostname.get(false)))
+  config.allowdri = some(config.allowdri.get(eConf.allowdri.get(false)))
+
+  config.dbus = some(config.dbus.get(eConf.dbus.get(false)))
+  config.dbussee = some(config.dbussee.get(@[]).concat(eConf.dbussee.get(@[])))
+  config.dbustalk = some(config.dbustalk.get(@[]).concat(eConf.dbustalk.get(@[])))
+  config.dbusown = some(config.dbusown.get(@[]).concat(eConf.dbusown.get(@[])))
+  config.dbuscall = some(config.dbuscall.get(@[]).concat(eConf.dbuscall.get(@[])))
+  config.dbusbroadcast = some(config.dbusbroadcast.get(@[]).concat(eConf.dbusbroadcast.get(@[])))
 
   return config

lib/dbus.nim

@@ -0,0 +1,54 @@
+import strformat
+import options
+import config
+import osproc
+import random
+import os
+
+type DbusProxy* = object
+  process*: Process
+  socket*: string
+  args: seq[string]
+
+proc exec*(proxy: DbusProxy): Process =
+  # todo: start dbus proxy in bwrap
+  # todo: pass arguments as fd
+  startProcess("xdg-dbus-proxy", args = proxy.args,
+    options = {poEchoCmd, poParentStreams, poUsePath})
+
+proc startDBusProxy*(config: Config, hostname: string): DbusProxy =
+  let busPath = getEnv("DBUS_SESSION_BUS_ADDRESS")
+  let runtimeDir = getEnv("XDG_RUNTIME_DIR")
+
+  if busPath == "" or runtimeDir == "":
+    raise newException(IOError, "DBUS_SESSION_BUS_ADDRESS and XDG_RUNTIME_DIR are required")
+
+  let id = rand(1000)
+  let filterName = &"dbus-proxy-{hostname}-{id}"
+
+  var proxy = DbusProxy()
+  proxy.socket = &"{runtimeDir}/{filterName}"
+
+  proxy.args.add(busPath)
+  proxy.args.add(proxy.socket)
+
+  for name in config.dbussee.get(@[]):
+    proxy.args.add(&"--see={name}")
+
+  for name in config.dbustalk.get(@[]):
+    proxy.args.add(&"--talk={name}")
+
+  for name in config.dbuscall.get(@[]):
+    proxy.args.add(&"--call={name}")
+
+  for name in config.dbusown.get(@[]):
+    proxy.args.add(&"--own={name}")
+
+  for name in config.dbusbroadcast.get(@[]):
+    proxy.args.add(&"--broadcast={name}")
+
+  proxy.args.add("--filter")
+  proxy.args.add("--log")
+  proxy.process = proxy.exec()
+
+  proxy

lib/sandbox.nim

@@ -1,16 +1,18 @@
-import os
+import strutils
-import args
+import options
-import json
+import config
 import utils
 import bwrap
-import config
+import args
-import options
+import json
+import dbus
+import os
 
 proc sandboxExec*(args: Args) =
   var call = BwrapCall()
   var configPath = none(string)
 
-  let hostname = args.name.get(getProfile(argst ))
+  let hostname = args.name.get(getProfile(args))
 
   if args.name.isSome:
     let name = args.name.unsafeGet
@@ -18,7 +20,6 @@ proc sandboxExec*(args: Args) =
     let sandboxFiles = sandboxPath.joinPath("files")
     let userConfig = sandboxPath.joinPath("config.json")
 
-
     createDir(sandboxFiles)
     call.addArg("--bind", sandboxFiles, getHomeDir())
 
@@ -35,10 +36,11 @@ proc sandboxExec*(args: Args) =
   config.extendConfig()
 
   call
-    .addMount("--dev-bind", "/dev/null")
+    .addArg("--dev", "/dev")
     .addMount("--dev-bind", "/dev/random")
     .addMount("--dev-bind", "/dev/urandom")
     .addArg("--tmpfs", "/tmp")
+    .addArg("--tmpfs", "/dev/shm")
     .addArg("--proc", "/proc")
     .addArg("--unshare-all")
     .addArg("--share-net")
@@ -46,6 +48,18 @@ proc sandboxExec*(args: Args) =
     .addArg("--setenv", "BWSANDBOX", "1")
     .applyConfig(config)
 
+  if config.dbus.get(false):
+    # todo: handle process and cleanup later
+    let proxy = startDBusProxy(config, hostname)
+    call.addArg("--ro-bind", proxy.socket,
+      getEnv("DBUS_SESSION_BUS_ADDRESS").split('=')[1])
+
+    # todo: use fd signaling instead of this
+    sleep(100)
+
+  if config.allowdri.get(false):
+    enableDri(call)
+
   if config.mountcwd.get(false):
     call
       .addMount("--bind", getCurrentDir())

lib/utils.nim

@@ -1,5 +1,8 @@
-import os
+import strformat
+import posix
+import bwrap
 import args
+import os
 
 const APP_NAME = "bwsandbox"
 
@@ -12,9 +15,19 @@ proc checkRelativePath*(p: string): string =
   getHomeDir().joinPath(p)
 
 proc getProfilePath*(profile: string): string =
-  getConfigDir()
+  let pid = getCurrentProcessId()
-        .joinPath(APP_NAME)
+
-        .joinPath(profile)
+  for path in [
+    getConfigDir().joinPath(APP_NAME),
+    &"/usr/share/{APP_NAME}",
+    parentDir(expandSymlink(&"/proc/{pid}/exe")).joinPath("configs")
+  ]:
+    let file = path.joinPath(profile)
+
+    if fileExists(file):
+      return file
+
+  raise newException(IOError, "Profile not found")
 
 proc getProfilePath*(args: Args): string =
   getProfilePath(args.getProfile())
@@ -23,3 +36,26 @@ proc getSandboxPath*(name: string): string =
   getDataDir()
     .joinPath(APP_NAME)
     .joinPath(name)
+
+proc deviceExists(path: string): bool =
+  var res: Stat
+  return stat(path, res) >= 0 and S_ISCHR(res.st_mode)
+
+# https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496
+proc enableDri*(call: var BwrapCall) =
+  const mounts = [
+    "/dev/dri",                                # general
+    "/dev/mali", "/dev/mali0", "/dev/umplock", # mali
+    "/dev/nvidiactl", "/dev/nvidia-modeset",   # nvidia
+    "/dev/nvidia-uvm", "/dev/nvidia-uvm-tools" # nvidia OpenCl/CUDA
+  ]
+
+  for mount in mounts:
+    if deviceExists(mount):
+      call.addMount("--dev-bind", mount)
+
+  for i in 0..20:
+    let device = &"/dev/nvidia{i}"
+
+    if deviceExists(device):
+      call.addMount("--dev-bind", device)

main.nim

@@ -1,14 +1,16 @@
 import lib/sandbox
 import lib/args
 import options
+import random
 
 proc main(): int =
   let args = parseArgs()
 
   if args.isNone:
-    echo "Usage: bwshell --command=cmd --profile=profile <sandbox_name>"
+    echo "Usage: bwshell --name=sandbox_name --profile=profile <sandbox_cmd>"
     return 1
   else:
+    randomize()
     sandboxExec(args.unsafeGet)
 
 quit(main())

scripts/applications.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+if [ $# -ne 1 ]; then
+  echo "Usage: $0 <target_dir>"
+  exit 1
+fi
+
+check_dir() {
+  local dir=$1
+  local file
+
+  for application in "$dir/"*; do
+    file="$(basename "$application")"
+
+    sed "s/Exec=/Exec=bwshell --name '$file' --profile gui /gi" "$application" > "$target/$file"
+  done
+}
+
+dirs=("/usr/share/applications" "$HOME/.local/share/applications")
+target="$1"
+
+mkdir -p "$target"
+
+for dir in "${dirs[@]}"; do
+  check_dir "$dir"
+done