𝖕𝖘𝖊𝖚𝖉

Configure the languages, then:

// LineageOS

zsh

Occasionally oil for neovim.

To each their own.

I thought that the trick with exposing the raw hardware to a VM was the coolest thing ever, since it negates this entire “do their special tools support Linux” issue. And you do it once every 6 months, maybe 4 times in total, until releases taper off.

Have a ready Qemu image of a Windows install. Have a live distro that has (or can install to RAM) Qemu. Boot Windows using Qemu in the live environment, and VFIO-passthrough your NVME as a PCI device. Install and run the official Windows-based update tool, which now has raw access to the SSD.

At least that’s what I’m doing for my WD.

Comment federation is glitched, yo.

This, that. But, but, but.

¯\(°_o)/¯

Here’s how I run Firefox, for instance:

#!/bin/zsh

function r { for p in $@; do [[ -e $p ]] && echo --ro-bind-try $p $p; done; }
function w { for p in $@; do [[ -e $p ]] && echo --bind-try $p $p; done; }
function ln { echo --symlink $1 $2; }
function wdev { for p in $@; do echo --dev-bind-try $p $p; done; }

bwopt=(
  --unshare-pid --unshare-uts --unshare-ipc --unshare-cgroup

  --proc /proc --dev /dev --tmpfs /dev/shm --mqueue /dev/mqueue

  $(wdev /dev/dri /dev/v4l /dev/video*)
  $(r /sys/{dev,devices,bus/pci})

  --dir /var/tmp --dir /run/lock
  $(ln ../run /var/run) $(ln ../run/lock /var/lock)
  $(w /tmp/.{X11-unix,ICE-unix})

  $(r /usr/lib) $(ln usr/lib /lib64) $(ln lib /usr/lib64)
  $(r /usr/share)
  $(r /var/{cache/fontconfig,lib/dbus/machine-id})

  $(r /etc/{passwd,group,nsswitch.conf,resolv.conf,hosts,gai.conf,ld.so*})
  $(r /etc/{localtime,lsb-release,machine-id})
  $(r /etc/{ca-certificates,ssl})
  $(r /etc/{dconf,fonts,gtk-*,host.conf,xdg,mime.types,pulse})
 
  $(r ${XAUTHORITY} ${DBUS_SESSION_BUS_ADDRESS/unix:path=})
  $(w ${XDG_RUNTIME_DIR}/{ICEauthority,dconf,pulse,gvfsd,wayland-*,p11-kit,flatpak-info})

  $(w ~/.{mozilla,cache/mozilla})
  $(r ~/.cache/{fontconfig,mesa_shader_cache})
  $(r ~/.config/{dconf,fontconfig,user-dirs.dirs,gtk-*,mimeapps.list,pulse})
  $(r ~/.{fonts,local/share/{themes,icons}})

  $(w ~/down /tmp/swap)
)

exec nice \
  systemd-run --quiet --user --scope --slice=firefox.slice \
  bwrap --args 9 9< <(printf $'%s\0' $bwopt) \
  -- /usr/lib/firefox/firefox $@

Using this for about 5 years. Ran strace on a session to see what to allow access to. It’s got full access to /lib and too much access to /sys b/c I’m lazy, but it can not see any executables or most of ~.

I’m using something similar whenever I want to precisely isolate a program.