sanebox: add a new method pastaonly

pkgs/additional/sanebox/sanebox

@@ -58,6 +58,7 @@ cliArgs=()
 # - "bwrap"
 # - "landlock"
 # - "capshonly"
+# - "pastaonly"
 # - "firejail"
 # - "none"
 method=
@@ -112,7 +113,7 @@ usage() {
   echo '      invoke the program directly, instead of inside a sandbox'
   echo '  --sanebox-dry-run'
   echo '      show what would be `exec`uted but do not perform any action'
-  echo '  --sanebox-method <bwrap|capshonly|firejail|landlock|none>'
+  echo '  --sanebox-method <bwrap|capshonly|pastaonly|firejail|landlock|none>'
   echo '      use a specific sandboxer'
   echo '  --sanebox-autodetect <existing|existingFile|existingFileOrParent|existingOrParent|parent>'
   echo '      add files which appear later as CLI arguments into the sandbox'
@@ -616,9 +617,7 @@ bwrapUnshareUts=(--unshare-uts)
 bwrapVirtualizeDev=(--dev /dev)
 bwrapVirtualizeProc=(--proc /proc)
 bwrapVirtualizeTmp=(--tmpfs /tmp)
-# args to invoke `pasta` (user-mode network stack) with
+bwrapUsePasta=
-bwrapPastaArgs=()
-bwrapNetSetup=
 
 bwrapSetup() {
   debug "bwrapSetup: noop"
@@ -667,22 +666,20 @@ bwrapIngestPath() {
   esac
 }
 bwrapIngestNetDev() {
-  local dev=$1
+  local dev="$1"
   bwrapUnshareNet=()
-  case $dev in
+  if [ "$dev" != "all" ]; then
-    (all)
+    bwrapUsePasta=1
-      ;;
+    pastaonlyIngestNetDev "$dev"
-    (*)
+  fi
-      bwrapPastaArgs+=(--outbound-if4 "$dev")
-      ;;
-  esac
 }
 bwrapIngestNetGateway() {
-  bwrapPastaArgs+=(--gateway "$1")
+  bwrapUsePasta=1
+  pastaonlyIngestNetGateway "$1"
 }
 bwrapIngestDns() {
-  # NAT DNS requests to localhost to the VPN's DNS resolver
+  bwrapUsePasta=1
-  bwrapNetSetup="ip addr del 127.0.0.1/8 dev lo; iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1 -j DNAT --to-destination $1:53; $bwrapNetSetup"
+  pastaonlyIngestDns "$1"
 }
 bwrapIngestKeepNamespace() {
   case $1 in
@@ -722,20 +719,8 @@ bwrapGetCli() {
       "${bwrapFlags[@]}" --
     env "${portalEnv[@]}" "${cliArgs[@]}"
   )
-  if [ ${#bwrapPastaArgs} -ne 0 ]; then
+  if [ -n "$bwrapUsePasta" ]; then
-    # if [ -n "$bwrapNetSetup" ]; then
+    pastaonlyGetCli
-      cliArgs=(
-        "/bin/sh" "-c"
-        "$bwrapNetSetup exec"' "$0" "$@"'
-        "${cliArgs[@]}"
-      )
-    # fi
-    locate _pasta "pasta" "$PASTA_FALLBACK"
-    cliArgs=(
-      "$_pasta" --ipv4-only -U none -T none --config-net
-        "${bwrapPastaArgs[@]}" --
-      "${cliArgs[@]}"
-    )
   fi
 }
 
@@ -864,6 +849,55 @@ capshonlyGetCli() {
 }
 
 
+## PASTA-ONLY BACKEND
+# this backend exists mostly as a helper for the bwrap backend
+
+pastaArgs=()
+pastaNetSetup=
+pastaonlySetup() {
+  debug "pastaonlySetup: noop"
+}
+pastaonlyIngestPath() {
+  debug "pastaonlyIngestPath: noop"
+}
+pastaonlyIngestNetDev() {
+  local dev=$1
+  case $dev in
+    (all)
+      ;;
+    (*)
+      pastaArgs+=(--outbound-if4 "$dev")
+      ;;
+  esac
+}
+pastaonlyIngestNetGateway() {
+  pastaArgs+=(--gateway "$1")
+}
+pastaonlyIngestDns() {
+  # NAT DNS requests to localhost to the VPN's DNS resolver
+  pastaNetSetup="ip addr del 127.0.0.1/8 dev lo; iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1 -j DNAT --to-destination $1:53; $pastaNetSetup"
+}
+pastaonlyIngestKeepNamespace() {
+  :
+}
+pastaonlyIngestCapability() {
+  :
+}
+pastaonlyGetCli() {
+  cliArgs=(
+    "/bin/sh" "-c"
+    "$pastaNetSetup exec"' "$0" "$@"'
+    "${cliArgs[@]}"
+  )
+  locate _pasta "pasta" "$PASTA_FALLBACK"
+  cliArgs=(
+    "$_pasta" --ipv4-only -U none -T none --config-net
+      "${pastaArgs[@]}" --
+    "${cliArgs[@]}"
+  )
+}
+
+
 ## NONE BACKEND
 # this backend exists only to allow benchmarking
 noneSetup() {
@@ -875,6 +909,12 @@ noneIngestPath() {
 noneIngestNetDev() {
   :
 }
+noneIngestNetGateway() {
+  :
+}
+noneIngestDns() {
+  :
+}
 noneIngestKeepNamespace() {
   :
 }