The sandbox strictness can now be controlled with the SANDBOX_LEVEL environment variable. There are 3 available levels; the default is 1.
Level 1 isolates all user files.
Level 2 isolates all user files, disables dbus and hides all running processes.
Level 3 does the same as level 2, but additionally disables network access and isolates the X11 server with Xephyr.
The XEPHYR_SIZE env variable controls the size of the Xephyr window, the default is 800x600.
The dwarfs utils are relatively large (~20 MB when extracted) and are not needed for squashfs-compressed images, so it's better to move them into a separate archive.
The integrated utils now include two squashfuse binaries: one is for fuse2 and the other is for fuse3.
Conty will automatically use the fuse3 version if fuse3 is installed, otherwise it will use the fuse2 version.
Besides, glibc libs are now included and are used for the integrated utils.
This means that the integrated utils no longer depend on the system-wide glibc and will work even on really old distros (like Ubuntu 12.04, for example), assuming that the kernel version is new enough, of course.
This is required for any graphical application to work (to connect to the X server) when SANDBOX is enabled. Another possible solution is to allow any local user to connect to the X server by using xhost, but binding XAUTHORITY is simpler.
However, it's necessary to bind /tmp/.X11-unix; otherwise applications will not be able to connect to the X server when the network is disabled (DISABLE_NET=1).
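Added example, not Conty's own code: a small shell function that turns the SANDBOX_LEVEL semantics listed above and the XAUTHORITY and /tmp/.X11-unix binds into a bubblewrap (bwrap) argument list. The function name, the use of a tmpfs over HOME for "isolate user files" and the dbus handling are assumptions; Conty's real command line differs.

```shell
# Added example, not Conty's own code: build a bubblewrap (bwrap) argument
# list from SANDBOX_LEVEL following the level semantics described above.
# Assumptions: the function name, a tmpfs HOME for "isolate user files",
# and unsetting the dbus address for "disable dbus" (a partial measure).
sandbox_args() {
    level="${SANDBOX_LEVEL:-1}"          # default level is 1
    case "$level" in
        1|2|3) ;;
        *) echo "invalid SANDBOX_LEVEL '$level' (expected 1, 2 or 3)" >&2; return 1 ;;
    esac
    # Level 1: the application sees an empty HOME instead of the real one.
    args="--tmpfs $HOME"
    # Any graphical application needs the X authority cookie to connect to
    # the X server; a read-only bind is enough.
    if [ -n "${XAUTHORITY:-}" ]; then
        args="$args --ro-bind $XAUTHORITY $XAUTHORITY"
    fi
    if [ "$level" -ge 2 ]; then
        # Level 2: a new PID namespace hides other processes; drop the
        # session bus address so the application does not find dbus.
        args="$args --unshare-pid --unsetenv DBUS_SESSION_BUS_ADDRESS"
    fi
    if [ "$level" -ge 3 ]; then
        # Level 3: no network. The abstract X socket lives in the network
        # namespace, so the filesystem socket directory must be bound or
        # X connections fail.
        args="$args --unshare-net --bind /tmp/.X11-unix /tmp/.X11-unix"
    fi
    echo "$args"
}

# Constructed usage: print the arguments for the currently configured level.
sandbox_args
```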
In my testing, compression using level 14 is almost 3x faster than level 19, while compression ratio is only about 2% lower. In my opinion, it's definitely worth it.
This reverts commit 9d73f302f8.
squashfuse_ll causes some weird filesystem access issues. For example, some applications are unable to access /usr/share/alsa when the squashfs image is mounted with squashfuse_ll.