sane-vpn: port to bunpen

This commit is contained in:
2024-09-21 12:41:49 +00:00
parent b1763ccd02
commit 1501c99016
2 changed files with 11 additions and 12 deletions


@@ -201,10 +201,10 @@ let
pname = "sane-vpn"; pname = "sane-vpn";
srcRoot = ./src; srcRoot = ./src;
pkgs = [ pkgs = [
"bunpen"
"iproute2" "iproute2"
"networkmanager-split.nmcli" "networkmanager-split.nmcli"
"sane-scripts.ip-check" "sane-scripts.ip-check"
"sanebox"
"systemd" "systemd"
]; ];
}; };


@@ -1,5 +1,5 @@
#!/usr/bin/env nix-shell #!/usr/bin/env nix-shell
#!nix-shell -i python3 -p iproute2 -p networkmanager-split.nmcli -p python3 -p sane-scripts.ip-check -p sanebox -p systemd #!nix-shell -i python3 -p bunpen -p iproute2 -p networkmanager-split.nmcli -p python3 -p sane-scripts.ip-check -p systemd
# vim: set filetype=python : # vim: set filetype=python :
""" """
sane-vpn: tool to route all system internet traffic through some VPN, or just one application's sane-vpn: tool to route all system internet traffic through some VPN, or just one application's
@@ -226,24 +226,23 @@ def get_vpn(vpn_name: str) -> VpnConfig:
def vpn_do(config: VpnConfig, cmd: list[str]) -> None: def vpn_do(config: VpnConfig, cmd: list[str]) -> None:
net_flags = [] net_flags = []
net_flags += [ "--sanebox-net-dev", config.dev ] net_flags += [ "--bunpen-net-dev", config.dev ]
for d in config.dns: for d in config.dns:
net_flags += [ "--sanebox-dns", d ] net_flags += [ "--bunpen-dns", d ]
if config.addr_v4: if config.addr_v4:
net_flags += [ "--sanebox-net-gateway", config.addr_v4 ] net_flags += [ "--bunpen-net-gateway", config.addr_v4 ]
wrapped_cmd = [ wrapped_cmd = [
"sanebox", "bunpen",
# method: pastaonly, should be enough, but it leaves us as root in the user namespace. "--bunpen-keep-ipc",
# some apps don't like that -- bwrap is the fix to have uid mapping "--bunpen-keep-pid",
"--sanebox-method", "bwrap", "--bunpen-try-keep-users",
"--sanebox-keep-namespace", "all", "--bunpen-path", "/",
"--sanebox-path", "/",
] + net_flags + cmd ] + net_flags + cmd
logger.debug(f"exec {wrapped_cmd}") logger.debug(f"exec {wrapped_cmd}")
# exec instead of subprocess so that (hopefully) the process inherits stdin/stdout. # exec instead of subprocess so that (hopefully) the process inherits stdin/stdout.
os.execvp("sanebox", wrapped_cmd) os.execvp("bunpen", wrapped_cmd)
def vpn_toggle(config: VpnConfig, dir_: ToggleDir) -> None: def vpn_toggle(config: VpnConfig, dir_: ToggleDir) -> None:
print("old IP address ...") print("old IP address ...")