18 changed files with 41 additions and 612 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,2 @@
 .idea
-bwbox
-result
-scripts/applications
+main
--- a/bwbox.nimble
+++ b/bwbox.nimble
@ -1,13 +0,0 @@
-# Package
-
-version       = "1.0.0"
-author        = "mawalu"
-description   = "An experimental sandbox tool for linux apps"
-license       = "MIT"
-srcDir        = "."
-bin           = @["bwbox"]
-
-
-# Dependencies
-
-requires "nim >= 1.6.0"
--- a/configs/box
+++ b/configs/box
@ -1,4 +1 @@
-{
-    "extends": "shell",
-    "mountcwd": true
-}
+{"extends": "shell", "mountcwd": true}
--- a/configs/config.json
+++ b/configs/config.json
@ -0,0 +1,10 @@
+{
+  "mount": [],
+  "romount": ["/etc", "/var", "/usr", "/opt", ".oh-my-zsh", ".zsh", ".zshrc"],
+  "symlinks": [
+    {"src": "usr/lib", "dst": "/lib"},
+    {"src": "usr/lib64", "dst": "/lib64"},
+    {"src": "usr/bin", "dst": "/bin"},
+    {"src": "usr/sbin", "dst": "/sbin"}
+  ]
+}
--- a/configs/dev
+++ b/configs/dev
@ -1,6 +1 @@
-{
-    "extends": "shell",
-    "romount": [".gitconfig", ".gnupg", "/run/user/1000/gnupg", ".ssh/config"],
-    "mountcwd": true,
-    "mount": [".ssh/known_hosts"]
-}
+{"extends": "shell", "romount": [".gitconfig", ".gnupg", "/run/user/1000/gnupg", ".ssh/config"], "mountcwd": true, "mount": [".ssh/known_hosts"]}
--- a/configs/gui
+++ b/configs/gui
@ -1,7 +1 @@
-{
-    "extends": "default",
-    "romount": [".Xauthority", "/tmp/.X11-unix", "/run/user/1000/pulse/native"],
-    "dbus": true,
-    "dbuscall": ["org.freedesktop.Notifications.*=@/org/freedesktop/Notifications", "org.freedesktop.portal.*=*"],
-    "dbusbroadcast": ["org.freedesktop.portal.*=@/org/freedesktop/portal/*"]
-}
+{"extends": "default", "romount": [".Xauthority", "/tmp/.X11-unix", "/run/user/1000/pulse/native"], "dbus": true, "dbuscall": ["org.freedesktop.Notifications.*=@/org/freedesktop/Notifications", "org.freedesktop.portal.*=*"], "dbusbroadcast": ["org.freedesktop.portal.*=@/org/freedesktop/portal/*"]}
--- a/configs/shell
+++ b/configs/shell
@ -1,5 +1 @@
-{
-    "extends": "default",
-    "romount": [".oh-my-zsh", ".zsh", ".zshrc", ".zshrc-local"],
-    "sethostname": true
-}
+{"extends": "default", "romount": [".oh-my-zsh", ".zsh", ".zshrc", ".zshrc-local"], "sethostname": true}
--- a/configs/wayland
+++ b/configs/wayland
@ -1,7 +0,0 @@
-{
-    "extends": "default",
-    "romount": ["/run/user/1000/pulse/native", "/run/user/1000/wayland-1"],
-    "dbus": true,
-    "dbuscall": ["org.freedesktop.Notifications.*=@/org/freedesktop/Notifications", "org.freedesktop.portal.*=*"],
-    "dbusbroadcast": ["org.freedesktop.portal.*=@/org/freedesktop/portal/*"]
-}
--- a/flake.lock
+++ b/flake.lock
@ -1,26 +0,0 @@
-{
-  "nodes": {
-    "nixpkgs": {
-      "locked": {
-        "lastModified": 1720893482,
-        "narHash": "sha256-fGQczQ3JuvqSK3rYsJvvbE7j8BENLp8DqJH1B0uXYKg=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "94c843e8f05bac70e905c48c965ba7be79bde613",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "root": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      }
-    }
-  },
-  "root": "root",
-  "version": 7
-}
--- a/flake.nix
+++ b/flake.nix
@ -1,20 +0,0 @@
-{
-  description = "An experimental sandboxing tool for linux apps";
-
-  inputs.nixpkgs.url = github:NixOS/nixpkgs;
-
-  outputs = { self, nixpkgs }: {
-    packages.x86_64-linux.default =
-      with import nixpkgs { system = "x86_64-linux"; };
-      buildNimPackage {
-        name = "bwbox";
-        src = self;
-        nativeBuildInputs = [pkgs.makeWrapper];
-        postInstall = ''
-          wrapProgram $out/bin/bwbox \
-            --prefix PATH ':' ${pkgs.bubblewrap}/bin \
-            --prefix PATH ':' ${pkgs.xdg-dbus-proxy}/bin
-        '';
-      };
-  };
-}
--- a/lib/args.nim
+++ b/lib/args.nim
@ -5,10 +5,9 @@ type Args* = object
  name*: Option[string]
  cmd*: Option[seq[string]]
  profile*: Option[string]
-  debug*: bool

 proc getCmd*(args: Args): seq[string] =
-  return args.cmd.get(@[getEnv("SHELL", "/bin/sh")])
+  return args.cmd.get(@[getEnv("SHELL", "/bin/bash")])

 proc getProfile*(args: Args): string =
  if args.profile.isSome:
@ -17,33 +16,26 @@ proc getProfile*(args: Args): string =
  return "default"

 proc parseArgs*(): Option[Args] =
-  var args = Args(debug: false)
+  var args = Args()

  var command = newSeq[string]()
-  var parsingSandboxArgs = true
  var i = 1

  while i <= paramCount():
    var arg = paramStr(i)

-    if arg == "--name" and parsingSandboxArgs:
+    if arg == "--name":
      args.name = some(paramStr(i + 1))
      i += 2
-    elif arg == "--profile" and parsingSandboxArgs:
+    elif arg == "--profile":
      args.profile = some(paramStr(i + 1))
      i += 2
-    elif arg == "--debug" and parsingSandboxArgs:
-      args.debug = true
-      i += 1
    else:
-      parsingSandboxArgs = false
+      echo arg
      command.add(arg)
      i += 1

  if command.len > 0:
    args.cmd = some(command)

-  if args.name.isSome or args.cmd.isSome or args.profile.isSome:
-    return some(args)
-  else:
-    return none(Args)
+  return some(args)
--- a/lib/bwrap.nim
+++ b/lib/bwrap.nim
@ -1,9 +1,8 @@
-import os
 import posix
 import sequtils

 type BwrapCall* = object
-  args*: seq[string]
+  args: seq[string]

 proc addArg*(call: var BwrapCall, args: varargs[string]): var BwrapCall {.discardable.}  =
  for arg in args:
@ -15,4 +14,4 @@ proc addMount*(call: var BwrapCall, mType: string, path: string): var BwrapCall
  call

 proc exec*(call: var BwrapCall) =
-  discard execv("/usr/bin/env", allocCStringArray(@["/usr/bin/env", "bwrap"].concat(call.args)))
+  discard execv("/usr/bin/bwrap", allocCStringArray(@["bwrap"].concat(call.args)))
--- a/lib/config.nim
+++ b/lib/config.nim
@ -3,7 +3,6 @@ import options
 import bwrap
 import utils
 import json
-import os

 type Link* = object
  src*: string
@ -24,7 +23,6 @@ type Config* = object
  dbusown*: Option[seq[string]]
  dbuscall*: Option[seq[string]]
  dbusbroadcast*: Option[seq[string]]
-  devmount*: Option[seq[string]]

 proc applyConfig*(call: var BwrapCall, config: Config) =
  for mount in config.mount.get(@[]):
@ -36,14 +34,6 @@ proc applyConfig*(call: var BwrapCall, config: Config) =
  for symlink in config.symlinks.get(@[]):
     call.addArg("--symlink", symlink.src, symlink.dst)

-  for device in config.devmount.get(@[]):
-      call.addArg("--dev-bind", device, device)
-
-  if config.mountcwd.get(false):
-      call
-        .addMount("--bind", getCurrentDir())
-        .addArg("--chdir", getCurrentDir())
-
 proc loadConfig*(path: string): Config =
  return readFile(path)
    .parseJson()
@ -63,7 +53,6 @@ proc extendConfig*(config: var Config): Config {.discardable.} =
  config.mountcwd = some(config.mountcwd.get(eConf.mountcwd.get(false)))
  config.sethostname = some(config.sethostname.get(eConf.sethostname.get(false)))
  config.allowdri = some(config.allowdri.get(eConf.allowdri.get(false)))
-  config.devmount = some(config.devmount.get(eConf.devmount.get(@[])))

  config.dbus = some(config.dbus.get(eConf.dbus.get(false)))
  config.dbussee = some(config.dbussee.get(@[]).concat(eConf.dbussee.get(@[])))
--- a/lib/sandbox.nim
+++ b/lib/sandbox.nim
@ -1,5 +1,4 @@
 import strutils
-import sequtils
 import options
 import config
 import utils
@ -37,15 +36,9 @@ proc sandboxExec*(args: Args) =
  config.extendConfig()

  call
-    .addArg("--new-session")
    .addArg("--dev", "/dev")
    .addMount("--dev-bind", "/dev/random")
    .addMount("--dev-bind", "/dev/urandom")
-    .addMount("--ro-bind", "/sys/block")
-    .addMount("--ro-bind", "/sys/bus")
-    .addMount("--ro-bind", "/sys/class")
-    .addMount("--ro-bind", "/sys/dev")
-    .addMount("--ro-bind", "/sys/devices")
    .addArg("--tmpfs", "/tmp")
    .addArg("--tmpfs", "/dev/shm")
    .addArg("--proc", "/proc")
@ -55,10 +48,6 @@ proc sandboxExec*(args: Args) =
    .addArg("--setenv", "BWSANDBOX", "1")
    .applyConfig(config)

-  if config.sethostname.get(false):
-    call
-      .addArg("--hostname", hostname)
-
  if config.dbus.get(false):
    # todo: handle process and cleanup later
    let proxy = startDBusProxy(config, hostname)
@ -71,11 +60,13 @@ proc sandboxExec*(args: Args) =
  if config.allowdri.get(false):
    enableDri(call)

-  # resolve binary path outside of the sandbox
-  var cmd = args.getCmd
-  cmd[0] = findExe(cmd[0])
+  if config.mountcwd.get(false):
+    call
+      .addMount("--bind", getCurrentDir())
+      .addArg("--chdir", getCurrentDir())

-  echo call.args.join("  ")
-  echo cmd
+  if config.sethostname.get(false):
+    call
+      .addArg("--hostname", hostname)

-  call.addArg(cmd).exec()
+  call.addArg(args.getCmd).exec()
--- a/lib/utils.nim
+++ b/lib/utils.nim
@ -15,19 +15,9 @@ proc checkRelativePath*(p: string): string =
  getHomeDir().joinPath(p)

 proc getProfilePath*(profile: string): string =
-  let pid = getCurrentProcessId()
-
-  for path in [
-    getConfigDir().joinPath(APP_NAME),
-    &"/usr/share/{APP_NAME}",
-    parentDir(expandSymlink(&"/proc/{pid}/exe")).joinPath("configs")
-  ]:
-    let file = path.joinPath(profile)
-
-    if fileExists(file):
-      return file
-
-  raise newException(IOError, "Profile not found")
+  getConfigDir()
+        .joinPath(APP_NAME)
+        .joinPath(profile)

 proc getProfilePath*(args: Args): string =
  getProfilePath(args.getProfile())
@ -41,30 +31,17 @@ proc deviceExists(path: string): bool =
  var res: Stat
  return stat(path, res) >= 0 and S_ISCHR(res.st_mode)

-proc mountDriFolder(call: var BwrapCall, path: string) =
-  for file in walkPattern(&"{path}/*"):
-    if dirExists(file):
-      mountDriFolder(call, file)
-    elif deviceExists(file):
-      call.addMount("--dev-bind", file)
-    #else:
-    #  call.addMount("--ro-bin", file)
-
 # https://github.com/flatpak/flatpak/blob/1bdbb80ac57df437e46fce2cdd63e4ff7704718b/common/flatpak-run.c#L1496
 proc enableDri*(call: var BwrapCall) =
-  const folder = "/dev/dri"
  const mounts = [
-    folder,                                    # general
+    "/dev/dri",                                # general
    "/dev/mali", "/dev/mali0", "/dev/umplock", # mali
    "/dev/nvidiactl", "/dev/nvidia-modeset",   # nvidia
    "/dev/nvidia-uvm", "/dev/nvidia-uvm-tools" # nvidia OpenCl/CUDA
  ]

-  if dirExists(folder):
-    mountDriFolder(call, folder)
-
  for mount in mounts:
-    if deviceExists(mount) or dirExists(mount):
+    if deviceExists(mount):
      call.addMount("--dev-bind", mount)

  for i in 0..20:
--- a/441
+++ b/441
--- a/bwbox.nim
+++ b/bwbox.nim
@ -5,6 +5,7 @@ import random

 proc main(): int =
  let args = parseArgs()
+  echo args

  if args.isNone:
    echo "Usage: bwshell --name=sandbox_name --profile=profile <sandbox_cmd>"
--- a/scripts/applications.sh
+++ b/scripts/applications.sh
@ -1,4 +1,4 @@
-#!/run/current-system/sw/bin/bash
+#!/bin/bash

 if [ $# -ne 1 ]; then
  echo "Usage: $0 <target_dir>"
@ -12,18 +12,15 @@ check_dir() {
  for application in "$dir/"*; do
    file="$(basename "$application")"

-    sed "s/^Exec=/Exec=bwbox --name '$file' --profile wayland /gi" "$application" > "$target/$file"
+    sed "s/Exec=/Exec=bwshell --name '$file' --profile gui /gi" "$application" > "$target/$file"
  done
 }

-dirs=($(echo "$XDG_DATA_DIRS" | tr ':' '\n'))
-dirs+=("$HOME/.local/share")
+dirs=("/usr/share/applications" "$HOME/.local/share/applications")
 target="$1"

 mkdir -p "$target"

 for dir in "${dirs[@]}"; do
-  if [ -d "$dir/applications" ]; then
-    check_dir "$dir/applications"
-  fi
+  check_dir "$dir"
 done