colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

modules/programs: sane-sandboxed: bwrap: don't virtualize {/dev,/proc,/tmp} if explicitly asked to bind them instead

Browse Source 
this is necessary for some programs which want a near-maximial sandbox, like
launchers or shells, or more specifically, `sane-private-do`.
This commit is contained in:
Colin
2024-02-25 08:11:05 +00:00
parent 6ab5dd8a8f
commit f807d7c0a2
1 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
modules/programs/sane-sandboxed
View File

@@ -444,6 +444,9 @@ firejailGetCli() {
bwrapUnshareNet=(--unshare-net) bwrapUnshareNet=(--unshare-net)
bwrapUnsharePid=(--unshare-pid) bwrapUnsharePid=(--unshare-pid)
bwrapVirtualizeDev=(--dev /dev)
bwrapVirtualizeProc=(--proc /proc)
bwrapVirtualizeTmp=(--tmpfs /tmp)
bwrapSetup() { bwrapSetup() {
debug "bwrapSetup: noop" debug "bwrapSetup: noop"
@@ -462,6 +465,21 @@ bwrapIngestPath() {
# or maybe configure remote mounts to somehow never hang. # or maybe configure remote mounts to somehow never hang.
# test -r "$1" && bwrapFlags+=("--dev-bind-try" "$1" "$1") # test -r "$1" && bwrapFlags+=("--dev-bind-try" "$1" "$1")
bwrapFlags+=("--dev-bind-try" "$1" "$1") bwrapFlags+=("--dev-bind-try" "$1" "$1")
# default to virtualizing a few directories in a way that's safe (doesn't impact outside environment)
# and maximizes compatibility with apps. but if explicitly asked for the directory, then remove the virtual
# device and bind it as normal.
if [ "$1" = / ]; then
bwrapVirtualizeDev=()
bwrapVirtualizeProc=()
bwrapVirtualizeTmp=()
elif [ "$1" = /dev ]; then
bwrapVirtualizeDev=()
elif [ "$1" = /proc ]; then
bwrapVirtualizeProc=()
elif [ "$1" = /tmp ]; then
bwrapVirtualizeTmp=()
fi
} }
bwrapIngestNet() { bwrapIngestNet() {
debug "bwrapIngestNet: enabling full net access for '$1' because don't know how to restrict it more narrowly" debug "bwrapIngestNet: enabling full net access for '$1' because don't know how to restrict it more narrowly"
@@ -488,7 +506,10 @@ bwrapGetCli() {
# --unshare-user (implicit to every non-suid call to bwrap) # --unshare-user (implicit to every non-suid call to bwrap)
locate _bwrap "bwrap" "@bubblewrap@/bin/bwrap" locate _bwrap "bwrap" "@bubblewrap@/bin/bwrap"
cliArgs=( cliArgs=(
"$_bwrap" --unshare-cgroup --unshare-ipc --unshare-user --unshare-uts "${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}" --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- "$_bwrap" --unshare-cgroup --unshare-ipc --unshare-user --unshare-uts
"${bwrapUnshareNet[@]}" "${bwrapUnsharePid[@]}"
"${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
"${bwrapFlags[@]}" --
env "${extraEnv[@]}" "${cliArgs[@]}" env "${extraEnv[@]}" "${cliArgs[@]}"
) )
} }