bunpen: add regex functionality to BUNPEN_DISABLE

pkgs/additional/bunpen/config/cli.ha

@@ -10,7 +10,7 @@ export type cli_opts = struct {
   cmd: []str,
   // `--bunpen-debug`
   debug: uint,
-  disable: bool,
+  disable: str,
   drop_shell: bool,
   // `--bunpen-help`
   help: bool,
@@ -53,6 +53,15 @@ export fn usage() void = {
   fmt::println("      allow access to the host <path>, relative to HOME")!;
   fmt::println("  --bunpen-run-path <path>")!;
   fmt::println("      allow access to the host <path>, relative to XDG_RUNTIME_DIR")!;
+  fmt::println("the following environment variables are also considered and propagated to children:")!;
+  fmt::println("  BUNPEN_DISABLE=1 or BUNPEN_DISABLE=all")!;
+  fmt::println("      disables all sandboxing; exec the wrapped program directly")!;
+  fmt::println("  BUNPEN_DISABLE=progname")!;
+  fmt::println("      disables sandboxing for the specific 'progname'")!;
+  fmt::println("      any regular expression can be used here, e.g. 'sane-.*' would disable sanboxing for sane-which, sane-open, and so on")!;
+  fmt::println("      note that this doesn't enforce a complete match:")!;
+  fmt::println("      BUNPEN_DISABLE=host would disable sandboxing for 'host', 'hostname', and so on")!;
+  fmt::println("      consider BUNPEN_DISABLE='host$' to be more targeted")!;
   // fmt::println("  --bunpen-add-pwd")!;
   // fmt::println("      shorthand for `--bunpen-path $PWD`")!;
   // fmt::println("")!;
@@ -67,9 +76,6 @@ export fn usage() void = {
   // fmt::println("  --bunpen-dns <server>|host")!;
   // fmt::println("  --bunpen-keep-namespace <all|cgroup|ipc|net|pid|uts>")!;
   // fmt::println("      do not unshare the provided linux namespace")!;
-  // fmt::println("the following environment variables are also considered and propagated to children:")!;
-  // fmt::println("  BUNPEN_DISABLE=1")!;
-  // fmt::println("      equivalent to `--bunpen-disable`")!;
   // fmt::println("  BUNPEN_DEBUG=1")!;
   // fmt::println("      equivalent to `--bunpen-debug`, but activates earlier")!;
   // fmt::println("  BUNPEN_PREPEND=...")!;
@@ -81,12 +87,10 @@ export fn usage() void = {
 export fn parse_args(args: []str) (cli_opts | errors::invalid) = {
   let parsed = cli_opts { autodetect = void, ... };
 
-  let dis = match (os::getenv("BUNPEN_DISABLE")) {
+  parsed.disable = match (os::getenv("BUNPEN_DISABLE")) {
     case let d: str => yield d;
     case void => yield "";
   };
-  if (dis != "" && dis != "0")
-    parsed.disable = true;
 
   for (let idx: size = 0; idx < len(args); idx += 1) {
     let arg = args[idx];

pkgs/additional/bunpen/config/translate_opts.ha

@@ -7,6 +7,7 @@ use fs;
 use log;
 use os;
 use path;
+use regex;
 use restrict;
 use rt;
 use rt::ext;
@@ -63,8 +64,20 @@ export fn ingest_cli_opts(opts: cli_opts) (cli_request | exec_params | help) = {
   req.exec_params = cli_opts_get_exec_params(opts);
 
   //---- ingest `disable` ----//
-  if (opts.disable)
+  if (opts.disable != "") {
-    return req.exec_params;
+    if (opts.disable == "1" || opts.disable == "all" || opts.disable == "ALL" || opts.disable == "*")
+      return req.exec_params;
+    match (regex::compile(opts.disable)) {
+      case let re: regex::regex =>
+        defer regex::finish(&re);
+        if (regex::test(&re, req.exec_params.bin))
+          return req.exec_params;
+        if (len(req.exec_params.args) > 0 && regex::test(&re, req.exec_params.args[0]))
+          return req.exec_params;
+      case let e: regex::error =>
+        log::printfln("[config] failed to parse BUNPEN_DISABLE regex {}: {}", opts.disable, e);
+    };
+  };
 
   //---- ingest `caps` ----//
   req.resources.caps = restrict::cap_array_to_caps(opts.keep_caps);