bunpen: make --bunpen-caps all behave as shorthand for literally specifying every capability
@@ -50,13 +50,14 @@ export fn ingest_cli_opts(opts: cli_opts) (cli_request | help) = {
|
||||
return help;
|
||||
};
|
||||
|
||||
//---- ingest `caps` ----//
|
||||
req.resources.caps = restrict::cap_array_to_caps(opts.keep_caps);
|
||||
|
||||
//---- ingest `home_paths` ----//
|
||||
ingest_paths(&req.resources.paths, opts.home_paths, os::getenv("HOME"));
|
||||
//---- ingest `keep_all_caps` ----//
|
||||
req.resources.all_caps = opts.keep_all_caps;
|
||||
|
||||
//---- ingest `caps` ----//
|
||||
req.resources.caps = restrict::cap_array_to_caps(opts.keep_caps);
|
||||
if (opts.keep_all_caps)
|
||||
req.resources.caps = rt::ext::CAPS_ALL;
|
||||
|
||||
//---- ingest `keep_net` ----//
|
||||
req.resources.net = opts.keep_net;
|
||||
|
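Review bot: The `if (opts.keep_all_caps)` assignment silently discards whatever `cap_array_to_caps(opts.keep_caps)` produced two lines earlier, and nothing in the hunk says this is intended, so a later reader may "fix" it into a merge; a comment on the `if` line would settle it, e.g. `// "--bunpen-caps all" is a superset of any explicit list, so it simply replaces it`. Whether `rt::ext::CAPS_ALL` reflects the capability list of the running kernel or one fixed when bunpen was built is not visible here; if it is the latter, that limit belongs next to this use of the constant, since "all" would then mean "all that bunpen knew about". ingest_cli_opts begins before this hunk.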
@@ -47,14 +47,11 @@ export fn main() void = {
|
||||
case let other: config::cli_request => yield other;
|
||||
};
|
||||
|
||||
restrict::namespace_restrict(&req.resources);
|
||||
if (req.resources.all_caps) {
|
||||
// TODO: this probably isn't what i want? i think this actually results in having no caps
|
||||
log::printfln("not restricting capabilities");
|
||||
} else {
|
||||
restrict::capability_restrict(&req.resources);
|
||||
};
|
||||
// set no_new_privs early. this is a flag which prevents us from gaining privs
|
||||
// via SUID/SGID executables, which we never intend to do.
|
||||
errors::ext::check("no_new_privs", rt::ext::no_new_privs());
|
||||
restrict::namespace_restrict(&req.resources);
|
||||
restrict::capability_restrict(&req.resources);
|
||||
// XXX: landlock prevents other sandboxers like `bwrap` from executing,
|
||||
// because it forbids all future `mount` syscalls. so don't landlock.
|
||||
// restrict::landlock_restrict(&req.resources);
|
||||
|
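Review bot: Moving `restrict::namespace_restrict` and `restrict::capability_restrict` below the no_new_privs check changes the order of the sandbox steps, but the surviving comment only explains no_new_privs itself; the reason the restricts now follow it (presumably so the no-regain guarantee is already in force when privileges are dropped) should be stated on the first moved line, e.g. `// restrict only after no_new_privs is in place, so nothing dropped here can be regained later`. The removed `all_caps` branch was also the only place the run logged that capabilities were left unrestricted; with `--bunpen-caps all` now going through `capability_restrict` with CAPS_ALL, a log line on that path would keep the same visibility for anyone reading the sandbox's output. main starts before this hunk and its remaining body lies outside it.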
@@ -6,7 +6,6 @@ export type resources = struct {
|
||||
// paths to allow unrestricted access to (i.e. with whatever permissions the
|
||||
// user has naturally.
|
||||
paths: []path::buffer,
|
||||
all_caps: bool,
|
||||
caps: rt::ext::caps,
|
||||
// true to allow unrestricted net access.
|
||||
// false to maximally disable net access.
|
||||
|