import strutils
import sequtils
import options
import config
import utils
import bwrap
import args
import json
import dbus
import os
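func sessionBusSocketPath(address: string): string =
  ## Extracts the filesystem socket path from a D-Bus address of the form
  ## ``unix:path=<socket>[,key=value...]``.
  ##
  ## Only the first entry of a ``;``-separated address list is considered.
  ## Raises ``ValueError`` when that entry is not a ``unix:`` address with a
  ## non-empty ``path`` key (variable unset, abstract socket, other
  ## transport): in those cases there is no file the proxy socket could be
  ## bound over. Percent-escaped values are returned as written.
  const transport = "unix:"
  let first = address.split(';')[0]
  if first.startsWith(transport):
    for pair in first[transport.len .. ^1].split(','):
      let kv = pair.split('=', maxsplit = 1)
      if kv.len == 2 and kv[0] == "path" and kv[1].len > 0:
        return kv[1]
  raise newException(ValueError,
    "DBUS_SESSION_BUS_ADDRESS is not a unix:path= address: '" & address & "'")

proc sandboxExec*(args: Args) =
  ## Builds the bubblewrap command line for the requested profile/sandbox and
  ## executes the user's command inside it.
  ##
  ## When ``args.name`` is set, a per-sandbox ``files`` directory is created
  ## and bound over the home directory, and a ``config.json`` extending the
  ## selected profile is written on first use. Otherwise the profile's own
  ## config file is loaded.
  ##
  ## Raises ``ValueError`` if no command was given or the session bus address
  ## cannot be mapped to a socket path, and ``OSError`` if the command cannot
  ## be found on the host.

  # Resolve the binary path outside of the sandbox, and do it before any
  # directory, config file or proxy process is created, so a mistyped command
  # fails without side effects. findExe returns "" when nothing is found;
  # passing that on would hand bwrap an empty program name.
  var cmd = args.getCmd
  if cmd.len == 0:
    raise newException(ValueError, "no command given to run in the sandbox")
  let exePath = findExe(cmd[0])
  if exePath.len == 0:
    raise newException(OSError, "command not found: " & cmd[0])
  cmd[0] = exePath

  var call = BwrapCall()
  var configPath = none(string)

  # The sandbox name doubles as the hostname; fall back to the profile name.
  let hostname = args.name.get(getProfile(args))

  if args.name.isSome:
    let name = args.name.get
    let sandboxPath = getSandboxPath(name)
    let sandboxFiles = sandboxPath.joinPath("files")
    let userConfig = sandboxPath.joinPath("config.json")

    createDir(sandboxFiles)
    # The sandboxed process sees the per-sandbox directory at the path of the
    # real home directory, not the real home itself.
    call.addArg("--bind", sandboxFiles, getHomeDir())

    if not fileExists(userConfig):
      # First run of this sandbox: seed a config that inherits the profile.
      let newConfig = %* {"extends": getProfile(args)}
      writeFile(userConfig, $newConfig)

    configPath = some(userConfig)

  if configPath.isNone or not fileExists(configPath.unsafeGet):
    configPath = some(getProfilePath(args))

  var config = loadConfig(configPath.unsafeGet)
  config.extendConfig()

  call
    # setsid(): detach from the controlling terminal so the sandboxed
    # process cannot inject input into it.
    .addArg("--new-session")
    # Fresh minimal /dev instead of the host's.
    .addArg("--dev", "/dev")
    .addMount("--dev-bind", "/dev/random")
    .addMount("--dev-bind", "/dev/urandom")
    # Read-only views of selected /sys subtrees.
    .addMount("--ro-bind", "/sys/block")
    .addMount("--ro-bind", "/sys/bus")
    .addMount("--ro-bind", "/sys/class")
    .addMount("--ro-bind", "/sys/dev")
    .addMount("--ro-bind", "/sys/devices")
    .addArg("--tmpfs", "/tmp")
    .addArg("--tmpfs", "/dev/shm")
    .addArg("--proc", "/proc")
    # Unshare every namespace, then hand the host network namespace back:
    # the sandbox is NOT network-isolated.
    .addArg("--unshare-all")
    .addArg("--share-net")
    .addArg("--die-with-parent")
    .addArg("--setenv", "BWSANDBOX", "1")
    .applyConfig(config)

  if config.sethostname.get(false):
    call
      .addArg("--hostname", hostname)

  if config.dbus.get(false):
    # Work out the bind target first so a malformed address fails before the
    # proxy process is spawned. The previous `split('=')[1]` crashed on an
    # unset variable and returned "<path>,guid" for addresses that carry
    # extra keys.
    let busSocket = sessionBusSocketPath(getEnv("DBUS_SESSION_BUS_ADDRESS"))

    # todo: handle process and cleanup later
    let proxy = startDBusProxy(config, hostname)
    # The proxy's socket is mounted read-only at the path of the session bus
    # socket, so the real bus socket is not what gets bound there.
    call.addArg("--ro-bind", proxy.socket, busSocket)

    # todo: use fd signaling instead of this
    # NOTE(review): fixed delay is a race; if the proxy has not created its
    # socket within 100 ms the bind source will not exist yet.
    sleep(100)

  if config.allowdri.get(false):
    enableDri(call)

  # NOTE(review): looks like debug output. It prints the complete bwrap
  # argument list and the command to stdout, where it mixes with the output
  # of the sandboxed program; confirm whether it should stay or go to stderr.
  echo call.args.join(" ")
  echo cmd

  call.addArg(cmd).exec()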