js/Bubblewine
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improve distro compatibility

Browse source
This commit is contained in:
Jonathan Schleifer 2021-08-06 22:56:23 +02:00
parent 0e04e6eda5
commit 72013460fd
No known key found for this signature in database
GPG key ID: 636703577395312F
1 changed files with 35 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

43
bubblewine
View file

@ -36,8 +36,42 @@ if [ ! -d "$HOME/.bubblewine" ]; then
WINEPREFIX="$HOME/.bubblewine" wineserver -k WINEPREFIX="$HOME/.bubblewine" wineserver -k
fi fi
# Rather than pass in all X11 sockets by allowing abstract sockets, only pass
# in the socket actually being used. This increases security when using a
# separate X11 for wine.
#
# WARNING: Running wine on an X11 that has other things open (a terminal, a
# desktop environment, etc.) that allows to start things outside of
# the sandbox is very probably a sandbox escape! The fix is obviously
# to migrate to Wayland and put X11 to its well deserved grave, but
# as an interim solution, a separate X11 can be used.
xsocket="/tmp/.X11-unix/X${DISPLAY#:}" xsocket="/tmp/.X11-unix/X${DISPLAY#:}"
ro_binds=""
# Handle various wrapper scripts around wine that some distros have.
if head -c 1 $(which wine) | grep -F '/bin/sh' >/dev/null 2>&1; then
ro_binds="$ro_binds --ro-bind /bin/sh /bin/sh"
fi
if head -c 1 $(which wine) | grep -F '/bin/bash' >/dev/null 2>&1; then
ro_binds="$ro_binds --ro-bind /bin/bash /bin/bash"
fi
ro_bind_if_exists() {
if [ -e "$1" ]; then
ro_binds="$ro_binds --ro-bind $1 $1"
fi
}
ro_bind_if_exists /usr/bin/wine32
ro_bind_if_exists /usr/bin/wine64
ro_bind_if_exists /usr/bin/wine-preloader
ro_bind_if_exists /usr/bin/wine32-preloader
ro_bind_if_exists /usr/bin/wine64-preloader
ro_bind_if_exists /usr/bin/wineserver32
ro_bind_if_exists /usr/bin/wineserver64
ro_bind_if_exists /usr/lib64
bwrap \ bwrap \
--unshare-user \ --unshare-user \
--unshare-ipc \ --unshare-ipc \
@ -48,17 +82,10 @@ bwrap \
--new-session \ --new-session \
--die-with-parent \ --die-with-parent \
--ro-bind /usr/bin/wine /usr/bin/wine \ --ro-bind /usr/bin/wine /usr/bin/wine \
--ro-bind /usr/bin/wine-preloader /usr/bin/wine-preloader \
--ro-bind /usr/bin/wine32 /usr/bin/wine32 \
--ro-bind /usr/bin/wine32-preloader /usr/bin/wine32-preloader \
--ro-bind /usr/bin/wine64 /usr/bin/wine64 \
--ro-bind /usr/bin/wine64-preloader /usr/bin/wine64-preloader \
--ro-bind /usr/bin/wineserver /usr/bin/wineserver \ --ro-bind /usr/bin/wineserver /usr/bin/wineserver \
--ro-bind /usr/bin/wineserver32 /usr/bin/wineserver32 \
--ro-bind /usr/bin/wineserver64 /usr/bin/wineserver64 \
--ro-bind /usr/lib /usr/lib \ --ro-bind /usr/lib /usr/lib \
--ro-bind /usr/lib64 /usr/lib64 \
--ro-bind /usr/share/wine /usr/share/wine \ --ro-bind /usr/share/wine /usr/share/wine \
$ro_binds \
--symlink usr/lib /lib \ --symlink usr/lib /lib \
--symlink usr/lib64 /lib64 \ --symlink usr/lib64 /lib64 \
--proc /proc \ --proc /proc \