sane-sandboxed: implement a "capshonly" backend

This commit is contained in:
2024-01-27 12:39:36 +00:00
parent 0a25ef544f
commit 15fd7bf4a5


@@ -19,7 +19,7 @@ method=
firejailFlags=() firejailFlags=()
bwrapFlags=() bwrapFlags=()
landlockPaths= landlockPaths=
landlockCapshCapsArg= capshCapsArg=
debug() { debug() {
[ -n "$isDebug" ] && printf "[debug] %s" "$1" >&2 [ -n "$isDebug" ] && printf "[debug] %s" "$1" >&2
@@ -279,16 +279,7 @@ landlockIngestProfile() {
debug "landlock doesn't implement profiles" debug "landlock doesn't implement profiles"
} }
landlockIngestCapability() { landlockIngestCapability() {
# N.B. `capsh` parsing of `--caps=X` arg is idiosyncratic: capshonlyIngestCapability "$1"
# - valid: `capsh --caps=CAP_FOO,CAP_BAR=eip -- <cmd>`
# - valid: `capsh --caps= -- <cmd>`
# - invalid: `capsh --caps=CAP_FOO,CAP_BAR -- <cmd>`
# - invalid: `capsh --caps==eip -- <cmd>`
if [ -z "$landlockCapshCapsArg" ]; then
landlockCapshCapsArg="cap_$1=eip"
else
landlockCapshCapsArg="cap_$1,$landlockCapshCapsArg"
fi
} }
landlockExec() { landlockExec() {
# other sandboxing methods would create fake /dev, /proc, /tmp filesystems # other sandboxing methods would create fake /dev, /proc, /tmp filesystems
@@ -319,7 +310,40 @@ landlockExec() {
# invoke the actual user command. # invoke the actual user command.
PATH="$PATH:@landlockSandboxer@/bin:@libcap@/bin" LL_FS_RO= LL_FS_RW="$landlockPaths" exec \ PATH="$PATH:@landlockSandboxer@/bin:@libcap@/bin" LL_FS_RO= LL_FS_RW="$landlockPaths" exec \
sandboxer \ sandboxer \
capsh "--caps=$landlockCapshCapsArg" -- \ capsh "--caps=$capshCapsArg" -- \
-c "${cliArgs[*]}"
}
## CAPSH-ONLY BACKEND
# this backend exists because apps which are natively bwrap may complain about having ambient privileges.
# then, run them in a capsh sandbox, which ignores any path sandboxing and just lowers privs to what's needed.
capshonlyIngestRootPath() {
debug "capshonly doesn't implement root paths"
}
capshonlyIngestHomePath() {
debug "capshonly doesn't implement home paths"
}
capshonlyIngestProfile() {
debug "capshonly doesn't implement profiles"
}
capshonlyIngestCapability() {
# N.B. `capsh` parsing of `--caps=X` arg is idiosyncratic:
# - valid: `capsh --caps=CAP_FOO,CAP_BAR=eip -- <cmd>`
# - valid: `capsh --caps= -- <cmd>`
# - invalid: `capsh --caps=CAP_FOO,CAP_BAR -- <cmd>`
# - invalid: `capsh --caps==eip -- <cmd>`
if [ -z "$capshCapsArg" ]; then
capshCapsArg="cap_$1=eip"
else
capshCapsArg="cap_$1,$capshCapsArg"
fi
}
capshonlyExec() {
PATH="$PATH:@libcap@/bin" exec \
capsh "--caps=$capshCapsArg" -- \
-c "${cliArgs[*]}" -c "${cliArgs[*]}"
} }
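Review bot: In `capshonlyExec` the user command is flattened with `"${cliArgs[*]}"` and handed to `bash -c` (capsh's `--` runs `/bin/bash` with the remaining arguments), so every argument is re-parsed by a shell: a path containing a space, a glob or `$` is split or expanded again, which is a quoting bug at best and a command-injection surface if any element of `cliArgs` comes from outside the wrapper. The same pattern already exists in `landlockExec` (visible in the old side of this hunk), so it is not introduced here, but the new backend duplicates it rather than fixing it. Passing the arguments through the shell intact is a two-line change: `capsh "--caps=$capshCapsArg" -- -c 'exec "$@"' bash "${cliArgs[@]}"`, which keeps each argument as one word and replaces the intermediate bash with the command. Separately, it is worth a comment on `capshonlyIngestCapability` that `--caps=cap_X=eip` only governs the capsh process's own permitted/inheritable/effective sets; whether `cap_X` survives the exec of the user command depends on it also being in the ambient set inherited from the parent (capsh has `--addamb` for that), which the "lowers privs to what's needed" comment currently leaves implicit — confirm against the intended parent (bwrap/firejail) setup.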