From f158842c702f1cf665737d8a06f8a41f08e82232 Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Sun, 26 May 2024 13:03:50 +0000
Subject: [PATCH] sanebox: fix uid mapping when bwrap uses the pasta backend

---
 pkgs/additional/sanebox/sanebox | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/pkgs/additional/sanebox/sanebox b/pkgs/additional/sanebox/sanebox
index 439eedba..2c416094 100755
--- a/pkgs/additional/sanebox/sanebox
+++ b/pkgs/additional/sanebox/sanebox
@@ -663,10 +663,21 @@ bwrapGetCli() {
   # --unshare-uts
   # --unshare-user (implicit to every non-suid call to bwrap)
   locate _bwrap "bwrap" "$BWRAP_FALLBACK"
+  if [ -n "$bwrapUsePasta" ]; then
+    # pasta drops us into an environment where we're root, but some apps complain if run as root.
+    # TODO: this really belongs on the `pastaonlyGetCli` side.
+    # TODO: i think we need to add `/dev/net/tun` to the namespace for nested pasta calls to work?
+    bwrapFlags+=(
+      # --unshare-user is necessary for --uid to work when called as pseudo root
+      --unshare-user
+      --uid "$UID"
+      --gid "${GROUPS[0]}"
+    )
+  fi
   cliArgs=(
     "$_bwrap" "${bwrapUnshareCgroup[@]}" "${bwrapUnshareIpc[@]}"
       "${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}"
-      "${bwrapUnshareUser[@]}" "${bwrapUnshareUts[@]}"
+      "${bwrapUnshareUts[@]}"
       "${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
       "${bwrapFlags[@]}" --
     env "${portalEnv[@]}" "${cliArgs[@]}"