Splitup and config file parsing

This commit is contained in:
Martin 2021-05-18 22:10:35 +02:00
parent e218eb9e5e
commit 8b89243a4a
Signed by: mawalu
GPG Key ID: BF556F989760A7C8
5 changed files with 92 additions and 81 deletions

10
config.json Normal file
View File

@ -0,0 +1,10 @@
{
"mount": [],
"romount": ["/etc", "/var", "/usr", "/opt", ".oh-my-zsh", ".zsh", ".zshrc"],
"symlinks": [
{"src": "usr/lib", "dst": "/lib"},
{"src": "usr/lib64", "dst": "/lib64"},
{"src": "usr/bin", "dst": "/bin"},
{"src": "usr/sbin", "dst": "/sbin"}
]
}

10
lib/config.nim Normal file
View File

@ -0,0 +1,10 @@
import options
type Link* = object
src*: string
dst*: string
type Config* = object
mount*: Option[seq[string]]
romount*: Option[seq[string]]
symlinks*: Option[seq[Link]]

55
lib/sandbox.nim Normal file
View File

@ -0,0 +1,55 @@
import os
import json
import bwrap
import config
import options
const CONFIG_LOCATION = "config.json"
proc homePath(p: string): string =
joinPath(getHomeDir(), p)
proc checkRelativePath(p: string): string =
if p[0] == '/':
return p
homePath(p)
proc applyConfig(call: var BwrapCall, config: Config) =
for mount in config.mount.get(@[]):
call.addMount("--bind", checkRelativePath(mount))
for mount in config.romount.get(@[]):
call.addMount("--ro-bind", checkRelativePath(mount))
for symlink in config.symlinks.get(@[]):
call.addArg("--symlink", symlink.src, symlink.dst)
proc loadConfig(path: string): Config =
return readFile(path).parseJson().to(Config)
proc sandboxExec*(name: string, command: string) =
let sandboxPath = homePath(joinPath(".sandboxes", name))
let sandboxFiles = joinPath(sandboxPath, "files")
let sandboxInfo = joinPath(sandboxPath, "info")
createDir(sandboxFiles)
var call = BwrapCall()
call
.addArg("--bind", sandboxFiles, getHomeDir())
.addMount("--dev-bind", "/dev")
.addArg("--dir", "/tmp")
.addArg("--proc", "/proc")
.addArg("--unshare-all")
.addArg("--share-net")
.addArg("--die-with-parent")
.addArg("--hostname", name)
.addArg("--chdir", getHomeDir())
.applyConfig(loadConfig(CONFIG_LOCATION))
let configPath = sandboxPath.joinPath("config.json")
echo configPath
if fileExists(configPath):
call.applyConfig(loadConfig(configPath))
call.addArg(command).exec()

View File

@ -1,10 +1,8 @@
import lib/sandbox
import strformat import strformat
import lib/bwrap
import os import os
proc homePath(p: string): string = proc main() =
joinPath(getHomeDir(), p)
let mode = splitPath(getAppFilename()).tail let mode = splitPath(getAppFilename()).tail
let args = commandLineParams() let args = commandLineParams()
let argc = paramCount() let argc = paramCount()
@ -14,75 +12,13 @@ if argc == 0:
quit(1) quit(1)
let name = args[0] let name = args[0]
var command = "" var command: string
if argc > 1: if argc > 1:
command = args[1] command = args[1]
else: else:
command = getEnv("SHELL", "/bin/sh") command = getEnv("SHELL", "/bin/sh")
let sandboxPath = homePath(joinPath("sandboxes", name)) sandboxExec(name, command)
let sandboxFiles = joinPath(sandboxPath, "files")
let sandboxInfo = joinPath(sandboxPath, "info")
createDir(sandboxFiles) main()
var call = BwrapCall()
call.addArg("--bind", sandboxFiles, getHomeDir())
for mount in ["/sys"]:
call.addMount("--bind", mount)
for mount in ["/etc", "/var", "/usr", "/opt", homePath(".oh-my-zsh"), homePath(".zsh"), homePath(".zshrc")]:
call.addMount("--ro-bind", mount)
call
.addMount("--dev-bind", "/dev")
.addArg("--dir", "/tmp")
.addArg("--symlink", "usr/lib", "/lib")
.addArg("--symlink", "usr/lib64", "/lib64")
.addArg("--symlink", "usr/bin", "/bin")
.addArg("--symlink", "usr/sbin", "/sbin")
.addArg("--proc", "/proc")
.addArg("--unshare-all")
.addArg("--share-net")
.addArg("--die-with-parent")
.addArg("--hostname", name)
.addArg("--chdir", getHomeDir())
.addArg(command)
.exec()
#[
(exec bwrap --bind $sandbox_files $HOME \
${cli_mode:+--bind $(pwd) $(pwd)} \
${cli_mode:+--bind $SSH_AUTH_SOCK $SSH_AUTH_SOCK} \
${gui_mode:+--bind /run/user/$(id -u)/pulse /run/user/$(id -u)/pulse} \
${gui_mode:+--bind /run/user/$(id -u)/wayland-0 /run/user/$(id -u)/wayland-0} \
--bind /sys /sys \
--ro-bind /etc /etc \
--ro-bind /var /var \
--ro-bind /usr /usr \
--ro-bind /opt /opt \
--ro-bind $HOME/.zshrc $HOME/.zshrc \
--ro-bind $HOME/.zsh $HOME/.zsh \
--ro-bind $HOME/.oh-my-zsh $HOME/.oh-my-zsh \
--ro-bind $HOME/.ssh/known_hosts $HOME/.ssh/known_hosts \
--dev-bind /dev /dev \
--dir /tmp \
--dir $HOME/.ssh \
--symlink usr/lib /lib \
--symlink usr/lib64 /lib64 \
--symlink usr/bin /bin \
--symlink usr/sbin /sbin \
--proc /proc \
--unshare-all \
--share-net \
--die-with-parent \
--setenv XDG_RUNTIME_DIR "/run/user/$(id -u)" \
--hostname "$name" \
--chdir "$run_chdir" \
--info-fd 11 \
"$run_command") \
11> "$sandbox_info"
]#