modules/programs: sane-sandboxed: add --sane-sandbox-keep-pidspace flag
parent
9d706df5b5
commit
8d20dcadd1
|
@ -11,13 +11,18 @@ profilesNamed=()
|
|||
paths=()
|
||||
capabilities=()
|
||||
net=
|
||||
keepPidspace=
|
||||
dns=()
|
||||
method=
|
||||
extraEnv=()
|
||||
|
||||
# backend-specific state:
|
||||
firejailFlags=()
|
||||
bwrapUnshareNet=(--unshare-net)
|
||||
bwrapUnsharePid=(--unshare-pid)
|
||||
bwrapFlags=()
|
||||
landlockPaths=
|
||||
capshCapsArg=
|
||||
extraEnv=()
|
||||
|
||||
enableDebug() {
|
||||
isDebug=1
|
||||
|
@ -219,6 +224,9 @@ parseArgs() {
|
|||
net="$1"
|
||||
shift
|
||||
;;
|
||||
(--sane-sandbox-keep-pidspace)
|
||||
keepPidspace=1
|
||||
;;
|
||||
(--sane-sandbox-path)
|
||||
_path="$1"
|
||||
shift
|
||||
|
@ -268,6 +276,9 @@ firejailIngestNet() {
|
|||
firejailIngestDns() {
|
||||
firejailFlags+=("--dns=$1")
|
||||
}
|
||||
firejailIngestKeepPidspace() {
|
||||
debug "firejailIngestKeepPidspace: noop"
|
||||
}
|
||||
firejailIngestProfile() {
|
||||
if [ -z "$firejailName" ]; then
|
||||
firejailName="$1"
|
||||
|
@ -316,8 +327,10 @@ bwrapIngestPath() {
|
|||
}
|
||||
bwrapIngestNet() {
|
||||
debug "bwrapIngestNet: enabling full net access for '$1' because don't know how to restrict it more narrowly"
|
||||
# N.B.: `--share-net` will override any earlier call to `--unshare-net`
|
||||
bwrapFlags+=("--share-net")
|
||||
bwrapUnshareNet=()
|
||||
}
|
||||
bwrapIngestKeepPidspace() {
|
||||
bwrapUnsharePid=()
|
||||
}
|
||||
bwrapIngestProfile() {
|
||||
debug "bwrapIngestProfile: stubbed"
|
||||
|
@ -337,7 +350,7 @@ bwrapExec() {
|
|||
# --unshare-uts
|
||||
# --unshare-user (implicit to every non-suid call to bwrap)
|
||||
PATH="$PATH:@bubblewrap@/bin" exec \
|
||||
bwrap --unshare-all --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
|
||||
bwrap --unshare-cgroup --unshare-ipc --unshare-user --unshare-uts "${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}" --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
|
||||
env "${extraEnv[@]}" "${cliArgs[@]}"
|
||||
}
|
||||
|
||||
|
@ -384,6 +397,9 @@ landlockIngestPath() {
|
|||
landlockIngestNet() {
|
||||
debug "landlockIngestNet: '$1': stubbed (landlock network is always unrestricted)"
|
||||
}
|
||||
landlockIngestKeepPidspace() {
|
||||
debug "landlockIngestKeepPidspace: noop"
|
||||
}
|
||||
landlockIngestProfile() {
|
||||
debug "landlockIngestProfile: stubbed"
|
||||
}
|
||||
|
@ -414,6 +430,9 @@ capshonlyIngestPath() {
|
|||
capshonlyIngestNet() {
|
||||
debug "capshonlyIngestNet: '$1': stubbed (capsh network is always unrestricted)"
|
||||
}
|
||||
capshonlyIngestKeepPidspace() {
|
||||
debug "capshonlyIngestKeepPidspace: noop"
|
||||
}
|
||||
capshonlyIngestProfile() {
|
||||
debug "capshonlyIngestProfile: stubbed"
|
||||
}
|
||||
|
@ -447,6 +466,9 @@ noneIngestPath() {
|
|||
noneIngestNet() {
|
||||
:
|
||||
}
|
||||
noneIngestKeepPidspace() {
|
||||
:
|
||||
}
|
||||
noneIngestProfile() {
|
||||
:
|
||||
}
|
||||
|
@ -555,6 +577,10 @@ ingestForBackend() {
|
|||
"$method"IngestDns "$_addr"
|
||||
done
|
||||
|
||||
if [ -n "$keepPidspace" ]; then
|
||||
"$method"IngestKeepPidspace
|
||||
fi
|
||||
|
||||
for _prof in "${profilesNamed[@]}"; do
|
||||
"$method"IngestProfile "$_prof"
|
||||
done
|
||||
|
|
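Review bot: `bwrapIngestKeepPidspace` relaxes the sandbox silently: it clears `bwrapUnsharePid` without a `debug` line, whereas `bwrapIngestNet` just above it logs when it drops network isolation. With the PID namespace shared, the `--proc /proc` mount in `bwrapExec` will list host processes, and the sandboxed program can presumably signal those running as the same user, so the relaxation should be traceable. I would add `debug "bwrapIngestKeepPidspace: sharing the host pid namespace (host processes visible in /proc)"` as the function's first line. In `bwrapExec`, the explicit `--unshare-cgroup --unshare-ipc --unshare-user --unshare-uts` list replaces `--unshare-all`, so any namespace type bwrap later adds to `--unshare-all` will no longer be picked up; a comment such as `# explicit list instead of --unshare-all so net/pid can be kept; revisit when bwrap gains new namespace types` would record that. `bwrapExec` begins outside its hunk.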