colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

bunpen: support --bunpen-keep-ipc

Browse Source
This commit is contained in:
Colin
2024-09-07 22:08:25 +00:00
parent 3fb566a3fd
commit 130ce0e69f
4 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pkgs/additional/bunpen/config/cli.ha
View File

@@ -17,6 +17,7 @@ export type cli_opts = struct {
home_paths: []str,
keep_all_caps: bool,
keep_caps: []rt::ext::cap,
keep_ipc: bool,
keep_net: bool,
keep_pid: bool,
paths: []str,
@@ -43,6 +44,8 @@ export fn usage() void = {
fmt::println(" --bunpen-cap <all|sys_admin|net_raw|net_admin|...>")!;
fmt::println(" allow the sandboxed program to use the provided linux capability (both inside and outside the sandbox)")!;
fmt::println(" special cap 'all' to preserve all capabilities possible")!;
fmt::println(" --bunpen-keep-ipc")!;
fmt::println(" allow this process to talk to other processes in the same 'IPC namespace' (rarely needed)")!;
fmt::println(" --bunpen-keep-net")!;
fmt::println(" allow unrestricted access to the network")!;
fmt::println(" --bunpen-keep-pid")!;
@@ -113,6 +116,7 @@ export fn parse_args(args: []str) (cli_opts | errors::invalid) = {
case "--bunpen-drop-shell" => parsed.drop_shell = true;
case "--bunpen-help" => parsed.help = true;
case "--bunpen-home-path" => idx += 1; append(parsed.home_paths, expect_arg("--bunpen-home-path", next)?);
case "--bunpen-keep-ipc" => parsed.keep_ipc = true;
case "--bunpen-keep-net" => parsed.keep_net = true;
case "--bunpen-keep-pid" => parsed.keep_pid = true;
case "--bunpen-path" => idx += 1; append(parsed.paths, expect_arg("--bunpen-path", next)?);

3
pkgs/additional/bunpen/config/translate_opts.ha
View File

@@ -97,6 +97,9 @@ export fn ingest_cli_opts(opts: cli_opts) (cli_request | exec_params | help) = {
if (opts.keep_all_caps)
req.resources.caps = rt::ext::CAPS_ALL;
//---- ingest `keep_ipc` ----//
req.resources.ipc = opts.keep_ipc;
//---- ingest `keep_net` ----//
req.resources.net = opts.keep_net;

4
pkgs/additional/bunpen/restrict/namespace.ha
View File

@@ -30,6 +30,10 @@ export fn namespace_restrict(what: *resources) void = {
rt::ext::clone_flag::NEWUSER |
rt::ext::clone_flag::NEWUTS
;
if (what.ipc) {
log::println("[namespace] keeping ipc namespace");
what_to_unshare &= ~rt::ext::clone_flag::NEWIPC;
};
if (what.net) {
log::println("[namespace] keeping net namespace");
what_to_unshare &= ~rt::ext::clone_flag::NEWNET;

2
pkgs/additional/bunpen/restrict/resources.ha
View File

@@ -7,6 +7,8 @@ export type resources = struct {
// user has naturally.
paths: []path::buffer,
caps: rt::ext::caps,
// true to allow speaking to other processes in the same IPC namespace
ipc: bool,
// true to allow unrestricted net access.
// false to maximally disable net access.
net: bool,