Merge pull request #2 from Kraftland/XAuth

Use system XAuthority
Kraftland · Nov 20, 2024 · 3d835d9 · 3d835d9
2 parents 22f8f12 + 30c05e7
commit 3d835d9
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,10 @@
 # Portable
 A sandboxing framework, originally designed for WeChat. Still in heavy development.
 
+![Example](https://raw.githubusercontent.com/Kraftland/portable/refs/heads/master/example.webp)
+
+---
+
 # File installment
 
 ## Portable
@@ -27,7 +31,7 @@ install -Dm755 config /usr/lib/portable/info/appID/config
 
 ## Runtime
 
-Environment variables are read from stateDirectory/portable.env
+Environment variables are read from `XDG_DATA_HOME/stateDirectory/portable.env`
 
 Start portable with environment variable `_portalConfig`, which is pointed to the actual config.
 

diff --git a/config b/config
@@ -1,13 +1,16 @@
 #!/usr/bin/bash
 
 # This is your Application ID, avoid conflict
-appID=""
+appID="top.kimiblock.example"
 
 # This is a friendly name of an application. It should only contain ASCII characters and not spaces.
-friendlyName=""
+friendlyName="Portable_Test"
 
 # This is the state directory of your application, which is located under "XDG_DATA_HOME"
-stateDirectory=""
+stateDirectory="Portable_Test_Data"
 
 # This is the target executable to launch
-launchTarget=""
+launchTarget="gtk3-demo"
+
+# Takes boolean value. When enabled, do not process XAuth files and enable X access. Generally this should be always on.
+waylandOnly="false"
diff --git a/example.webp b/example.webp
diff --git a/portable.sh b/portable.sh
@@ -38,17 +38,25 @@ function manageDirs() {
 	createWrapIfNotExist "${XDG_DATA_HOME}"/${stateDirectory}
 }
 
-function detectXauth() {
-	if [ ! ${XAUTHORITY} ]; then
-		echo '[Warn] No ${XAUTHORITY} detected! Do you have any X server running?'
-		export XAUTHORITYpath="/$(uuidgen)/$(uuidgen)"
-		xhost +localhost
-	else
-		export XAUTHORITYpath="${XAUTHORITY}"
-	fi
-	if [[ ! ${DISPLAY} ]]; then
-		echo '[Warn] No ${DISPLAY} detected! Do you have any X server running?'
+function genXAuth() {
+	if [[ ${waylandOnly} = "true" ]]; then
+		touch "${XDG_DATA_HOME}/${stateDirectory}/.XAuthority"
+		return $?
 	fi
+	echo "[Info] Processing X Server security restriction..."
+	#authHash="$(xxd -p -l 16 /dev/urandom)"
+	rm "${XDG_DATA_HOME}/${stateDirectory}/.XAuthority"
+	touch "${XDG_DATA_HOME}/${stateDirectory}/.XAuthority"
+	xauth -f \
+		"${XDG_DATA_HOME}/${stateDirectory}/.XAuthority" \
+		add $(xauth list :0)
+	#xauth -f \
+	#	"${XDG_DATA_HOME}/${stateDirectory}/.XAuthority" \
+	#	add \
+	#	"${DISPLAY}" \
+	#	. \
+	#	"${authHash}"
+	#xauth merge "${XDG_DATA_HOME}/${stateDirectory}/.XAuthority"
 }
 
 function createWrapIfNotExist() {
@@ -111,11 +119,6 @@ function execApp() {
 	fi
 	cameraDect
 	importEnv
-	if [ ${XDG_SESSION_TYPE} = wayland ]; then
-		echo "[Info] Skipping Xhost operation"
-	else
-		xhost +localhost #Unlock the XServer for X11 users
-	fi
 	mkdir -p "${XDG_DATA_HOME}"/"${stateDirectory}"/.config
 	echo "GTK_IM_MODULE is ${GTK_IM_MODULE}"
 	echo "QT_IM_MODULE is ${QT_IM_MODULE}"
@@ -195,6 +198,8 @@ function execApp() {
 	-p BindReadOnlyPaths=-/run/systemd/resolve/stub-resolv.conf \
 	-p BindReadOnlyPaths=/usr/lib/portable/flatpak-info:"${XDG_RUNTIME_DIR}/.flatpak-info" \
 	-p Environment=PATH=/sandbox:"${PATH}" \
+	-p Environment=XAUTHORITY="${HOME}/.XAuthority" \
+	-p Environment=DISPLAY="${DISPLAY}" \
 	-- \
 	bwrap \
 		--tmpfs /tmp \
@@ -210,9 +215,9 @@ function execApp() {
 		--ro-bind /sys/dev/char /sys/dev/char \
 		--ro-bind /sys/devices /sys/devices \
 		--dir /sandbox \
-		--ro-bind /usr/lib/flatpak-xdg-utils/xdg-open \
+		--ro-bind /usr/lib/portable/open \
 			/sandbox/chromium \
-		--ro-bind /usr/lib/flatpak-xdg-utils/xdg-open \
+		--ro-bind /usr/lib/portable/open \
 			/sandbox/firefox \
 		--ro-bind /usr/lib/portable/mimeapps.list \
 			"${XDG_DATA_HOME}/${stateDirectory}/.config/mimeapps.list" \
@@ -229,7 +234,6 @@ function execApp() {
 			"${XDG_RUNTIME_DIR}/pulse" \
 		--bind "${XDG_DATA_HOME}/${stateDirectory}" "${HOME}" \
 		--ro-bind-try "${XDG_DATA_HOME}"/icons "${XDG_DATA_HOME}"/icons \
-		--ro-bind-try "${XAUTHORITYpath}" "${XAUTHORITYpath}" \
 		--ro-bind-try "${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}" \
 				"${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}" \
 		--ro-bind-try "${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}.lock" \
@@ -443,7 +447,7 @@ function openDataDir() {
 }
 
 function launch() {
-	detectXauth
+	genXAuth
 	inputMethod
 	moeDect
 	if [[ $(systemctl --user is-failed ${unitName}.service) = failed ]]; then