modules/programs: sane-sandboxed: factor out the actual execution of the sandbox/program into the toplevel

this will make it easier to intercept
2024-02-24 11:57:42 +00:00
parent 88a70b41f1
commit 8e3eed7d51


@@ -407,7 +407,7 @@ firejailIngestProfile() {
fi fi
} }
firejailExec() { firejailGetCli() {
if [ -n "$firejailName" ]; then if [ -n "$firejailName" ]; then
firejailFlags+=("--join-or-start=$firejailName") firejailFlags+=("--join-or-start=$firejailName")
fi fi
@@ -415,9 +415,10 @@ firejailExec() {
firejailFlags+=("--profile=$firejailProfile") firejailFlags+=("--profile=$firejailProfile")
fi fi
locate _firejail "firejail" "@firejail@/bin/firejail" locate _firejail "firejail" "@firejail@/bin/firejail"
exec \ cliArgs=(
"$_firejail" "${firejailFlags[@]}" -- \ "$_firejail" "${firejailFlags[@]}" --
env "${extraEnv[@]}" "${cliArgs[@]}" env "${extraEnv[@]}" "${cliArgs[@]}"
)
} }
@@ -458,7 +459,7 @@ bwrapIngestCapability() {
bwrapFlags+=("--cap-add" "cap_$1") bwrapFlags+=("--cap-add" "cap_$1")
} }
bwrapExec() { bwrapGetCli() {
# --unshare-all implies the following: # --unshare-all implies the following:
# --unshare-pid: mean that the /proc mount does not expose /proc/$PID/ for every other process on the machine. # --unshare-pid: mean that the /proc mount does not expose /proc/$PID/ for every other process on the machine.
# --unshare-net creates a new net namespace with only the loopback interface. # --unshare-net creates a new net namespace with only the loopback interface.
@@ -468,9 +469,10 @@ bwrapExec() {
# --unshare-uts # --unshare-uts
# --unshare-user (implicit to every non-suid call to bwrap) # --unshare-user (implicit to every non-suid call to bwrap)
locate _bwrap "bwrap" "@bubblewrap@/bin/bwrap" locate _bwrap "bwrap" "@bubblewrap@/bin/bwrap"
exec \ cliArgs=(
"$_bwrap" --unshare-cgroup --unshare-ipc --unshare-user --unshare-uts "${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}" --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \ "$_bwrap" --unshare-cgroup --unshare-ipc --unshare-user --unshare-uts "${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}" --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" --
env "${extraEnv[@]}" "${cliArgs[@]}" env "${extraEnv[@]}" "${cliArgs[@]}"
)
} }
@@ -528,16 +530,17 @@ landlockIngestProfile() {
landlockIngestCapability() { landlockIngestCapability() {
capshonlyIngestCapability "$1" capshonlyIngestCapability "$1"
} }
landlockExec() { landlockGetCli() {
# landlock sandboxer has no native support for capabilities (except that it sets nonewprivs), # landlock sandboxer has no native support for capabilities (except that it sets nonewprivs),
# so trampoline through `capsh` as well, to drop privs. # so trampoline through `capsh` as well, to drop privs.
# N.B: capsh passes its arg to bash (via /nix/store/.../bash), which means you have to `-c "my command"` to # N.B: capsh passes its arg to bash (via /nix/store/.../bash), which means you have to `-c "my command"` to
# invoke the actual user command. # invoke the actual user command.
locate _sandboxer "sandboxer" "@landlockSandboxer@/bin/sandboxer" locate _sandboxer "sandboxer" "@landlockSandboxer@/bin/sandboxer"
locate _capsh "capsh" "@libcap@/bin/capsh" locate _capsh "capsh" "@libcap@/bin/capsh"
LL_FS_RO= LL_FS_RW="$landlockPaths" exec \ cliArgs=(env LL_FS_RO= LL_FS_RW="$landlockPaths"
"$_sandboxer" \ "$_sandboxer"
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}" "$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
)
} }
@@ -583,10 +586,11 @@ capshonlyIngestCapability() {
fi fi
} }
capshonlyExec() { capshonlyGetCli() {
locate _capsh "capsh" "@libcap@/bin/capsh" locate _capsh "capsh" "@libcap@/bin/capsh"
exec \ cliArgs=(
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}" "$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
)
} }
@@ -610,8 +614,8 @@ noneIngestProfile() {
noneIngestCapability() { noneIngestCapability() {
: :
} }
noneExec() { noneGetCli() {
exec "${cliArgs[@]}" :
} }
@@ -736,15 +740,17 @@ export SANE_SANDBOX_DISABLE="$SANE_SANDBOX_DISABLE"
export SANE_SANDBOX_PREPEND="$SANE_SANDBOX_PREPEND" export SANE_SANDBOX_PREPEND="$SANE_SANDBOX_PREPEND"
export SANE_SANDBOX_APPEND="$SANE_SANDBOX_APPEND" export SANE_SANDBOX_APPEND="$SANE_SANDBOX_APPEND"
test -n "$isDisable" && exec "${cliArgs[@]}" if [ -z "$isDisable" ]; then
# method-specific setup could add additional paths that need binding, so do that before canonicalization
"$method"Setup
maybeAutodetectPaths
canonicalizePaths
# method-specific setup could add additional paths that need binding, so do that before canonicalization ingestForBackend
"$method"Setup "$method"GetCli
maybeAutodetectPaths fi
canonicalizePaths
ingestForBackend exec "${cliArgs[@]}"
"$method"Exec
echo "sandbox glue failed for method='$method'" echo "sandbox glue failed for method='$method'"
exit 1 exit 1
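Review bot: The new `"$method"GetCli` contract is undocumented at the call site, and it is easy to misuse: every GetCli (firejail, bwrap, landlock, capshonly in the hunks above) reassigns the global `cliArgs` by wrapping its previous value, so the function is not idempotent and calling it a second time would nest the sandbox command line inside itself, while `noneGetCli` leaves `cliArgs` untouched. I would add above the `if [ -z "$isDisable" ]` block: `# each ${method}GetCli rewrites the global cliArgs in place, wrapping the user command with its sandbox entry point;` / `# it must run exactly once, after ingestForBackend, and the single exec below runs the result (or the raw command when isDisable is set)`. The trailing `echo "sandbox glue failed ..."`/`exit 1` is now reached only when that one `exec` itself fails, which is worth a short comment too since it previously doubled as the fall-through for every method. The hunk header counts suggest a few (probably blank) lines were dropped by the rendering, so the exact placement should be checked against the file.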