sanebox: rename --sanebox-net to --sanebox-net-dev

Colin 2024-05-25 08:13:35 +00:00
parent fc52860dfc
commit ffe599e5cb
2 changed files with 22 additions and 22 deletions


@ -20,7 +20,7 @@ let
capabilityFlags = lib.flatten (builtins.map (c: [ "--sanebox-cap" c ]) capabilities);
netItems = lib.optionals (netDev != null) [
"--sanebox-net"
"--sanebox-net-dev"
netDev
] ++ lib.optionals (dns != null) (
lib.flatten (builtins.map


@ -80,7 +80,7 @@ capabilities=()
# - "all": as if all the above were specified
keepNamespace=()
# name of some network device to make available to the sandbox, if any.
net=
netDev=
# list of IP addresses to use for DNS servers inside the sandbox (firejail only)
dns=()
# list of `VAR=VALUE` environment variables to add to the sandboxed program's environment
@ -118,10 +118,10 @@ usage() {
echo ' set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files'
echo ' --sanebox-no-portal'
echo ' undo a previous `--sanebox-portal` arg'
echo ' --sanebox-dns <server>'
echo ' --sanebox-firejail-arg <arg>'
echo ' --sanebox-bwrap-arg <arg>'
echo ' --sanebox-net <iface>'
echo ' --sanebox-net-dev <iface>'
echo ' --sanebox-dns <server>'
echo ' --sanebox-keep-namespace <cgroup|ipc|pid|uts|all>'
echo ' do not unshare the provided linux namespace'
echo ' --sanebox-path <path>'
@ -486,6 +486,7 @@ parseArgs() {
shift
;;
(--sanebox-cap)
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
local cap=$1
shift
capabilities+=("$cap")
@ -501,12 +502,6 @@ parseArgs() {
# override a previous --sanebox-portal call
portalEnv=()
;;
(--sanebox-dns)
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
local dns=$1
shift
dns+=("$dns")
;;
(--sanebox-firejail-arg)
local fjFlag=$1
shift
@ -517,10 +512,15 @@ parseArgs() {
shift
bwrapFlags+=("$bwrapFlag")
;;
(--sanebox-net)
net=$1
(--sanebox-net-dev)
netDev=$1
shift
;;
(--sanebox-dns)
local dns=$1
shift
dns+=("$dns")
;;
(--sanebox-keep-namespace)
local namespace=$1
shift
@ -573,7 +573,7 @@ firejailIngestPath() {
;;
esac
}
firejailIngestNet() {
firejailIngestNetDev() {
firejailFlags+=("--net=$1")
}
firejailIngestDns() {
@ -649,8 +649,8 @@ bwrapIngestPath() {
;;
esac
}
bwrapIngestNet() {
debug "bwrapIngestNet: enabling full net access for '$1' because don't know how to restrict it more narrowly"
bwrapIngestNetDev() {
debug "bwrapIngestNetDev: enabling full net access for '$1' because don't know how to restrict it more narrowly"
bwrapUnshareNet=()
}
bwrapIngestKeepNamespace() {
@ -736,8 +736,8 @@ landlockIngestPath() {
fi
fi
}
landlockIngestNet() {
debug "landlockIngestNet: '$1': stubbed (landlock network is always unrestricted)"
landlockIngestNetDev() {
debug "landlockIngestNetDev: '$1': stubbed (landlock network is always unrestricted)"
}
landlockIngestKeepNamespace() {
debug "landlockIngestKeepNamespace: noop"
@ -771,8 +771,8 @@ capshonlySetup() {
capshonlyIngestPath() {
debug "capshonlyIngestPath: stubbed"
}
capshonlyIngestNet() {
debug "capshonlyIngestNet: '$1': stubbed (capsh network is always unrestricted)"
capshonlyIngestNetDev() {
debug "capshonlyIngestNetDev: '$1': stubbed (capsh network is always unrestricted)"
}
capshonlyIngestKeepNamespace() {
debug "capshonlyIngestKeepNamespace: noop"
@ -814,7 +814,7 @@ noneSetup() {
noneIngestPath() {
:
}
noneIngestNet() {
noneIngestNetDev() {
:
}
noneIngestKeepNamespace() {
@ -941,8 +941,8 @@ ingestForBackend() {
"$method"IngestCapability "$cap"
done
if [ -n "$net" ]; then
"$method"IngestNet "$net"
if [ -n "$netDev" ]; then
"$method"IngestNetDev"$netDev"
fi
for addr in "${dns[@]}"; do
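Review bot: In the relocated `(--sanebox-dns)` case of parseArgs, `local dns=$1` shadows the script-level `dns=()` array, so `dns+=("$dns")` appends to the function-local variable and the global list that ingestForBackend iterates with `for addr in "${dns[@]}"` appears to stay empty. The requested DNS servers would then never reach the backend, and the sandbox would silently keep whatever resolver it gets by default; a distinct temporary avoids this, `local dnsServer=$1` followed by `dns+=("$dnsServer")`. Separately, the new call in the last hunk is rendered as `"$method"IngestNetDev"$netDev"` with no space, which fuses the device name into the command word, so no `*IngestNetDev` handler would run and the network-device setting would not be applied. If that is not a rendering artefact, it should read `"$method"IngestNetDev "$netDev"`. Both parseArgs and ingestForBackend extend beyond the visible hunks, so the scoping claim should be confirmed against the full function bodies.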