sanebox: rename --sanebox-net to --sanebox-net-dev
parent
fc52860dfc
commit
ffe599e5cb
|
@ -20,7 +20,7 @@ let
|
|||
capabilityFlags = lib.flatten (builtins.map (c: [ "--sanebox-cap" c ]) capabilities);
|
||||
|
||||
netItems = lib.optionals (netDev != null) [
|
||||
"--sanebox-net"
|
||||
"--sanebox-net-dev"
|
||||
netDev
|
||||
] ++ lib.optionals (dns != null) (
|
||||
lib.flatten (builtins.map
|
||||
|
|
|
@ -80,7 +80,7 @@ capabilities=()
|
|||
# - "all": as if all the above were specified
|
||||
keepNamespace=()
|
||||
# name of some network device to make available to the sandbox, if any.
|
||||
net=
|
||||
netDev=
|
||||
# list of IP addresses to use for DNS servers inside the sandbox (firejail only)
|
||||
dns=()
|
||||
# list of `VAR=VALUE` environment variables to add to the sandboxed program's environment
|
||||
|
@ -118,10 +118,10 @@ usage() {
|
|||
echo ' set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files'
|
||||
echo ' --sanebox-no-portal'
|
||||
echo ' undo a previous `--sanebox-portal` arg'
|
||||
echo ' --sanebox-dns <server>'
|
||||
echo ' --sanebox-firejail-arg <arg>'
|
||||
echo ' --sanebox-bwrap-arg <arg>'
|
||||
echo ' --sanebox-net <iface>'
|
||||
echo ' --sanebox-net-dev <iface>'
|
||||
echo ' --sanebox-dns <server>'
|
||||
echo ' --sanebox-keep-namespace <cgroup|ipc|pid|uts|all>'
|
||||
echo ' do not unshare the provided linux namespace'
|
||||
echo ' --sanebox-path <path>'
|
||||
|
@ -486,6 +486,7 @@ parseArgs() {
|
|||
shift
|
||||
;;
|
||||
(--sanebox-cap)
|
||||
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
|
||||
local cap=$1
|
||||
shift
|
||||
capabilities+=("$cap")
|
||||
|
@ -501,12 +502,6 @@ parseArgs() {
|
|||
# override a previous --sanebox-portal call
|
||||
portalEnv=()
|
||||
;;
|
||||
(--sanebox-dns)
|
||||
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
|
||||
local dns=$1
|
||||
shift
|
||||
dns+=("$dns")
|
||||
;;
|
||||
(--sanebox-firejail-arg)
|
||||
local fjFlag=$1
|
||||
shift
|
||||
|
@ -517,10 +512,15 @@ parseArgs() {
|
|||
shift
|
||||
bwrapFlags+=("$bwrapFlag")
|
||||
;;
|
||||
(--sanebox-net)
|
||||
net=$1
|
||||
(--sanebox-net-dev)
|
||||
netDev=$1
|
||||
shift
|
||||
;;
|
||||
(--sanebox-dns)
|
||||
local dns=$1
|
||||
shift
|
||||
dns+=("$dns")
|
||||
;;
|
||||
(--sanebox-keep-namespace)
|
||||
local namespace=$1
|
||||
shift
|
||||
|
@ -573,7 +573,7 @@ firejailIngestPath() {
|
|||
;;
|
||||
esac
|
||||
}
|
||||
firejailIngestNet() {
|
||||
firejailIngestNetDev() {
|
||||
firejailFlags+=("--net=$1")
|
||||
}
|
||||
firejailIngestDns() {
|
||||
|
@ -649,8 +649,8 @@ bwrapIngestPath() {
|
|||
;;
|
||||
esac
|
||||
}
|
||||
bwrapIngestNet() {
|
||||
debug "bwrapIngestNet: enabling full net access for '$1' because don't know how to restrict it more narrowly"
|
||||
bwrapIngestNetDev() {
|
||||
debug "bwrapIngestNetDev: enabling full net access for '$1' because don't know how to restrict it more narrowly"
|
||||
bwrapUnshareNet=()
|
||||
}
|
||||
bwrapIngestKeepNamespace() {
|
||||
|
@ -736,8 +736,8 @@ landlockIngestPath() {
|
|||
fi
|
||||
fi
|
||||
}
|
||||
landlockIngestNet() {
|
||||
debug "landlockIngestNet: '$1': stubbed (landlock network is always unrestricted)"
|
||||
landlockIngestNetDev() {
|
||||
debug "landlockIngestNetDev: '$1': stubbed (landlock network is always unrestricted)"
|
||||
}
|
||||
landlockIngestKeepNamespace() {
|
||||
debug "landlockIngestKeepNamespace: noop"
|
||||
|
@ -771,8 +771,8 @@ capshonlySetup() {
|
|||
capshonlyIngestPath() {
|
||||
debug "capshonlyIngestPath: stubbed"
|
||||
}
|
||||
capshonlyIngestNet() {
|
||||
debug "capshonlyIngestNet: '$1': stubbed (capsh network is always unrestricted)"
|
||||
capshonlyIngestNetDev() {
|
||||
debug "capshonlyIngestNetDev: '$1': stubbed (capsh network is always unrestricted)"
|
||||
}
|
||||
capshonlyIngestKeepNamespace() {
|
||||
debug "capshonlyIngestKeepNamespace: noop"
|
||||
|
@ -814,7 +814,7 @@ noneSetup() {
|
|||
noneIngestPath() {
|
||||
:
|
||||
}
|
||||
noneIngestNet() {
|
||||
noneIngestNetDev() {
|
||||
:
|
||||
}
|
||||
noneIngestKeepNamespace() {
|
||||
|
@ -941,8 +941,8 @@ ingestForBackend() {
|
|||
"$method"IngestCapability "$cap"
|
||||
done
|
||||
|
||||
if [ -n "$net" ]; then
|
||||
"$method"IngestNet "$net"
|
||||
if [ -n "$netDev" ]; then
|
||||
"$method"IngestNetDev"$netDev"
|
||||
fi
|
||||
|
||||
for addr in "${dns[@]}"; do
|
||||
|
|
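Review bot: In the last hunk (ingestForBackend) the renamed call is rendered as `"$method"IngestNetDev"$netDev"`, with no space before the argument, so bash would join the device name onto the command word and look for a function that does not exist; none of the `*IngestNetDev` handlers would run and the requested device would never reach the backend. If the file really reads that way, the line should be `"$method"IngestNetDev "$netDev"`. Separately, the relocated `--sanebox-dns` case in parseArgs still does `local dns=$1`, which shadows the global `dns` array, so `dns+=("$dns")` appears to append to a function-local variable; the `for addr in "${dns[@]}"` loop would then see nothing unless it runs while parseArgs is still on the stack. A distinct temporary avoids the collision: `local dnsServer=$1` followed by `dns+=("$dnsServer")`. Both function bodies start and end outside the hunks shown, so how the script reacts to the failed call (for example under `set -e`) cannot be confirmed from this page.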