bunpen: simplify: share resources with the CLI parsing to avoid duplication

2024-08-29 14:17:42 +00:00
parent 452ee68926
commit 7f5b55bc2a
2 changed files with 11 additions and 20 deletions


@@ -5,6 +5,7 @@ use fs;
use log; use log;
use os; use os;
use path; use path;
use restrict;
use rt; use rt;
use rtext; use rtext;
@@ -19,12 +20,8 @@ export type cli_request = struct {
// path to the binary to be exec'd inside the sandbox. // path to the binary to be exec'd inside the sandbox.
// if the user requested `--bunpen-drop-shell`, this will be their shell (e.g. /bin/sh). // if the user requested `--bunpen-drop-shell`, this will be their shell (e.g. /bin/sh).
exec_bin: str, exec_bin: str,
keep_net: bool, // what to keep in the restricted environment (paths, network, etc)
keep_pid: bool, resources: restrict::resources,
// absolute paths to the resources which should be made available to the
// sandbox. these may not all actually exist, and could contain entries like
// `/proc/self`; how to interpret such paths is left to the sandbox impl.
paths: []path::buffer,
}; };
export fn ingest_cli_opts(opts: cli_opts) (cli_request | help) = { export fn ingest_cli_opts(opts: cli_opts) (cli_request | help) = {
@@ -52,26 +49,26 @@ export fn ingest_cli_opts(opts: cli_opts) (cli_request | help) = {
}; };
//---- ingest `home_paths` ----// //---- ingest `home_paths` ----//
ingest_paths(&req.paths, opts.home_paths, os::getenv("HOME")); ingest_paths(&req.resources.paths, opts.home_paths, os::getenv("HOME"));
//---- ingest `keep_net` ----// //---- ingest `keep_net` ----//
req.keep_net = opts.keep_net; req.resources.net = opts.keep_net;
//---- ingest `keep_pid` ----// //---- ingest `keep_pid` ----//
req.keep_pid = opts.keep_pid; req.resources.pid = opts.keep_pid;
//---- ingest `paths` ----// //---- ingest `paths` ----//
ingest_paths(&req.paths, opts.paths, os::getcwd(), true); ingest_paths(&req.resources.paths, opts.paths, os::getcwd(), true);
//---- ingest `run_paths` ----// //---- ingest `run_paths` ----//
ingest_paths(&req.paths, opts.run_paths, os::getenv("XDG_RUNTIME_DIR")); ingest_paths(&req.resources.paths, opts.run_paths, os::getenv("XDG_RUNTIME_DIR"));
//---- ingest `autodetect` (must be done after exec_args) ----// //---- ingest `autodetect` (must be done after exec_args) ----//
match (opts.autodetect) { match (opts.autodetect) {
case let method: autodetect => case let method: autodetect =>
// N.B.: skip first arg, since that's the name of the executable and // N.B.: skip first arg, since that's the name of the executable and
// surely not an argument // surely not an argument
ingest_autodetect(&req.paths, req.exec_args[1..], method); ingest_autodetect(&req.resources.paths, req.exec_args[1..], method);
case void => void; case void => void;
}; };
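Review bot: The contract that was documented on the removed `paths` field — entries are absolute paths, they need not exist, and pseudo-paths like `/proc/self` are left to the sandbox implementation to interpret — is lost from `cli_request` now that the field lives inside `restrict::resources`, and nothing in this hunk shows that `restrict::resources` carries it. Since `ingest_paths` and `ingest_autodetect` still write into `req.resources.paths` with exactly those semantics, the note belongs wherever the field is declared; if `restrict::resources.paths` is undocumented, keep it here as `// resources.paths holds absolute paths which may not exist (e.g. /proc/self); how to interpret such paths is left to the sandbox impl.` above `resources: restrict::resources,`. The `let req = cli_request { ... }` initializer that the third hunk's `};` closes starts outside the hunk, so I cannot confirm `resources` is zero-initialized before the first `ingest_paths` appends to it — worth checking that the initializer was updated for the nested struct.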


@@ -45,14 +45,8 @@ export fn main() void = {
case let other: config::cli_request => yield other; case let other: config::cli_request => yield other;
}; };
let what = restrict::resources {
paths = req.paths,
net = req.keep_net,
pid = req.keep_pid,
};
rtext::no_new_privs()!; rtext::no_new_privs()!;
restrict::namespace_restrict(&what); restrict::namespace_restrict(&req.resources);
restrict::landlock_restrict(&what); restrict::landlock_restrict(&req.resources);
rtext::check_error("exec <user command>", do_exec(req.exec_bin, req.exec_args)); rtext::check_error("exec <user command>", do_exec(req.exec_bin, req.exec_args));
}; };
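Review bot: The ordering of `rtext::no_new_privs()!` ahead of `restrict::namespace_restrict` and `restrict::landlock_restrict` is security-relevant but undocumented; assuming `landlock_restrict` ends in `landlock_restrict_self(2)`, the kernel rejects that call without NO_NEW_PRIVS set unless the caller holds CAP_SYS_ADMIN, so a later reorder would break the sandbox. I would add `// must precede landlock_restrict: landlock_restrict_self(2) requires no_new_privs (absent CAP_SYS_ADMIN)` above the `no_new_privs` line. `main` begins outside the hunk, so the handling of `req` before this point is not visible here.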