#!/bin/sh
#
#  Copyright (c) 2021 Jonathan Schleifer <js@nil.im>
#
#  https://github.com/Midar/bubblewine
#
#  Permission to use, copy, modify, and/or distribute this software for any
#  purpose with or without fee is hereby granted, provided that the above
#  copyright notice and this permission notice is present in all copies.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
#  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
#  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
#  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
#  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
#  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
#  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#  POSSIBILITY OF SUCH DAMAGE.
#

set -eu

if ! type bwrap >/dev/null 2>&1; then
	echo "You don't have bubblewrap installed." 1>&2
	echo "Please install bubblewrap." 1>&2
	exit 1
fi

# Create the wine prefix outside the sandbox. For some reason, it hangs when
# creating it inside the sandbox.
if [ ! -d "$HOME/.bubblewine" ]; then
	WINEPREFIX="$HOME/.bubblewine" wineboot
	WINEPREFIX="$HOME/.bubblewine" wineserver -k
fi

# Rather than pass in all X11 sockets by allowing abstract sockets, only pass
# in the socket actually being used. This increases security when using a
# separate X11 for wine.
#
# WARNING: Running wine on an X11 that has other things open (a terminal, a
#          desktop environment, etc.) that allows to start things outside of
#          the sandbox is very probably a sandbox escape! The fix is obviously
#          to migrate to Wayland and put X11 to its well deserved grave, but
#          as an interim solution, a separate X11 can be used.
xsocket="/tmp/.X11-unix/X${DISPLAY#:}"

ro_binds=""

# Handle various wrapper scripts around wine that some distros have.
if head -1 $(which wine) | grep -F '/bin/sh' >/dev/null 2>&1; then
	ro_binds="$ro_binds --ro-bind /bin/sh /bin/sh"
fi
if head -1 $(which wine) | grep -F '/bin/bash' >/dev/null 2>&1; then
	ro_binds="$ro_binds --ro-bind /bin/bash /bin/bash"
fi

ro_bind_if_exists() {
	if [ -e "$1" ]; then
		ro_binds="$ro_binds --ro-bind $1 $1"
	fi
}

ro_bind_if_exists /usr/bin/wine32
ro_bind_if_exists /usr/bin/wine64
ro_bind_if_exists /usr/bin/wine-preloader
ro_bind_if_exists /usr/bin/wine32-preloader
ro_bind_if_exists /usr/bin/wine64-preloader
ro_bind_if_exists /usr/bin/wineserver32
ro_bind_if_exists /usr/bin/wineserver64
ro_bind_if_exists /usr/lib64

bwrap									\
	--unshare-user							\
	--unshare-ipc							\
	--unshare-pid							\
	--unshare-net							\
	--unshare-uts							\
	--unshare-cgroup						\
	--new-session							\
	--die-with-parent						\
	--ro-bind /usr/bin/wine /usr/bin/wine				\
	--ro-bind /usr/bin/wineserver /usr/bin/wineserver		\
	--ro-bind /usr/lib /usr/lib					\
	--ro-bind /usr/share/wine /usr/share/wine			\
	$ro_binds							\
	--symlink usr/lib /lib						\
	--symlink usr/lib64 /lib64					\
	--proc /proc							\
	--tmpfs /tmp							\
	--bind "$HOME/.bubblewine" /wineprefix				\
	--bind "$xsocket" "$xsocket"					\
	--setenv WINEPREFIX /wineprefix					\
	wine "$@"