Update permissions/README.md

Also correctly replace hard coded `/run/user/uid` with $XDG_RUNTIME_DIR

appimage.go

@@ -41,7 +41,7 @@ type AppImage struct {
 
 // Current version of aisap
 const (
-	Version = "0.5.3-alpha"
+	Version = "0.5.4-alpha"
 )
 
 // Create a new AppImage object from a path

permissions/README.md

@@ -1,5 +1,5 @@
 # aisap permissions
-Simplified permissions and what actual bwrap flags they corrispond to
+Simplified permissions and what actual bwrap flags they correspond to
 
 ## Base levels
 As you can see, level 1 gives access to a wide range of system files, but personal [HOME] files are still restricted. Level 1 is intended to allow some sandboxing of apps that refuse to with higher levels
@@ -65,17 +65,56 @@ Level 3:
 For further security or to run an AppImage designed for another distro, you can use `(AppImage) SetRootDir()` to change where it pulls system files from
 
 ## Sockets
-x11:
- * `  [HOME]/.Xauthority`
- * `[TMPDIR]/.X11-unix/X[DISPLAY]`
+alsa:
+ * `/usr/share/alsa`
+ * `/etc/alsa`
+ * `/etc/group`
+ * `/dev/snd`
+
+audio:
+pulseaudio and alsa combined
+
+cgroup:
+same as not using `--unshare-cgroup-try` in bwrap
+
+dbus:
+ * `$XDG_RUNTIME_DIR/bus`
+
+ipc:
+same as not using `--unshare-ipc` in bwrap
 
 network:
  * `/etc/ca-certificates`
  * `/etc/resolv.conf`
  * `/etc/ssl`
+ * `/usr/share/ca-certificates`
+
+pid:
+same as not using `--unshare-pid` in bwrap
+
+pipewire:
+ * `$XDG_RUNTIME_DIR/pipewire-0`
 
- pulseaudio:
- * `/run/user/[UID]/pulse`
+pulseaudio:
+ * `$XDG_RUNTIME_DIR/pulse`
+ * `/etc/pulse`
+
+session:
+same as not using `--new-session` in bwrap
+
+user:
+same as not using `--unshare-user-try` in bwrap
+
+uts:
+same as not using `--unshare-uts` in bwrap
+
+wayland:
+ * `$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY`
+ * `/usr/share/x11`
+
+x11:
+ * `$XAUTHORITY`
+ * `$TMPDIR/.X11-unix/X[DISPLAY]`
 
 ## Devices
 dri:

wrap.go

@@ -146,6 +146,7 @@ func (ai *AppImage) mainWrapArgs() []string {
 		"--setenv", "XDG_CONFIG_HOME",     filepath.Join(xdg.Home, ".config"),
 		"--setenv", "XDG_CACHE_HOME",      filepath.Join(xdg.Home, ".cache"),
 		"--setenv", "XDG_STATE_HOME",      filepath.Join(xdg.Home, ".local/state"),
+		"--setenv", "XDG_RUNTIME_DIR",     filepath.Join("/run/user", uid),
 		"--die-with-parent",
 		"--perms",       "0700",
 		"--dir",         filepath.Join("/run/user", uid),
@@ -363,7 +364,7 @@ func parseSockets(ai *AppImage) []string {
 			"--dev-bind",    "/dev/snd",        "/dev/snd",
 		},
 		"audio": {
-			"--ro-bind-try", "/run/user/"+uid+"/pulse", "/run/user/"+uid+"/pulse",
+			"--ro-bind-try", filepath.Join(xdg.RuntimeDir, "pulse"), "/run/user/"+uid+"/pulse",
 			"--ro-bind-try", "/usr/share/alsa",         "/usr/share/alsa",
 			"--ro-bind-try", "/usr/share/pulseaudio",   "/usr/share/pulseaudio",
 			"--ro-bind-try", "/etc/alsa",               "/etc/alsa",
@@ -373,7 +374,7 @@ func parseSockets(ai *AppImage) []string {
 		},
 		"cgroup": {},
 		"dbus": {
-			"--ro-bind-try", "/run/user/"+uid+"/bus", "/run/user/"+uid+"/bus",
+			"--ro-bind-try", filepath.Join(xdg.RuntimeDir, "bus"), "/run/user/"+uid+"/bus",
 		},
 		"ipc":    {},
 		"network": {
@@ -385,17 +386,17 @@ func parseSockets(ai *AppImage) []string {
 		},
 		"pid": {},
 		"pipewire": {
-			"--ro-bind-try", "/run/user/"+uid+"/pipewire-0", "/run/user/"+uid+"/pipewire-0",
+			"--ro-bind-try", filepath.Join(xdg.RuntimeDir, "pipewire-0"), "/run/user/"+uid+"/pipewire-0",
 		},
 		"pulseaudio": {
-			"--ro-bind-try", "/run/user/"+uid+"/pulse", "/run/user/"+uid+"/pulse",
+			"--ro-bind-try", filepath.Join(xdg.RuntimeDir, "pulse"), "/run/user/"+uid+"/pulse",
 			"--ro-bind-try", "/etc/pulse",              "/etc/pulse",
 		},
 		"session": {},
 		"user":    {},
 		"uts":     {},
 		"wayland": {
-			"--ro-bind-try", "/run/user/"+uid+"/"+wDisplay, "/run/user/"+uid+"/wayland-0",
+			"--ro-bind-try", filepath.Join(xdg.RuntimeDir, wDisplay), "/run/user/"+uid+"/wayland-0",
 			"--ro-bind-try", "/usr/share/X11",               "/usr/share/X11",
 			// TODO: Add more enviornment variables for app compatability
 			// maybe theres a better way to do this?