96 lines
3.4 KiB
Bash
Executable file
96 lines
3.4 KiB
Bash
Executable file
#!/bin/sh
|
|
#
|
|
# Copyright (c) 2021 Jonathan Schleifer <js@nil.im>
|
|
#
|
|
# https://github.com/Midar/bubblewine
|
|
#
|
|
# Permission to use, copy, modify, and/or distribute this software for any
|
|
# purpose with or without fee is hereby granted, provided that the above
|
|
# copyright notice and this permission notice is present in all copies.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
|
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
# POSSIBILITY OF SUCH DAMAGE.
|
|
#
|
|
|
|
set -eu
|
|
|
|
if ! type bwrap >/dev/null 2>&1; then
|
|
echo "You don't have bubblewrap installed." 1>&2
|
|
echo "Please install bubblewrap." 1>&2
|
|
exit 1
|
|
fi
|
|
|
|
# Create the wine prefix outside the sandbox. For some reason, it hangs when
|
|
# creating it inside the sandbox.
|
|
if [ ! -d "$HOME/.bubblewine" ]; then
|
|
WINEPREFIX="$HOME/.bubblewine" wineboot
|
|
WINEPREFIX="$HOME/.bubblewine" wineserver -k
|
|
fi
|
|
|
|
# Rather than pass in all X11 sockets by allowing abstract sockets, only pass
|
|
# in the socket actually being used. This increases security when using a
|
|
# separate X11 for wine.
|
|
#
|
|
# WARNING: Running wine on an X11 that has other things open (a terminal, a
|
|
# desktop environment, etc.) that allows to start things outside of
|
|
# the sandbox is very probably a sandbox escape! The fix is obviously
|
|
# to migrate to Wayland and put X11 to its well deserved grave, but
|
|
# as an interim solution, a separate X11 can be used.
|
|
xsocket="/tmp/.X11-unix/X${DISPLAY#:}"
|
|
|
|
ro_binds=""
|
|
|
|
# Handle various wrapper scripts around wine that some distros have.
|
|
if head -c 1 $(which wine) | grep -F '/bin/sh' >/dev/null 2>&1; then
|
|
ro_binds="$ro_binds --ro-bind /bin/sh /bin/sh"
|
|
fi
|
|
if head -c 1 $(which wine) | grep -F '/bin/bash' >/dev/null 2>&1; then
|
|
ro_binds="$ro_binds --ro-bind /bin/bash /bin/bash"
|
|
fi
|
|
|
|
ro_bind_if_exists() {
|
|
if [ -e "$1" ]; then
|
|
ro_binds="$ro_binds --ro-bind $1 $1"
|
|
fi
|
|
}
|
|
|
|
ro_bind_if_exists /usr/bin/wine32
|
|
ro_bind_if_exists /usr/bin/wine64
|
|
ro_bind_if_exists /usr/bin/wine-preloader
|
|
ro_bind_if_exists /usr/bin/wine32-preloader
|
|
ro_bind_if_exists /usr/bin/wine64-preloader
|
|
ro_bind_if_exists /usr/bin/wineserver32
|
|
ro_bind_if_exists /usr/bin/wineserver64
|
|
ro_bind_if_exists /usr/lib64
|
|
|
|
bwrap \
|
|
--unshare-user \
|
|
--unshare-ipc \
|
|
--unshare-pid \
|
|
--unshare-net \
|
|
--unshare-uts \
|
|
--unshare-cgroup \
|
|
--new-session \
|
|
--die-with-parent \
|
|
--ro-bind /usr/bin/wine /usr/bin/wine \
|
|
--ro-bind /usr/bin/wineserver /usr/bin/wineserver \
|
|
--ro-bind /usr/lib /usr/lib \
|
|
--ro-bind /usr/share/wine /usr/share/wine \
|
|
$ro_binds \
|
|
--symlink usr/lib /lib \
|
|
--symlink usr/lib64 /lib64 \
|
|
--proc /proc \
|
|
--tmpfs /tmp \
|
|
--bind "$HOME/.bubblewine" /wineprefix \
|
|
--bind "$xsocket" "$xsocket" \
|
|
--setenv WINEPREFIX /wineprefix \
|
|
wine "$@"
|