sanebox: bwrap: micro-optimize to not require env
@@ -90,8 +90,8 @@ netDev=
|
||||
netGateway=default
|
||||
# list of IP addresses to use for DNS servers inside the sandbox (not supported by all backends)
|
||||
dns=()
|
||||
# list of `VAR=VALUE` environment variables to add to the sandboxed program's environment
|
||||
portalEnv=()
|
||||
# VAR -> VALUE map of environment variables to add to the sandboxed program's environment
|
||||
declare -A portalEnv
|
||||
|
||||
# arguments to forward onto a specific backend (if that backend is active)
|
||||
bwrapArgs=()
|
||||
@@ -542,11 +542,14 @@ parseArgs() {
|
||||
# note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
|
||||
# this switch is typically accompanied by removing all MIME associations from the app's view, then.
|
||||
# GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02
|
||||
portalEnv=("GIO_USE_PORTALS=1" "GTK_USE_PORTAL=1" "NIXOS_XDG_OPEN_USE_PORTAL=1")
|
||||
portalEnv[GIO_USE_PORTALS]=1
|
||||
portalEnv[GTK_USE_PORTAL]=1
|
||||
portalEnv[NIXOS_XDG_OPEN_USE_PORTAL]=1
|
||||
;;
|
||||
(--sanebox-no-portal)
|
||||
# override a previous --sanebox-portal call
|
||||
portalEnv=()
|
||||
unset portalEnv
|
||||
declare -A portalEnv
|
||||
;;
|
||||
(--sanebox-bwrap-arg)
|
||||
local bwrapArg=$1
|
||||
@@ -723,7 +726,6 @@ bwrapGetCli() {
|
||||
# --unshare-uts
|
||||
# --unshare-user (implicit to every non-suid call to bwrap)
|
||||
locate _bwrap "bwrap" "$BWRAP_FALLBACK"
|
||||
locate _env "env" "$ENV_FALLBACK"
|
||||
if [ -n "$bwrapUsePasta" ]; then
|
||||
# pasta drops us into an environment where we're root, but some apps complain if run as root.
|
||||
# TODO: this really belongs on the `pastaonlyGetCli` side.
|
||||
@@ -735,13 +737,18 @@ bwrapGetCli() {
|
||||
--gid "${GROUPS[0]}"
|
||||
)
|
||||
fi
|
||||
|
||||
for envName in "${!portalEnv[@]}"; do
|
||||
bwrapArgs+=(--setenv "$envName" "${portalEnv[$envName]}")
|
||||
done
|
||||
|
||||
cliArgs=(
|
||||
"$_bwrap" "${bwrapUnshareCgroup[@]}" "${bwrapUnshareIpc[@]}"
|
||||
"${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}"
|
||||
"${bwrapUnshareUts[@]}"
|
||||
"${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
|
||||
"${bwrapArgs[@]}" --
|
||||
"$_env" "${portalEnv[@]}" "${cliArgs[@]}"
|
||||
"${cliArgs[@]}"
|
||||
)
|
||||
if [ -n "$bwrapUsePasta" ]; then
|
||||
pastaonlyGetCli
|
||||
@@ -875,8 +882,14 @@ capshonlyIngestCapability() {
|
||||
capshonlyGetCli() {
|
||||
locate _capsh "capsh" "$CAPSH_FALLBACK"
|
||||
locate _env "env" "$ENV_FALLBACK"
|
||||
|
||||
local envArgs=()
|
||||
for envName in "${!portalEnv[@]}"; do
|
||||
envArgs+=("$envName=${portalEnv[$envName]}")
|
||||
done
|
||||
|
||||
cliArgs=(
|
||||
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="$_env" "${capshArgs[@]}" -- "${portalEnv[@]}" "${cliArgs[@]}"
|
||||
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="$_env" "${capshArgs[@]}" -- "${envArgs[@]}" "${cliArgs[@]}"
|
||||
)
|
||||
}
|
||||
|
||||
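Review bot: In the `--sanebox-no-portal` branch of parseArgs, `declare -A portalEnv` runs inside a function, so bash creates a function-local array, while the preceding `unset portalEnv` has already removed the global one declared near the top of the file. After parseArgs returns, no associative `portalEnv` remains, and any `--sanebox-portal` handled later in the same call only fills the local copy, which is discarded on return. If a later parseArgs call then runs `portalEnv[GIO_USE_PORTALS]=1`, bash would create an indexed array and evaluate each name arithmetically to index 0, so the loops in bwrapGetCli and capshonlyGetCli would emit `0` as the variable name and the portal variables would silently never reach the sandboxed program. Clearing in place with `portalEnv=()` keeps the associative attribute; alternatively use `declare -gA portalEnv` after the unset. parseArgs starts and ends outside the hunk, so whether it is re-entered or has an enclosing `local portalEnv` cannot be confirmed from here.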