sane-sandboxed: add new --sane-sandbox-keep-namespace all
option
parent
bba149c670
commit
db89ac88f0
|
@ -61,7 +61,11 @@ paths=()
|
||||||
# linux capabilities to provide to the sandbox, like `sys_admin` (no `cap_` prefix here)
|
# linux capabilities to provide to the sandbox, like `sys_admin` (no `cap_` prefix here)
|
||||||
capabilities=()
|
capabilities=()
|
||||||
# keepNamespace:
|
# keepNamespace:
|
||||||
|
# - "cgroup"
|
||||||
|
# - "ipc"
|
||||||
# - "pid": if this process may wany to query /proc/$PID/... of parent/sibling processes.
|
# - "pid": if this process may wany to query /proc/$PID/... of parent/sibling processes.
|
||||||
|
# - "uts"
|
||||||
|
# - "all": as if all the above were specified
|
||||||
keepNamespace=()
|
keepNamespace=()
|
||||||
# name of some network device to make available to the sandbox, if any.
|
# name of some network device to make available to the sandbox, if any.
|
||||||
net=
|
net=
|
||||||
|
@ -358,7 +362,11 @@ parseArgs() {
|
||||||
(--sane-sandbox-keep-namespace)
|
(--sane-sandbox-keep-namespace)
|
||||||
_namespace="$1"
|
_namespace="$1"
|
||||||
shift
|
shift
|
||||||
keepNamespace+=("$_namespace")
|
if [ "$_namespace" = all ]; then
|
||||||
|
keepNamespace+=("cgroup" "ipc" "pid" "uts")
|
||||||
|
else
|
||||||
|
keepNamespace+=("$_namespace")
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
(--sane-sandbox-path)
|
(--sane-sandbox-path)
|
||||||
_path="$1"
|
_path="$1"
|
||||||
|
|
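Review bot: The `else` branch added in `parseArgs` still appends whatever string follows `--sane-sandbox-keep-namespace`, so now that `all` is a magic value, a near-miss such as `ALL` or `pids` is stored as a namespace name and nothing reports it. How `keepNamespace` is consumed lies outside the hunk, so it is unclear from here whether an unknown entry is ignored or passed on; because this option only ever reduces isolation, rejecting unknown values at parse time is the safer contract. The fence below folds the `all` expansion and the validation into one `case`, which keeps the accepted names next to the expansion list. Replace `exit 1` with the script's own error path if it has one, and widen the accepted set if callers already pass names not listed in the `keepNamespace` comment. The new comment entries for `cgroup`, `ipc` and `uts` would also benefit from a one-line reason like the one given for `pid`; `parseArgs` begins and ends outside the hunk.

```shell
(--sane-sandbox-keep-namespace)
  # … unchanged: _namespace="$1"; shift …
  case "$_namespace" in
    (all)
      # expands to every namespace documented at the keepNamespace declaration
      keepNamespace+=("cgroup" "ipc" "pid" "uts")
      ;;
    (cgroup|ipc|pid|uts)
      keepNamespace+=("$_namespace")
      ;;
    (*)
      echo "sane-sandboxed: unknown --sane-sandbox-keep-namespace value: $_namespace" >&2
      exit 1
      ;;
  esac
  ;;
```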