I use https://github.com/slingamn/namespaced-openvpn to have an isolated namespace and VPN connection.
On X, these two steps would allow me to run a GUI program in the protected namespace. So I could have, e.g., an IDE configuration for my main user/personal projects, and another entirely different instance of the same IDE for work, because they use different users:
sudo xhost '+si:localuser:user'
sudo ip netns exec protected sudo -u user -i
On Wayland, although the protected shell is created fine, GUI programs don't start. E.g. for Dolphin:
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
Failed to create wl_display (No such file or directory)
I’ve tried to preserve the env without success:
sudo -E ip netns exec protected sudo -u user -i
It seems that access to the Wayland socket is a must for this to work.
This discussion has a nuke option - giving 777 access to the dir where the Wayland socket is, and another less permissive approach: adding the users to a group and giving access to a new location where the Wayland socket is created.
https://stackoverflow.com/questions/41736528/linux-wayland-display-multiple-user
Is this second approach secure? If not, which other steps could I take to achieve what I did in X?
Wayland uses a UNIX socket, so I’m a little confused why restricting the netns would block access to it.
Try using waypipe to forward the socket, that’s how I run Wayland over SSH. It has a few issues with some versions of GNOME (GNOME thinks every waypipe application is crashing because of message timeouts) but on other DEs it works fine.
Does waypipe also work with XWayland apps?
I believe it does, but I’ve only used it over SSH so it may not work for your use case. Worth a try, though!
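Added example, not part of the thread: for the two options from the linked discussion (mode 777 on the socket directory versus a shared group), this Python sketch reports which class of local users the permission bits allow to connect to the Wayland socket. The function name and the fallback socket name `wayland-0` are assumptions of this example.

```python
import os
import stat
import sys


def socket_exposure(sock_path):
    """Classify who can connect to a Unix socket from its mode bits.

    Connecting needs search (x) permission on the containing directory and
    write (w) permission on the socket itself. Simplification: ACLs and the
    permissions of directories higher up the path are not examined.
    """
    sock_path = os.path.abspath(sock_path)
    d = os.stat(os.path.dirname(sock_path))
    s = os.stat(sock_path)
    dmode = stat.S_IMODE(d.st_mode)
    smode = stat.S_IMODE(s.st_mode)

    dir_other = bool(dmode & stat.S_IXOTH)
    dir_group = bool(dmode & stat.S_IXGRP)
    sock_other = bool(smode & stat.S_IWOTH)
    sock_group = bool(smode & stat.S_IWGRP)

    if dir_other and sock_other:
        level = "world"   # every local user can act as a Wayland client
    elif (dir_group or dir_other) and (sock_group or sock_other):
        level = "group"   # limited to members of the listed group(s)
    else:
        level = "owner"   # only the user that owns the session
    return {
        "level": level,
        "dir_mode": oct(dmode),
        "dir_gid": d.st_gid,
        "sock_mode": oct(smode),
        "sock_gid": s.st_gid,
    }


if __name__ == "__main__":
    # WAYLAND_DISPLAY may be a bare name or an absolute path; os.path.join
    # keeps an absolute second argument as-is.
    default = os.path.join(os.environ.get("XDG_RUNTIME_DIR", ""),
                           os.environ.get("WAYLAND_DISPLAY", "wayland-0"))
    path = sys.argv[1] if len(sys.argv) > 1 else default
    print(path, socket_exposure(path))
```

A result of `world` means any local account can connect to the compositor as a client; `group` narrows that to the members of the reported group IDs.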