sanebox: fix uid mapping when bwrap uses the pasta backend
parent
90d428be7f
commit
f158842c70
|
@ -663,10 +663,21 @@ bwrapGetCli() {
|
||||||
# --unshare-uts
|
# --unshare-uts
|
||||||
# --unshare-user (implicit to every non-suid call to bwrap)
|
# --unshare-user (implicit to every non-suid call to bwrap)
|
||||||
locate _bwrap "bwrap" "$BWRAP_FALLBACK"
|
locate _bwrap "bwrap" "$BWRAP_FALLBACK"
|
||||||
|
if [ -n "$bwrapUsePasta" ]; then
|
||||||
|
# pasta drops us into an environment where we're root, but some apps complain if run as root.
|
||||||
|
# TODO: this really belongs on the `pastaonlyGetCli` side.
|
||||||
|
# TODO: i think we need to add `/dev/net/tun` to the namespace for nested pasta calls to work?
|
||||||
|
bwrapFlags+=(
|
||||||
|
# --unshare-user is necessary for --uid to work when called as pseudo root
|
||||||
|
--unshare-user
|
||||||
|
--uid "$UID"
|
||||||
|
--gid "${GROUPS[0]}"
|
||||||
|
)
|
||||||
|
fi
|
||||||
cliArgs=(
|
cliArgs=(
|
||||||
"$_bwrap" "${bwrapUnshareCgroup[@]}" "${bwrapUnshareIpc[@]}"
|
"$_bwrap" "${bwrapUnshareCgroup[@]}" "${bwrapUnshareIpc[@]}"
|
||||||
"${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}"
|
"${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}"
|
||||||
"${bwrapUnshareUser[@]}" "${bwrapUnshareUts[@]}"
|
"${bwrapUnshareUts[@]}"
|
||||||
"${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
|
"${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
|
||||||
"${bwrapFlags[@]}" --
|
"${bwrapFlags[@]}" --
|
||||||
env "${portalEnv[@]}" "${cliArgs[@]}"
|
env "${portalEnv[@]}" "${cliArgs[@]}"
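Review bot: Dropping `"${bwrapUnshareUser[@]}"` from `cliArgs` leaves the non-pasta path with no explicit user-namespace flag, so it now depends entirely on the behaviour the comment above describes as implicit for non-suid bwrap. If the binary resolved by `locate` (including `$BWRAP_FALLBACK`) is ever a setuid build, the sandbox would presumably run without a new user namespace; whether `bwrapUnshareUser` was ever populated is not visible here, so this needs confirming. I would either record the assumption next to the array, e.g. `# no explicit --unshare-user here: relies on bwrap being non-setuid`, or move `--unshare-user` out of the `bwrapUsePasta` branch so it is always passed. Separately, `--gid "${GROUPS[0]}"` relies on bash's ordering of `GROUPS`; `"$(id -g)"` would state the intent directly. `bwrapGetCli` starts and ends outside the hunk.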
|
||||||
|
|