--xephyr: disable -glamor #196
mviereck committed Nov 21, 2019
1 parent 6b6dd20 commit 7bd06d2
Showing 1 changed file with 3 additions and 190 deletions.
193 changes: 3 additions & 190 deletions x11docker
Expand Up @@ -2806,8 +2806,9 @@ startup-animation=fade
--xephyr)
command -v Xephyr >/dev/null && {
Xserveroptions="$Xserveroptions \\
-glamor \\
-noxv"
# Xserveroptions="$Xserveroptions \\
# -glamor" # disabled because of lagginess reported in #196
case $Fullscreen in
yes)
Xserveroptions="$Xserveroptions \\
Expand Down Expand Up @@ -4333,7 +4334,7 @@ create_containerrootrc() { ### create containerrootrc: This script runs as
echo ""

echo "# Check container user"
echo "Containeruser=\"\$(storeinfo dump containeruser)\""
echo "Containeruser=\"\$(storeinfo dump containeruser)\"" # reading root access
echo ""
case $Createcontaineruser in
yes)
Expand Down Expand Up @@ -7966,194 +7967,6 @@ ${2:-}" ; shift ;; # Add custo

return 0
}
check_options_restricted() {
# experimental code. not in use yet.
local Allow
eval set -- "$@"
while { [ $# -gt 0 ] && [ -z "$Imagename" ] ;}; do
Allow=no
case "${1:-}" in
--help) Allow=yes ;;
--license|--licence) Allow=yes ;;
--version) Allow=yes ;;
--wmlist) Allow=yes ;;

-e|--exe) Allow=yes ;;
--xonly) Allow=yes ;;

#### Choice of X servers and Wayland compositors
--auto) Allow=yes ;; ### CHECK --hostdisplay or --xorg
-h|--hostdisplay) Allow=yes ;; ### CHECK access to user space
-H|--hostwayland) Allow=yes ;;
-K|--kwin) Allow=yes ;;
--kwin-xwayland) Allow=yes ;;
-n|--nxagent) Allow=yes ;;
-t|--tty) Allow=yes ;;
-T|--weston) Allow=yes ;;
-Y|--weston-xwayland) Allow=yes ;;
--xdummy) Allow=yes ;;
-y|--xephyr) Allow=yes ;;
-a|--xpra) Allow=yes ;;
-A|--xpra-xwayland) Allow=yes ;;
-x|--xorg) Allow=yes ;; ### CHECK system abuse possible?
--xvfb) Allow=yes ;;
-X|--xwayland) Allow=yes ;;
--xwin) Allow=yes ;;

#### Influencing automatical choice of X server or Wayland compositor
-d|--desktop) Allow=yes ;;
-g|--gpu) Allow=yes ;; ### LEVEL
-W|--wayland) Allow=yes ;;
--wm) Allow=yes ;; ### CHECK

#### X and Wayland appearance
--border) Allow=yes ;;
--dpi) Allow=yes ;;
-f|--fullscreen) Allow=yes ;;
--output-count) Allow=yes ;;
--rotate) Allow=yes ;;
--scale) Allow=yes ;;
--size) Allow=yes ;;
-F|--xfishtank) Allow=yes ;;

#### X and Wayland configuration
--display) Allow=yes ;;
--keymap) Allow=yes ;;
--vt) Allow=yes ;; ### CHECK
--westonini) Allow=yes ;; ### CHECK

#### X Authentication
--clean-xhost|--no-xhost) Allow=yes ;; ### LEVEL
--no-auth) Allow=yes ;; ### LEVEL
--xhost) Allow=yes ;; ### LEVEL

#### Host integration options
--alsa) Allow=yes ;; ### LEVEL
-c|--clipboard) Allow=yes ;;
-l) Allow=yes ;;
--lang) Allow=yes ;;
-P|--printer) Allow=yes ;; ### LEVEL
-p) Allow=yes ;; ### LEVEL
--pulseaudio) Allow=yes ;; ### LEVEL
--sharessh) Allow=yes ;; ### CHECK
--webcam) Allow=yes ;; ### LEVEL

#### Special options
--enforce-i) Allow=yes ;;
-i|--interactive) Allow=yes ;;
--pull) Allow=yes ;; ### LEVEL'
--pw) Allow=yes ;;
--runasroot) Allow=yes ;; ### LEVEL
--runfromhost) Allow=yes ;;

#### User settings
--group-add) Allow="no" ;; ### LEVEL?
--hostuser) Allow="no" ;;
--sudouser) Allow=yes ;; ### LEVEL
--user) [ "$Containeruser" = "RETAIN" ] && Allow=yes || Allow=no ;; ### LEVEL

#### Init system and DBus
--dbus) Allow=yes ;; ### LEVEL =system
--hostdbus) Allow=yes ;; ### CHECK
--init) Allow=yes ;; ### LEVEL
--sharecgroup) Allow=yes ;; ### LEVEL
--systemd) Allow=yes ;; ### LEVEL

#### Container configuration
--cap-default) Allow=yes ;; ### LEVEL
--env) Allow=yes ;;
--hostipc) Allow="no" ;;
--hostnet) Allow="no" ;;
--limit) Allow=yes ;;
--name) Allow=yes ;;
--newprivileges) Allow=yes ;; ### LEVEL
--no-entrypoint) Allow=yes ;;
--no-internet) Allow=yes ;;
--runtime) Allow=yes ;;
--stdin) Allow=yes ;;
--workdir) Allow=yes ;;

#### host folders
-m) Allow=yes ;;
--home|--homedir) restrictedpath "${2:-}" && Allow=yes || Allow="no" ;;
--share|--sharedir) restrictedpath "${2:-}" && Allow=yes || Allow="no" ;;
--homebasedir) restrictedpath "${2:-}" && Allow=yes || Allow="no" ;;
--cachebasedir) restrictedpath "${2:-}" && Allow=yes || Allow="no" ;;

#### Verbosity options
-D|--debug) Allow=yes ;;
--showinfofile) Allow=yes ;;
-v|--verbose) Allow=yes ;;
-V) Allow=yes ;;
-q|--quiet) Allow=yes ;;
--showcache) Allow=yes ;;
--showenv) Allow=yes ;;
--showid) Allow=yes ;;
--showpid1) Allow=yes ;;

#### Special options not starting X or docker
--cleanup) Allow=yes ;; ### CHECK Do not remove containers?
--install|--update|--update-master|--remove) Allow="no" ;;
--launcher) Allow=yes ;;

#### Experimental options
--iglx) Allow=yes ;;
--xcomposite) Allow=yes ;;
--xorgconf) Allow="no" ;;
--xoverip) Allow=yes ;;
--xtest) Allow=yes ;;
--) break ;;
esac
[ "$Allow" = "yes" ] || error "x11docker restricted mode:
Found forbidden option or argument: ${1:-}"
shift
done
[ -n "$Customdockeroptions" ] && error "x11docker restricted mode:
Found forbidden custom docker options: $Customdockeroptions"
}
restrict_options() {
# experimental code, not in use yet. Intention: Allow harmless options only.

# level 1:
# --hostipc
# --hostnet
# custom docker options
# --share --home=DIR --cachebasedir --homebasedir # HOME only
# --user except RETAIN if --home
# --hostuser
# --install, --update, --update-master, --remove

# check parameter abuse
# --env
# basically all

# level 2:
# --hostdisplay

# unsure:
# --pull
# --runasroot
# --hostdbus
# --cleanup in multi-user environment?
# level 3:
# --newprivileges
# --cap-default
# --sudouser
# --group-add
# --init=systemd|openrc|sysvinit|runit
# --dbus=system
# --sharecgroup
local Message
[ "$Hostipc" = "yes" ] && Message="$Message
--hostipc"
[ "$Hostnet" = "yes" ] && Message="$Message
--hostnet"
[ "$Customdockeroptions" ] && Message="$Message
Custom docker options: $(escapestring "$Customdockeroptions")"
error "x11docker runs in restricted mode.
Found following options that are not allowed:
$Message"
}
unpriv() { # run a command as unprivileged user. Needed if x11docker was started by root or with sudo.
# $Unpriv is declared in check_hostuser: 'eval' or 'su $Hostuser -c'
$Unpriv "${1:-}"
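Review bot: The trailing comment `# reading root access` added to the `Containeruser=` echo line in the create_containerrootrc hunk is too terse for a maintainer to act on, and because it sits on the generator line it never reaches the generated script. The function name and its truncated header comment suggest the generated script runs as root, so if the comment is meant to flag that this script takes the user name from `storeinfo dump containeruser`, state the trust assumption explicitly. A possible wording is `# NOTE: root-run script reads containeruser from storeinfo; confirm the store cannot be modified by the container user`. Whether the value is validated before later use cannot be seen here, since the rest of create_containerrootrc lies outside the hunk.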