From c8d1fb3344ab21a15020b15da2ba8760bb39fd1f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Mon, 6 Nov 2023 15:43:37 +0100
Subject: [PATCH] WIP: sandbox use bwrap and XWayland
---
 sandbox/sandbox | 22 +++++++++++++++++++++-
 sandbox/sandboxX.sh | 8 ++++++--
 sandbox/seunshare.c | 11 +++++++++++
 3 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index a2762a7d21..22a5c1f63c 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -269,6 +269,11 @@ class Sandbox:
 copyfile(f, homedir, self.__homedir)
 copyfile(f, "/tmp", self.__tmpdir)
 copyfile(f, "/var/tmp", self.__tmpdir)
+ # copyfile(f, "/run/user/1000", self.__runuserdir)
+ # os.system("sudo mount --bind /run/user/1000/wayland-1 " + self.__runuserdir + "/wayland-1")
+ # os.system("sudo mount --bind /run/user/1000/wayland-1 " + self.__runuserdir + "")
+ # print(self.__runuserdir)
+ # os.system("ls "+self.__runuserdir + " /run/user/1000")
 def __setup_sandboxrc(self, wm="/usr/bin/openbox"):
 execfile = self.__homedir + "/.sandboxrc"
@@ -462,7 +467,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
 def __execute(self):
 try:
- cmds = [SEUNSHARE, "-Z", self.__execcon]
+ cmds = [SEUNSHARE, "-v", "-Z", self.__execcon]
 if self.__options.usecaps:
 cmds.append('-C')
 if self.__mount:
@@ -487,6 +492,21 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
 cmds += ["--", SANDBOXSH, self.__options.windowsize, dpi]
 else:
 cmds += ["--"] + self.__paths
+ cmds = """/usr/bin/bwrap
+ --ro-bind / / \
+ --proc /proc \
+ --dev /dev \
+ --unshare-user \
+ --new-session \
+ --bind /home/user/sandbox/tmp /tmp \
+ --bind /tmp/.X11-unix /tmp/.X11-unix \
+ --bind /run/user/1000/wayland-1 /run/user/1000/wayland-1 \
+ """.split() + \
+ ["--exec-label", self.__execcon] + \
+ ["--bind", self.__homedir, "/home/user"] + \
+ ["--", SANDBOXSH, self.__options.windowsize, dpi]
+ print(cmds)
+ return subprocess.Popen(cmds).wait()
 pid = os.fork()
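Review bot: The five lines added after `copyfile(f, "/var/tmp", self.__tmpdir)` are commented-out experiments, and two of them build a `sudo mount --bind ...` shell string by concatenating `self.__runuserdir` into `os.system`. I would delete them before this leaves WIP rather than keep them as a template. If a runtime-directory copy turns out to be needed, call `subprocess` with an argument list so the path is never parsed by a shell, and derive the directory from `os.getuid()` instead of the literal `/run/user/1000`. The enclosing method starts above the hunk.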
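Review bot: `"-v"` is now passed to seunshare on every run in `cmds = [SEUNSHARE, "-v", "-Z", self.__execcon]`, with no option controlling it. The same always-on debugging comes in with `print(cmds)` in the third hunk of this file and with `#!/bin/bash -x`, `ls -a /run/user/1000`, `echo $WAYLAND_DISPLAY` and the `-v -v` given to Xwayland in sandboxX.sh; together they write paths, the SELinux exec context and a shell trace to the user's terminal. Keep `cmds = [SEUNSHARE, "-Z", self.__execcon]` as the default and put the diagnostics behind one debug switch, or drop them before merge. `__execute` continues past the end of the hunk.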
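Review bot: The bwrap command in the last added block exposes a lot of the host to the sandbox: `--ro-bind / /` maps the whole root filesystem read-only, `--bind /tmp/.X11-unix /tmp/.X11-unix` shares the host's X11 socket directory read-write, and only the user namespace is unshared. It also uses the literals `/home/user/sandbox/tmp`, `/home/user` and `/run/user/1000/wayland-1` instead of `self.__tmpdir` and the caller's runtime directory, so it fits one account only and ignores the temp directory populated in the first hunk. Because the assignment sits after the `if`/`else`, it replaces the command of the non-X branch as well, the `return` makes the `os.fork()` path below unreachable, and `dpi` may be undefined on that branch (its definition is outside the hunk). The sketch below builds the argv as a list from the existing attributes and leaves out the host X11 bind, on the assumption that the nested Xwayland can create its socket in the private `/tmp`; `__execute` starts and ends outside the hunk.

```python
# ... unchanged: seunshare argument building and the if/else above ...
# Intended for the X branch only; the plain-command branch should keep running self.__paths.
runtime_dir = os.environ.get("XDG_RUNTIME_DIR") or "/run/user/%d" % os.getuid()
wayland_sock = os.path.join(runtime_dir, os.environ.get("WAYLAND_DISPLAY") or "wayland-0")
cmds = ["/usr/bin/bwrap",
        "--ro-bind", "/", "/",  # still broad: narrow to the paths the session needs
        "--proc", "/proc",
        "--dev", "/dev",
        "--unshare-user", "--unshare-pid", "--unshare-ipc",
        "--die-with-parent",
        "--new-session",
        "--bind", self.__tmpdir, "/tmp",
        "--bind", wayland_sock, wayland_sock,
        "--exec-label", self.__execcon,
        "--bind", self.__homedir, os.path.expanduser("~"),
        "--", SANDBOXSH, self.__options.windowsize, dpi]
return subprocess.Popen(cmds).wait()
```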
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index eaa500d081..a89f419e2c 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -x
 trap "" TERM
 context=`id -Z | secon -t -l -P`
 export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
@@ -20,7 +20,11 @@ cat > ~/.config/openbox/rc.xml << EOF
 EOF
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+ls -a /run/user/1000
+echo $WAYLAND_DISPLAY
+
+# (/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xwayland -v -v -terminate -dpi $DPI -retro -geometry $SCREENSIZE -decorate -displayfd 5 5>&1) | while read D; do
 export DISPLAY=:$D
 cat > ~/seremote << __EOF
 #!/bin/sh
diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
index 1d38ea92b9..cf7f5e3f71 100644
--- a/sandbox/seunshare.c
+++ b/sandbox/seunshare.c
@@ -765,6 +765,7 @@ int main(int argc, char **argv) {
 if (child == 0) {
 char *display = NULL;
+ char *w_display = NULL;
 char *LANG = NULL;
 char *RUNTIME_DIR = NULL;
 int rc = -1;
@@ -823,6 +824,14 @@ int main(int argc, char **argv) {
 }
 }
+ /* construct a new environment */
+ if ((w_display = getenv("WAYLAND_DISPLAY")) != NULL) {
+ if ((w_display = strdup(w_display)) == NULL) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+ }
+
 /* construct a new environment */
 if ((LANG = getenv("LANG")) != NULL) {
 if ((LANG = strdup(LANG)) == NULL) {
@@ -837,6 +846,8 @@ int main(int argc, char **argv) {
 }
 if (display)
 rc |= setenv("DISPLAY", display, 1);
+ if (w_display)
+ rc |= setenv("WAYLAND_DISPLAY", w_display, 1);
 if (LANG)
 rc |= setenv("LANG", LANG, 1);
 if (RUNTIME_DIR)
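Review bot: The new Xwayland command line drops the `-nolisten tcp` that the Xephyr line carried, and `$DPI` and `$SCREENSIZE` stay unquoted although they appear to come from the arguments `sandbox` passes to this script. Recent X servers are built with TCP listening off by default, but the nested server is the display boundary of the sandbox, so I would keep the flag explicit: `(/usr/bin/Xwayland -v -v -terminate -nolisten tcp -dpi "$DPI" -retro -geometry "$SCREENSIZE" -decorate -displayfd 5 5>&1) | while read D; do`. The commented-out Xephyr line above it can go once the switch is settled. The `while` loop body continues past the end of the hunk.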
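Review bot: `WAYLAND_DISPLAY` is copied from the caller's environment and re-exported (in the `setenv` hunk that follows) without any check on its value, and the new block reuses the comment `/* construct a new environment */` that already sits on the LANG block below it. libwayland accepts an absolute path in this variable, so the sandboxed session is pointed at whatever socket path the invoking environment names; if absolute paths need not be supported, accepting only a bare socket name, e.g. `if (strchr(w_display, '/') != NULL) { fprintf(stderr, _("Invalid WAYLAND_DISPLAY\n")); goto childerr; }`, keeps it relative to the sandbox's runtime directory. Give the block its own comment such as `/* preserve WAYLAND_DISPLAY so the nested Xwayland can reach the compositor */`, and if the `childerr` path (outside this hunk) frees `display` and `LANG`, free `w_display` there as well.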