commit 90f10a847769c260ff9a958987eb14b644c532cf
parent c283592168779a83c277df226356bcf70c74a79b
Author: ccx <ccx@te2000.cz>
Date: Wed, 27 Mar 2024 20:30:59 +0000
Give gpg container access to /dev/bus/usb
Diffstat:
4 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/sbin/ns_run_mount_dev b/sbin/ns_run_mount_dev
@@ -26,6 +26,7 @@ if {
${1}/block
${1}/bus
+ ${1}/bus/usb
${1}/char
${1}/dri
${1}/input
diff --git a/service_scripts/generic/run b/service_scripts/generic/run
@@ -7,14 +7,14 @@ multisubstitute {
importas -i -u CONTAINER_USER CONTAINER_USER
}
backtick -in CONTAINER_USER_HOME { homeof $CONTAINER_USER }
-backtick -D "true" PREPARE_RUN { if { test -x data/run.prepare } realpath data/run.prepare }
-backtick -D "exec" PID1_EXEC { if { test -x data/exec.pid1 } realpath data/exec.pid1 }
+backtick -D "true" PREPARE_CHROOT { if { test -x data/prepare_chroot } realpath data/run.prepare }
+backtick -D "exec" PID1_EXEC { if { test -x data/pid1_exec } realpath data/exec.pid1 }
multisubstitute {
importas -i -u CONTAINER_USER_HOME CONTAINER_USER_HOME
define CONTAINER_TMPFS /run/containers/${CONTAINER_NAME}.${CONTAINER_USER}
define -s tmpfs_dirs "home run tmp run/inbox run/shm tmp/.X11-unix"
importas -D ns -s -C -u CONTAINER_MNT_DIRS CONTAINER_MNT_DIRS
- importas -i -u PREPARE_RUN PREPARE_RUN
+ importas -i -u PREPARE_CHROOT PREPARE_CHROOT
importas -i -u PID1_EXEC PID1_EXEC
}
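Review bot: The rename at L23/L24 is only half done: each `backtick` tests the new file name but then resolves the old one — `test -x data/prepare_chroot` is followed by `realpath data/run.prepare`, and `test -x data/pid1_exec` by `realpath data/exec.pid1`. Once the old files are gone, `realpath` fails, and if `backtick -D` substitutes its default on a failing child (as the `"true"`/`"exec"` defaults suggest), PREPARE_CHROOT silently becomes `true` and the gpg container's USB bind mount never happens, with no error logged. The two lines should read `backtick -D "true" PREPARE_CHROOT { if { test -x data/prepare_chroot } realpath data/prepare_chroot }` and `backtick -D "exec" PID1_EXEC { if { test -x data/pid1_exec } realpath data/pid1_exec }`. Since PREPARE_CHROOT is run before pivot_root with mount privileges, it would also be worth a comment on L23 that `data/prepare_chroot` must not be writable by the container user, e.g. `# runs privileged pre-pivot: keep data/prepare_chroot owned by the service owner, not CONTAINER_USER`.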
@@ -62,7 +62,7 @@ ns_run_unshared data/root {
# pre pivot-root commands
if { mount -o bind,ro /etc/passwd ./etc/passwd }
if { mount -o bind,ro /etc/group ./etc/group }
- $PREPARE_RUN
+ $PREPARE_CHROOT
}
# This runs with changed / so use absolute paths before dropping privs
diff --git a/zsh-functions/confz_containers_init b/zsh-functions/confz_containers_init
@@ -59,6 +59,22 @@ confz_container_service_check() {
require fs_r filename=$vars[svc_dir]/data/fstab
fi
+ if (($+vars[prepare_chroot])); then
+ require fs_contentnl filename=$vars[svc_dir]/data/prepare_chroot \
+ content=$vars[prepare_chroot]
+ require fs_m filename=$vars[svc_dir]/data/fstab mode=755
+ else
+ require fs_r filename=$vars[svc_dir]/data/fstab
+ fi
+
+ if (($+vars[pid1_exec])); then
+ require fs_contentnl filename=$vars[svc_dir]/data/pid1_exec \
+ content=$vars[pid1_exec]
+ require fs_m filename=$vars[svc_dir]/data/fstab mode=755
+ else
+ require fs_r filename=$vars[svc_dir]/data/fstab
+ fi
+
require fs_d filename=$vars[svc_dir]/env
if [[ -n $vars[fstab_post] ]]; then
require fs_contentnl filename=$vars[svc_dir]/env/NS_FSTAB \
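Review bot: The two new blocks at L46-L60 look copy-pasted from the fstab block above and still act on the wrong file: `fs_m … mode=755` on L49/L57 chmods `data/fstab` rather than the script just written, and the `else` branches on L51/L59 apply `fs_r` to `data/fstab` instead of `data/prepare_chroot` / `data/pid1_exec`. As written, `data/prepare_chroot` is never made executable, so the `test -x` in the service run script would fail and the USB mount would be skipped; and if `fs_r` removes the file (as its use for fstab on L44 suggests), every container without `prepare_chroot` or `pid1_exec` would lose its fstab. The enclosing `confz_container_service_check` starts before this hunk. The corrected blocks are below; because the prepare_chroot script is executed pre-pivot with mount privileges, consider also asserting its owner so the container user cannot edit it.
```zsh
if (($+vars[prepare_chroot])); then
  require fs_contentnl filename=$vars[svc_dir]/data/prepare_chroot \
    content=$vars[prepare_chroot]
  require fs_m filename=$vars[svc_dir]/data/prepare_chroot mode=755
else
  require fs_r filename=$vars[svc_dir]/data/prepare_chroot
fi

if (($+vars[pid1_exec])); then
  require fs_contentnl filename=$vars[svc_dir]/data/pid1_exec \
    content=$vars[pid1_exec]
  require fs_m filename=$vars[svc_dir]/data/pid1_exec mode=755
else
  require fs_r filename=$vars[svc_dir]/data/pid1_exec
fi
# … unchanged: env dir and NS_FSTAB handling …
```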
diff --git a/zsh-functions/confz_site_containers_init b/zsh-functions/confz_site_containers_init
@@ -84,6 +84,12 @@ confz_site_containers_user_check() {
display_number=$display image_name=alpine-xsession \
:containers_dir :svscan_dir :user
done
+
+ local -a mount_usb_devices=(
+ "#!$(which execlineb) -P"
+ 'mount -o bind,ro /dev/bus/usb dev/bus/usb'
+ )
+
local -A container_img=(
{,}alpine-browsers
{,}pentoo
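Review bot: The `ro` in `mount -o bind,ro /dev/bus/usb dev/bus/usb` on L73 is not an access restriction on the devices: a read-only mount refuses writes only to regular files, directories and symlinks, while character device nodes on it can still be opened read-write and driven through usbfs ioctls, so `ro` merely stops the container from creating or chmodding entries under `dev/bus/usb`. The bind also exposes every USB device on the host to the gpg container, not only the token or reader it presumably needs; narrowing the bind to the specific device node, or pairing it with a devices-cgroup rule, would be the least-privilege form. A comment above the mount line should record this, e.g. `# ro only prevents node creation/chmod; device I/O via ioctl is still allowed`. Note too that the relative target `dev/bus/usb` relies on the cwd being the new root when prepare_chroot runs and on that directory existing, which the ns_run_mount_dev change in this commit appears to provide.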
@@ -96,7 +102,7 @@ confz_site_containers_user_check() {
{,alpine-}tor
{,alpine-}ssh
{,alpine-}socials
- {,alpine-}gpg
+ gpg $'alpine-gpg\0prepare_chroot='"${(F)mount_usb_devices}"
{,void-}signal
{,void-}telegram
recombee-browser void-browsers