colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

modules/programs: sane-sandboxed: avoid adding the sandbox implementation to $PATH

Browse Source
This commit is contained in:
Colin
2024-02-15 17:58:22 +00:00
parent 52d768a162
commit 1edb1fc8b6
1 changed files with 19 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
modules/programs/sane-sandboxed
View File

@@ -33,6 +33,11 @@ debug() {
[ -n "$isDebug" ] && printf "[debug] %s" "$1" >&2 [ -n "$isDebug" ] && printf "[debug] %s" "$1" >&2
} }
# `locate <bin-name> </path/to/default>` => print the full path to `<bin-name>` if it's on PATH, else print `</path/to/default>`
locate() {
command -v "$1" || echo "$2"
}
loadProfileByPath() { loadProfileByPath() {
# profile format is simply a list of arguments one would pass to this sane-sandboxed script itself, # profile format is simply a list of arguments one would pass to this sane-sandboxed script itself,
# with one argument per line # with one argument per line
@@ -302,8 +307,9 @@ firejailExec() {
if [ -n "$firejailProfile" ]; then if [ -n "$firejailProfile" ]; then
firejailFlags+=("--profile=$firejailProfile") firejailFlags+=("--profile=$firejailProfile")
fi fi
PATH="$PATH:@firejail@/bin" exec \ _firejail="$(locate firejail @firejail@/bin/firejail)"
firejail "${firejailFlags[@]}" -- \ exec \
"$_firejail" "${firejailFlags[@]}" -- \
env "${extraEnv[@]}" "${cliArgs[@]}" env "${extraEnv[@]}" "${cliArgs[@]}"
} }
@@ -349,8 +355,9 @@ bwrapExec() {
# --unshare-cgroup # --unshare-cgroup
# --unshare-uts # --unshare-uts
# --unshare-user (implicit to every non-suid call to bwrap) # --unshare-user (implicit to every non-suid call to bwrap)
PATH="$PATH:@bubblewrap@/bin" exec \ _bwrap="$(locate bwrap @bubblewrap@/bin/bwrap)"
bwrap --unshare-cgroup --unshare-ipc --unshare-user --unshare-uts "${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}" --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \ exec \
"$_bwrap" --unshare-cgroup --unshare-ipc --unshare-user --unshare-uts "${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}" --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
env "${extraEnv[@]}" "${cliArgs[@]}" env "${extraEnv[@]}" "${cliArgs[@]}"
} }
@@ -411,9 +418,11 @@ landlockExec() {
# so trampoline through `capsh` as well, to drop privs. # so trampoline through `capsh` as well, to drop privs.
# N.B: capsh passes its arg to bash (via /nix/store/.../bash), which means you have to `-c "my command"` to # N.B: capsh passes its arg to bash (via /nix/store/.../bash), which means you have to `-c "my command"` to
# invoke the actual user command. # invoke the actual user command.
PATH="$PATH:@landlockSandboxer@/bin:@libcap@/bin" LL_FS_RO= LL_FS_RW="$landlockPaths" exec \ _sandboxer="$(locate sandboxer @landlockSandboxer@/bin/sandboxer)"
sandboxer \ _capsh="$(locate capsh @libcap@/bin/capsh)"
capsh "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}" LL_FS_RO= LL_FS_RW="$landlockPaths" exec \
"$_sandboxer" \
"$_capsh" "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
} }
@@ -450,8 +459,9 @@ capshonlyIngestCapability() {
} }
capshonlyExec() { capshonlyExec() {
PATH="$PATH:@libcap@/bin" exec \ _capsh="$(locate capsh @libcap@/bin/capsh)"
capsh "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}" exec \
"$_capsh" "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
} }