#!@runtimeShell@
# Turn on command tracing when debugging was requested through the environment.
# Tracing writes every expanded command to stderr, including the arguments of
# the wrapped program.
if [ -n "$SANE_SANDBOX_DEBUG" ]; then
  set -x
fi

# State populated by parseArgs and consumed when the firejail command line is
# assembled at the bottom of the script.
declare -a cliArgs=()       # program to run, followed by its arguments
name=''                     # sandbox name; set by the first profile requested by name
firejailProfile=''          # path of the firejail profile to apply, if any
declare -a rootPaths=()     # paths collected from --sane-sandbox-path
declare -a homePaths=()     # paths collected from --sane-sandbox-home-path
net=''                      # value collected from --sane-sandbox-net
declare -a dns=()           # values collected from --sane-sandbox-dns
declare -a firejailFlags=() # flags handed to firejail
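#######################################
# Print a diagnostic line to stderr when SANE_SANDBOX_DEBUG is non-empty.
# Globals:   SANE_SANDBOX_DEBUG (read)
# Arguments: $1 - message to print
# Outputs:   "[debug] <message>" followed by a newline, on stderr
# Returns:   0 whether or not debugging is enabled
#######################################
debug() {
  # An `if` (rather than `test && printf`) keeps the status at 0 when
  # debugging is off, so callers never see a spurious failure.
  if [ -n "$SANE_SANDBOX_DEBUG" ]; then
    # Terminate each message with a newline so consecutive messages do not
    # run together on one line.
    printf '[debug] %s\n' "$1" >&2
  fi
}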
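#######################################
# Read a profile file and feed its whitespace-separated words to parseArgs,
# as if they had been given on the command line.
# Arguments: $1 - path of the profile file
# Returns:   status of parseArgs
#
# A profile goes through the same parser as the command line, so it can set
# any --sane-sandbox-* option, including --sane-sandbox-disable and
# --sane-sandbox-firejail-arg. The profile directories should therefore be
# writable only by whoever is trusted to define sandbox policy.
#######################################
loadProfileByPath() {
  local -a _profArgs=()
  # Split on whitespace WITHOUT pathname expansion: a word such as `*` in a
  # profile must reach parseArgs literally instead of being replaced by the
  # file names in the current directory. The path is quoted so that profile
  # paths containing spaces are read correctly.
  # `read -d ''` reports non-zero at end of file even though the array has
  # been filled, hence the deliberate `|| true`.
  IFS=$' \t\n' read -r -d '' -a _profArgs < "$1" || true
  parseArgs "${_profArgs[@]}"
}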
#######################################
# Look up "<name>.profile" in the sane-sandbox profile directories and, if no
# firejail profile has been chosen yet, in the firejail profile directories.
# Globals:   name (written when empty), firejailProfile (read, written)
# Arguments: $1 - profile name; used verbatim as a path component
# Returns:   0
#######################################
tryLoadProfileByName() {
  # The first profile requested by name also becomes the sandbox name.
  : "${name:=$1}"

  # sane-sandbox profiles: stop at the first directory that has a match.
  _profileDirs=(@profileDirs@)
  for _profileDir in "${_profileDirs[@]}"; do
    _profile="$_profileDir/$1.profile"
    debug "try profile at path: '$_profile'"
    [[ -f "$_profile" ]] || continue
    loadProfileByPath "$_profile"
    break
  done

  # A firejail profile that is already set (for example by the profile just
  # loaded) is kept as it is.
  if [[ -n "$firejailProfile" ]]; then
    return 0
  fi

  # firejail profiles: every directory is visited, so when several contain a
  # match the LAST one wins, unlike the loop above.
  # NOTE(review): confirm that this difference in precedence is intended.
  _fjProfileDirs=(@firejailProfileDirs@)
  for _fjProfileDir in "${_fjProfileDirs[@]}"; do
    _fjProfile="$_fjProfileDir/$1.profile"
    debug "try firejail profile at path: '$_fjProfile'"
    if [[ -f "$_fjProfile" ]]; then
      firejailProfile="$_fjProfile"
    fi
  done
  return 0
}
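#######################################
# Parse arguments into the variables declared at the top of the script.
# Arguments not intended for this helper are collected in parseArgsExtra.
# Globals:   parseArgsExtra (reset, then written), dns, firejailFlags,
#            homePaths, rootPaths, net (written),
#            SANE_SANDBOX_DEBUG, SANE_SANDBOX_DISABLE (written)
# Arguments: the words to parse
#
# NOTE(review): parseArgsExtra is reset on every call, including the nested
# call made while a profile is being loaded, so extra arguments collected
# before a --sane-sandbox-profile option are discarded. Confirm that this is
# intended.
# NOTE(review): options that take a value consume the next word without
# checking that one is present.
#######################################
parseArgs() {
  local _arg
  parseArgsExtra=()
  while [ "$#" -ne 0 ]; do
    _arg="$1"
    shift
    case "$_arg" in
      --)
        # The rest of the words belong to the wrapped program. Append them as
        # separate array elements: a bare `+=$@` would glue them onto element
        # 0 as one space-joined string and lose the argument boundaries.
        parseArgsExtra+=("$@")
        break
        ;;
      --sane-sandbox-debug)
        SANE_SANDBOX_DEBUG=1
        set -x
        ;;
      --sane-sandbox-disable)
        # Makes the script exec the program directly, without firejail.
        SANE_SANDBOX_DISABLE=1
        ;;
      --sane-sandbox-dns)
        dns+=("$1")
        shift
        ;;
      --sane-sandbox-firejail-arg)
        # Handed to firejail verbatim.
        firejailFlags+=("$1")
        shift
        ;;
      --sane-sandbox-net)
        net="$1"
        shift
        ;;
      --sane-sandbox-home-path)
        homePaths+=("$1")
        shift
        ;;
      --sane-sandbox-path)
        rootPaths+=("$1")
        shift
        ;;
      --sane-sandbox-profile)
        tryLoadProfileByName "$1"
        shift
        ;;
      *)
        parseArgsExtra+=("$_arg")
        ;;
    esac
  done
}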
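parseArgs "$@"
# Append the leftover words as separate array elements. Without the
# parentheses they are joined into one string on element 0, and the program
# would be invoked as a single word such as "cmd arg1 arg2".
cliArgs+=("${parseArgsExtra[@]}")

# Escape hatch: run the program with no sandbox at all. The variable is never
# initialised by this script, so a value inherited from the caller's
# environment has the same effect as --sane-sandbox-disable (on the command
# line or in a profile). The sandbox is therefore not a boundary against
# whoever controls this script's environment or arguments.
if [ -n "$SANE_SANDBOX_DISABLE" ]; then
  exec "${cliArgs[@]}"
fi

## construct firejail flags from sane-sandbox flags

for _path in "${rootPaths[@]}"; do
  firejailFlags+=("--noblacklist=$_path" "--whitelist=$_path")
done

for _path in "${homePaths[@]}"; do
  # ${HOME} is single-quoted on purpose: the literal text is passed on to
  # firejail instead of being expanded by this shell.
  firejailFlags+=('--noblacklist=${HOME}/'"$_path" '--whitelist=${HOME}/'"$_path")
done

if [ -n "$net" ]; then
  firejailFlags+=("--net=$net")
fi

for _addr in "${dns[@]}"; do
  firejailFlags+=("--dns=$_addr")
done

if [ -n "$name" ]; then
  firejailFlags+=("--join-or-start=$name")
fi

# order matters: customizations (i.e. the above) must be before --profile
if [ -n "$firejailProfile" ]; then
  firejailFlags+=("--profile=$firejailProfile")
fi

# The packaged firejail directory is APPENDED to PATH, so a `firejail` found
# earlier on the caller's PATH is the one that runs.
# NOTE(review): presumably deliberate (e.g. to prefer a system-provided
# wrapper); it also means the binary chosen depends on the inherited PATH.
# `--` ends firejail's own options, so the program's arguments are not parsed
# as firejail flags.
PATH="$PATH:@firejail@" exec firejail "${firejailFlags[@]}" -- "${cliArgs[@]}"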