1 files changed, 18 insertions, 12 deletions

diff --git a/sandboxlib/bubblewrap.py b/sandboxlib/bubblewrap.py
index a0c005e..e03b7a0 100644
--- a/sandboxlib/bubblewrap.py
+++ b/sandboxlib/bubblewrap.py
@@ -124,14 +124,15 @@ def run_sandbox(command, cwd=None, env=None,
     bwrap_command += process_mounts(filesystem_root, extra_mounts,
                                     filesystem_writable_paths)
 
-
+    # Set UID and GUI
+    bwrap_command.extend(['--unshare-user', '--uid', '0', '--gid', '0'])
 
     argv = bwrap_command + command
-    log.info("bubblewrap.run_command({}, stdou:{}, stderr:{}, env:{})"
+    log.info("bubblewrap.run_command({}, stdout:{}, stderr:{}, env:{})"
              .format(" ".join(argv), stdout, stderr, env))
-    
+
     exit, out, err = sandboxlib._run_command(argv, stdout, stderr, env=env)
-    
+
     return exit, out, err
 
 
@@ -149,6 +150,9 @@ def run_sandbox_with_redirection(command, **sandbox_config):
     # out and err will be None
     return exit
 
+def get_program():
+    return bubblewrap_program()
+
 # Non API methods below
 
 
@@ -204,12 +208,12 @@ def process_mounts(fs_root, mounts, writable_paths):
     log.debug("process_mounts(fs_root={}, mounts={}, writable_paths={})".format(fs_root, mounts, writable_paths))
     extra_args = []
     fs_dict = {}
-    
+
     for ex_mnt in mounts:
         mnt_src, mnt_target, mnt_type, mnt_options = ex_mnt
         # TODO
         # How to handle options? Can bwrap do this?
-        
+
         if mnt_target not in fs_dict.keys():
             fs_dict[mnt_target] = {'src': mnt_src, 'type': mnt_type, 'options': mnt_options}
         # already exists. should only upgrade some things
@@ -255,14 +259,16 @@ def process_mounts(fs_root, mounts, writable_paths):
             # First is using the --dev option that mounts host /dev
             # Second is using --dev-bind for moutning a [src] to [dest]
             # while allowing device access.
-            #
-            # How do we diferentiate the two?
 
-            # extra_args.extend(['--dev', mnt_target])
 
-            # Experiment to see if --dev-bind fixes permissions errors
-            log.info("Using --dev-bind instead")
-            extra_args.extend(['--dev-bind', mnt_src, mnt_target])
+            # How do we diferentiate the two?
+            # Check if we are mounting host root to target
+            if "/" in fs_dict.keys() and fs_dict['/']['src'] == "/":
+                log.info("Using --dev to share host dev")
+                extra_args.extend(['--dev', mnt_target])
+            else:
+                log.info("Using --dev-bind for local dev")
+                extra_args.extend(['--dev-bind', mnt_src, mnt_target])
         else:
             if is_mount_writable(mnt_target, writable_paths):
                 extra_args.extend(['--bind', mnt_src, mnt_target])