sane-sandboxed: implement --sane-sandbox-no-portal flag
parent
430592632c
commit
4510352c07
@ -72,7 +72,7 @@ net=
# list of IP addresses to use for DNS servers inside the sandbox (firejail only)
# list of IP addresses to use for DNS servers inside the sandbox (firejail only)
dns=()
dns=()
# list of `VAR=VALUE` environment variables to add to the sandboxed program's environment
# list of `VAR=VALUE` environment variables to add to the sandboxed program's environment
extraEnv=()
portalEnv=()
# profilesNamed: list of profile names we've successfully loaded
# profilesNamed: list of profile names we've successfully loaded
profilesNamed=()
profilesNamed=()
@ -106,6 +106,8 @@ usage() {
echo ' allow the sandboxed program to use the provided linux capability (both inside and outside the sandbox)'
echo ' allow the sandboxed program to use the provided linux capability (both inside and outside the sandbox)'
echo ' --sane-sandbox-portal'
echo ' --sane-sandbox-portal'
echo ' set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files'
echo ' set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files'
echo ' --sane-sandbox-no-portal'
echo ' undo a previous `--sane-sandbox-portal` arg'
echo ' --sane-sandbox-dns <server>'
echo ' --sane-sandbox-dns <server>'
echo ' --sane-sandbox-firejail-arg <arg>'
echo ' --sane-sandbox-firejail-arg <arg>'
echo ' --sane-sandbox-bwrap-arg <arg>'
echo ' --sane-sandbox-bwrap-arg <arg>'
@ -391,7 +393,11 @@ parseArgs() {
# note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
# note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
# this switch is typically accompanied by removing all MIME associations from the app's view, then.
# this switch is typically accompanied by removing all MIME associations from the app's view, then.
# GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02
# GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02
extraEnv+=("GIO_USE_PORTALS=1" "GTK_USE_PORTAL=1" "NIXOS_XDG_OPEN_USE_PORTAL=1")
portalEnv=("GIO_USE_PORTALS=1" "GTK_USE_PORTAL=1" "NIXOS_XDG_OPEN_USE_PORTAL=1")
;;
(--sane-sandbox-no-portal)
# override a previous --sane-sandbox-portal call
portalEnv=()
;;
;;
(--sane-sandbox-dns)
(--sane-sandbox-dns)
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
@ -500,7 +506,7 @@ firejailGetCli() {
locate _firejail "firejail" "@firejail@/bin/firejail"
locate _firejail "firejail" "@firejail@/bin/firejail"
cliArgs=(
cliArgs=(
"$_firejail" "${firejailFlags[@]}" --
"$_firejail" "${firejailFlags[@]}" --
env "${extraEnv[@]}" "${cliArgs[@]}"
env "${portalEnv[@]}" "${cliArgs[@]}"
)
)
}
}
@ -592,7 +598,7 @@ bwrapGetCli() {
"${bwrapUnshareUser[@]}" "${bwrapUnshareUts[@]}"
"${bwrapUnshareUser[@]}" "${bwrapUnshareUts[@]}"
"${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
"${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
"${bwrapFlags[@]}" --
"${bwrapFlags[@]}" --
env "${extraEnv[@]}" "${cliArgs[@]}"
env "${portalEnv[@]}" "${cliArgs[@]}"
)
)
}
}
@ -660,7 +666,7 @@ landlockGetCli() {
locate _capsh "capsh" "@libcap@/bin/capsh"
locate _capsh "capsh" "@libcap@/bin/capsh"
cliArgs=(env LL_FS_RO= LL_FS_RW="$landlockPaths"
cliArgs=(env LL_FS_RO= LL_FS_RW="$landlockPaths"
"$_sandboxer"
"$_sandboxer"
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${portalEnv[@]}" "${cliArgs[@]}"
)
)
}
}
@ -710,7 +716,7 @@ capshonlyIngestCapability() {
capshonlyGetCli() {
capshonlyGetCli() {
locate _capsh "capsh" "@libcap@/bin/capsh"
locate _capsh "capsh" "@libcap@/bin/capsh"
cliArgs=(
cliArgs=(
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${portalEnv[@]}" "${cliArgs[@]}"
)
)
}
}
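Review bot: The declaration comment above `portalEnv=()` in the first hunk still reads `# list of \`VAR=VALUE\` environment variables to add to the sandboxed program's environment`, which described the old general-purpose `extraEnv`; the renamed array now carries only the xdg-desktop-portal hint variables and is assigned (not appended to) by `--sane-sandbox-portal`, so a reader can no longer tell from the comment what belongs in it. Following the `# profilesNamed: ...` style of the neighbouring declaration, I would replace it with `# portalEnv: env vars that ask the sandboxed program to route file opens through xdg-desktop-portal; set by --sane-sandbox-portal, cleared by --sane-sandbox-no-portal (whichever comes last on the command line wins)`. It may also be worth noting in the `--sane-sandbox-no-portal` usage text that the flag only drops the env hint and does not by itself deny the program access to the portal over the session bus, if that is indeed the intended semantics. The `(--sane-sandbox-portal)` case arm and the enclosing `parseArgs` body begin outside the third hunk, so I have not checked whether anything else still references the old `extraEnv` name.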