Makefile that shows how to run Windows apps from a Docker container on WSL2
# Makefile example of how to run Windows tools from inside a Docker
# container on WSL2.
#
# env_vars: given a list of variable names in $1, return only those whose
# value came from the process environment.  $(origin) reports "environment"
# for them ("environment override" under make -e, which the word-wise
# filter matches as well); names set in this file, on the command line, or
# not at all are dropped.
env_vars = $(strip $(foreach name,$1,$(if $(filter environment,$(origin $(name))),$(name))))

# Every WSL* variable make inherited from the environment, sorted.  Under
# WSL2 these are the interop hooks (typically WSL_INTEROP and friends); an
# empty list means we are not running under WSL, and the seccomp patch and
# the extra mounts in the run target are skipped.
wsl_candidates := $(filter WSL%,$(.VARIABLES))
WSL_VARS := $(sort $(call env_vars,$(wsl_candidates)))

# A literal comma, for use inside function arguments where "," would
# otherwise be taken as an argument separator.
comma := ,
#-----------------------------------------------------------------------------#
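# clean is a command, not a file: declare it phony so a stray file named
# "clean" cannot make it look up to date.  Double-colon rules let each
# section of this file contribute its own clean-up; only files this
# Makefile itself creates are removed.
.PHONY: clean
clean::
	$(RM) seccomp-default.json seccomp-allow-sockets.json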
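# Commit of moby/moby that the stock seccomp profile is fetched from.
# Pinning a commit (rather than a branch) keeps the download reproducible
# and reviewable; this one was the tip of 'master' when checked on
# 2023-Dec-06.  The hunk in patch_contents below is anchored to this exact
# file, so re-check it whenever the pin is bumped.
MOBY_COMMIT := 891241e7e74d4aae6de5f6125574eb994f25e169
SECCOMP_DEFAULT_URL := https://raw.githubusercontent.com/moby/moby/$(MOBY_COMMIT)/profiles/seccomp/default.json

# Docker's default seccomp profile, pretty-printed by jq so the patch has
# stable context lines to match.  Our intent is to patch it as lightly as
# possible.
#
# The target has no prerequisites, so changing MOBY_COMMIT does not refetch
# it: run 'make clean' first.  curl -f turns HTTP errors into a failure
# instead of piping an error page on, jq -e fails when it produced no value
# (e.g. empty body after a failed transfer), and the result is written to a
# temp file and renamed into place so a failed download cannot leave an
# empty, newer-than-everything $@ that make would then treat as up to date.
seccomp-default.json:
	curl -fsSL "$(SECCOMP_DEFAULT_URL)" | jq -e . > $@.tmp
	mv -f $@.tmp $@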
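# The patched profile: the stock profile ($(filter %.json,$^)) with
# seccomp-perms.patch applied.  patch(1) still writes its output file when
# a hunk is rejected (the hunk goes to a .rej file and patch exits
# non-zero), so write to a temp file and only rename on success; otherwise
# a half-patched profile would look up to date on the next run.
seccomp-allow-sockets.json: seccomp-perms.patch seccomp-default.json
	patch -o $@.tmp $(filter %.json,$^) $(filter %.patch,$^)
	mv -f $@.tmp $@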
#-----------------------------------------------------------------------------#
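# Overridable knobs (make IMAGE=... WIN_CMD=...).  The defaults reproduce
# the original demo of launching Notepad.  IMAGE is an unpinned tag; for
# anything beyond a demo, pin it (e.g. to a digest) so the code you hand
# host access to is the code you reviewed.
IMAGE   ?= ubuntu
WIN_CMD ?= /mnt/c/Windows/system32/notepad.exe

# Launch an interactive container that can execute Windows binaries through
# WSL interop.  What the container is given, and why it matters:
#   * /mnt (every mounted Windows drive) and $(HOME), both read-write;
#   * /etc/passwd and /etc/group read-only, so the host uid/gid passed
#     via -u resolve to a name inside the container;
#   * only when WSL_VARS is non-empty: /run/WSL (where the interop socket
#     lives), the WSL* environment variables that point at it, and the
#     patched seccomp profile, which permits the AF_VSOCK sockets interop
#     uses and that Docker's stock profile blocks.
# Because interop runs Windows processes as your Windows user, anything
# executing inside this container is effectively as trusted as your own
# shell: it can write your home directory and start arbitrary Windows
# programs.  Use it with images and commands you trust.
#
# $(strip ...) folds the backslash-continued lines into a single command
# line: inside a make variable reference or function call, backslash-newline
# is handled by make rather than handed to the shell, and strip collapses
# the remaining whitespace.  $$(id -u) and $${VAR} are shell expansions
# (the doubled $ escapes make's own expansion).
.PHONY: run
run: $(if $(WSL_VARS),seccomp-allow-sockets.json,)
	$(strip docker run --rm -it \
	  --mount type=bind,source=/mnt,target=/mnt \
	  $(if $(WSL_VARS),--mount type=bind$(comma)source=/run/WSL$(comma)target=/run/WSL) \
	  --mount type=bind,source=/etc/passwd,target=/etc/passwd,readonly \
	  --mount type=bind,source=/etc/group,target=/etc/group,readonly \
	  --mount "type=bind,source=${HOME},target=${HOME}" \
	  --workdir "${HOME}" \
	  -u $$(id -u):$$(id -g) \
	  $(if $(WSL_VARS),--security-opt seccomp=seccomp-allow-sockets.json,) \
	  $(foreach x,$(WSL_VARS),--env $x="$${$x}") \
	  $(IMAGE) \
	  sh -c '$(WIN_CMD)' \
	)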
#-----------------------------------------------------------------------------#
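# This patch is applied against Docker's default seccomp profile and enables
# sockets while leaving everything else alone.  The result can be used with
# docker-run under WSL2 to allow your containers to launch Windows binaries.
# Very helpful from time to time.
#
# What it changes: the stock profile allows socket() only when the domain
# (arg 0) is not 40, i.e. AF_VSOCK; dropping the "args" restriction allows
# socket() unconditionally, which is what the interop channel needs.  This
# is a deliberate widening of the container's syscall filter -- every other
# rule in the profile is untouched.
#
# Whitespace inside the hunk is significant: patch(1) matches context lines
# exactly, so the indentation must be jq's default two spaces per level.
# NOTE(review): the indentation below was restored from that convention;
# confirm against the fetched seccomp-default.json if a hunk is rejected.
# The line numbers are anchored to the file at MOBY_COMMIT; patch tolerates
# some drift, but a different commit or jq version may need a fresh hunk.
define patch_contents
--- seccomp-default.json
+++ seccomp-allow-sockets.json
@@ -421,14 +421,7 @@
       "names": [
         "socket"
       ],
-      "action": "SCMP_ACT_ALLOW",
-      "args": [
-        {
-          "index": 0,
-          "value": 40,
-          "op": "SCMP_CMP_NE"
-        }
-      ]
+      "action": "SCMP_ACT_ALLOW"
     },
     {
       "names": [
endef

# A variable holding exactly one newline, for splitting patch_contents.
# The two blank lines between define and endef are significant: a define
# body keeps the newline after every line but the last, so one blank line
# would yield an empty value and $(subst $(\n),...) would be a no-op.
define \n


endef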
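# Materialise patch_contents as a file for patch(1).  make's newlines are
# rewritten as literal "\n" sequences so the whole text fits on one recipe
# line, and printf's %b conversion expands them back.  The text is passed
# as an argument rather than as the format string itself, so a '%' in the
# patch can never be interpreted as a conversion.
seccomp-perms.patch:
	printf -- '%b\n' '$(subst $(\n),\n,$(patch_contents))' > $@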
# Clean-up contributed by this section: the generated patch file.
clean::
	$(RM) seccomp-perms.patch
#-----------------------------------------------------------------------------#