From 7c6813ff376d1188afaaead013dea8ce14e43281 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sat, 25 May 2024 10:08:49 +0000
Subject: [PATCH] sanebox: add a new method `pastaonly`
---
 pkgs/additional/sanebox/sanebox | 98 +++++++++++++++++++++++----------
 1 file changed, 69 insertions(+), 29 deletions(-)
diff --git a/pkgs/additional/sanebox/sanebox b/pkgs/additional/sanebox/sanebox
index c6f9420f..1048fe4e 100755
--- a/pkgs/additional/sanebox/sanebox
+++ b/pkgs/additional/sanebox/sanebox
@@ -58,6 +58,7 @@ cliArgs=()
 # - "bwrap"
 # - "landlock"
 # - "capshonly"
+# - "pastaonly"
 # - "firejail"
 # - "none"
 method=
@@ -112,7 +113,7 @@ usage() {
 echo ' invoke the program directly, instead of inside a sandbox'
 echo ' --sanebox-dry-run'
 echo ' show what would be `exec`uted but do not perform any action'
- echo ' --sanebox-method '
+ echo ' --sanebox-method '
 echo ' use a specific sandboxer'
 echo ' --sanebox-autodetect '
 echo ' add files which appear later as CLI arguments into the sandbox'
@@ -616,9 +617,7 @@ bwrapUnshareUts=(--unshare-uts)
 bwrapVirtualizeDev=(--dev /dev)
 bwrapVirtualizeProc=(--proc /proc)
 bwrapVirtualizeTmp=(--tmpfs /tmp)
-# args to invoke `pasta` (user-mode network stack) with
-bwrapPastaArgs=()
-bwrapNetSetup=
+bwrapUsePasta=
 bwrapSetup() {
 debug "bwrapSetup: noop"
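Review bot: The new `bwrapUsePasta=` flag in the `@@ -616` hunk replaces the removed `# args to invoke pasta ...` comment with nothing, so a reader no longer learns when pasta gets pulled in front of bwrap or who sets the flag. A one-line comment above it would restore that, e.g. `# non-empty when a net dev/gateway/dns restriction requires wrapping bwrap in pasta (see bwrapIngestNetDev & co.)`. `bwrapSetup` continues past the end of the hunk.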
@@ -667,22 +666,20 @@ bwrapIngestPath() {
 esac
 }
 bwrapIngestNetDev() {
- local dev=$1
+ local dev="$1"
 bwrapUnshareNet=()
- case $dev in
- (all)
- ;;
- (*)
- bwrapPastaArgs+=(--outbound-if4 "$dev")
- ;;
- esac
+ if [ "$dev" != "all" ]; then
+ bwrapUsePasta=1
+ pastaonlyIngestNetDev "$dev"
+ fi
 }
 bwrapIngestNetGateway() {
- bwrapPastaArgs+=(--gateway "$1")
+ bwrapUsePasta=1
+ pastaonlyIngestNetGateway "$1"
 }
 bwrapIngestDns() {
- # NAT DNS requests to localhost to the VPN's DNS resolver
- bwrapNetSetup="ip addr del 127.0.0.1/8 dev lo; iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1 -j DNAT --to-destination $1:53; $bwrapNetSetup"
+ bwrapUsePasta=1
+ pastaonlyIngestDns "$1"
 }
 bwrapIngestKeepNamespace() {
 case $1 in
@@ -722,20 +719,8 @@ bwrapGetCli() {
 "${bwrapFlags[@]}" -- env "${portalEnv[@]}" "${cliArgs[@]}"
 )
- if [ ${#bwrapPastaArgs} -ne 0 ]; then
- # if [ -n "$bwrapNetSetup" ]; then
- cliArgs=(
- "/bin/sh" "-c"
- "$bwrapNetSetup exec"' "$0" "$@"'
- "${cliArgs[@]}"
- )
- # fi
- locate _pasta "pasta" "$PASTA_FALLBACK"
- cliArgs=(
- "$_pasta" --ipv4-only -U none -T none --config-net
- "${bwrapPastaArgs[@]}" --
- "${cliArgs[@]}"
- )
+ if [ -n "$bwrapUsePasta" ]; then
+ pastaonlyGetCli
 fi
 }
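Review bot: `bwrapIngestDns` now sets `bwrapUsePasta=1`, so a profile that pins only a DNS resolver (no interface or gateway) appears to get wrapped in pasta, whereas the removed `bwrapGetCli` check keyed off `${#bwrapPastaArgs}` and so skipped both pasta and the DNS NAT in that case. If that is the intended fix it is a silent behaviour change worth a comment where the flag is set, e.g. `# DNS pinning needs its own netns, so it implies pasta even without a dev/gateway restriction`, and a mention in the commit message. Either way the three setters now share the same two-line shape; a tiny helper (`bwrapRequirePasta() { bwrapUsePasta=1; }`) would make the coupling to the pastaonly backend explicit rather than repeated. `bwrapIngestKeepNamespace` continues past the end of the hunk.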
@@ -864,6 +849,55 @@ capshonlyGetCli() {
 }
+## PASTA-ONLY BACKEND
+# this backend exists mostly as a helper for the bwrap backend
+
+pastaArgs=()
+pastaNetSetup=
+pastaonlySetup() {
+ debug "pastaonlySetup: noop"
+}
+pastaonlyIngestPath() {
+ debug "pastaonlyIngestPath: noop"
+}
+pastaonlyIngestNetDev() {
+ local dev=$1
+ case $dev in
+ (all)
+ ;;
+ (*)
+ pastaArgs+=(--outbound-if4 "$dev")
+ ;;
+ esac
+}
+pastaonlyIngestNetGateway() {
+ pastaArgs+=(--gateway "$1")
+}
+pastaonlyIngestDns() {
+ # NAT DNS requests to localhost to the VPN's DNS resolver
+ pastaNetSetup="ip addr del 127.0.0.1/8 dev lo; iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1 -j DNAT --to-destination $1:53; $pastaNetSetup"
+}
+pastaonlyIngestKeepNamespace() {
+ :
+}
+pastaonlyIngestCapability() {
+ :
+}
+pastaonlyGetCli() {
+ cliArgs=(
+ "/bin/sh" "-c"
+ "$pastaNetSetup exec"' "$0" "$@"'
+ "${cliArgs[@]}"
+ )
+ locate _pasta "pasta" "$PASTA_FALLBACK"
+ cliArgs=(
+ "$_pasta" --ipv4-only -U none -T none --config-net
+ "${pastaArgs[@]}" --
+ "${cliArgs[@]}"
+ )
+}
+
+
 ## NONE BACKEND
 # this backend exists only to allow benchmarking
 noneSetup() {
@@ -875,6 +909,12 @@ noneIngestPath() {
 noneIngestNetDev() {
 :
 }
+noneIngestNetGateway() {
+ :
+}
+noneIngestDns() {
+ :
+}
 noneIngestKeepNamespace() {
 :
 }
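Review bot: In `pastaonlyIngestDns` the setup commands are joined with `;`, so if `ip addr del` or `iptables` fails inside the pasta namespace (binary absent on the host PATH, no nat table, no CAP_NET_ADMIN) the `exec` in `pastaonlyGetCli` still runs and the program starts without the DNAT rule; chaining with `&&` and aborting keeps DNS pinning fail-closed: `pastaNetSetup="ip addr del 127.0.0.1/8 dev lo && iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1 -j DNAT --to-destination $1:53 || exit 1; $pastaNetSetup"`. The same string splices `$1` verbatim into a `/bin/sh -c` command line, so if the resolver address can originate from a CLI flag or a profile file it should be rejected unless it is a plain IPv4 literal before use, e.g. `case $1 in (*[!0-9.]*) echo "bad dns address: $1" >&2; exit 1;; esac`. Only UDP/53 is redirected, so a resolver that retries over TCP will fail rather than leak (127.0.0.1/8 is removed from lo) — fine if deliberate, but worth a word in the comment. Finally, as a standalone `--sanebox-method pastaonly`, `pastaonlyIngestPath`, `pastaonlyIngestKeepNamespace` and `pastaonlyIngestCapability` are no-ops, so path, namespace and capability restrictions from a profile are accepted and silently not enforced; the backend header should state that, e.g. `# NOTE: network isolation only — path/namespace/capability restrictions are ignored by this backend`.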