initial commit

This commit is contained in:
hippoz 2022-06-04 12:15:35 +03:00
parent 7d4f16dd87
commit 75aa2b0fbf
Signed by: hippoz
GPG key ID: 7C52899193467641

80
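--- /dev/null
+++ b/bwrap-generator.py
@@ -0,0 +1,80 @@
+def generate_bwrap_command(user, app_home_path, app_binary, permissions):
+    command = [
+        "/usr/bin/bwrap",
+        "--ro-bind", "/bin", "/bin",
+        "--ro-bind", "/usr/bin", "/usr/bin",
+        "--ro-bind", "/lib", "/lib",
+        "--ro-bind-try", "/lib32", "/lib32",
+        "--ro-bind-try", "/lib64", "/lib64",
+        "--ro-bind", "/usr/lib", "/usr/lib",
+        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
+        "--ro-bind", "/usr/share", "/usr/share",
+        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+        "--ro-bind", "/usr/include", "/usr/include",
+        "--ro-bind", "/etc", "/etc",
+        "--ro-bind-try", f"{app_home_path}/.machine-id", "/etc/machine-id",
+        "--ro-bind-try", f"{app_home_path}/.machine-id", "/var/lib/dbus/machine-id",
+        "--ro-bind", "/var/lib", "/var/lib",
+        "--tmpfs", "/var/lib/dbus",
+        "--dev", "/dev",
+        "--bind", app_home_path, f"/home/{user}",
+        "--proc", "/proc",
+        "--tmpfs", "/tmp",
+        "--tmpfs", "/var/tmp",
+        "--tmpfs", "/var/cache",
+        "--tmpfs", "/run",
+        "--symlink", "/run", "/var/run",
+        "--chdir", f"/home/{user}",
+        "--setenv", "HOME", f"/home/{user}",
+        "--setenv", "SHELL", "/sbin/nologin",
+        "--unsetenv", "SUDO_USER",
+        "--unsetenv", "SUDO_UID",
+        "--unsetenv", "SUDO_GID",
+        "--unsetenv", "SUDO_COMMAND",
+        "--unsetenv", "OLDPWD",
+        "--unsetenv", "MAIL",
+        "--unshare-all",
+        "--new-session",
+        "--cap-drop", "all",
+    ]
+    for p in permissions:
+        if p == "network":
+            command.append("--share-net")
+        elif p == "x11":
+            command.extend([
+                "--ro-bind-try", f"/home/{user}/.Xauthority", f"/home/{user}/.Xauthority",
+                "--ro-bind-try", "/tmp/.X11-unix", "/tmp/.X11-unix"
+            ])
+        elif p == "sys":
+            command.extend([
+                "--ro-bind", "/sys/dev", "/sys/dev",
+                "--ro-bind", "/sys/devices", "/sys/devices",
+                "--ro-bind", "/sys/class", "/sys/class",
+                "--ro-bind", "/sys/bus", "/sys/bus",
+                "--ro-bind", "/sys/fs/cgroup", "/sys/fs/cgroup",
+                "--dev-bind", "/dev/dri", "/dev/dri",
+            ])
+        elif p == "microphone":
+            command.extend([
+                "--dev-bind-try", "/dev/snd", "/dev/snd",
+            ])
+        else:
+            raise RuntimeError(f"unknown permission '{p}'")
+    command.append(app_binary)
+    return command
+bash_command = generate_command(
+    "hippoz",
+    "/home/hippoz/sandbox",
+    "/bin/bash",
+    [
+        "x11",
+        "network",
+        "microphone",
+        "sys"
+    ]
+)
+print(" ".join(bash_command))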
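Review bot: The call near the end of the file uses `generate_command`, but the only function defined above is `generate_bwrap_command`, so running the script raises NameError before anything is printed; change it to `bash_command = generate_bwrap_command(`. The final `print(" ".join(bash_command))` emits an unquoted command line, so a `user` or `app_home_path` containing spaces or shell metacharacters would be split or reinterpreted when the output is pasted into a shell; `print(shlex.join(bash_command))` (with `import shlex`) quotes each argument. The function also has no docstring; a short one should state that `permissions` accepts only `network`, `x11`, `sys` and `microphone` and that any other value raises `RuntimeError`, and that `app_home_path` is bind-mounted read-write as the sandbox home while the host's `/etc` and `/var/lib` are exposed read-only, since those are the choices a reader must understand before adding a new permission.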