59 lines
1.4 KiB
Nim
59 lines
1.4 KiB
Nim
import os
|
|
import args
|
|
import json
|
|
import utils
|
|
import bwrap
|
|
import config
|
|
import options
|
|
|
|
proc sandboxExec*(args: Args) =
|
|
var call = BwrapCall()
|
|
var configPath = none(string)
|
|
|
|
let hostname = args.name.get(getProfile(argst ))
|
|
|
|
if args.name.isSome:
|
|
let name = args.name.unsafeGet
|
|
let sandboxPath = getSandboxPath(name)
|
|
let sandboxFiles = sandboxPath.joinPath("files")
|
|
let userConfig = sandboxPath.joinPath("config.json")
|
|
|
|
|
|
createDir(sandboxFiles)
|
|
call.addArg("--bind", sandboxFiles, getHomeDir())
|
|
|
|
if not fileExists(userConfig):
|
|
let newConfig = %* {"extends": getProfile(args)}
|
|
writeFile(userConfig, $newConfig)
|
|
|
|
configPath = some(userConfig)
|
|
|
|
if configPath.isNone or not fileExists(configPath.unsafeGet):
|
|
configPath = some(getProfilePath(args))
|
|
|
|
var config = loadConfig(configPath.unsafeGet)
|
|
config.extendConfig()
|
|
|
|
call
|
|
.addMount("--dev-bind", "/dev/null")
|
|
.addMount("--dev-bind", "/dev/random")
|
|
.addMount("--dev-bind", "/dev/urandom")
|
|
.addArg("--tmpfs", "/tmp")
|
|
.addArg("--proc", "/proc")
|
|
.addArg("--unshare-all")
|
|
.addArg("--share-net")
|
|
.addArg("--die-with-parent")
|
|
.addArg("--setenv", "BWSANDBOX", "1")
|
|
.applyConfig(config)
|
|
|
|
if config.mountcwd.get(false):
|
|
call
|
|
.addMount("--bind", getCurrentDir())
|
|
.addArg("--chdir", getCurrentDir())
|
|
|
|
if config.sethostname.get(false):
|
|
call
|
|
.addArg("--hostname", hostname)
|
|
|
|
call.addArg(args.getCmd).exec()
|