bunpen: make --bunpen-caps all behave as shorthand for literally specifying every capability

2024-09-02 20:39:18 +00:00
parent da72fc9d52
commit 5e84056715
3 changed files with 9 additions and 12 deletions


@@ -50,13 +50,14 @@ export fn ingest_cli_opts(opts: cli_opts) (cli_request | help) = {
return help; return help;
}; };
//---- ingest `caps` ----//
req.resources.caps = restrict::cap_array_to_caps(opts.keep_caps);
//---- ingest `home_paths` ----// //---- ingest `home_paths` ----//
ingest_paths(&req.resources.paths, opts.home_paths, os::getenv("HOME")); ingest_paths(&req.resources.paths, opts.home_paths, os::getenv("HOME"));
//---- ingest `keep_all_caps` ----// //---- ingest `keep_all_caps` ----//
req.resources.all_caps = opts.keep_all_caps; if (opts.keep_all_caps)
req.resources.caps = rt::ext::CAPS_ALL;
//---- ingest `caps` ----//
req.resources.caps = restrict::cap_array_to_caps(opts.keep_caps);
//---- ingest `keep_net` ----// //---- ingest `keep_net` ----//
req.resources.net = opts.keep_net; req.resources.net = opts.keep_net;
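Review bot: On the new side the `if (opts.keep_all_caps) req.resources.caps = rt::ext::CAPS_ALL;` assignment appears to be clobbered straight away by the unconditional `req.resources.caps = restrict::cap_array_to_caps(opts.keep_caps);` that follows it, so `--bunpen-caps all` would end up with whatever `keep_caps` parsed to rather than every capability. The old/new side of those lines is inferred from the collapsed rendering; if the option parser already expands `all` into `opts.keep_caps` the `if` is merely dead code, otherwise the shorthand silently fails closed, which is the safe direction but not what the commit title promises. Making the two cases exclusive, `req.resources.caps = if (opts.keep_all_caps) rt::ext::CAPS_ALL` / `else restrict::cap_array_to_caps(opts.keep_caps);`, covers either reading, and a test asserting that `all` yields a caps value equal to `rt::ext::CAPS_ALL` would pin it. ingest_cli_opts continues outside the hunk.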


@@ -47,14 +47,11 @@ export fn main() void = {
case let other: config::cli_request => yield other; case let other: config::cli_request => yield other;
}; };
restrict::namespace_restrict(&req.resources); // set no_new_privs early. this is a flag which prevents us from gaining privs
if (req.resources.all_caps) { // via SUID/SGID executables, which we never intend to do.
// TODO: this probably isn't what i want? i think this actually results in having no caps
log::printfln("not restricting capabilities");
} else {
restrict::capability_restrict(&req.resources);
};
errors::ext::check("no_new_privs", rt::ext::no_new_privs()); errors::ext::check("no_new_privs", rt::ext::no_new_privs());
restrict::namespace_restrict(&req.resources);
restrict::capability_restrict(&req.resources);
// XXX: landlock prevents other sandboxers like `bwrap` from executing, // XXX: landlock prevents other sandboxers like `bwrap` from executing,
// because it forbids all future `mount` syscalls. so don't landlock. // because it forbids all future `mount` syscalls. so don't landlock.
// restrict::landlock_restrict(&req.resources); // restrict::landlock_restrict(&req.resources);
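Review bot: The new comment above `errors::ext::check("no_new_privs", rt::ext::no_new_privs());` says what no_new_privs does but not why it now has to run before `restrict::namespace_restrict` and `restrict::capability_restrict`, which is the reordering this hunk actually introduces. I would extend it with something like `// it must precede the capability drop below: with no_new_privs set, execve ignores setuid bits and file capabilities, so the cap set chosen here cannot be regained by anything we exec.` The removed branch also logged "not restricting capabilities" when all caps were kept; with `capability_restrict` now unconditional the all-caps case leaves no trace, so a log line there would help when auditing why a sandboxed process still holds its full capability set. main begins and ends outside the hunk.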


@@ -6,7 +6,6 @@ export type resources = struct {
// paths to allow unrestricted access to (i.e. with whatever permissions the // paths to allow unrestricted access to (i.e. with whatever permissions the
// user has naturally. // user has naturally.
paths: []path::buffer, paths: []path::buffer,
all_caps: bool,
caps: rt::ext::caps, caps: rt::ext::caps,
// true to allow unrestricted net access. // true to allow unrestricted net access.
// false to maximally disable net access. // false to maximally disable net access.