Compare commits
14 Commits
Author | SHA1 | Date |
---|---|---|
Martin | a7763a3b35 | |
Martin | 5f15f42ffb | |
Martin | b48c4d423b | |
Martin | 8ecfa79ccd | |
Martin | 71eb05c09a | |
Martin | 6ca24383f0 | |
Martin | 3a5e5d4870 | |
Martin | 77b4fedee2 | |
Martin | 93d2163ce9 | |
Martin | 1634321bd2 | |
Martin | 0bffb6ad35 | |
Martin | 9a3e36fcb1 | |
Martin | 9cad6fc050 | |
Martin | 354ba05faa |
|
@ -1,2 +1,4 @@
|
||||||
.idea
|
.idea
|
||||||
main
|
bwbox
|
||||||
|
result
|
||||||
|
scripts/applications
|
||||||
|
|
|
@ -1,14 +1,16 @@
|
||||||
import lib/sandbox
|
import lib/sandbox
|
||||||
import lib/args
|
import lib/args
|
||||||
import options
|
import options
|
||||||
|
import random
|
||||||
|
|
||||||
proc main(): int =
|
proc main(): int =
|
||||||
let args = parseArgs()
|
let args = parseArgs()
|
||||||
|
|
||||||
if args.isNone:
|
if args.isNone:
|
||||||
echo "Usage: bwshell --command=cmd --profile=profile <sandbox_name>"
|
echo "Usage: bwshell --name=sandbox_name --profile=profile <sandbox_cmd>"
|
||||||
return 1
|
return 1
|
||||||
else:
|
else:
|
||||||
|
randomize()
|
||||||
sandboxExec(args.unsafeGet)
|
sandboxExec(args.unsafeGet)
|
||||||
|
|
||||||
quit(main())
|
quit(main())
|
|
@ -0,0 +1,13 @@
|
||||||
|
# Package
|
||||||
|
|
||||||
|
version = "1.0.0"
|
||||||
|
author = "mawalu"
|
||||||
|
description = "An experimental sandbox tool for linux apps"
|
||||||
|
license = "MIT"
|
||||||
|
srcDir = "."
|
||||||
|
bin = @["bwbox"]
|
||||||
|
|
||||||
|
|
||||||
|
# Dependencies
|
||||||
|
|
||||||
|
requires "nim >= 1.6.0"
|
|
@ -0,0 +1,4 @@
|
||||||
|
{
|
||||||
|
"extends": "shell",
|
||||||
|
"mountcwd": true
|
||||||
|
}
|
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"mount": [],
|
"mount": [],
|
||||||
"romount": ["/etc", "/var", "/usr", "/opt", ".oh-my-zsh", ".zsh", ".zshrc"],
|
"romount": ["/etc", "/var", "/usr", "/opt"],
|
||||||
"symlinks": [
|
"symlinks": [
|
||||||
{"src": "usr/lib", "dst": "/lib"},
|
{"src": "usr/lib", "dst": "/lib"},
|
||||||
{"src": "usr/lib64", "dst": "/lib64"},
|
{"src": "usr/lib64", "dst": "/lib64"},
|
|
@ -0,0 +1,6 @@
|
||||||
|
{
|
||||||
|
"extends": "shell",
|
||||||
|
"romount": [".gitconfig", ".gnupg", "/run/user/1000/gnupg", ".ssh/config"],
|
||||||
|
"mountcwd": true,
|
||||||
|
"mount": [".ssh/known_hosts"]
|
||||||
|
}
|
|
@ -0,0 +1,7 @@
|
||||||
|
{
|
||||||
|
"extends": "default",
|
||||||
|
"romount": [".Xauthority", "/tmp/.X11-unix", "/run/user/1000/pulse/native"],
|
||||||
|
"dbus": true,
|
||||||
|
"dbuscall": ["org.freedesktop.Notifications.*=@/org/freedesktop/Notifications", "org.freedesktop.portal.*=*"],
|
||||||
|
"dbusbroadcast": ["org.freedesktop.portal.*=@/org/freedesktop/portal/*"]
|
||||||
|
}
|
|
@ -0,0 +1,5 @@
|
||||||
|
{
|
||||||
|
"extends": "default",
|
||||||
|
"romount": [".oh-my-zsh", ".zsh", ".zshrc", ".zshrc-local"],
|
||||||
|
"sethostname": true
|
||||||
|
}
|
|
@ -0,0 +1,7 @@
|
||||||
|
{
|
||||||
|
"extends": "default",
|
||||||
|
"romount": ["/run/user/1000/pulse/native", "/run/user/1000/wayland-1"],
|
||||||
|
"dbus": true,
|
||||||
|
"dbuscall": ["org.freedesktop.Notifications.*=@/org/freedesktop/Notifications", "org.freedesktop.portal.*=*"],
|
||||||
|
"dbusbroadcast": ["org.freedesktop.portal.*=@/org/freedesktop/portal/*"]
|
||||||
|
}
|
|
@ -0,0 +1,26 @@
|
||||||
|
{
|
||||||
|
"nodes": {
|
||||||
|
"nixpkgs": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1720893482,
|
||||||
|
"narHash": "sha256-fGQczQ3JuvqSK3rYsJvvbE7j8BENLp8DqJH1B0uXYKg=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "94c843e8f05bac70e905c48c965ba7be79bde613",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"root": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": "nixpkgs"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"root": "root",
|
||||||
|
"version": 7
|
||||||
|
}
|
|
@ -0,0 +1,20 @@
|
||||||
|
{
|
||||||
|
description = "An experimental sandboxing tool for linux apps";
|
||||||
|
|
||||||
|
inputs.nixpkgs.url = github:NixOS/nixpkgs;
|
||||||
|
|
||||||
|
outputs = { self, nixpkgs }: {
|
||||||
|
packages.x86_64-linux.default =
|
||||||
|
with import nixpkgs { system = "x86_64-linux"; };
|
||||||
|
buildNimPackage {
|
||||||
|
name = "bwbox";
|
||||||
|
src = self;
|
||||||
|
nativeBuildInputs = [pkgs.makeWrapper];
|
||||||
|
postInstall = ''
|
||||||
|
wrapProgram $out/bin/bwbox \
|
||||||
|
--prefix PATH ':' ${pkgs.bubblewrap}/bin \
|
||||||
|
--prefix PATH ':' ${pkgs.xdg-dbus-proxy}/bin
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
58
lib/args.nim
58
lib/args.nim
|
@ -1,14 +1,14 @@
|
||||||
import parseopt
|
|
||||||
import options
|
import options
|
||||||
import os
|
import os
|
||||||
|
|
||||||
type Args* = object
|
type Args* = object
|
||||||
name*: Option[string]
|
name*: Option[string]
|
||||||
cmd*: Option[string]
|
cmd*: Option[seq[string]]
|
||||||
profile*: Option[string]
|
profile*: Option[string]
|
||||||
|
debug*: bool
|
||||||
|
|
||||||
proc getCmd*(args: Args): string =
|
proc getCmd*(args: Args): seq[string] =
|
||||||
return args.cmd.get(getEnv("SHELL", "/bin/bash"))
|
return args.cmd.get(@[getEnv("SHELL", "/bin/sh")])
|
||||||
|
|
||||||
proc getProfile*(args: Args): string =
|
proc getProfile*(args: Args): string =
|
||||||
if args.profile.isSome:
|
if args.profile.isSome:
|
||||||
|
@ -16,30 +16,34 @@ proc getProfile*(args: Args): string =
|
||||||
|
|
||||||
return "default"
|
return "default"
|
||||||
|
|
||||||
proc parseOpt(args: var Args, key: string, value: string): bool =
|
|
||||||
case key
|
|
||||||
of "command", "c":
|
|
||||||
args.cmd = some(value)
|
|
||||||
of "profile", "p":
|
|
||||||
args.profile = some(value)
|
|
||||||
else:
|
|
||||||
return false
|
|
||||||
|
|
||||||
return true
|
|
||||||
|
|
||||||
proc parseArgs*(): Option[Args] =
|
proc parseArgs*(): Option[Args] =
|
||||||
var p = initOptParser()
|
var args = Args(debug: false)
|
||||||
var args = Args()
|
|
||||||
|
|
||||||
while true:
|
var command = newSeq[string]()
|
||||||
p.next()
|
var parsingSandboxArgs = true
|
||||||
case p.kind
|
var i = 1
|
||||||
of cmdEnd: break
|
|
||||||
of cmdShortOption, cmdLongOption:
|
|
||||||
if p.val == "" or args.parseOpt(p.key, p.val) == false:
|
|
||||||
echo "Invalid argument ", p.val
|
|
||||||
return
|
|
||||||
of cmdArgument:
|
|
||||||
args.name = some(p.key.string)
|
|
||||||
|
|
||||||
|
while i <= paramCount():
|
||||||
|
var arg = paramStr(i)
|
||||||
|
|
||||||
|
if arg == "--name" and parsingSandboxArgs:
|
||||||
|
args.name = some(paramStr(i + 1))
|
||||||
|
i += 2
|
||||||
|
elif arg == "--profile" and parsingSandboxArgs:
|
||||||
|
args.profile = some(paramStr(i + 1))
|
||||||
|
i += 2
|
||||||
|
elif arg == "--debug" and parsingSandboxArgs:
|
||||||
|
args.debug = true
|
||||||
|
i += 1
|
||||||
|
else:
|
||||||
|
parsingSandboxArgs = false
|
||||||
|
command.add(arg)
|
||||||
|
i += 1
|
||||||
|
|
||||||
|
if command.len > 0:
|
||||||
|
args.cmd = some(command)
|
||||||
|
|
||||||
|
if args.name.isSome or args.cmd.isSome or args.profile.isSome:
|
||||||
return some(args)
|
return some(args)
|
||||||
|
else:
|
||||||
|
return none(Args)
|
||||||
|
|
|
@ -1,8 +1,9 @@
|
||||||
|
import os
|
||||||
import posix
|
import posix
|
||||||
import sequtils
|
import sequtils
|
||||||
|
|
||||||
type BwrapCall* = object
|
type BwrapCall* = object
|
||||||
args: seq[string]
|
args*: seq[string]
|
||||||
|
|
||||||
proc addArg*(call: var BwrapCall, args: varargs[string]): var BwrapCall {.discardable.} =
|
proc addArg*(call: var BwrapCall, args: varargs[string]): var BwrapCall {.discardable.} =
|
||||||
for arg in args:
|
for arg in args:
|
||||||
|
@ -14,4 +15,4 @@ proc addMount*(call: var BwrapCall, mType: string, path: string): var BwrapCall
|
||||||
call
|
call
|
||||||
|
|
||||||
proc exec*(call: var BwrapCall) =
|
proc exec*(call: var BwrapCall) =
|
||||||
discard execv("/usr/bin/bwrap", allocCStringArray(@["bwrap"].concat(call.args)))
|
discard execv("/usr/bin/env", allocCStringArray(@["/usr/bin/env", "bwrap"].concat(call.args)))
|
||||||
|
|
|
@ -3,6 +3,7 @@ import options
|
||||||
import bwrap
|
import bwrap
|
||||||
import utils
|
import utils
|
||||||
import json
|
import json
|
||||||
|
import os
|
||||||
|
|
||||||
type Link* = object
|
type Link* = object
|
||||||
src*: string
|
src*: string
|
||||||
|
@ -16,6 +17,14 @@ type Config* = object
|
||||||
mountcwd*: Option[bool]
|
mountcwd*: Option[bool]
|
||||||
privileged*: Option[bool]
|
privileged*: Option[bool]
|
||||||
sethostname*: Option[bool]
|
sethostname*: Option[bool]
|
||||||
|
allowdri*: Option[bool]
|
||||||
|
dbus*: Option[bool]
|
||||||
|
dbussee*: Option[seq[string]]
|
||||||
|
dbustalk*: Option[seq[string]]
|
||||||
|
dbusown*: Option[seq[string]]
|
||||||
|
dbuscall*: Option[seq[string]]
|
||||||
|
dbusbroadcast*: Option[seq[string]]
|
||||||
|
devmount*: Option[seq[string]]
|
||||||
|
|
||||||
proc applyConfig*(call: var BwrapCall, config: Config) =
|
proc applyConfig*(call: var BwrapCall, config: Config) =
|
||||||
for mount in config.mount.get(@[]):
|
for mount in config.mount.get(@[]):
|
||||||
|
@ -27,6 +36,14 @@ proc applyConfig*(call: var BwrapCall, config: Config) =
|
||||||
for symlink in config.symlinks.get(@[]):
|
for symlink in config.symlinks.get(@[]):
|
||||||
call.addArg("--symlink", symlink.src, symlink.dst)
|
call.addArg("--symlink", symlink.src, symlink.dst)
|
||||||
|
|
||||||
|
for device in config.devmount.get(@[]):
|
||||||
|
call.addArg("--dev-bind", device, device)
|
||||||
|
|
||||||
|
if config.mountcwd.get(false):
|
||||||
|
call
|
||||||
|
.addMount("--bind", getCurrentDir())
|
||||||
|
.addArg("--chdir", getCurrentDir())
|
||||||
|
|
||||||
proc loadConfig*(path: string): Config =
|
proc loadConfig*(path: string): Config =
|
||||||
return readFile(path)
|
return readFile(path)
|
||||||
.parseJson()
|
.parseJson()
|
||||||
|
@ -39,10 +56,20 @@ proc extendConfig*(config: var Config): Config {.discardable.} =
|
||||||
var eConf = loadConfig(getProfilePath(config.extends.unsafeGet))
|
var eConf = loadConfig(getProfilePath(config.extends.unsafeGet))
|
||||||
eConf.extendConfig()
|
eConf.extendConfig()
|
||||||
|
|
||||||
|
# todo: replace using macro / templates
|
||||||
config.mount = some(config.mount.get(@[]).concat(eConf.mount.get(@[])))
|
config.mount = some(config.mount.get(@[]).concat(eConf.mount.get(@[])))
|
||||||
config.romount = some(config.romount.get(@[]).concat(eConf.romount.get(@[])))
|
config.romount = some(config.romount.get(@[]).concat(eConf.romount.get(@[])))
|
||||||
config.symlinks = some(config.symlinks.get(@[]).concat(eConf.symlinks.get(@[])))
|
config.symlinks = some(config.symlinks.get(@[]).concat(eConf.symlinks.get(@[])))
|
||||||
config.mountcwd = some(config.mountcwd.get(eConf.mountcwd.get(false)))
|
config.mountcwd = some(config.mountcwd.get(eConf.mountcwd.get(false)))
|
||||||
config.sethostname = some(config.sethostname.get(eConf.sethostname.get(false)))
|
config.sethostname = some(config.sethostname.get(eConf.sethostname.get(false)))
|
||||||
|
config.allowdri = some(config.allowdri.get(eConf.allowdri.get(false)))
|
||||||
|
config.devmount = some(config.devmount.get(eConf.devmount.get(@[])))
|
||||||
|
|
||||||
|
config.dbus = some(config.dbus.get(eConf.dbus.get(false)))
|
||||||
|
config.dbussee = some(config.dbussee.get(@[]).concat(eConf.dbussee.get(@[])))
|
||||||
|
config.dbustalk = some(config.dbustalk.get(@[]).concat(eConf.dbustalk.get(@[])))
|
||||||
|
config.dbusown = some(config.dbusown.get(@[]).concat(eConf.dbusown.get(@[])))
|
||||||
|
config.dbuscall = some(config.dbuscall.get(@[]).concat(eConf.dbuscall.get(@[])))
|
||||||
|
config.dbusbroadcast = some(config.dbusbroadcast.get(@[]).concat(eConf.dbusbroadcast.get(@[])))
|
||||||
|
|
||||||
return config
|
return config
|
||||||
|
|
|
@ -0,0 +1,54 @@
|
||||||
|
import strformat
|
||||||
|
import options
|
||||||
|
import config
|
||||||
|
import osproc
|
||||||
|
import random
|
||||||
|
import os
|
||||||
|
|
||||||
|
type DbusProxy* = object
|
||||||
|
process*: Process
|
||||||
|
socket*: string
|
||||||
|
args: seq[string]
|
||||||
|
|
||||||
|
proc exec*(proxy: DbusProxy): Process =
|
||||||
|
# todo: start dbus proxy in bwrap
|
||||||
|
# todo: pass arguments as fd
|
||||||
|
startProcess("xdg-dbus-proxy", args = proxy.args,
|
||||||
|
options = {poEchoCmd, poParentStreams, poUsePath})
|
||||||
|
|
||||||
|
proc startDBusProxy*(config: Config, hostname: string): DbusProxy =
|
||||||
|
let busPath = getEnv("DBUS_SESSION_BUS_ADDRESS")
|
||||||
|
let runtimeDir = getEnv("XDG_RUNTIME_DIR")
|
||||||
|
|
||||||
|
if busPath == "" or runtimeDir == "":
|
||||||
|
raise newException(IOError, "DBUS_SESSION_BUS_ADDRESS and XDG_RUNTIME_DIR are required")
|
||||||
|
|
||||||
|
let id = rand(1000)
|
||||||
|
let filterName = &"dbus-proxy-{hostname}-{id}"
|
||||||
|
|
||||||
|
var proxy = DbusProxy()
|
||||||
|
proxy.socket = &"{runtimeDir}/{filterName}"
|
||||||
|
|
||||||
|
proxy.args.add(busPath)
|
||||||
|
proxy.args.add(proxy.socket)
|
||||||
|
|
||||||
|
for name in config.dbussee.get(@[]):
|
||||||
|
proxy.args.add(&"--see={name}")
|
||||||
|
|
||||||
|
for name in config.dbustalk.get(@[]):
|
||||||
|
proxy.args.add(&"--talk={name}")
|
||||||
|
|
||||||
|
for name in config.dbuscall.get(@[]):
|
||||||
|
proxy.args.add(&"--call={name}")
|
||||||
|
|
||||||
|
for name in config.dbusown.get(@[]):
|
||||||
|
proxy.args.add(&"--own={name}")
|
||||||
|
|
||||||
|
for name in config.dbusbroadcast.get(@[]):
|
||||||
|
proxy.args.add(&"--broadcast={name}")
|
||||||
|
|
||||||
|
proxy.args.add("--filter")
|
||||||
|
proxy.args.add("--log")
|
||||||
|
proxy.process = proxy.exec()
|
||||||
|
|
||||||
|
proxy
|
|
@ -1,16 +1,19 @@
|
||||||
import os
|
import strutils
|
||||||
import args
|
import sequtils
|
||||||
import json
|
import options
|
||||||
|
import config
|
||||||
import utils
|
import utils
|
||||||
import bwrap
|
import bwrap
|
||||||
import config
|
import args
|
||||||
import options
|
import json
|
||||||
|
import dbus
|
||||||
|
import os
|
||||||
|
|
||||||
proc sandboxExec*(args: Args) =
|
proc sandboxExec*(args: Args) =
|
||||||
var call = BwrapCall()
|
var call = BwrapCall()
|
||||||
var configPath = none(string)
|
var configPath = none(string)
|
||||||
|
|
||||||
let hostname = args.name.get(getProfile(argst ))
|
let hostname = args.name.get(getProfile(args))
|
||||||
|
|
||||||
if args.name.isSome:
|
if args.name.isSome:
|
||||||
let name = args.name.unsafeGet
|
let name = args.name.unsafeGet
|
||||||
|
@ -18,7 +21,6 @@ proc sandboxExec*(args: Args) =
|
||||||
let sandboxFiles = sandboxPath.joinPath("files")
|
let sandboxFiles = sandboxPath.joinPath("files")
|
||||||
let userConfig = sandboxPath.joinPath("config.json")
|
let userConfig = sandboxPath.joinPath("config.json")
|
||||||
|
|
||||||
|
|
||||||
createDir(sandboxFiles)
|
createDir(sandboxFiles)
|
||||||
call.addArg("--bind", sandboxFiles, getHomeDir())
|
call.addArg("--bind", sandboxFiles, getHomeDir())
|
||||||
|
|
||||||
|
@ -35,10 +37,17 @@ proc sandboxExec*(args: Args) =
|
||||||
config.extendConfig()
|
config.extendConfig()
|
||||||
|
|
||||||
call
|
call
|
||||||
.addMount("--dev-bind", "/dev/null")
|
.addArg("--new-session")
|
||||||
|
.addArg("--dev", "/dev")
|
||||||
.addMount("--dev-bind", "/dev/random")
|
.addMount("--dev-bind", "/dev/random")
|
||||||
.addMount("--dev-bind", "/dev/urandom")
|
.addMount("--dev-bind", "/dev/urandom")
|
||||||
|
.addMount("--ro-bind", "/sys/block")
|
||||||
|
.addMount("--ro-bind", "/sys/bus")
|
||||||
|
.addMount("--ro-bind", "/sys/class")
|
||||||
|
.addMount("--ro-bind", "/sys/dev")
|
||||||
|
.addMount("--ro-bind", "/sys/devices")
|
||||||
.addArg("--tmpfs", "/tmp")
|
.addArg("--tmpfs", "/tmp")
|
||||||
|
.addArg("--tmpfs", "/dev/shm")
|
||||||
.addArg("--proc", "/proc")
|
.addArg("--proc", "/proc")
|
||||||
.addArg("--unshare-all")
|
.addArg("--unshare-all")
|
||||||
.addArg("--share-net")
|
.addArg("--share-net")
|
||||||
|
@ -46,13 +55,27 @@ proc sandboxExec*(args: Args) =
|
||||||
.addArg("--setenv", "BWSANDBOX", "1")
|
.addArg("--setenv", "BWSANDBOX", "1")
|
||||||
.applyConfig(config)
|
.applyConfig(config)
|
||||||
|
|
||||||
if config.mountcwd.get(false):
|
|
||||||
call
|
|
||||||
.addMount("--bind", getCurrentDir())
|
|
||||||
.addArg("--chdir", getCurrentDir())
|
|
||||||
|
|
||||||
if config.sethostname.get(false):
|
if config.sethostname.get(false):
|
||||||
call
|
call
|
||||||
.addArg("--hostname", hostname)
|
.addArg("--hostname", hostname)
|
||||||
|
|
||||||
call.addArg(args.getCmd).exec()
|
if config.dbus.get(false):
|
||||||
|
# todo: handle process and cleanup later
|
||||||
|
let proxy = startDBusProxy(config, hostname)
|
||||||
|
call.addArg("--ro-bind", proxy.socket,
|
||||||
|
getEnv("DBUS_SESSION_BUS_ADDRESS").split('=')[1])
|
||||||
|
|
||||||
|
# todo: use fd signaling instead of this
|
||||||
|
sleep(100)
|
||||||
|
|
||||||
|
if config.allowdri.get(false):
|
||||||
|
enableDri(call)
|
||||||
|
|
||||||
|
# resolve binary path outside of the sandbox
|
||||||
|
var cmd = args.getCmd
|
||||||
|
cmd[0] = findExe(cmd[0])
|
||||||
|
|
||||||
|
echo call.args.join(" ")
|
||||||
|
echo cmd
|
||||||
|
|
||||||
|
call.addArg(cmd).exec()
|
||||||
|
|
|
@ -1,5 +1,8 @@
|
||||||
import os
|
import strformat
|
||||||
|
import posix
|
||||||
|
import bwrap
|
||||||
import args
|
import args
|
||||||
|
import os
|
||||||
|
|
||||||
const APP_NAME = "bwsandbox"
|
const APP_NAME = "bwsandbox"
|
||||||
|
|
||||||
|
@ -12,9 +15,19 @@ proc checkRelativePath*(p: string): string =
|
||||||
getHomeDir().joinPath(p)
|
getHomeDir().joinPath(p)
|
||||||
|
|
||||||
proc getProfilePath*(profile: string): string =
|
proc getProfilePath*(profile: string): string =
|
||||||
getConfigDir()
|
let pid = getCurrentProcessId()
|
||||||
.joinPath(APP_NAME)
|
|
||||||
.joinPath(profile)
|
for path in [
|
||||||
|
getConfigDir().joinPath(APP_NAME),
|
||||||
|
&"/usr/share/{APP_NAME}",
|
||||||
|
parentDir(expandSymlink(&"/proc/{pid}/exe")).joinPath("configs")
|
||||||
|
]:
|
||||||
|
let file = path.joinPath(profile)
|
||||||
|
|
||||||
|
if fileExists(file):
|
||||||
|
return file
|
||||||
|
|
||||||
|
raise newException(IOError, "Profile not found")
|
||||||
|
|
||||||
proc getProfilePath*(args: Args): string =
|
proc getProfilePath*(args: Args): string =
|
||||||
getProfilePath(args.getProfile())
|
getProfilePath(args.getProfile())
|
||||||
|
@ -23,3 +36,39 @@ proc getSandboxPath*(name: string): string =
|
||||||
getDataDir()
|
getDataDir()
|
||||||
.joinPath(APP_NAME)
|
.joinPath(APP_NAME)
|
||||||
.joinPath(name)
|
.joinPath(name)
|
||||||
|
|
||||||
|
proc deviceExists(path: string): bool =
|
||||||
|
var res: Stat
|
||||||
|
return stat(path, res) >= 0 and S_ISCHR(res.st_mode)
|
||||||
|
|
||||||
|
proc mountDriFolder(call: var BwrapCall, path: string) =
|
||||||
|
for file in walkPattern(&"{path}/*"):
|
||||||
|
if dirExists(file):
|
||||||
|
mountDriFolder(call, file)
|
||||||
|
elif deviceExists(file):
|
||||||
|
call.addMount("--dev-bind", file)
|
||||||
|
#else:
|
||||||
|
# call.addMount("--ro-bin", file)
|
||||||
|
|
||||||
|
# https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496
|
||||||
|
proc enableDri*(call: var BwrapCall) =
|
||||||
|
const folder = "/dev/dri"
|
||||||
|
const mounts = [
|
||||||
|
folder, # general
|
||||||
|
"/dev/mali", "/dev/mali0", "/dev/umplock", # mali
|
||||||
|
"/dev/nvidiactl", "/dev/nvidia-modeset", # nvidia
|
||||||
|
"/dev/nvidia-uvm", "/dev/nvidia-uvm-tools" # nvidia OpenCl/CUDA
|
||||||
|
]
|
||||||
|
|
||||||
|
if dirExists(folder):
|
||||||
|
mountDriFolder(call, folder)
|
||||||
|
|
||||||
|
for mount in mounts:
|
||||||
|
if deviceExists(mount) or dirExists(mount):
|
||||||
|
call.addMount("--dev-bind", mount)
|
||||||
|
|
||||||
|
for i in 0..20:
|
||||||
|
let device = &"/dev/nvidia{i}"
|
||||||
|
|
||||||
|
if deviceExists(device):
|
||||||
|
call.addMount("--dev-bind", device)
|
|
@ -0,0 +1,29 @@
|
||||||
|
#!/run/current-system/sw/bin/bash
|
||||||
|
|
||||||
|
if [ $# -ne 1 ]; then
|
||||||
|
echo "Usage: $0 <target_dir>"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
check_dir() {
|
||||||
|
local dir=$1
|
||||||
|
local file
|
||||||
|
|
||||||
|
for application in "$dir/"*; do
|
||||||
|
file="$(basename "$application")"
|
||||||
|
|
||||||
|
sed "s/^Exec=/Exec=bwbox --name '$file' --profile wayland /gi" "$application" > "$target/$file"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
dirs=($(echo "$XDG_DATA_DIRS" | tr ':' '\n'))
|
||||||
|
dirs+=("$HOME/.local/share")
|
||||||
|
target="$1"
|
||||||
|
|
||||||
|
mkdir -p "$target"
|
||||||
|
|
||||||
|
for dir in "${dirs[@]}"; do
|
||||||
|
if [ -d "$dir/applications" ]; then
|
||||||
|
check_dir "$dir/applications"
|
||||||
|
fi
|
||||||
|
done
|
Loading…
Reference in New Issue