sanebox: add a new method pastaonly

2024-05-25 10:08:49 +00:00 · 2024-05-25 10:08:49 +00:00 · 7c6813ff37
commit 7c6813ff37
parent 7b1bc210fd
1 changed files with 69 additions and 29 deletions
--- a/pkgs/additional/sanebox/sanebox
+++ b/pkgs/additional/sanebox/sanebox
@ -58,6 +58,7 @@ cliArgs=()
 # - "bwrap"
 # - "landlock"
 # - "capshonly"
+# - "pastaonly"
 # - "firejail"
 # - "none"
 method=
@ -112,7 +113,7 @@ usage() {
  echo '      invoke the program directly, instead of inside a sandbox'
  echo '  --sanebox-dry-run'
  echo '      show what would be `exec`uted but do not perform any action'
-  echo '  --sanebox-method <bwrap|capshonly|firejail|landlock|none>'
+  echo '  --sanebox-method <bwrap|capshonly|pastaonly|firejail|landlock|none>'
  echo '      use a specific sandboxer'
  echo '  --sanebox-autodetect <existing|existingFile|existingFileOrParent|existingOrParent|parent>'
  echo '      add files which appear later as CLI arguments into the sandbox'
@ -616,9 +617,7 @@ bwrapUnshareUts=(--unshare-uts)
 bwrapVirtualizeDev=(--dev /dev)
 bwrapVirtualizeProc=(--proc /proc)
 bwrapVirtualizeTmp=(--tmpfs /tmp)
-# args to invoke `pasta` (user-mode network stack) with
-bwrapPastaArgs=()
-bwrapNetSetup=
+bwrapUsePasta=

 bwrapSetup() {
  debug "bwrapSetup: noop"
@ -667,22 +666,20 @@ bwrapIngestPath() {
  esac
 }
 bwrapIngestNetDev() {
-  local dev=$1
+  local dev="$1"
  bwrapUnshareNet=()
-  case $dev in
-    (all)
-      ;;
-    (*)
-      bwrapPastaArgs+=(--outbound-if4 "$dev")
-      ;;
-  esac
+  if [ "$dev" != "all" ]; then
+    bwrapUsePasta=1
+    pastaonlyIngestNetDev "$dev"
+  fi
 }
 bwrapIngestNetGateway() {
-  bwrapPastaArgs+=(--gateway "$1")
+  bwrapUsePasta=1
+  pastaonlyIngestNetGateway "$1"
 }
 bwrapIngestDns() {
-  # NAT DNS requests to localhost to the VPN's DNS resolver
-  bwrapNetSetup="ip addr del 127.0.0.1/8 dev lo; iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1 -j DNAT --to-destination $1:53; $bwrapNetSetup"
+  bwrapUsePasta=1
+  pastaonlyIngestDns "$1"
 }
 bwrapIngestKeepNamespace() {
  case $1 in
@ -722,20 +719,8 @@ bwrapGetCli() {
      "${bwrapFlags[@]}" --
    env "${portalEnv[@]}" "${cliArgs[@]}"
  )
-  if [ ${#bwrapPastaArgs} -ne 0 ]; then
-    # if [ -n "$bwrapNetSetup" ]; then
-      cliArgs=(
-        "/bin/sh" "-c"
-        "$bwrapNetSetup exec"' "$0" "$@"'
-        "${cliArgs[@]}"
-      )
-    # fi
-    locate _pasta "pasta" "$PASTA_FALLBACK"
-    cliArgs=(
-      "$_pasta" --ipv4-only -U none -T none --config-net
-        "${bwrapPastaArgs[@]}" --
-      "${cliArgs[@]}"
-    )
+  if [ -n "$bwrapUsePasta" ]; then
+    pastaonlyGetCli
  fi
 }

@ -864,6 +849,55 @@ capshonlyGetCli() {
 }


+## PASTA-ONLY BACKEND
+# this backend exists mostly as a helper for the bwrap backend
+
+pastaArgs=()
+pastaNetSetup=
+pastaonlySetup() {
+  debug "pastaonlySetup: noop"
+}
+pastaonlyIngestPath() {
+  debug "pastaonlyIngestPath: noop"
+}
+pastaonlyIngestNetDev() {
+  local dev=$1
+  case $dev in
+    (all)
+      ;;
+    (*)
+      pastaArgs+=(--outbound-if4 "$dev")
+      ;;
+  esac
+}
+pastaonlyIngestNetGateway() {
+  pastaArgs+=(--gateway "$1")
+}
+pastaonlyIngestDns() {
+  # NAT DNS requests to localhost to the VPN's DNS resolver
+  pastaNetSetup="ip addr del 127.0.0.1/8 dev lo; iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1 -j DNAT --to-destination $1:53; $pastaNetSetup"
+}
+pastaonlyIngestKeepNamespace() {
+  :
+}
+pastaonlyIngestCapability() {
+  :
+}
+pastaonlyGetCli() {
+  cliArgs=(
+    "/bin/sh" "-c"
+    "$pastaNetSetup exec"' "$0" "$@"'
+    "${cliArgs[@]}"
+  )
+  locate _pasta "pasta" "$PASTA_FALLBACK"
+  cliArgs=(
+    "$_pasta" --ipv4-only -U none -T none --config-net
+      "${pastaArgs[@]}" --
+    "${cliArgs[@]}"
+  )
+}
+
+
 ## NONE BACKEND
 # this backend exists only to allow benchmarking
 noneSetup() {
@ -875,6 +909,12 @@ noneIngestPath() {
 noneIngestNetDev() {
  :
 }
+noneIngestNetGateway() {
+  :
+}
+noneIngestDns() {
+  :
+}
 noneIngestKeepNamespace() {
  :
 }