diff --git a/modules/programs/make-sandbox-args.nix b/modules/programs/make-sandbox-args.nix
index 97d242ff..05186d33 100644
--- a/modules/programs/make-sandbox-args.nix
+++ b/modules/programs/make-sandbox-args.nix
@@ -20,7 +20,7 @@ let
 capabilityFlags = lib.flatten (builtins.map (c: [ "--sanebox-cap" c ]) capabilities);
 netItems = lib.optionals (netDev != null) [
- "--sanebox-net"
+ "--sanebox-net-dev"
 netDev
 ] ++ lib.optionals (dns != null) (
 lib.flatten (builtins.map
diff --git a/pkgs/additional/sanebox/sanebox b/pkgs/additional/sanebox/sanebox
index fbea681f..fed00c3e 100755
--- a/pkgs/additional/sanebox/sanebox
+++ b/pkgs/additional/sanebox/sanebox
@@ -80,7 +80,7 @@ capabilities=()
 # - "all": as if all the above were specified
 keepNamespace=()
 # name of some network device to make available to the sandbox, if any.
-net=
+netDev=
 # list of IP addresses to use for DNS servers inside the sandbox (firejail only)
 dns=()
 # list of `VAR=VALUE` environment variables to add to the sandboxed program's environment
@@ -118,10 +118,10 @@ usage() {
 echo ' set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files'
 echo ' --sanebox-no-portal'
 echo ' undo a previous `--sanebox-portal` arg'
- echo ' --sanebox-dns '
 echo ' --sanebox-firejail-arg '
 echo ' --sanebox-bwrap-arg '
- echo ' --sanebox-net '
+ echo ' --sanebox-net-dev '
+ echo ' --sanebox-dns '
 echo ' --sanebox-keep-namespace '
 echo ' do not unshare the provided linux namespace'
 echo ' --sanebox-path '
@@ -486,6 +486,7 @@ parseArgs() {
 shift
 ;;
 (--sanebox-cap)
+ # N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
 local cap=$1
 shift
 capabilities+=("$cap")
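Review bot: In the usage hunk at 118 the new `--sanebox-net-dev` entry and the re-placed `--sanebox-dns` entry are listed bare, while the neighbouring `--sanebox-keep-namespace` entry is followed by a description line, so `--help` gives no hint what value either flag takes or what it does. The hunk at 80 already phrases both in the variable comments, so the usage text could reuse them: `echo '    name of a network device to make available to the sandbox'` after the `--sanebox-net-dev` line and `echo '    IP address of a DNS server to use inside the sandbox (firejail only)'` after the `--sanebox-dns` line. The argument placeholders after the flag names also look absent in this hunk, though that may be an artifact of how the diff was captured rather than of the commit. usage() starts and ends outside this hunk.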
@@ -501,12 +502,6 @@ parseArgs() {
 # override a previous --sanebox-portal call
 portalEnv=()
 ;;
- (--sanebox-dns)
- # N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
- local dns=$1
- shift
- dns+=("$dns")
- ;;
 (--sanebox-firejail-arg)
 local fjFlag=$1
 shift
@@ -517,10 +512,15 @@ parseArgs() {
 shift
 bwrapFlags+=("$bwrapFlag")
 ;;
- (--sanebox-net)
- net=$1
+ (--sanebox-net-dev)
+ netDev=$1
 shift
 ;;
+ (--sanebox-dns)
+ local dns=$1
+ shift
+ dns+=("$dns")
+ ;;
 (--sanebox-keep-namespace)
 local namespace=$1
 shift
@@ -573,7 +573,7 @@ firejailIngestPath() {
 ;;
 esac
 }
-firejailIngestNet() {
+firejailIngestNetDev() {
 firejailFlags+=("--net=$1")
 }
 firejailIngestDns() {
@@ -649,8 +649,8 @@ bwrapIngestPath() {
 ;;
 esac
 }
-bwrapIngestNet() {
- debug "bwrapIngestNet: enabling full net access for '$1' because don't know how to restrict it more narrowly"
+bwrapIngestNetDev() {
+ debug "bwrapIngestNetDev: enabling full net access for '$1' because don't know how to restrict it more narrowly"
 bwrapUnshareNet=()
 }
 bwrapIngestKeepNamespace() {
@@ -736,8 +736,8 @@ landlockIngestPath() {
 fi
 fi
 }
-landlockIngestNet() {
- debug "landlockIngestNet: '$1': stubbed (landlock network is always unrestricted)"
+landlockIngestNetDev() {
+ debug "landlockIngestNetDev: '$1': stubbed (landlock network is always unrestricted)"
 }
 landlockIngestKeepNamespace() {
 debug "landlockIngestKeepNamespace: noop"
@@ -771,8 +771,8 @@ capshonlySetup() {
 capshonlyIngestPath() {
 debug "capshonlyIngestPath: stubbed"
 }
-capshonlyIngestNet() {
- debug "capshonlyIngestNet: '$1': stubbed (capsh network is always unrestricted)"
+capshonlyIngestNetDev() {
+ debug "capshonlyIngestNetDev: '$1': stubbed (capsh network is always unrestricted)"
 }
 capshonlyIngestKeepNamespace() {
 debug "capshonlyIngestKeepNamespace: noop"
@@ -814,7 +814,7 @@ noneSetup() {
 noneIngestPath() {
 :
 }
-noneIngestNet() {
+noneIngestNetDev() {
 :
 }
 noneIngestKeepNamespace() {
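Review bot: In the hunk at 517 the re-added `(--sanebox-dns)` case runs `local dns=$1` and then `dns+=("$dns")`, so the append goes to the function-scoped `dns` that shadows the global `dns=()` array from the hunk at 80; the global is never updated, and `--sanebox-dns` has no effect on the `for addr in "${dns[@]}"` loop in ingestForBackend. The move from the hunk at 501 carries this over unchanged, whereas the sibling cases avoid it by using temporaries whose names differ from the arrays they feed (`cap`/`capabilities`, `fjFlag`/`firejailFlags`, `bwrapFlag`/`bwrapFlags`). Use a distinct temporary here: `local dnsAddr=$1`, `shift`, `dns+=("$dnsAddr")`. parseArgs starts and ends outside this hunk.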
@@ -941,8 +941,8 @@ ingestForBackend() {
 "$method"IngestCapability "$cap"
 done
- if [ -n "$net" ]; then
- "$method"IngestNet "$net"
+ if [ -n "$netDev" ]; then
+ "$method"IngestNetDev"$netDev"
 fi
 for addr in "${dns[@]}"; do
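Review bot: The new line `"$method"IngestNetDev"$netDev"` in the hunk at 941 has no space between the function name and its argument, so bash expands it to a single word (for a constructed device name `eth0` that would be `firejailIngestNetDeveth0`) and looks that up as a command instead of calling the backend's IngestNetDev handler; the removed line had the space. The requested device is then never passed to the backend — for firejail, the `--net=$1` flag added in the hunk at 573 is silently skipped — and depending on whether the script runs under `set -e` the launch either aborts or proceeds with a network setup other than the one requested. Change it to `"$method"IngestNetDev "$netDev"`. Whether the missing space is in the commit or in how this diff was captured can't be confirmed from here, but the collapsed layout elsewhere only adds spaces, never drops them.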