modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts>
This commit is contained in:
@@ -382,7 +382,7 @@ in
|
|||||||
forkstat.sandbox.method = "landlock"; #< doesn't seem to support bwrap
|
forkstat.sandbox.method = "landlock"; #< doesn't seem to support bwrap
|
||||||
forkstat.sandbox.wrapperType = "wrappedDerivation";
|
forkstat.sandbox.wrapperType = "wrappedDerivation";
|
||||||
forkstat.sandbox.extraConfig = [
|
forkstat.sandbox.extraConfig = [
|
||||||
"--sane-sandbox-keep-pidspace"
|
"--sane-sandbox-keep-namespace" "pid"
|
||||||
];
|
];
|
||||||
forkstat.sandbox.extraPaths = [
|
forkstat.sandbox.extraPaths = [
|
||||||
"/proc"
|
"/proc"
|
||||||
|
|||||||
@@ -173,7 +173,7 @@ in
|
|||||||
];
|
];
|
||||||
sandbox.extraConfig = [
|
sandbox.extraConfig = [
|
||||||
# systemctl calls seem to require same pid namespace
|
# systemctl calls seem to require same pid namespace
|
||||||
"--sane-sandbox-keep-pidspace"
|
"--sane-sandbox-keep-namespace" "pid"
|
||||||
];
|
];
|
||||||
|
|
||||||
# glib/gio applications support many notification backends ("portal", "gtk", "freedesktop", ...).
|
# glib/gio applications support many notification backends ("portal", "gtk", "freedesktop", ...).
|
||||||
|
|||||||
@@ -60,8 +60,9 @@ autodetect=
|
|||||||
paths=()
|
paths=()
|
||||||
# linux capabilities to provide to the sandbox, like `sys_admin` (no `cap_` prefix here)
|
# linux capabilities to provide to the sandbox, like `sys_admin` (no `cap_` prefix here)
|
||||||
capabilities=()
|
capabilities=()
|
||||||
# set non-empty if this process may want to query /proc/$PID/... of _other_ processes.
|
# keepNamespace:
|
||||||
keepPidspace=
|
# - "pid": if this process may wany to query /proc/$PID/... of parent/sibling processes.
|
||||||
|
keepNamespace=()
|
||||||
# name of some network device to make available to the sandbox, if any.
|
# name of some network device to make available to the sandbox, if any.
|
||||||
net=
|
net=
|
||||||
# list of IP addresses to use for DNS servers inside the sandbox (firejail only)
|
# list of IP addresses to use for DNS servers inside the sandbox (firejail only)
|
||||||
@@ -354,8 +355,10 @@ parseArgs() {
|
|||||||
net="$1"
|
net="$1"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
(--sane-sandbox-keep-pidspace)
|
(--sane-sandbox-keep-namespace)
|
||||||
keepPidspace=1
|
_namespace="$1"
|
||||||
|
shift
|
||||||
|
keepNamespace+=("$_namespace")
|
||||||
;;
|
;;
|
||||||
(--sane-sandbox-path)
|
(--sane-sandbox-path)
|
||||||
_path="$1"
|
_path="$1"
|
||||||
@@ -406,8 +409,8 @@ firejailIngestNet() {
|
|||||||
firejailIngestDns() {
|
firejailIngestDns() {
|
||||||
firejailFlags+=("--dns=$1")
|
firejailFlags+=("--dns=$1")
|
||||||
}
|
}
|
||||||
firejailIngestKeepPidspace() {
|
firejailIngestKeepNamespace() {
|
||||||
debug "firejailIngestKeepPidspace: noop"
|
debug "firejailIngestKeepNamespace: noop"
|
||||||
}
|
}
|
||||||
firejailIngestProfile() {
|
firejailIngestProfile() {
|
||||||
if [ -z "$firejailName" ]; then
|
if [ -z "$firejailName" ]; then
|
||||||
@@ -442,8 +445,11 @@ firejailGetCli() {
|
|||||||
|
|
||||||
## BUBBLEWRAP BACKEND
|
## BUBBLEWRAP BACKEND
|
||||||
|
|
||||||
|
bwrapUnshareCgroup=(--unshare-cgroup)
|
||||||
|
bwrapUnshareIpc=(--unshare-ipc)
|
||||||
bwrapUnshareNet=(--unshare-net)
|
bwrapUnshareNet=(--unshare-net)
|
||||||
bwrapUnsharePid=(--unshare-pid)
|
bwrapUnsharePid=(--unshare-pid)
|
||||||
|
bwrapUnshareUts=(--unshare-uts)
|
||||||
bwrapVirtualizeDev=(--dev /dev)
|
bwrapVirtualizeDev=(--dev /dev)
|
||||||
bwrapVirtualizeProc=(--proc /proc)
|
bwrapVirtualizeProc=(--proc /proc)
|
||||||
bwrapVirtualizeTmp=(--tmpfs /tmp)
|
bwrapVirtualizeTmp=(--tmpfs /tmp)
|
||||||
@@ -485,8 +491,21 @@ bwrapIngestNet() {
|
|||||||
debug "bwrapIngestNet: enabling full net access for '$1' because don't know how to restrict it more narrowly"
|
debug "bwrapIngestNet: enabling full net access for '$1' because don't know how to restrict it more narrowly"
|
||||||
bwrapUnshareNet=()
|
bwrapUnshareNet=()
|
||||||
}
|
}
|
||||||
bwrapIngestKeepPidspace() {
|
bwrapIngestKeepNamespace() {
|
||||||
|
case "$1" in
|
||||||
|
(cgroup)
|
||||||
|
bwrapUnshareCgroup=()
|
||||||
|
;;
|
||||||
|
(ipc)
|
||||||
|
bwrapUnshareIpc=()
|
||||||
|
;;
|
||||||
|
(pid)
|
||||||
bwrapUnsharePid=()
|
bwrapUnsharePid=()
|
||||||
|
;;
|
||||||
|
(uts)
|
||||||
|
bwrapUnshareUts=()
|
||||||
|
;;
|
||||||
|
esac
|
||||||
}
|
}
|
||||||
bwrapIngestProfile() {
|
bwrapIngestProfile() {
|
||||||
debug "bwrapIngestProfile: stubbed"
|
debug "bwrapIngestProfile: stubbed"
|
||||||
@@ -506,8 +525,9 @@ bwrapGetCli() {
|
|||||||
# --unshare-user (implicit to every non-suid call to bwrap)
|
# --unshare-user (implicit to every non-suid call to bwrap)
|
||||||
locate _bwrap "bwrap" "@bubblewrap@/bin/bwrap"
|
locate _bwrap "bwrap" "@bubblewrap@/bin/bwrap"
|
||||||
cliArgs=(
|
cliArgs=(
|
||||||
"$_bwrap" --unshare-cgroup --unshare-ipc --unshare-user --unshare-uts
|
"$_bwrap" "${bwrapUnshareCgroup[@]}" "${bwrapUnshareIpc[@]}"
|
||||||
"${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}"
|
"${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}"
|
||||||
|
"${bwrapUnshareUser[@]}" "${bwrapUnshareUts[@]}"
|
||||||
"${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
|
"${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
|
||||||
"${bwrapFlags[@]}" --
|
"${bwrapFlags[@]}" --
|
||||||
env "${extraEnv[@]}" "${cliArgs[@]}"
|
env "${extraEnv[@]}" "${cliArgs[@]}"
|
||||||
@@ -560,8 +580,8 @@ landlockIngestPath() {
|
|||||||
landlockIngestNet() {
|
landlockIngestNet() {
|
||||||
debug "landlockIngestNet: '$1': stubbed (landlock network is always unrestricted)"
|
debug "landlockIngestNet: '$1': stubbed (landlock network is always unrestricted)"
|
||||||
}
|
}
|
||||||
landlockIngestKeepPidspace() {
|
landlockIngestKeepNamespace() {
|
||||||
debug "landlockIngestKeepPidspace: noop"
|
debug "landlockIngestKeepNamespace: noop"
|
||||||
}
|
}
|
||||||
landlockIngestProfile() {
|
landlockIngestProfile() {
|
||||||
debug "landlockIngestProfile: stubbed"
|
debug "landlockIngestProfile: stubbed"
|
||||||
@@ -598,8 +618,8 @@ capshonlyIngestPath() {
|
|||||||
capshonlyIngestNet() {
|
capshonlyIngestNet() {
|
||||||
debug "capshonlyIngestNet: '$1': stubbed (capsh network is always unrestricted)"
|
debug "capshonlyIngestNet: '$1': stubbed (capsh network is always unrestricted)"
|
||||||
}
|
}
|
||||||
capshonlyIngestKeepPidspace() {
|
capshonlyIngestKeepNamespace() {
|
||||||
debug "capshonlyIngestKeepPidspace: noop"
|
debug "capshonlyIngestKeepNamespace: noop"
|
||||||
}
|
}
|
||||||
capshonlyIngestProfile() {
|
capshonlyIngestProfile() {
|
||||||
debug "capshonlyIngestProfile: stubbed"
|
debug "capshonlyIngestProfile: stubbed"
|
||||||
@@ -644,7 +664,7 @@ noneIngestPath() {
|
|||||||
noneIngestNet() {
|
noneIngestNet() {
|
||||||
:
|
:
|
||||||
}
|
}
|
||||||
noneIngestKeepPidspace() {
|
noneIngestKeepNamespace() {
|
||||||
:
|
:
|
||||||
}
|
}
|
||||||
noneIngestProfile() {
|
noneIngestProfile() {
|
||||||
@@ -754,9 +774,9 @@ ingestForBackend() {
|
|||||||
"$method"IngestDns "$_addr"
|
"$method"IngestDns "$_addr"
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$keepPidspace" ]; then
|
for _ns in "${keepNamespace[@]}"; do
|
||||||
"$method"IngestKeepPidspace
|
"$method"IngestKeepNamespace "$_ns"
|
||||||
fi
|
done
|
||||||
|
|
||||||
for _prof in "${profilesNamed[@]}"; do
|
for _prof in "${profilesNamed[@]}"; do
|
||||||
"$method"IngestProfile "$_prof"
|
"$method"IngestProfile "$_prof"
|
||||||
|
|||||||
Reference in New Issue
Block a user