colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

programs: sane-sandboxed: implement --sane-sandbox-cap for capabilities setting

Browse Source
This commit is contained in:
Colin 2024-01-24 06:34:11 +00:00
parent 79e2bd2913
commit 7f002b8718
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
modules/programs/sane-sandboxed
View File

@ -8,6 +8,7 @@ autodetect=
profilesNamed=() profilesNamed=()
rootPaths=() rootPaths=()
homePaths=() homePaths=()
capabilities=()
net= net=
dns=() dns=()
method= method=
@ -116,6 +117,11 @@ parseArgs() {
# e.g. first drop to the broadest path set of interest (Music,Videos,tmp, ...), then drop via autodetect. # e.g. first drop to the broadest path set of interest (Music,Videos,tmp, ...), then drop via autodetect.
autodetect=1 autodetect=1
;; ;;
(--sane-sandbox-cap)
_cap="$1"
shift
capabilities+=("$_cap")
;;
(--sane-sandbox-dns) (--sane-sandbox-dns)
# N.B.: these named temporary variables ensure that `set -x` causes $1 to be printed # N.B.: these named temporary variables ensure that `set -x` causes $1 to be printed
_dns="$1" _dns="$1"
@ -221,6 +227,9 @@ bwrapIngestHomePath() {
bwrapIngestProfile() { bwrapIngestProfile() {
debug "bwrap doesn't implement profiles" debug "bwrap doesn't implement profiles"
} }
bwrapIngestCapability() {
bwrapFlags+=("--cap-add" "cap_$1")
}
# WIP # WIP
bwrapExec() { bwrapExec() {
@ -257,6 +266,10 @@ if [ -n "$autodetect" ]; then
done done
fi fi
for _cap in "${capabilities[@]}"; do
"$method"IngestCapability "$_cap"
done
if [ -n "$net" ]; then if [ -n "$net" ]; then
"$method"IngestNet "$net" "$method"IngestNet "$net"
fi fi