bwbox/lib/sandbox.nim

import strutils
import options
import config
import utils
import bwrap
import args
import json
import dbus
import os

proc sandboxExec*(args: Args) =
  var call = BwrapCall()
  var configPath = none(string)

  let hostname = args.name.get(getProfile(args))

  if args.name.isSome:
    let name = args.name.unsafeGet
    let sandboxPath = getSandboxPath(name)
    let sandboxFiles = sandboxPath.joinPath("files")
    let userConfig = sandboxPath.joinPath("config.json")

    createDir(sandboxFiles)
    call.addArg("--bind", sandboxFiles, getHomeDir())

    if not fileExists(userConfig):
      let newConfig = %* {"extends": getProfile(args)}
      writeFile(userConfig, $newConfig)

    configPath = some(userConfig)

  if configPath.isNone or not fileExists(configPath.unsafeGet):
    configPath = some(getProfilePath(args))

  var config = loadConfig(configPath.unsafeGet)
  config.extendConfig()

  call
    .addArg("--dev", "/dev")
    .addMount("--dev-bind", "/dev/random")
    .addMount("--dev-bind", "/dev/urandom")
    .addMount("--ro-bind", "/sys/block")
    .addMount("--ro-bind", "/sys/bus")
    .addMount("--ro-bind", "/sys/class")
    .addMount("--ro-bind", "/sys/dev")
    .addMount("--ro-bind", "/sys/devices")
    .addArg("--tmpfs", "/tmp")
    .addArg("--tmpfs", "/dev/shm")
    .addArg("--proc", "/proc")
    .addArg("--unshare-all")
    .addArg("--share-net")
    .addArg("--die-with-parent")
    .addArg("--setenv", "BWSANDBOX", "1")
    .applyConfig(config)

  if config.sethostname.get(false):
    call
      .addArg("--hostname", hostname)

  if config.dbus.get(false):
    # todo: handle process and cleanup later
    let proxy = startDBusProxy(config, hostname)
    call.addArg("--ro-bind", proxy.socket,
      getEnv("DBUS_SESSION_BUS_ADDRESS").split('=')[1])

    # todo: use fd signaling instead of this
    sleep(100)

  if config.allowdri.get(false):
    enableDri(call)

  # resolve binary path outside of the sandbox
  var cmd = args.getCmd

  echo cmd
  cmd[0] = findExe(cmd[0])

  echo cmd

  call.addArg(cmd).exec()
add dbus and dri 2021-06-27 16:46:29 +02:00			`import strutils`
			`import options`
			`import config`
New arg parser and profile support 2021-06-19 16:33:47 +02:00			`import utils`
Splitup and config file parsing 2021-05-18 22:10:35 +02:00			`import bwrap`
add dbus and dri 2021-06-27 16:46:29 +02:00			`import args`
			`import json`
			`import dbus`
			`import os`
Splitup and config file parsing 2021-05-18 22:10:35 +02:00
Remove mode and improve profiles 2021-06-20 14:09:30 +02:00			`proc sandboxExec*(args: Args) =`
New arg parser and profile support 2021-06-19 16:33:47 +02:00			`var call = BwrapCall()`
Remove mode and improve profiles 2021-06-20 14:09:30 +02:00			`var configPath = none(string)`
Splitup and config file parsing 2021-05-18 22:10:35 +02:00
add dbus and dri 2021-06-27 16:46:29 +02:00			`let hostname = args.name.get(getProfile(args))`
Splitup and config file parsing 2021-05-18 22:10:35 +02:00
New arg parser and profile support 2021-06-19 16:33:47 +02:00			`if args.name.isSome:`
			`let name = args.name.unsafeGet`
			`let sandboxPath = getSandboxPath(name)`
			`let sandboxFiles = sandboxPath.joinPath("files")`
Remove mode and improve profiles 2021-06-20 14:09:30 +02:00			`let userConfig = sandboxPath.joinPath("config.json")`
Splitup and config file parsing 2021-05-18 22:10:35 +02:00
New arg parser and profile support 2021-06-19 16:33:47 +02:00			`createDir(sandboxFiles)`
			`call.addArg("--bind", sandboxFiles, getHomeDir())`
Splitup and config file parsing 2021-05-18 22:10:35 +02:00
Remove mode and improve profiles 2021-06-20 14:09:30 +02:00			`if not fileExists(userConfig):`
			`let newConfig = %* {"extends": getProfile(args)}`
			`writeFile(userConfig, $newConfig)`

			`configPath = some(userConfig)`

			`if configPath.isNone or not fileExists(configPath.unsafeGet):`
			`configPath = some(getProfilePath(args))`

			`var config = loadConfig(configPath.unsafeGet)`
			`config.extendConfig()`
Splitup and config file parsing 2021-05-18 22:10:35 +02:00
			`call`
add dbus and dri 2021-06-27 16:46:29 +02:00			`.addArg("--dev", "/dev")`
Remove mode and improve profiles 2021-06-20 14:09:30 +02:00			`.addMount("--dev-bind", "/dev/random")`
			`.addMount("--dev-bind", "/dev/urandom")`
Extend device support 2021-12-27 16:39:18 +01:00			`.addMount("--ro-bind", "/sys/block")`
			`.addMount("--ro-bind", "/sys/bus")`
			`.addMount("--ro-bind", "/sys/class")`
			`.addMount("--ro-bind", "/sys/dev")`
			`.addMount("--ro-bind", "/sys/devices")`
Add support for different modes based on argv[0] 2021-06-16 19:48:13 +02:00			`.addArg("--tmpfs", "/tmp")`
add dbus and dri 2021-06-27 16:46:29 +02:00			`.addArg("--tmpfs", "/dev/shm")`
Splitup and config file parsing 2021-05-18 22:10:35 +02:00			`.addArg("--proc", "/proc")`
			`.addArg("--unshare-all")`
			`.addArg("--share-net")`
			`.addArg("--die-with-parent")`
Remove mode and improve profiles 2021-06-20 14:09:30 +02:00			`.addArg("--setenv", "BWSANDBOX", "1")`
			`.applyConfig(config)`
Splitup and config file parsing 2021-05-18 22:10:35 +02:00
Extend device support 2021-12-27 16:39:18 +01:00			`if config.sethostname.get(false):`
			`call`
			`.addArg("--hostname", hostname)`

add dbus and dri 2021-06-27 16:46:29 +02:00			`if config.dbus.get(false):`
			`# todo: handle process and cleanup later`
			`let proxy = startDBusProxy(config, hostname)`
			`call.addArg("--ro-bind", proxy.socket,`
			`getEnv("DBUS_SESSION_BUS_ADDRESS").split('=')[1])`

			`# todo: use fd signaling instead of this`
			`sleep(100)`

			`if config.allowdri.get(false):`
			`enableDri(call)`

Try to rely less on hardcoded paths 2022-05-12 17:51:55 +02:00			`# resolve binary path outside of the sandbox`
			`var cmd = args.getCmd`

			`echo cmd`
			`cmd[0] = findExe(cmd[0])`

			`echo cmd`

			`call.addArg(cmd).exec()`