Enumerate input/graphics devices with udev #16

Conversation

@djpohly (Contributor) commented Jan 30, 2022

We can query udev to get a list of devices more reliably and simply. For example, the previous code does not detect controllers unless the joydev module (old API) is loaded, whereas udev has already labeled the correct event*, input*, and js* devices with ID_INPUT_JOYSTICK.

The same approach can probably be used for video/media devices, but I didn't feel as confident with how to make that change.

The added pyudev dependency is documented in the README.
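The udev-based selection described above, as an added example that is not the PR's code: it assumes pyudev for live enumeration, but the selection logic itself is pure so it runs offline on constructed stand-in devices. Helper names (`select_joystick_nodes`, `enumerate_joystick_nodes`, `fake_device`) are mine; the only thing bound into the sandbox is the list of nodes udev actually labelled, not all of /dev/input.

```python
"""Pick out joystick/gamepad device nodes using udev properties (added example)."""
from __future__ import annotations

from types import SimpleNamespace
from typing import Iterable, List

try:
    import pyudev  # only needed for live enumeration
except ImportError:  # offline runs: selection logic still works
    pyudev = None


def select_joystick_nodes(devices: Iterable) -> List[str]:
    """Return the /dev nodes of devices that udev tagged with ID_INPUT_JOYSTICK.

    `devices` are objects with a `.properties` mapping and a `.device_node`
    attribute, the shape pyudev.Device has.  Entries without a node (the
    parent `input*` sysfs object) carry the tag but have nothing under /dev
    to bind, so they are skipped.  The result is sorted and de-duplicated so
    the bind list handed to the sandbox is deterministic.
    """
    nodes = []
    for dev in devices:
        if dev.properties.get("ID_INPUT_JOYSTICK") != "1":
            continue
        node = dev.device_node
        if not node:
            continue
        nodes.append(node)
    return sorted(set(nodes))


def enumerate_joystick_nodes() -> List[str]:
    """Live enumeration via udev (needs pyudev and a running udev)."""
    if pyudev is None:
        raise RuntimeError("pyudev is not installed")
    ctx = pyudev.Context()
    # udev sets ID_INPUT_JOYSTICK on event*, input* and js* devices whether or
    # not the legacy joydev module is loaded, so no /dev/input/js* probing.
    return select_joystick_nodes(
        ctx.list_devices(subsystem="input", ID_INPUT_JOYSTICK="1")
    )


def fake_device(node, **props):
    """Constructed stand-in mirroring pyudev.Device's shape, for offline use."""
    return SimpleNamespace(properties=props, device_node=node)


if __name__ == "__main__":
    print(enumerate_joystick_nodes())
```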

@igo95862 (Owner) commented Jan 30, 2022

Thank you for submitting this Pull Request.

The code is definitely much cleaner with udev.

However, I don't really like the pyudev as it lacks modern python features such as typing and asyncio.

I think creating new ctype binds for libudev would be better. There are already separated binds for libseccomp instead of Cython based upstream ones.

I will add this to the TODO list.

@djpohly (Contributor, Author) commented Jan 30, 2022

I don't think bubblejail would need any I/O calls where asyncio would make a difference. Maybe we could submit a typing PR to the pyudev project? :)

@igo95862 (Owner)

> I don't think bubblejail would need any I/O calls where asyncio would make a difference.

I am planning on adding dynamic hardware binds. For example, a controller gets plugged and it would be nice if it becomes available in sandbox without restarting. Libudev lets you watch a file descriptor and look for new devices. pyudev only has sync methods and not integrated with asyncio.

@djpohly (Contributor, Author) commented Feb 1, 2022

That sounds cool, but will bwrap allow anything to add binds after it is already running?

@igo95862 (Owner) commented Feb 2, 2022

> That sounds cool, but will bwrap allow anything to add binds after it is already running?

You can access the namespaces under the /proc/[pid]/ns/ folder. I will need to make a big investigation into this. Right now nsenter only works when running as root.

@igo95862 (Owner)

I opened two issues on pyudev github about asyncio and typing.

pyudev/pyudev#449

pyudev/pyudev#450

Let's see if it gets any traction.

@igo95862 (Owner) commented May 9, 2022

Looks like upstream is not interested.

Also libudev is actually deprecated. The replacement is the sd-device component of libsystemd. Since my D-Bus library is already based on libsystemd, I might as well add the sd-device component. (elogind for Alpine Linux also supports that.)

@djpohly (Contributor, Author) commented May 9, 2022

Good to know. I still suspect it's unlikely on the bwrap side as well. With its focus on security and simplicity, allowing dynamic changes once the sandbox is established sounds like something they'd consider a bug.

@igo95862 (Owner) commented May 9, 2022

> I still suspect it's unlikely on the bwrap side as well. With its focus on security and simplicity, allowing dynamic changes once the sandbox is established sounds like something they'd consider a bug.

I thought about that and I think I know the solution: a two-stage sandbox. Bubblewrap would be the second stage and would just use --dev-bind on virtual /sys and /dev that the first stage would create. The first stage would not use pivot_root, so it would have access to both file trees and would be able to bind new devices from outside.

@igo95862 (Owner) commented Mar 2, 2023

New mount API provides a very easy way to create new bind mounts inside namespace: https://brauner.io/2023/02/28/mounting-into-mount-namespaces.html
