sanebox: remove all profile-related features except for direct, path-based profile loading

2024-05-15 08:58:30 +00:00
parent 530664294a
commit 17eaa7446a
4 changed files with 5 additions and 85 deletions


@@ -34,7 +34,7 @@ in
]; ];
fs.".config/xdg-desktop-portal/portals/gtk.portal".symlink.target = fs.".config/xdg-desktop-portal/portals/gtk.portal".symlink.target =
"${cfg.package}/share/xdg-desktop-portal/portals/gtk.portal"; "${cfg.packageUnwrapped}/share/xdg-desktop-portal/portals/gtk.portal";
# XXX: overcome bug when manually setting `$XDG_DESKTOP_PORTAL_DIR` # XXX: overcome bug when manually setting `$XDG_DESKTOP_PORTAL_DIR`
# which causes *.portal files to be looked for in the toplevel instead of under `portals/` # which causes *.portal files to be looked for in the toplevel instead of under `portals/`
fs.".config/xdg-desktop-portal/gtk.portal".symlink.target = "portals/gtk.portal"; fs.".config/xdg-desktop-portal/gtk.portal".symlink.target = "portals/gtk.portal";


@@ -159,7 +159,7 @@ let
wrapperType wrapperType
; ;
extraSandboxerArgs = [ extraSandboxerArgs = [
"--sanebox-profile-dir" "${sandboxProfiles}/share/sanebox/profiles" "--sanebox-profile" "${sandboxProfiles}/share/sanebox/profiles/${pkgName}.profile"
]; ];
} }
); );
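Review bot: The wrapper now receives a fixed profile path for every wrapped package, `"${sandboxProfiles}/share/sanebox/profiles/${pkgName}.profile"`, whereas the removed by-name lookup silently skipped packages that had no profile file. Whether a missing file is a hard error or is quietly ignored now depends on loadProfileByPath in the sanebox script, whose body is not part of this change. If sandboxProfiles is not guaranteed to ship a profile for every pkgName, that expectation deserves a comment on this line, e.g. `# every sandboxed package is expected to have a matching ${pkgName}.profile in sandboxProfiles; sanebox loads it by path`, or the flag should only be added when the profile is known to exist. The enclosing attribute set starts and ends outside the hunk.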


@@ -79,7 +79,7 @@ let
mv "$_dir/$_name" "$_dir/.sandboxed/" mv "$_dir/$_name" "$_dir/.sandboxed/"
fi fi
echo '#!${runtimeShell}' > "$_dir/$_name" echo '#!${runtimeShell}' > "$_dir/$_name"
echo 'exec ${sanebox'} --sanebox-profile ${pkgName}' "$_dir/.sandboxed/$_name" '"$@"' >> "$_dir/$_name" echo 'exec ${sanebox'}' ${extraSandboxArgsStr} "$_dir/.sandboxed/$_name" '"$@"' >> "$_dir/$_name"
chmod +x "$_dir/$_name" chmod +x "$_dir/$_name"
} }
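Review bot: `${extraSandboxArgsStr}` is spliced unquoted into the generated wrapper's exec line, so how the sandboxer's arguments are split at run time is decided entirely by how that string was built, which is outside this hunk. If it is produced with lib.escapeShellArgs this is fine; if it is a plain space join, a profile path or any other argument containing whitespace would be re-split when the wrapper runs. A comment stating the invariant would make this reviewable, e.g. `# extraSandboxArgsStr must already be shell-escaped, one word per argument, before being spliced here`. The enclosing function begins before the hunk.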


@@ -32,7 +32,6 @@ fi
## MUTABLE GLOBAL VARIABLES AND HELPER FUNCTIONS ## MUTABLE GLOBAL VARIABLES AND HELPER FUNCTIONS
profileDirs=()
# isDisable: set non-empty to invoke the binary without any sandboxing # isDisable: set non-empty to invoke the binary without any sandboxing
isDisable= isDisable=
# isDryRun: don't actually execute the program or sandbox: just print the command which would be run (and which the user may run from their own shell) # isDryRun: don't actually execute the program or sandbox: just print the command which would be run (and which the user may run from their own shell)
@@ -76,8 +75,6 @@ net=
dns=() dns=()
# list of `VAR=VALUE` environment variables to add to the sandboxed program's environment # list of `VAR=VALUE` environment variables to add to the sandboxed program's environment
portalEnv=() portalEnv=()
# profilesNamed: list of profile names we've successfully loaded
profilesNamed=()
# arguments to forward onto a specific backend (if that backend is active) # arguments to forward onto a specific backend (if that backend is active)
firejailFlags=() firejailFlags=()
@@ -126,8 +123,7 @@ usage() {
echo ' allow access to the host <path>, relative to XDG_RUNTIME_DIR' echo ' allow access to the host <path>, relative to XDG_RUNTIME_DIR'
echo ' --sanebox-add-pwd' echo ' --sanebox-add-pwd'
echo ' shorthand for `--sanebox-path $PWD`' echo ' shorthand for `--sanebox-path $PWD`'
echo ' --sanebox-profile <profile>' echo ' --sanebox-profile <path/to/profile>'
echo ' --sanebox-profile-dir <dir>'
echo ' --sanebox-cache-symlink <from> <to>' echo ' --sanebox-cache-symlink <from> <to>'
echo ' assume that <from> is a symlink to <to>' echo ' assume that <from> is a symlink to <to>'
echo ' performance optimization to avoid spawning a readlink subshell' echo ' performance optimization to avoid spawning a readlink subshell'
@@ -353,34 +349,6 @@ loadProfileByPath() {
parseArgs "${_profArgs[@]}" parseArgs "${_profArgs[@]}"
} }
tryLoadProfileByName() {
local profile="$1"
if [ "${profile:0:1}" = "/" ]; then
# absolute path to profile.
# consider it an error if it doesn't exist.
# in general, prefer to use `--sanebox-profile-dir` and specify the profile by name.
# doing so maximizes compatibility with anything else that uses the name, like firejail.
loadProfileByPath "$profile"
else
profilesNamed+=("$profile")
for profileDir in "${profileDirs[@]}"; do
local profilePath="$profileDir/$profile.profile"
debug "try profile at path: '$profilePath'"
if [ -f "$profilePath" ]; then
loadProfileByPath "$profilePath"
break
fi
done
fi
}
initDefaultProfileDirs() {
for d in ${XDG_DATA_DIRS//:/ }; do
profileDirs+=("$d/sanebox/profiles")
done
}
# subroutine of `tryArgAsPath` for after the arg has been converted into a valid (but possibly not existing) path. # subroutine of `tryArgAsPath` for after the arg has been converted into a valid (but possibly not existing) path.
# adds an entry to `paths` and evals `true` on success; # adds an entry to `paths` and evals `true` on success;
# evals `false` if the path couldn't be added, for any reason. # evals `false` if the path couldn't be added, for any reason.
@@ -569,16 +537,9 @@ parseArgs() {
(--sanebox-profile) (--sanebox-profile)
# load the profile *immediately*, inline. # load the profile *immediately*, inline.
# this way, user arguments which come later on the CLI can override any profile config, v.s. if profile loading were defered. # this way, user arguments which come later on the CLI can override any profile config, v.s. if profile loading were defered.
tryLoadProfileByName "$1" loadProfileByPath "$1"
shift shift
;; ;;
(--sanebox-profile-dir)
# add another directory in which to search for profiles,
# and give it *greater* precedence than the existing search directories (i.e. override the default profile)
local dir="$1"
shift
profileDirs=("$dir" "${profileDirs[@]}")
;;
(--sanebox-cache-symlink) (--sanebox-cache-symlink)
local from="$1" local from="$1"
shift shift
@@ -597,9 +558,6 @@ parseArgs() {
## FIREJAIL BACKEND ## FIREJAIL BACKEND
firejailName=
firejailProfile=
firejailSetup() { firejailSetup() {
debug "firejailSetup: noop" debug "firejailSetup: noop"
} }
@@ -617,29 +575,8 @@ firejailIngestDns() {
firejailIngestKeepNamespace() { firejailIngestKeepNamespace() {
debug "firejailIngestKeepNamespace: noop" debug "firejailIngestKeepNamespace: noop"
} }
firejailIngestProfile() {
if [ -z "$firejailName" ]; then
firejailName="$1"
fi
if [ -z "$firejailProfile" ]; then
local fjProfileDirs=(@firejailProfileDirs@)
for fjProfileDir in "${fjProfileDirs[@]}"; do
local fjProfile="$fjProfileDir/$1.profile"
debug "try firejail profile at path: '$fjProfile'"
if [ -f "$fjProfile" ]; then
firejailProfile="$fjProfile"
fi
done
fi
}
firejailGetCli() { firejailGetCli() {
if [ -n "$firejailName" ]; then
firejailFlags+=("--join-or-start=$firejailName")
fi
if [ -n "$firejailProfile" ]; then
firejailFlags+=("--profile=$firejailProfile")
fi
locate _firejail "firejail" "@firejail@/bin/firejail" locate _firejail "firejail" "@firejail@/bin/firejail"
cliArgs=( cliArgs=(
"$_firejail" "${firejailFlags[@]}" -- "$_firejail" "${firejailFlags[@]}" --
@@ -720,9 +657,6 @@ bwrapIngestKeepNamespace() {
;; ;;
esac esac
} }
bwrapIngestProfile() {
debug "bwrapIngestProfile: stubbed"
}
bwrapIngestCapability() { bwrapIngestCapability() {
bwrapFlags+=("--cap-add" "cap_$1") bwrapFlags+=("--cap-add" "cap_$1")
} }
@@ -796,9 +730,6 @@ landlockIngestNet() {
landlockIngestKeepNamespace() { landlockIngestKeepNamespace() {
debug "landlockIngestKeepNamespace: noop" debug "landlockIngestKeepNamespace: noop"
} }
landlockIngestProfile() {
debug "landlockIngestProfile: stubbed"
}
landlockIngestCapability() { landlockIngestCapability() {
capshonlyIngestCapability "$1" capshonlyIngestCapability "$1"
} }
@@ -834,9 +765,6 @@ capshonlyIngestNet() {
capshonlyIngestKeepNamespace() { capshonlyIngestKeepNamespace() {
debug "capshonlyIngestKeepNamespace: noop" debug "capshonlyIngestKeepNamespace: noop"
} }
capshonlyIngestProfile() {
debug "capshonlyIngestProfile: stubbed"
}
capshonlyIngestCapability() { capshonlyIngestCapability() {
# N.B. `capsh` parsing of `--caps=X` arg is idiosyncratic: # N.B. `capsh` parsing of `--caps=X` arg is idiosyncratic:
# - valid: `capsh --caps=CAP_FOO,CAP_BAR=eip -- <cmd>` # - valid: `capsh --caps=CAP_FOO,CAP_BAR=eip -- <cmd>`
@@ -880,9 +808,6 @@ noneIngestNet() {
noneIngestKeepNamespace() { noneIngestKeepNamespace() {
: :
} }
noneIngestProfile() {
:
}
noneIngestCapability() { noneIngestCapability() {
: :
} }
@@ -999,17 +924,12 @@ ingestForBackend() {
for ns in "${keepNamespace[@]}"; do for ns in "${keepNamespace[@]}"; do
"$method"IngestKeepNamespace "$ns" "$method"IngestKeepNamespace "$ns"
done done
for prof in "${profilesNamed[@]}"; do
"$method"IngestProfile "$prof"
done
} }
## TOPLEVEL EXECUTION ## TOPLEVEL EXECUTION
# no code evaluated before this point should be dependent on user args / environment. # no code evaluated before this point should be dependent on user args / environment.
initDefaultProfileDirs
parseArgsAndEnvironment "$@" parseArgsAndEnvironment "$@"
# variables meant to be inherited # variables meant to be inherited
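Review bot: The new usage line `--sanebox-profile <path/to/profile>` in the usage() hunk has no explanatory line beneath it, unlike its neighbours `--sanebox-add-pwd` and `--sanebox-cache-symlink`, and the removed `--sanebox-profile-dir` entry took the only hint about the profile model with it. Suggest adding `echo '  load sandbox arguments from the given profile file; later CLI arguments override its settings'`, which is what the comment in the parseArgs case arm already states. Separately, with tryLoadProfileByName gone the `--sanebox-profile` arm calls loadProfileByPath directly, so the former `-f` existence check no longer applies; whether a nonexistent path is rejected or silently accepted now rests on loadProfileByPath, whose body lies outside these hunks, and that is worth confirming since the Nix wrappers now pass a profile path for every package.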