sanebox: bwrap: micro-optimize to not require env

2024-08-01 08:49:20 +00:00
parent 81ea2210c9
commit 36491842cc


@@ -90,8 +90,8 @@ netDev=
netGateway=default netGateway=default
# list of IP addresses to use for DNS servers inside the sandbox (not supported by all backends) # list of IP addresses to use for DNS servers inside the sandbox (not supported by all backends)
dns=() dns=()
# list of `VAR=VALUE` environment variables to add to the sandboxed program's environment # VAR -> VALUE map of environment variables to add to the sandboxed program's environment
portalEnv=() declare -A portalEnv
# arguments to forward onto a specific backend (if that backend is active) # arguments to forward onto a specific backend (if that backend is active)
bwrapArgs=() bwrapArgs=()
@@ -542,11 +542,14 @@ parseArgs() {
# note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves. # note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
# this switch is typically accompanied by removing all MIME associations from the app's view, then. # this switch is typically accompanied by removing all MIME associations from the app's view, then.
# GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02 # GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02
portalEnv=("GIO_USE_PORTALS=1" "GTK_USE_PORTAL=1" "NIXOS_XDG_OPEN_USE_PORTAL=1") portalEnv[GIO_USE_PORTALS]=1
portalEnv[GTK_USE_PORTAL]=1
portalEnv[NIXOS_XDG_OPEN_USE_PORTAL]=1
;; ;;
(--sanebox-no-portal) (--sanebox-no-portal)
# override a previous --sanebox-portal call # override a previous --sanebox-portal call
portalEnv=() unset portalEnv
declare -A portalEnv
;; ;;
(--sanebox-bwrap-arg) (--sanebox-bwrap-arg)
local bwrapArg=$1 local bwrapArg=$1
@@ -723,7 +726,6 @@ bwrapGetCli() {
# --unshare-uts # --unshare-uts
# --unshare-user (implicit to every non-suid call to bwrap) # --unshare-user (implicit to every non-suid call to bwrap)
locate _bwrap "bwrap" "$BWRAP_FALLBACK" locate _bwrap "bwrap" "$BWRAP_FALLBACK"
locate _env "env" "$ENV_FALLBACK"
if [ -n "$bwrapUsePasta" ]; then if [ -n "$bwrapUsePasta" ]; then
# pasta drops us into an environment where we're root, but some apps complain if run as root. # pasta drops us into an environment where we're root, but some apps complain if run as root.
# TODO: this really belongs on the `pastaonlyGetCli` side. # TODO: this really belongs on the `pastaonlyGetCli` side.
@@ -735,13 +737,18 @@ bwrapGetCli() {
--gid "${GROUPS[0]}" --gid "${GROUPS[0]}"
) )
fi fi
for envName in "${!portalEnv[@]}"; do
bwrapArgs+=(--setenv "$envName" "${portalEnv[$envName]}")
done
cliArgs=( cliArgs=(
"$_bwrap" "${bwrapUnshareCgroup[@]}" "${bwrapUnshareIpc[@]}" "$_bwrap" "${bwrapUnshareCgroup[@]}" "${bwrapUnshareIpc[@]}"
"${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}" "${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}"
"${bwrapUnshareUts[@]}" "${bwrapUnshareUts[@]}"
"${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}" "${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
"${bwrapArgs[@]}" -- "${bwrapArgs[@]}" --
"$_env" "${portalEnv[@]}" "${cliArgs[@]}" "${cliArgs[@]}"
) )
if [ -n "$bwrapUsePasta" ]; then if [ -n "$bwrapUsePasta" ]; then
pastaonlyGetCli pastaonlyGetCli
@@ -875,8 +882,14 @@ capshonlyIngestCapability() {
capshonlyGetCli() { capshonlyGetCli() {
locate _capsh "capsh" "$CAPSH_FALLBACK" locate _capsh "capsh" "$CAPSH_FALLBACK"
locate _env "env" "$ENV_FALLBACK" locate _env "env" "$ENV_FALLBACK"
local envArgs=()
for envName in "${!portalEnv[@]}"; do
envArgs+=("$envName=${portalEnv[$envName]}")
done
cliArgs=( cliArgs=(
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="$_env" "${capshArgs[@]}" -- "${portalEnv[@]}" "${cliArgs[@]}" "$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="$_env" "${capshArgs[@]}" -- "${envArgs[@]}" "${cliArgs[@]}"
) )
} }
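Review bot: The `declare -A portalEnv` in the `--sanebox-no-portal` arm (second hunk) runs inside `parseArgs()`, where `declare` without `-g` creates a function-local variable: the preceding `unset portalEnv` removes the global, the replacement local is discarded when `parseArgs` returns, and a later `--sanebox-portal` on the same command line writes into that local and is silently lost, so the sandboxed program ends up without the portal variables the flag is meant to set. Since `portalEnv` appears to be declared associative at top level in the first hunk, the override can simply be `portalEnv=()`, which empties the map in place and keeps the `-A` attribute (or `declare -gA portalEnv` after the `unset`). With the global gone, `"${!portalEnv[@]}"` in `bwrapGetCli` and `capshonlyGetCli` may also trip `set -u` on older bash, though the script's `set` options are not visible here. As a point of style, the two new `for envName in` loops leave `envName` as a global; a `local envName` before each would match the file's `local bwrapArg=$1` convention. `parseArgs` starts and ends outside the hunk.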