sanebox: rename --sanebox-net to --sanebox-net-dev

2024-05-25 08:13:35 +00:00
parent fc52860dfc
commit ffe599e5cb
2 changed files with 22 additions and 22 deletions


@@ -20,7 +20,7 @@ let
capabilityFlags = lib.flatten (builtins.map (c: [ "--sanebox-cap" c ]) capabilities); capabilityFlags = lib.flatten (builtins.map (c: [ "--sanebox-cap" c ]) capabilities);
netItems = lib.optionals (netDev != null) [ netItems = lib.optionals (netDev != null) [
"--sanebox-net" "--sanebox-net-dev"
netDev netDev
] ++ lib.optionals (dns != null) ( ] ++ lib.optionals (dns != null) (
lib.flatten (builtins.map lib.flatten (builtins.map


@@ -80,7 +80,7 @@ capabilities=()
# - "all": as if all the above were specified # - "all": as if all the above were specified
keepNamespace=() keepNamespace=()
# name of some network device to make available to the sandbox, if any. # name of some network device to make available to the sandbox, if any.
net= netDev=
# list of IP addresses to use for DNS servers inside the sandbox (firejail only) # list of IP addresses to use for DNS servers inside the sandbox (firejail only)
dns=() dns=()
# list of `VAR=VALUE` environment variables to add to the sandboxed program's environment # list of `VAR=VALUE` environment variables to add to the sandboxed program's environment
@@ -118,10 +118,10 @@ usage() {
echo ' set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files' echo ' set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files'
echo ' --sanebox-no-portal' echo ' --sanebox-no-portal'
echo ' undo a previous `--sanebox-portal` arg' echo ' undo a previous `--sanebox-portal` arg'
echo ' --sanebox-dns <server>'
echo ' --sanebox-firejail-arg <arg>' echo ' --sanebox-firejail-arg <arg>'
echo ' --sanebox-bwrap-arg <arg>' echo ' --sanebox-bwrap-arg <arg>'
echo ' --sanebox-net <iface>' echo ' --sanebox-net-dev <iface>'
echo ' --sanebox-dns <server>'
echo ' --sanebox-keep-namespace <cgroup|ipc|pid|uts|all>' echo ' --sanebox-keep-namespace <cgroup|ipc|pid|uts|all>'
echo ' do not unshare the provided linux namespace' echo ' do not unshare the provided linux namespace'
echo ' --sanebox-path <path>' echo ' --sanebox-path <path>'
@@ -486,6 +486,7 @@ parseArgs() {
shift shift
;; ;;
(--sanebox-cap) (--sanebox-cap)
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
local cap=$1 local cap=$1
shift shift
capabilities+=("$cap") capabilities+=("$cap")
@@ -501,12 +502,6 @@ parseArgs() {
# override a previous --sanebox-portal call # override a previous --sanebox-portal call
portalEnv=() portalEnv=()
;; ;;
(--sanebox-dns)
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
local dns=$1
shift
dns+=("$dns")
;;
(--sanebox-firejail-arg) (--sanebox-firejail-arg)
local fjFlag=$1 local fjFlag=$1
shift shift
@@ -517,10 +512,15 @@ parseArgs() {
shift shift
bwrapFlags+=("$bwrapFlag") bwrapFlags+=("$bwrapFlag")
;; ;;
(--sanebox-net) (--sanebox-net-dev)
net=$1 netDev=$1
shift shift
;; ;;
(--sanebox-dns)
local dns=$1
shift
dns+=("$dns")
;;
(--sanebox-keep-namespace) (--sanebox-keep-namespace)
local namespace=$1 local namespace=$1
shift shift
@@ -573,7 +573,7 @@ firejailIngestPath() {
;; ;;
esac esac
} }
firejailIngestNet() { firejailIngestNetDev() {
firejailFlags+=("--net=$1") firejailFlags+=("--net=$1")
} }
firejailIngestDns() { firejailIngestDns() {
@@ -649,8 +649,8 @@ bwrapIngestPath() {
;; ;;
esac esac
} }
bwrapIngestNet() { bwrapIngestNetDev() {
debug "bwrapIngestNet: enabling full net access for '$1' because don't know how to restrict it more narrowly" debug "bwrapIngestNetDev: enabling full net access for '$1' because don't know how to restrict it more narrowly"
bwrapUnshareNet=() bwrapUnshareNet=()
} }
bwrapIngestKeepNamespace() { bwrapIngestKeepNamespace() {
@@ -736,8 +736,8 @@ landlockIngestPath() {
fi fi
fi fi
} }
landlockIngestNet() { landlockIngestNetDev() {
debug "landlockIngestNet: '$1': stubbed (landlock network is always unrestricted)" debug "landlockIngestNetDev: '$1': stubbed (landlock network is always unrestricted)"
} }
landlockIngestKeepNamespace() { landlockIngestKeepNamespace() {
debug "landlockIngestKeepNamespace: noop" debug "landlockIngestKeepNamespace: noop"
@@ -771,8 +771,8 @@ capshonlySetup() {
capshonlyIngestPath() { capshonlyIngestPath() {
debug "capshonlyIngestPath: stubbed" debug "capshonlyIngestPath: stubbed"
} }
capshonlyIngestNet() { capshonlyIngestNetDev() {
debug "capshonlyIngestNet: '$1': stubbed (capsh network is always unrestricted)" debug "capshonlyIngestNetDev: '$1': stubbed (capsh network is always unrestricted)"
} }
capshonlyIngestKeepNamespace() { capshonlyIngestKeepNamespace() {
debug "capshonlyIngestKeepNamespace: noop" debug "capshonlyIngestKeepNamespace: noop"
@@ -814,7 +814,7 @@ noneSetup() {
noneIngestPath() { noneIngestPath() {
: :
} }
noneIngestNet() { noneIngestNetDev() {
: :
} }
noneIngestKeepNamespace() { noneIngestKeepNamespace() {
@@ -941,8 +941,8 @@ ingestForBackend() {
"$method"IngestCapability "$cap" "$method"IngestCapability "$cap"
done done
if [ -n "$net" ]; then if [ -n "$netDev" ]; then
"$method"IngestNet "$net" "$method"IngestNetDev"$netDev"
fi fi
for addr in "${dns[@]}"; do for addr in "${dns[@]}"; do