sanebox: add a new method pastaonly
This commit is contained in:
parent
7b1bc210fd
commit
7c6813ff37
|
@ -58,6 +58,7 @@ cliArgs=()
|
|||
# - "bwrap"
|
||||
# - "landlock"
|
||||
# - "capshonly"
|
||||
# - "pastaonly"
|
||||
# - "firejail"
|
||||
# - "none"
|
||||
method=
|
||||
|
@ -112,7 +113,7 @@ usage() {
|
|||
echo ' invoke the program directly, instead of inside a sandbox'
|
||||
echo ' --sanebox-dry-run'
|
||||
echo ' show what would be `exec`uted but do not perform any action'
|
||||
echo ' --sanebox-method <bwrap|capshonly|firejail|landlock|none>'
|
||||
echo ' --sanebox-method <bwrap|capshonly|pastaonly|firejail|landlock|none>'
|
||||
echo ' use a specific sandboxer'
|
||||
echo ' --sanebox-autodetect <existing|existingFile|existingFileOrParent|existingOrParent|parent>'
|
||||
echo ' add files which appear later as CLI arguments into the sandbox'
|
||||
|
@ -616,9 +617,7 @@ bwrapUnshareUts=(--unshare-uts)
|
|||
bwrapVirtualizeDev=(--dev /dev)
|
||||
bwrapVirtualizeProc=(--proc /proc)
|
||||
bwrapVirtualizeTmp=(--tmpfs /tmp)
|
||||
# args to invoke `pasta` (user-mode network stack) with
|
||||
bwrapPastaArgs=()
|
||||
bwrapNetSetup=
|
||||
bwrapUsePasta=
|
||||
|
||||
bwrapSetup() {
|
||||
debug "bwrapSetup: noop"
|
||||
|
@ -667,22 +666,20 @@ bwrapIngestPath() {
|
|||
esac
|
||||
}
|
||||
bwrapIngestNetDev() {
|
||||
local dev=$1
|
||||
local dev="$1"
|
||||
bwrapUnshareNet=()
|
||||
case $dev in
|
||||
(all)
|
||||
;;
|
||||
(*)
|
||||
bwrapPastaArgs+=(--outbound-if4 "$dev")
|
||||
;;
|
||||
esac
|
||||
if [ "$dev" != "all" ]; then
|
||||
bwrapUsePasta=1
|
||||
pastaonlyIngestNetDev "$dev"
|
||||
fi
|
||||
}
|
||||
bwrapIngestNetGateway() {
|
||||
bwrapPastaArgs+=(--gateway "$1")
|
||||
bwrapUsePasta=1
|
||||
pastaonlyIngestNetGateway "$1"
|
||||
}
|
||||
bwrapIngestDns() {
|
||||
# NAT DNS requests to localhost to the VPN's DNS resolver
|
||||
bwrapNetSetup="ip addr del 127.0.0.1/8 dev lo; iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1 -j DNAT --to-destination $1:53; $bwrapNetSetup"
|
||||
bwrapUsePasta=1
|
||||
pastaonlyIngestDns "$1"
|
||||
}
|
||||
bwrapIngestKeepNamespace() {
|
||||
case $1 in
|
||||
|
@ -722,20 +719,8 @@ bwrapGetCli() {
|
|||
"${bwrapFlags[@]}" --
|
||||
env "${portalEnv[@]}" "${cliArgs[@]}"
|
||||
)
|
||||
if [ ${#bwrapPastaArgs} -ne 0 ]; then
|
||||
# if [ -n "$bwrapNetSetup" ]; then
|
||||
cliArgs=(
|
||||
"/bin/sh" "-c"
|
||||
"$bwrapNetSetup exec"' "$0" "$@"'
|
||||
"${cliArgs[@]}"
|
||||
)
|
||||
# fi
|
||||
locate _pasta "pasta" "$PASTA_FALLBACK"
|
||||
cliArgs=(
|
||||
"$_pasta" --ipv4-only -U none -T none --config-net
|
||||
"${bwrapPastaArgs[@]}" --
|
||||
"${cliArgs[@]}"
|
||||
)
|
||||
if [ -n "$bwrapUsePasta" ]; then
|
||||
pastaonlyGetCli
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -864,6 +849,55 @@ capshonlyGetCli() {
|
|||
}
|
||||
|
||||
|
||||
## PASTA-ONLY BACKEND
|
||||
# this backend exists mostly as a helper for the bwrap backend
|
||||
|
||||
pastaArgs=()
|
||||
pastaNetSetup=
|
||||
pastaonlySetup() {
|
||||
debug "pastaonlySetup: noop"
|
||||
}
|
||||
pastaonlyIngestPath() {
|
||||
debug "pastaonlyIngestPath: noop"
|
||||
}
|
||||
pastaonlyIngestNetDev() {
|
||||
local dev=$1
|
||||
case $dev in
|
||||
(all)
|
||||
;;
|
||||
(*)
|
||||
pastaArgs+=(--outbound-if4 "$dev")
|
||||
;;
|
||||
esac
|
||||
}
|
||||
pastaonlyIngestNetGateway() {
|
||||
pastaArgs+=(--gateway "$1")
|
||||
}
|
||||
pastaonlyIngestDns() {
|
||||
# NAT DNS requests to localhost to the VPN's DNS resolver
|
||||
pastaNetSetup="ip addr del 127.0.0.1/8 dev lo; iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1 -j DNAT --to-destination $1:53; $pastaNetSetup"
|
||||
}
|
||||
pastaonlyIngestKeepNamespace() {
|
||||
:
|
||||
}
|
||||
pastaonlyIngestCapability() {
|
||||
:
|
||||
}
|
||||
pastaonlyGetCli() {
|
||||
cliArgs=(
|
||||
"/bin/sh" "-c"
|
||||
"$pastaNetSetup exec"' "$0" "$@"'
|
||||
"${cliArgs[@]}"
|
||||
)
|
||||
locate _pasta "pasta" "$PASTA_FALLBACK"
|
||||
cliArgs=(
|
||||
"$_pasta" --ipv4-only -U none -T none --config-net
|
||||
"${pastaArgs[@]}" --
|
||||
"${cliArgs[@]}"
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
## NONE BACKEND
|
||||
# this backend exists only to allow benchmarking
|
||||
noneSetup() {
|
||||
|
@ -875,6 +909,12 @@ noneIngestPath() {
|
|||
noneIngestNetDev() {
|
||||
:
|
||||
}
|
||||
noneIngestNetGateway() {
|
||||
:
|
||||
}
|
||||
noneIngestDns() {
|
||||
:
|
||||
}
|
||||
noneIngestKeepNamespace() {
|
||||
:
|
||||
}
|
||||
|
|
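Review bot: `pastaonlyIngestDns` splices `$1` verbatim into `pastaNetSetup`, a string that `pastaonlyGetCli` later hands to `/bin/sh -c`, so a value that is not a plain address (a stray `;` or space) is parsed as shell syntax instead of failing inside iptables; the removed `bwrapIngestDns` body had the same shape, but now that this is the single shared path it is the place to validate. A cheap guard before the assignment is `case $1 in (*[!0-9.]*|"") echo "sanebox: invalid DNS address: $1" >&2; return 1;; esac`, which also matches the `--ipv4-only` flag pasta is invoked with. Presumably the value arrives from a CLI option whose parsing is outside these hunks, so an existing check there would make this redundant — worth confirming. Separately, `pastaonlyGetCli` wraps the command in `/bin/sh -c` even when `pastaNetSetup` is empty (the old `# if [ -n "$bwrapNetSetup" ]` guard disappeared with the duplicated code); enclosing that first `cliArgs=( … )` in `if [ -n "$pastaNetSetup" ]; then … fi` avoids an unneeded shell in the exec chain.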