| 
									
										
										
										
											2021-05-18 22:10:35 +02:00
										 |  |  | import os | 
					
						
							| 
									
										
										
										
											2021-06-19 16:33:47 +02:00
										 |  |  | import args | 
					
						
							| 
									
										
										
										
											2021-06-20 14:09:30 +02:00
										 |  |  | import json | 
					
						
							| 
									
										
										
										
											2021-06-19 16:33:47 +02:00
										 |  |  | import utils | 
					
						
							| 
									
										
										
										
											2021-05-18 22:10:35 +02:00
										 |  |  | import bwrap | 
					
						
							|  |  |  | import config | 
					
						
							|  |  |  | import options | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-06-20 14:09:30 +02:00
										 |  |  | proc sandboxExec*(args: Args) = | 
					
						
							| 
									
										
										
										
											2021-06-19 16:33:47 +02:00
										 |  |  |   var call = BwrapCall() | 
					
						
							| 
									
										
										
										
											2021-06-20 14:09:30 +02:00
										 |  |  |   var configPath = none(string) | 
					
						
							| 
									
										
										
										
											2021-05-18 22:10:35 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-08-14 13:15:07 +02:00
										 |  |  |   let hostname = args.name.get(getProfile(args)) | 
					
						
							| 
									
										
										
										
											2021-05-18 22:10:35 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-06-19 16:33:47 +02:00
										 |  |  |   if args.name.isSome: | 
					
						
							|  |  |  |     let name = args.name.unsafeGet | 
					
						
							|  |  |  |     let sandboxPath = getSandboxPath(name) | 
					
						
							|  |  |  |     let sandboxFiles = sandboxPath.joinPath("files") | 
					
						
							| 
									
										
										
										
											2021-06-20 14:09:30 +02:00
										 |  |  |     let userConfig = sandboxPath.joinPath("config.json") | 
					
						
							| 
									
										
										
										
											2021-05-18 22:10:35 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-06-19 16:33:47 +02:00
										 |  |  |     createDir(sandboxFiles) | 
					
						
							|  |  |  |     call.addArg("--bind", sandboxFiles, getHomeDir()) | 
					
						
							| 
									
										
										
										
											2021-05-18 22:10:35 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-06-20 14:09:30 +02:00
										 |  |  |     if not fileExists(userConfig): | 
					
						
							|  |  |  |       let newConfig = %* {"extends": getProfile(args)} | 
					
						
							|  |  |  |       writeFile(userConfig, $newConfig) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     configPath = some(userConfig) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   if configPath.isNone or not fileExists(configPath.unsafeGet): | 
					
						
							|  |  |  |     configPath = some(getProfilePath(args)) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   var config = loadConfig(configPath.unsafeGet) | 
					
						
							|  |  |  |   config.extendConfig() | 
					
						
							| 
									
										
										
										
											2021-05-18 22:10:35 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |   call | 
					
						
							| 
									
										
										
										
											2021-06-19 16:33:47 +02:00
										 |  |  |     .addMount("--dev-bind", "/dev/null") | 
					
						
							| 
									
										
										
										
											2021-06-20 14:09:30 +02:00
										 |  |  |     .addMount("--dev-bind", "/dev/random") | 
					
						
							|  |  |  |     .addMount("--dev-bind", "/dev/urandom") | 
					
						
							| 
									
										
										
										
											2021-06-16 19:48:13 +02:00
										 |  |  |     .addArg("--tmpfs", "/tmp") | 
					
						
							| 
									
										
										
										
											2021-05-18 22:10:35 +02:00
										 |  |  |     .addArg("--proc", "/proc") | 
					
						
							|  |  |  |     .addArg("--unshare-all") | 
					
						
							|  |  |  |     .addArg("--share-net") | 
					
						
							|  |  |  |     .addArg("--die-with-parent") | 
					
						
							| 
									
										
										
										
											2021-06-20 14:09:30 +02:00
										 |  |  |     .addArg("--setenv", "BWSANDBOX", "1") | 
					
						
							|  |  |  |     .applyConfig(config) | 
					
						
							| 
									
										
										
										
											2021-05-18 22:10:35 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-06-20 14:09:30 +02:00
										 |  |  |   if config.mountcwd.get(false): | 
					
						
							| 
									
										
										
										
											2021-06-16 19:48:13 +02:00
										 |  |  |     call | 
					
						
							|  |  |  |       .addMount("--bind", getCurrentDir()) | 
					
						
							|  |  |  |       .addArg("--chdir", getCurrentDir()) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-06-20 14:09:30 +02:00
										 |  |  |   if config.sethostname.get(false): | 
					
						
							|  |  |  |     call | 
					
						
							|  |  |  |       .addArg("--hostname", hostname) | 
					
						
							| 
									
										
										
										
											2021-05-18 22:10:35 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-06-19 16:33:47 +02:00
										 |  |  |   call.addArg(args.getCmd).exec() |