ruf-puppy-flask.sh (puli attempt w/ ungoogle chromium)

#!/bin/sh
#ROUTER_IP=192.168.100.1
# Rufwoof Jan 2021 (updated May 2019 version). Comments at end
WM=jwm
cd "$(realpath "${0%/*}")" #added by s243a (4 lines)
CWD="$(realpath .)" #"$PWD"
SFS_NAME="$(ls -1 ../puppy_*.sfs | head -n 1 | sed -r 's#^[.][.]/##g' | sed -r 's#[.]sfs##g')"
Parent_WD="$(realpath "$CWD/..")"
SFS_PATH="$Parent_WD/$SFS_NAME".sfs #End Adds by s243a

xterm & # added so have at least one window I can alt-tab to out of the container
#[ ! -d /mnt/sda4/shared ] && mkdir /mnt/sda4/shared # as a shared folder
SHARED_LOC="$CWD"/shared #For a more portable container script add shared folder relative to script path.


#Uncomment the following to use a shared folder:
#SHARED="$SHARED_LOC"

#CHANGES_LOC=/mnt/sda4/changes        # Non pre-existing ext fs work folder
CHANGES_LOC="$CWD"/container #For a more portable container script add changes folder relative to script path.

#MAIN_SFS=/mnt/sda1/FATDOG811-FINAL/fd64.sfs # Where the main sfs is located
MAIN_SFS="$SFS_PATH" #s243a: Replaces above line

# Xephyr parameters
   XP="-fullscreen -title container -name Xephyr2 -dpi 144 -nolisten tcp"
#XEPHYR="-fullscreen -name Xephyr2 -dpi 144 -nolisten tcp"
XEPHYR="$XP"

MOUNTS="--mount=bind:/dev/snd:/dev/snd \
        --mount=bind:/dev/mixer:/dev/mixer \
        --mount=bind:/mnt/pts:/mnt/pts"
[ ! -z "${SHARED}" ] && MOUNTS="$MOUNTS -mount=bind:${SHARED}:/home/shared"

CAPS="--caps=all,-sys_admin,-sys_boot,-sys_chroot,-sys_ptrace,-sys_time,\
-sys_tty_config,-chown,-kill,-dac_override,-dac_read_search,\
-fowner,-setfcap,-setpcap,-net_admin,-mknod,-sys_module,\
-sys_nice,-sys_resource"
#PF="${PF} --chroot=${CHANGES_LOC}/top"
PFLASK="--keepenv --no-ipcns --no-netns ${MOUNTS} ${CAPS} \
        --chroot=${CHANGES_LOC}/top"
declare -a options="$(getopt -o b:: --long browser-cmd::,browser-command -- "$@")"
eval set --"$options"
while [ $# -gt 0 ]; do
  case "$1" in
  -b|--browser-cmd|--browser-command)
    if [ $# -gt 1 ] && [[ ! $2 = 1* ]]; then
      BROWSER_CMD="$2"
    else
      BROWSER_CMD=""
    fi
    ;;
  --)
    shift
    break
    ;;
  *)
    shift
    ;;
  esac
done
#[ -z ${BROWSER_CMD+x} ] && BROWSER_CMD=/opt/Ungoogled_Chromium-portable/LAUNCH

function umountall(){
  if [ ! -z "$PID" ]; then
    kill PID
  else
    killall Xephyr
  fi
  cd ${CHANGES_LOC}
  #umount top sfs
  umount -l top/dev/shm
  umount -l top/dev/pts
  umount -l top/dev
  umount -l top
  umount -l sfs
  rm -rf changes
  rmdir top sfs
  [ -d "$SHARED/flags" ] && [ ! -z "$HOSTGRAB" ] && kill $HOSTGRAB
  rm /tmp/container.run
}

# Avoid double click 2 instances
N=`date +%s` # Seconds since January 1970
if [ -f /tmp/container.run ];then
        L=`cat /tmp/container.run`
        D=`expr $N - $L`
        if [ $D -lt 2 ];then
            exit # quick 2 launches (doubled clicked ignore second click)
        fi
fi

trap 'umountall' 1


echo $N >/tmp/container.run

# Create a separate X instance so isolated from the main real root X
T=`ps -ef | grep Xephyr2 | wc -l`
if [ $T -ne 2 ];then
        Xephyr :2 ${XP} &
else
        exit # Xephyr2 already running
fi

if [ ! -z "${ROUTER_IP}" ]; then
  iptables -A INPUT -s ${ROUTER_IP} -j DROP     # Drop access to router admin
fi

# Prepare and launch 'container' and shared folder

if [ ! -z "$SHARED" ]; then
  [ ! -d $SHARED ] && mkdir $SHARED
  [ ! -d ${SHARED}/flags ] && mkdir ${SHARED}/flags
fi

# Create a changes folder, sfs mount point for main.sfs and top layer
# folders and aufs mount to combine changes and sfs folders -> top
mkdir -p "${CHANGES_LOC}"
cd "${CHANGES_LOC}"
# Check for possible hangover - such as if restarted X and clean out if so
if [ -d top ] || [ -d sfs ] || [ -d changes ]; then
        umount top sfs
        rm -rf changes
        rmdir top sfs
fi
mkdir top sfs changes

#s243a: added append_mnt_id_awk (bellow). See: https://forum.puppylinux.com/viewtopic.php?f=136&t=1932
append_mnt_id_awk='
function get_mnt_id(mnt_pt,loop){
  if (length(mnt_pt) > 0 && length(loop)>0){
    cmd="cat /proc/self/mountinfo | sort | grep '" loop "' | grep " mnt_pt " | head -n 1"
  } else if (length(mnt_pt) > 0){
    cmd="cat /proc/self/mountinfo | sort | grep '" mnt_pt "' | head -n 1"
  } else if (length(loop)>0){
    cmd="cat /proc/self/mountinfo | sort | grep '" loop "' | head -n 1"
  }
  while ((cmd | getline )){
    mnt_id=$1
    break
  }
  close(cmd)
  return mnt_id
}
{
  mnt_pt=$1
  loop=$2
  mnt_id=get_mnt_id(mnt_pt,loop)
  print mnt_id "|" mnt_pt "|" loop
}'
loop=$(losetup -a | grep  "${MAIN_SFS}"  | sed "s/:.*$//" )
if [ ! -z "$loop" ]; then #
  sfs_MP="$(findmnt -o TARGET,SOURCE -D -n | grep $loop\$ | awk "$append_mnt_id_awk" | sort -t '|' -k1 | cut -d'|' -f2 | head -n 1)"
else
  sfs_MP="${CHANGES_LOC}"/sfs
  mount -r -t squashfs ${MAIN_SFS} "$sfs_MP"
fi
cd ${CHANGES_LOC}
mount -t aufs -o br=changes:"$sfs_MP" none top
cp /var/lib/dbus/machine-id top/var/lib/dbus/machine-id
cp /etc/resolv.conf top/etc/resolv.conf
ln -s top/var/lib/dbus/machine-id top/etc/machine-id

#http://www.linuxfromscratch.org/lfs/view/6.1/chapter06/devices.html
#mount -n -t tmpfs none top/dev
#mknod -m 622 top/dev/console c 5 1
#mknod -m 666 top/dev/null c 1 3
#mknod -m 666 top/dev/zero c 1 5
#mknod -m 666 top/dev/ptmx c 5 2
#mknod -m 666 top/dev/tty c 5 0
#mknod -m 444 top/dev/random c 1 8
#mknod -m 444 top/dev/urandom c 1 9
#chown root:tty top/dev/{console,ptmx,tty}
#ln -s top/proc/self/fd /dev/fd
#ln -s top/proc/self/fd/0 /dev/stdin
#ln -s top/proc/self/fd/1 /dev/stdout
#ln -s top/proc/self/fd/2 /dev/stderr
#ln -s top/proc/kcore /dev/core
#mkdir top/dev/pts
#mkdir top/dev/shm
#mount -n -t devpts -o gid=4,mode=620 none /dev/pts
#mount -n -t tmpfs none /dev/shm


#echo >$SHARED/flags/host-grab

[ -d "$SHARED/flags" ] && echo >$SHARED/flags/host-grab
if [ -d "$SHARED/flags" ]; then #TODO add more conditions to execute this code.
  cat <<EOF >top/tmp/hostgrab
  #!/bin/bash
  xsetroot -bg \#ff0000 -mod 5 5
  while inotifywait -e modify /home/shared/flags; do
    C=\$(tail -1 /home/shared/flags/host-grab | grep release)
    if [ ! -z "\${C}" ]; then
        xsetroot -bg \#0000ff -mod 5 5
    else
        xsetroot -bg \#ff0000 -mod 5 5
    fi
  done
EOF
chmod +x top/tmp/hostgrab
fi

# # create a script to run inside the chroot (i.e. must be a script, not a bin)

# s243a: puppy doesn't have lxqt-panel
# echo "lxqt-panel &" >>top/init
# echo "openbox" >>top/init
case "$WM" in
jwm)
echo '
#!/bin/sh
export DISPLAY=:2
. /etc/DISTRO_SPECS
if [ "$DISTRO_ARCHDIR" ] ; then
    ARCHDIR="/$DISTRO_ARCHDIR"
fi
ldconfig
iconvconfig
#update-pango-querymodules
#Failed to create file /usr/lib/i86/-linux-gnu/pango/1.8.0/modules.cache.8P0KX0 No such file or directory
gdk-pixbuf-query-loaders --update-cache
update-mime-database -V /usr/share/mime/
status_func $?
UPDATE_MIME_DATABASE_DONE=1

source /etc/profile
fixmenus #probably not necessary
keymap-set --update
userresources=$HOME/.Xresources
usermodmap=$HOME/.Xmodmap
sysresources=/usr/lib/X11/xinit/Xresources
sysmodmap=/usr/lib/X11/xinit/.Xmodmap

# merge in defaults and keymaps

if [ -f $sysresources ]; then
    xrdb -merge -nocpp $sysresources
fi

if [ -f $sysmodmap ]; then
    xmodmap $sysmodmap
fi

if [ -f $userresources ]; then
    xrdb -merge -nocpp $userresources
fi

if [ -f $usermodmap ]; then
    xmodmap $usermodmap
fi
setxkbmap -option keypad:pointerkeys
DISPLAY=:2 jwm &
DISPLAY=:2 roxfiler &
'"$(if [ ! -z "$BROWSER_CMD" ]; then
  echo "DISPLAY=:2 xterm -e $BROWSER_CMD"
   fi )"'
' >top/init
;;
cwm)
cat <<EOF >top/init
#!/bin/sh
$(if [ -d "$SHARED/flags" ]; then
echo '/tmp/hostgrab &
/usr/bin/help &'
fi )
cwm -c /root/.cwmrc
EOF
cat <<EOF >top/usr/bin/help
#!/bin/sh
message() {
    Xdialog --title Information --msgbox "\$1" 0 0
}
M="This is a Xephyr X session window where cwm is the window manager.\n"
M="\${M}cwm is great for laptops (nearly all OpenBSD developer use cwm) and is relatively easy to learn.\n"
M="\${M}Whilst you run as 'root' within Xephyr, root is actually a highly restricted userid that is running\n"
M="\${M}in a contained environment, as such some programs may not run as expected.\n"
M="\${M}\nLeft mouse press on desktop shows windows menu, right mouse press for applications menu\n"
M="\${M}(a gap is left around the screen edges so the desktop is still accessible even if a window is maximised)\n\n"
M="\${M}Ctrl Alt Enter : terminal. Alt m : toggles maximise. Ctrl Alt x : close window. Alt ? : Open exec launcher\n"
M="\${M}\nCtrl Shift : toggles mouse/keyboard focus (desktop changes between red and blue)\n"
M="\${M}Alt Tab : if desktop is red - steps between main session windows\n"
M="\${M}OR if desktop is blue - steps between windows within the Xephyr container\n"
M="\${M}\nWHEN THE DESKTOP IS BLUE (mouse/keyboard locked into Xephyr) ...\n"
M="\${M}Alt middle mouse drag: resizes window. Alt left mouse drag : moves window\n"
M="\${M}\nWHEN THE DESKTOP IS RED (mouse/keyboard unlocked from Xephyr) ...\n"
M="\${M}you can use usual main system controls such as Alt-F1 for menu, Alt-F4 to close the Xephyr ...etc.\n"
M="\${M}\nRevisit this list again at any time by running 'help', or search online for the cwm manual"
message "\${M}"
EOF
chmod +x top/usr/bin/help
;;
esac

for a_autostart in dunst.desktop firewallstatus.desktop flsynclient.desktop freememapplet.desktop netmon_wce.desktop powerapplet.desktop retrovol.desktop; do
  mv top/root/.config/autostart/"$a_autostart" top/root/.config/autostart/"$a_autostart"-disable
done


chmod +x top/init
# The big Xephyr capabilities dropped chroot switch
DISPLAY=:2 empty -f unshare -m pflask ${PFLASK} -- /init
PID=$!

if [ -d "$SHARED/flags" ]; then
  function _hostgrabstate() {

    local WID=""

    while [ -z "${WID}" ]; do
        WID=$(wmctrl -lp | grep Xephyr | cut -d ' ' -f 1)
        sleep 1
    done
    sleep 2
    xprop -id ${WID} -spy WM_NAME >>$SHARED/flags/host-grab
  }
  _hostgrabstate &
  HOSTGRAB=$!
fi

#DISPLAY=:2 pflask ${PF} -- /init
wait $PID # above backgrounds, so we wait until that ends

# Clean up


umountall
#rmdir top sfs


############################################################################
# FOR FATDOG 811 ... (Draft Modifications by s243a for other platforms)
#
# Aufs mounts changes (initial empty rw folder), main sfs, that combined
# is visible/accessed via folder 'top', that we chroot into
#
# chroot with chroot capability dropped (to prevent chroot out of the chroot)
# using another X session (Xephyr) to isolate it from the main X session.
# We chroot using pflask as that makes things easier into the top folder
# applying further restrictions. We use the main sfs as our base for the
# chroot, so very low overheads.
#
# alt-F4    closes the Xephyr container (if not then ctrl-shift to unfocus
#           mouse/keyboard.
# alt Tab   to step to another window in main system, but if use
#           xdotool keydown alt key Tab;xdotool keyup alt .... it doesn't
#           work (as intended i.e. it's locked into the "container").
# seamonkey from menu doesn't work, run seamonkey from within urxvt
# We use DISPLAY :2 for the Xephyr server
#
# Requires empty, pflask and a ext filesystem to create/work within
#
# I use fatdog multi-session save type frugal boot, and periodically I've
# re-merged the save files into fd64.sfs so my fd64.sfs isn't the standard
# version (merging changes and not copying fd64.sfs to ram helps keep ram
# usage low).
############################################################################