

Don't include user account in the image
Create it at run time, with a matching id, so that D-Bus authentication
should work.
amezin committed Sep 8, 2024
1 parent 85dfab7 commit cc45b67
Showing 7 changed files with 17 additions and 30 deletions.
4 changes: 1 addition & 3 deletions archlinux.dockerfile
Expand Up @@ -19,8 +19,6 @@ COPY data /

RUN systemctl set-default multi-user.target && \
systemctl mask systemd-oomd low-memory-monitor rtkit-daemon udisks2 && \
useradd -m -U -G users,adm gnomeshell && \
truncate --size 0 /etc/machine-id && \
dconf update
truncate --size 0 /etc/machine-id

CMD [ "/sbin/init" ]
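Review bot: `dconf update` is gone from the end of the RUN chain while `COPY data /` still precedes it, so if `data/` still ships `/etc/dconf/db/*.d` or profile sources they are no longer compiled into the image and those defaults would silently not apply at run time. I cannot see the contents of `data/` from here; if nothing under it needs compiling any more this is fine, otherwise keep the step by ending the chain with `truncate --size 0 /etc/machine-id && \` followed by `dconf update`. The same removal appears in the debian, fedora and suse files.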
7 changes: 0 additions & 7 deletions data/etc/dbus-1/session.d/insecure.conf

This file was deleted.

4 changes: 1 addition & 3 deletions debian.dockerfile
Expand Up @@ -24,8 +24,6 @@ COPY data /

RUN systemctl set-default multi-user.target && \
systemctl mask systemd-oomd low-memory-monitor rtkit-daemon udisks2 && \
useradd -m -U -G users,adm gnomeshell && \
truncate --size 0 /etc/machine-id && \
dconf update
truncate --size 0 /etc/machine-id

CMD [ "/sbin/init" ]
4 changes: 1 addition & 3 deletions fedora.dockerfile
Expand Up @@ -24,9 +24,7 @@ COPY data /

RUN systemctl set-default multi-user.target && \
systemctl mask systemd-oomd low-memory-monitor rtkit-daemon udisks2 && \
adduser -m -U -G users,adm gnomeshell && \
chmod u+rw /etc/shadow && \
truncate --size 0 /etc/machine-id && \
dconf update
truncate --size 0 /etc/machine-id

CMD [ "/sbin/init" ]
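Review bot: `chmod u+rw /etc/shadow` is kept while the `adduser` that presumably needed it at build time is removed, and nothing in the file records why the image still loosens the distribution's mode on `/etc/shadow`. If the run-time user creation needs the file writable, say so next to the line, e.g. `# Fedora ships /etc/shadow as mode 0000; keep it writable for the run-time useradd`; if it does not, drop the line so the image keeps the default mode. I am inferring the original purpose from the removed line — confirm against how the account is now created.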
4 changes: 1 addition & 3 deletions suse.dockerfile
Expand Up @@ -25,8 +25,6 @@ COPY data /

RUN systemctl set-default multi-user.target && \
systemctl mask systemd-oomd low-memory-monitor rtkit-daemon udisks2 && \
useradd -m -U -G users gnomeshell && \
truncate --size 0 /etc/machine-id && \
dconf update
truncate --size 0 /etc/machine-id

CMD [ "/sbin/init" ]
10 changes: 6 additions & 4 deletions test/test-wayland.sh
Expand Up @@ -27,10 +27,12 @@ ENV_VARS=(
mkdir -p "${SHARED_DIR}/runtime" "${SHARED_DIR}/config" "${SHARED_DIR}/cache" "${SHARED_DIR}/state"
chmod 0700 "${SHARED_DIR}/runtime" "${SHARED_DIR}/config" "${SHARED_DIR}/cache" "${SHARED_DIR}/state"

UID="$(id -u)"

set -ex

CAPS="SYS_ADMIN,SYS_NICE,SYS_PTRACE,SETPCAP,NET_RAW,NET_BIND_SERVICE,IPC_LOCK"
CID="$(podman create --log-driver=none --tty --cap-add="$CAPS" --security-opt=label=disable --user=0 --userns=keep-id:uid=1000,gid=1000 -v "$SHARED_DIR:$SHARED_DIR" "$1")"
CID="$(podman create --log-driver=none --tty --cap-add="$CAPS" --security-opt=label=disable --user=0 --userns=keep-id -v "$SHARED_DIR:$SHARED_DIR" "$1")"

trap shutdown EXIT

Expand All @@ -39,11 +41,11 @@ podman wait --condition=running "$CID"
podman exec "$CID" busctl --watch-bind=true status
podman exec "$CID" systemctl is-system-running --wait

podman exec --user=1000 "${ENV_VARS[@]/#/--env=}" "$CID" dbus-daemon --session --nopidfile --syslog --fork "--address=unix:path=${SHARED_DIR}/runtime/bus"
podman exec --user=1000 "${ENV_VARS[@]/#/--env=}" "$CID" busctl --user --watch-bind=true status
podman exec "--user=$UID" "${ENV_VARS[@]/#/--env=}" "$CID" dbus-daemon --session --nopidfile --syslog --fork "--address=unix:path=${SHARED_DIR}/runtime/bus"
podman exec "--user=$UID" "${ENV_VARS[@]/#/--env=}" "$CID" busctl --user --watch-bind=true status
env "${ENV_VARS[@]}" dbus-send --session --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.Peer.Ping

podman exec --user=1000 "${ENV_VARS[@]/#/--env=}" "$CID" gnome-shell --wayland --headless --sm-disable --unsafe-mode --virtual-monitor 1600x960 &
podman exec "--user=$UID" "${ENV_VARS[@]/#/--env=}" "$CID" gnome-shell --wayland --headless --sm-disable --unsafe-mode --virtual-monitor 1600x960 &

while ! env "${ENV_VARS[@]}" dbus-send --session --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames | grep '"org.gnome.Shell.Screenshot"'
do
Expand Down
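Review bot: `UID="$(id -u)"` assigns to a variable that bash marks readonly at startup, so the line prints `UID: readonly variable` and the assignment is ignored; the later `--user=$UID` arguments work only because bash's built-in `UID` already holds the real uid that `id -u` returns, and the failure is non-fatal only because the line sits above `set -ex`. The script uses bash arrays, so I assume it runs under bash. Rename the variable, e.g. `host_uid="$(id -u)"`, and use `--user=$host_uid` on the three `podman exec` lines, or drop the assignment and rely on `$UID` directly.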
14 changes: 7 additions & 7 deletions test/test-x11.sh
Expand Up @@ -22,16 +22,17 @@ ENV_VARS=(
"DBUS_SESSION_BUS_ADDRESS=unix:path=${SHARED_DIR}/runtime/bus"
"NO_AT_BRIDGE=1"
"GTK_A11Y=none"
"DISPLAY=:99"
)

mkdir -p "${SHARED_DIR}/runtime" "${SHARED_DIR}/config" "${SHARED_DIR}/cache" "${SHARED_DIR}/state"
chmod 0700 "${SHARED_DIR}/runtime" "${SHARED_DIR}/config" "${SHARED_DIR}/cache" "${SHARED_DIR}/state"

UID="$(id -u)"

set -ex

CAPS="SYS_ADMIN,SYS_NICE,SYS_PTRACE,SETPCAP,NET_RAW,NET_BIND_SERVICE,IPC_LOCK"
CID="$(podman create --log-driver=none --tty --cap-add="$CAPS" --security-opt=label=disable --user=0 --userns=keep-id:uid=1000,gid=1000 -v "$SHARED_DIR:$SHARED_DIR" "$1")"
CID="$(podman create --log-driver=none --tty --cap-add="$CAPS" --security-opt=label=disable --user=0 --userns=keep-id -v "$SHARED_DIR:$SHARED_DIR" "$1")"

trap shutdown EXIT

Expand All @@ -40,17 +41,16 @@ podman wait --condition=running "$CID"
podman exec "$CID" busctl --watch-bind=true status
podman exec "$CID" systemctl is-system-running --wait

podman exec --user=1000 "${ENV_VARS[@]/#/--env=}" "$CID" dbus-daemon --session --nopidfile --syslog --fork "--address=unix:path=${SHARED_DIR}/runtime/bus"
podman exec --user=1000 "${ENV_VARS[@]/#/--env=}" "$CID" busctl --user --watch-bind=true status
podman exec "--user=$UID" "${ENV_VARS[@]/#/--env=}" "$CID" dbus-daemon --session --nopidfile --syslog --fork "--address=unix:path=${SHARED_DIR}/runtime/bus"
podman exec "--user=$UID" "${ENV_VARS[@]/#/--env=}" "$CID" busctl --user --watch-bind=true status
env "${ENV_VARS[@]}" dbus-send --session --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.Peer.Ping

mkfifo "${SHARED_DIR}/display_pipe"
podman exec --user=1000 "${ENV_VARS[@]/#/--env=}" "$CID" bash -c "Xvfb -screen 0 1600x960x24 -nolisten tcp -displayfd 3 :99 3>'${SHARED_DIR}/display_pipe'" &
podman exec "--user=$UID" "${ENV_VARS[@]/#/--env=}" "$CID" bash -c "Xvfb -screen 0 1600x960x24 -nolisten tcp -displayfd 3 3>'${SHARED_DIR}/display_pipe'" &

read -r DISPLAY_NUMBER <"${SHARED_DIR}/display_pipe"
test ":$DISPLAY_NUMBER" = ":99"

podman exec --user=1000 "${ENV_VARS[@]/#/--env=}" "$CID" gnome-shell --x11 --sm-disable --unsafe-mode &
podman exec "--user=$(id -u)" "${ENV_VARS[@]/#/--env=}" "--env=DISPLAY=:$DISPLAY_NUMBER" "$CID" gnome-shell --x11 --sm-disable --unsafe-mode &

while ! env "${ENV_VARS[@]}" dbus-send --session --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames | grep '"org.gnome.Shell.Screenshot"'
do
Expand Down
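Review bot: `UID="$(id -u)"` assigns to a variable that bash marks readonly, so it prints `UID: readonly variable` and is ignored; `--user=$UID` then works only because bash's built-in `UID` already equals the real uid, and the error is non-fatal only because the line precedes `set -ex`. Rename it, e.g. `host_uid="$(id -u)"`, and use the same variable on all four `podman exec` lines — the gnome-shell line currently uses `--user=$(id -u)` while the dbus and Xvfb lines use `$UID`. With the fixed `:99` comparison gone, the value read from `display_pipe` is passed straight into `--env=DISPLAY=:$DISPLAY_NUMBER`; a `read` that hits EOF already fails under `set -e`, but an unexpected non-numeric value would not, so add `[[ "$DISPLAY_NUMBER" =~ ^[0-9]+$ ]] || exit 1` after the `read`.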
