colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

bunpen: expose a new /tmp to the sandbox

Browse Source
This commit is contained in:
Colin
2024-08-29 20:13:20 +00:00
parent 4f6b1b0a69
commit 9c69666646
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
pkgs/additional/bunpen/restrict/namespace.ha
View File

@@ -130,6 +130,11 @@ fn isolate_paths(paths: []path::buffer) void = {
"proc", "new/proc", "proc", rtext::MS_NOSUID | rtext::MS_NOEXEC | rtext::MS_NODEV, null "proc", "new/proc", "proc", rtext::MS_NOSUID | rtext::MS_NOEXEC | rtext::MS_NODEV, null
)); ));
// provide a new `/tmp` too.
rtext::swallow_error("[namespace] mkdir new/tmp", rt::mkdir("new/tmp", 0o777));
rtext::swallow_error("[namespace] mount -t tmpfs tmpfs new/tmp", rtext::mount("tmpfs", "new/tmp", "tmpfs", 0, null));
// bind all the user-requested paths from `old/$p` into `new/$p`. // bind all the user-requested paths from `old/$p` into `new/$p`.
// use the `dirfd` abstraction so that paths meant for `old` can't crawl out // use the `dirfd` abstraction so that paths meant for `old` can't crawl out
// of that virtual fs. // of that virtual fs.