sanebox: fix uid mapping when bwrap uses the pasta backend

2024-05-26 13:03:50 +00:00 · 2024-05-26 13:03:50 +00:00 · f158842c70
commit f158842c70
parent 90d428be7f
1 changed files with 12 additions and 1 deletions
--- a/pkgs/additional/sanebox/sanebox
+++ b/pkgs/additional/sanebox/sanebox
@ -663,10 +663,21 @@ bwrapGetCli() {
  # --unshare-uts
  # --unshare-user (implicit to every non-suid call to bwrap)
  locate _bwrap "bwrap" "$BWRAP_FALLBACK"
+  if [ -n "$bwrapUsePasta" ]; then
+    # pasta drops us into an environment where we're root, but some apps complain if run as root.
+    # TODO: this really belongs on the `pastaonlyGetCli` side.
+    # TODO: i think we need to add `/dev/net/tun` to the namespace for nested pasta calls to work?
+    bwrapFlags+=(
+      # --unshare-user is necessary for --uid to work when called as pseudo root
+      --unshare-user
+      --uid "$UID"
+      --gid "${GROUPS[0]}"
+    )
+  fi
  cliArgs=(
    "$_bwrap" "${bwrapUnshareCgroup[@]}" "${bwrapUnshareIpc[@]}"
      "${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}"
-      "${bwrapUnshareUser[@]}" "${bwrapUnshareUts[@]}"
+      "${bwrapUnshareUts[@]}"
      "${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
      "${bwrapFlags[@]}" --
    env "${portalEnv[@]}" "${cliArgs[@]}"