def generate_bwrap_command(user, app_home_path, app_binary, permissions):
    command = [
        "/usr/bin/bwrap",
        "--ro-bind", "/bin", "/bin",
        "--ro-bind", "/usr/bin", "/usr/bin",
        "--ro-bind", "/lib", "/lib",
        "--ro-bind-try", "/lib32", "/lib32",
        "--ro-bind-try", "/lib64", "/lib64",
        "--ro-bind", "/usr/lib", "/usr/lib",
        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
        "--ro-bind", "/usr/share", "/usr/share",
        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
        "--ro-bind", "/usr/include", "/usr/include",
        "--ro-bind", "/etc", "/etc",
        "--ro-bind-try", f"{app_home_path}/.machine-id", "/etc/machine-id",
        "--ro-bind-try", f"{app_home_path}/.machine-id", "/var/lib/dbus/machine-id",
        "--ro-bind", "/var/lib", "/var/lib",
        "--tmpfs", "/var/lib/dbus",
        "--dev", "/dev",
        "--bind", app_home_path, f"/home/{user}",
        "--proc", "/proc",
        "--tmpfs", "/tmp",
        "--tmpfs", "/var/tmp",
        "--tmpfs", "/var/cache",
        "--tmpfs", "/run",
        "--symlink", "/run", "/var/run",
        "--chdir", f"/home/{user}",
        "--setenv", "HOME", f"/home/{user}",
        "--setenv", "SHELL", "/sbin/nologin",
        "--unsetenv", "SUDO_USER",
        "--unsetenv", "SUDO_UID",
        "--unsetenv", "SUDO_GID",
        "--unsetenv", "SUDO_COMMAND",
        "--unsetenv", "OLDPWD",
        "--unsetenv", "MAIL",
        "--unshare-all",
        "--new-session",
        "--cap-drop", "all",
    ]

    for p in permissions:
        if p == "network":
            command.append("--share-net")
        elif p == "x11":
            command.extend([
                "--ro-bind-try", f"/home/{user}/.Xauthority", f"/home/{user}/.Xauthority",
                "--ro-bind-try", "/tmp/.X11-unix", "/tmp/.X11-unix"
            ])
        elif p == "sys":
            command.extend([
                "--ro-bind", "/sys/dev", "/sys/dev",
                "--ro-bind", "/sys/devices", "/sys/devices",
                "--ro-bind", "/sys/class", "/sys/class",
                "--ro-bind", "/sys/bus", "/sys/bus",
                "--ro-bind", "/sys/fs/cgroup", "/sys/fs/cgroup",
                "--dev-bind", "/dev/dri", "/dev/dri",
            ])
        elif p == "microphone":
            command.extend([
                "--dev-bind-try", "/dev/snd", "/dev/snd",
            ])
        else:
            raise RuntimeError(f"unknown permission '{p}'")

    command.append(app_binary)

    return command

bash_command = generate_command(
    "hippoz",
    "/home/hippoz/sandbox",
    "/bin/bash",
    [
        "x11",
        "network",
        "microphone",
        "sys"
    ]
)
print(" ".join(bash_command))