sanebox: add a new method pastaonly
This commit is contained in:
parent
7b1bc210fd
commit
7c6813ff37
|
@ -58,6 +58,7 @@ cliArgs=()
|
||||||
# - "bwrap"
|
# - "bwrap"
|
||||||
# - "landlock"
|
# - "landlock"
|
||||||
# - "capshonly"
|
# - "capshonly"
|
||||||
|
# - "pastaonly"
|
||||||
# - "firejail"
|
# - "firejail"
|
||||||
# - "none"
|
# - "none"
|
||||||
method=
|
method=
|
||||||
|
@ -112,7 +113,7 @@ usage() {
|
||||||
echo ' invoke the program directly, instead of inside a sandbox'
|
echo ' invoke the program directly, instead of inside a sandbox'
|
||||||
echo ' --sanebox-dry-run'
|
echo ' --sanebox-dry-run'
|
||||||
echo ' show what would be `exec`uted but do not perform any action'
|
echo ' show what would be `exec`uted but do not perform any action'
|
||||||
echo ' --sanebox-method <bwrap|capshonly|firejail|landlock|none>'
|
echo ' --sanebox-method <bwrap|capshonly|pastaonly|firejail|landlock|none>'
|
||||||
echo ' use a specific sandboxer'
|
echo ' use a specific sandboxer'
|
||||||
echo ' --sanebox-autodetect <existing|existingFile|existingFileOrParent|existingOrParent|parent>'
|
echo ' --sanebox-autodetect <existing|existingFile|existingFileOrParent|existingOrParent|parent>'
|
||||||
echo ' add files which appear later as CLI arguments into the sandbox'
|
echo ' add files which appear later as CLI arguments into the sandbox'
|
||||||
|
@ -616,9 +617,7 @@ bwrapUnshareUts=(--unshare-uts)
|
||||||
bwrapVirtualizeDev=(--dev /dev)
|
bwrapVirtualizeDev=(--dev /dev)
|
||||||
bwrapVirtualizeProc=(--proc /proc)
|
bwrapVirtualizeProc=(--proc /proc)
|
||||||
bwrapVirtualizeTmp=(--tmpfs /tmp)
|
bwrapVirtualizeTmp=(--tmpfs /tmp)
|
||||||
# args to invoke `pasta` (user-mode network stack) with
|
bwrapUsePasta=
|
||||||
bwrapPastaArgs=()
|
|
||||||
bwrapNetSetup=
|
|
||||||
|
|
||||||
bwrapSetup() {
|
bwrapSetup() {
|
||||||
debug "bwrapSetup: noop"
|
debug "bwrapSetup: noop"
|
||||||
|
@ -667,22 +666,20 @@ bwrapIngestPath() {
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
bwrapIngestNetDev() {
|
bwrapIngestNetDev() {
|
||||||
local dev=$1
|
local dev="$1"
|
||||||
bwrapUnshareNet=()
|
bwrapUnshareNet=()
|
||||||
case $dev in
|
if [ "$dev" != "all" ]; then
|
||||||
(all)
|
bwrapUsePasta=1
|
||||||
;;
|
pastaonlyIngestNetDev "$dev"
|
||||||
(*)
|
fi
|
||||||
bwrapPastaArgs+=(--outbound-if4 "$dev")
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
}
|
}
|
||||||
bwrapIngestNetGateway() {
|
bwrapIngestNetGateway() {
|
||||||
bwrapPastaArgs+=(--gateway "$1")
|
bwrapUsePasta=1
|
||||||
|
pastaonlyIngestNetGateway "$1"
|
||||||
}
|
}
|
||||||
bwrapIngestDns() {
|
bwrapIngestDns() {
|
||||||
# NAT DNS requests to localhost to the VPN's DNS resolver
|
bwrapUsePasta=1
|
||||||
bwrapNetSetup="ip addr del 127.0.0.1/8 dev lo; iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1 -j DNAT --to-destination $1:53; $bwrapNetSetup"
|
pastaonlyIngestDns "$1"
|
||||||
}
|
}
|
||||||
bwrapIngestKeepNamespace() {
|
bwrapIngestKeepNamespace() {
|
||||||
case $1 in
|
case $1 in
|
||||||
|
@ -722,20 +719,8 @@ bwrapGetCli() {
|
||||||
"${bwrapFlags[@]}" --
|
"${bwrapFlags[@]}" --
|
||||||
env "${portalEnv[@]}" "${cliArgs[@]}"
|
env "${portalEnv[@]}" "${cliArgs[@]}"
|
||||||
)
|
)
|
||||||
if [ ${#bwrapPastaArgs} -ne 0 ]; then
|
if [ -n "$bwrapUsePasta" ]; then
|
||||||
# if [ -n "$bwrapNetSetup" ]; then
|
pastaonlyGetCli
|
||||||
cliArgs=(
|
|
||||||
"/bin/sh" "-c"
|
|
||||||
"$bwrapNetSetup exec"' "$0" "$@"'
|
|
||||||
"${cliArgs[@]}"
|
|
||||||
)
|
|
||||||
# fi
|
|
||||||
locate _pasta "pasta" "$PASTA_FALLBACK"
|
|
||||||
cliArgs=(
|
|
||||||
"$_pasta" --ipv4-only -U none -T none --config-net
|
|
||||||
"${bwrapPastaArgs[@]}" --
|
|
||||||
"${cliArgs[@]}"
|
|
||||||
)
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -864,6 +849,55 @@ capshonlyGetCli() {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
## PASTA-ONLY BACKEND
|
||||||
|
# this backend exists mostly as a helper for the bwrap backend
|
||||||
|
|
||||||
|
pastaArgs=()
|
||||||
|
pastaNetSetup=
|
||||||
|
pastaonlySetup() {
|
||||||
|
debug "pastaonlySetup: noop"
|
||||||
|
}
|
||||||
|
pastaonlyIngestPath() {
|
||||||
|
debug "pastaonlyIngestPath: noop"
|
||||||
|
}
|
||||||
|
pastaonlyIngestNetDev() {
|
||||||
|
local dev=$1
|
||||||
|
case $dev in
|
||||||
|
(all)
|
||||||
|
;;
|
||||||
|
(*)
|
||||||
|
pastaArgs+=(--outbound-if4 "$dev")
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
pastaonlyIngestNetGateway() {
|
||||||
|
pastaArgs+=(--gateway "$1")
|
||||||
|
}
|
||||||
|
pastaonlyIngestDns() {
|
||||||
|
# NAT DNS requests to localhost to the VPN's DNS resolver
|
||||||
|
pastaNetSetup="ip addr del 127.0.0.1/8 dev lo; iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1 -j DNAT --to-destination $1:53; $pastaNetSetup"
|
||||||
|
}
|
||||||
|
pastaonlyIngestKeepNamespace() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
pastaonlyIngestCapability() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
pastaonlyGetCli() {
|
||||||
|
cliArgs=(
|
||||||
|
"/bin/sh" "-c"
|
||||||
|
"$pastaNetSetup exec"' "$0" "$@"'
|
||||||
|
"${cliArgs[@]}"
|
||||||
|
)
|
||||||
|
locate _pasta "pasta" "$PASTA_FALLBACK"
|
||||||
|
cliArgs=(
|
||||||
|
"$_pasta" --ipv4-only -U none -T none --config-net
|
||||||
|
"${pastaArgs[@]}" --
|
||||||
|
"${cliArgs[@]}"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
## NONE BACKEND
|
## NONE BACKEND
|
||||||
# this backend exists only to allow benchmarking
|
# this backend exists only to allow benchmarking
|
||||||
noneSetup() {
|
noneSetup() {
|
||||||
|
@ -875,6 +909,12 @@ noneIngestPath() {
|
||||||
noneIngestNetDev() {
|
noneIngestNetDev() {
|
||||||
:
|
:
|
||||||
}
|
}
|
||||||
|
noneIngestNetGateway() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
noneIngestDns() {
|
||||||
|
:
|
||||||
|
}
|
||||||
noneIngestKeepNamespace() {
|
noneIngestKeepNamespace() {
|
||||||
:
|
:
|
||||||
}
|
}
|
||||||
|
|
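Review bot: `pastaonlyIngestDns` splices `$1` straight into `pastaNetSetup`, a string that `pastaonlyGetCli` later hands to `/bin/sh -c`, so a resolver address containing shell metacharacters (`;`, backticks, `$(...)`) would run as a command in the namespace where the `ip`/`iptables` setup executes. The bwrap backend had the same construction before this commit, but now that `pastaonly` is a selectable `--sanebox-method` the validation belongs where the string is built; the hunks do not show where the address originates, so if it can come from a CLI flag or a resolv.conf-derived value this is reachable. A cheap guard before the assignment: `case $1 in (*[!0-9.]*|'') echo "pastaonlyIngestDns: not an IPv4 address: $1" >&2; exit 1 ;; esac`. Separately, the rule only DNATs UDP/53, so TCP DNS to 127.0.0.1 is not redirected — a comment such as `# UDP only: TCP/53 to loopback is not rewritten` would keep that from surprising a later reader. Since `pastaonlyIngestPath`, `pastaonlyIngestKeepNamespace` and `pastaonlyIngestCapability` are no-ops, the usage line for `--sanebox-method` would also benefit from noting that `pastaonly` gives network isolation only.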