bunpen: move restrict::namespace_restrict -> restrict::ns::namespace_restrict

2024-09-20 11:15:04 +00:00
parent f6a93e120a
commit 3993f26cc6
2 changed files with 11 additions and 9 deletions

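--- a/PATH-NOT-SHOWN-FILE-1
+++ b/PATH-NOT-SHOWN-FILE-1
@@ -5,6 +5,7 @@ use errors::ext;
 use log;
 use log::tree;
 use restrict;
+use restrict::ns;
 use rt;
 use rt::ext;
 use strings;
@@ -35,7 +36,7 @@ fn prepare_env(req: config::cli_request) config::exec_params = {
 // set no_new_privs early. this is a flag which prevents us from gaining privs
 // via SUID/SGID executables, which we never intend to do.
 errors::ext::check("no_new_privs", rt::ext::no_new_privs());
-restrict::namespace_restrict(&req.resources);
+restrict::ns::namespace_restrict(&req.resources);
 restrict::capability_restrict(&req.resources);
 // XXX: landlock prevents other sandboxers like `bwrap` from executing,
 // because it forbids all future `mount` syscalls. so don't landlock.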

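--- a/PATH-NOT-SHOWN-FILE-2
+++ b/PATH-NOT-SHOWN-FILE-2
@@ -8,13 +8,14 @@ use log;
 use os;
 use os::exec;
 use path;
+use restrict;
 use rt;
 use rt::ext;
 use strings;
 use unix;
 use unix::signal;
-export fn namespace_restrict(what: *resources) void = {
+export fn namespace_restrict(what: *restrict::resources) void = {
 // record the uid and gid of the initial namespace, so that we can re-map them
 // in the new ns.
 let uid = unix::getuid();
@@ -35,10 +36,10 @@ export fn namespace_restrict(what: *resources) void = {
 what_to_unshare &= ~rt::ext::clone_flag::NEWIPC;
 };
 match (what.net) {
-case net_none => void;
-case let subset: net_subset =>
+case restrict::net_none => void;
+case let subset: restrict::net_subset =>
 log::println("[namespace] TODO: not keeping subset of net namespace");
-case net_all =>
+case restrict::net_all =>
 log::println("[namespace] keeping net namespace");
 what_to_unshare &= ~rt::ext::clone_flag::NEWNET;
 };
@@ -55,7 +56,7 @@ export fn namespace_restrict(what: *resources) void = {
 log::println("[namespace] failed to unshare w/o user namespace. raising CAP_SYS_ADMIN and trying again");
 let raise_caps = rt::ext::CAPS_NONE;
-caps_add(&raise_caps, rt::ext::cap::SYS_ADMIN);
+restrict::caps_add(&raise_caps, rt::ext::cap::SYS_ADMIN);
 if (try_unshare_with(unshare_keep_users, raise_caps))
 what_to_unshare = 0;
 };
@@ -127,7 +128,7 @@ fn try_unshare_with(flags: rt::ext::clone_flags, caps: rt::ext::caps) bool = {
 };
 let new_caps = orig_caps;
-caps_add_caps(&new_caps.effective, caps);
+restrict::caps_add_caps(&new_caps.effective, caps);
 errors::ext::swallow("[namespace] raise caps", rt::ext::capset(new_caps));
 let unshared = try_unshare(flags);
@@ -145,7 +146,7 @@ fn try_unshare_with(flags: rt::ext::clone_flags, caps: rt::ext::caps) bool = {
 // everything inside this struct is borrowed
 type ns_ctx = struct {
-what: *resources,
+what: *restrict::resources,
 old_fs: *fs::fs,
 new_fs: *fs::fs,
 };
@@ -256,7 +257,7 @@ fn forward_signal_handler(sig: unix::signal::sig, info: *unix::signal::siginfo,
 // i don't know if this really matters anywhere (maybe `/` and `/proc`?),
 // `sanebox` behavior is to gather all paths, expand their symlinks,
 // and then only bind-mount the top-most path in the case of overlap.
-fn isolate_paths(what: *resources) void = {
+fn isolate_paths(what: *restrict::resources) void = {
 // allow new mounts to propagate from the parent namespace into the child
 // namespace, but not vice versa:
 errors::ext::check("[namespace] reconfigure / as MS_SLAVE", rt::ext::mount("/", "/", "", rt::ext::mount_flag::SLAVE | rt::ext::mount_flag::REC, null));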
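Review bot: In the `match (what.net)` hunk, the `restrict::net_subset` arm only logs a TODO, so the bound `subset` is never read and NEWNET is left in `what_to_unshare`; within this hunk a subset request therefore ends up exactly like `restrict::net_none`, with the network namespace fully unshared. That is the conservative outcome, but nothing in the arm says so, and the log text suggests the request was merely not honoured rather than replaced by full isolation. The arm should state the fallback, e.g. `// TODO: net subsets are not implemented; until they are, fall through to a fully unshared net namespace (same as net_none) rather than keeping the host's.`, and the message could read `"[namespace] TODO: net subset not supported; isolating net namespace entirely"`. namespace_restrict's body starts and ends outside these hunks, so whether a later step re-examines `what.net` is not visible here.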