programs: sane-sandboxed: avoid reading firejail profiles when the backend isnt firejail
this should provide a marginal perf gain
@@ -3,8 +3,7 @@
|
||||
test -n "$SANE_SANDBOX_DEBUG" && set -x
|
||||
|
||||
cliArgs=()
|
||||
name=
|
||||
firejailProfile=
|
||||
profilesNamed=()
|
||||
rootPaths=()
|
||||
homePaths=()
|
||||
net=
|
||||
@@ -25,9 +24,7 @@ loadProfileByPath() {
|
||||
}
|
||||
|
||||
tryLoadProfileByName() {
|
||||
if [ -z "$name" ]; then
|
||||
name="$1"
|
||||
fi
|
||||
profilesNamed+=("$1")
|
||||
|
||||
_profileDirs=(@profileDirs@)
|
||||
for _profileDir in "${_profileDirs[@]}"; do
|
||||
@@ -38,17 +35,6 @@ tryLoadProfileByName() {
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if [ -z "$firejailProfile" ]; then
|
||||
_fjProfileDirs=(@firejailProfileDirs@)
|
||||
for _fjProfileDir in "${_fjProfileDirs[@]}"; do
|
||||
_fjProfile="$_fjProfileDir/$1.profile"
|
||||
debug "try firejail profile at path: '$_fjProfile'"
|
||||
if [ -f "$_fjProfile" ]; then
|
||||
firejailProfile="$_fjProfile"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
## parse CLI args into the variables declared above
|
||||
@@ -125,8 +111,13 @@ parseArgs() {
|
||||
|
||||
## FIREJAIL BACKEND
|
||||
|
||||
firejailName=
|
||||
firejailProfile=
|
||||
|
||||
firejailIngestRootPath() {
|
||||
firejailFlags+=("--noblacklist=$1" "--whitelist=$1")
|
||||
# XXX: firejail flat-out refuses to whitelist certain root paths
|
||||
# this exception list is non-exhaustive
|
||||
[ "$1" != "/bin" ] && [ "$1" != "/etc" ] && firejailFlags+=("--noblacklist=$1" "--whitelist=$1")
|
||||
}
|
||||
firejailIngestHomePath() {
|
||||
firejailFlags+=("--noblacklist="'${HOME}/'"$1" "--whitelist="'${HOME}/'"$1")
|
||||
@@ -137,11 +128,26 @@ firejailIngestNet() {
|
||||
firejailIngestDns() {
|
||||
firejailFlags+=("--dns=$1")
|
||||
}
|
||||
firejailIngestName() {
|
||||
firejailFlags+=("--join-or-start=$1")
|
||||
firejailIngestProfile() {
|
||||
if [ -z "$firejailName" ]; then
|
||||
firejailName="$1"
|
||||
fi
|
||||
if [ -z "$firejailProfile" ]; then
|
||||
_fjProfileDirs=(@firejailProfileDirs@)
|
||||
for _fjProfileDir in "${_fjProfileDirs[@]}"; do
|
||||
_fjProfile="$_fjProfileDir/$1.profile"
|
||||
debug "try firejail profile at path: '$_fjProfile'"
|
||||
if [ -f "$_fjProfile" ]; then
|
||||
firejailProfile="$_fjProfile"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
firejailExec() {
|
||||
if [ -n "$firejailName" ]; then
|
||||
firejailFlags+=("--join-or-start=$firejailName")
|
||||
fi
|
||||
if [ -n "$firejailProfile" ]; then
|
||||
firejailFlags+=("--profile=$firejailProfile")
|
||||
fi
|
||||
@@ -163,8 +169,8 @@ bwrapIngestHomePath() {
|
||||
# `test -r` isn't needed here, unless/until i try mounting a symlink like `~/Videos/servo` directly.
|
||||
bwrapFlags+=("--dev-bind" "$_path" "$_path")
|
||||
}
|
||||
bwrapIngestName() {
|
||||
echo "bwrap naming/labeling not yet implemented"
|
||||
bwrapIngestProfile() {
|
||||
debug "bwrap doesn't implement profiles"
|
||||
}
|
||||
# WIP
|
||||
|
||||
@@ -199,9 +205,9 @@ for _addr in "${dns[@]}"; do
|
||||
"$method"IngestDns "$_addr"
|
||||
done
|
||||
|
||||
if [ -n "$name" ]; then
|
||||
"$method"IngestName "$name"
|
||||
fi
|
||||
for _prof in "${profilesNamed[@]}"; do
|
||||
"$method"IngestProfile "$_prof"
|
||||
done
|
||||
|
||||
"$method"Exec
|
||||
|
||||
|
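Review bot: In the new `firejailIngestProfile`, the profile name is spliced into `"$_fjProfileDir/$1.profile"` with no validation, so a name containing `/` or `..` would resolve outside the configured firejail profile directories, and the resulting path is then passed to firejail as `--profile=` in `firejailExec`. Where profile names originate is not visible in these hunks (parseArgs lies outside them), so this is a hardening point rather than a confirmed defect: reject such names at the top of the function, e.g. `case "$1" in */*|.|..) debug "ignoring profile name with path components: '$1'"; return ;; esac`. The lookup loop also keeps iterating after a hit, so the last matching directory wins, whereas the loop in `tryLoadProfileByName` stops at the first match; adding `break` after `firejailProfile="$_fjProfile"` would give both lookups the same precedence. A short comment above the function stating that only the first profile sets `firejailName` and `firejailProfile` would document why later profiles are skipped.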