From 75aa2b0fbf7f83141709dd39e26f0b5a49ba9069 Mon Sep 17 00:00:00 2001
From: hippoz <10706925-hippoz@users.noreply.gitlab.com>
Date: Sat, 4 Jun 2022 12:15:35 +0300
Subject: [PATCH] initial commit
---
bwrap-generator.py | 80 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
create mode 100644 bwrap-generator.py
diff --git a/bwrap-generator.py b/bwrap-generator.py
new file mode 100644
index 0000000..e3d376d
--- /dev/null
+++ b/bwrap-generator.py
@@ -0,0 +1,80 @@
+def generate_bwrap_command(user, app_home_path, app_binary, permissions):
+ command = [
+ "/usr/bin/bwrap",
+ "--ro-bind", "/bin", "/bin",
+ "--ro-bind", "/usr/bin", "/usr/bin",
+ "--ro-bind", "/lib", "/lib",
+ "--ro-bind-try", "/lib32", "/lib32",
+ "--ro-bind-try", "/lib64", "/lib64",
+ "--ro-bind", "/usr/lib", "/usr/lib",
+ "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
+ "--ro-bind", "/usr/share", "/usr/share",
+ "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+ "--ro-bind", "/usr/include", "/usr/include",
+ "--ro-bind", "/etc", "/etc",
+ "--ro-bind-try", f"{app_home_path}/.machine-id", "/etc/machine-id",
+ "--ro-bind-try", f"{app_home_path}/.machine-id", "/var/lib/dbus/machine-id",
+ "--ro-bind", "/var/lib", "/var/lib",
+ "--tmpfs", "/var/lib/dbus",
+ "--dev", "/dev",
+ "--bind", app_home_path, f"/home/{user}",
+ "--proc", "/proc",
+ "--tmpfs", "/tmp",
+ "--tmpfs", "/var/tmp",
+ "--tmpfs", "/var/cache",
+ "--tmpfs", "/run",
+ "--symlink", "/run", "/var/run",
+ "--chdir", f"/home/{user}",
+ "--setenv", "HOME", f"/home/{user}",
+ "--setenv", "SHELL", "/sbin/nologin",
+ "--unsetenv", "SUDO_USER",
+ "--unsetenv", "SUDO_UID",
+ "--unsetenv", "SUDO_GID",
+ "--unsetenv", "SUDO_COMMAND",
+ "--unsetenv", "OLDPWD",
+ "--unsetenv", "MAIL",
+ "--unshare-all",
+ "--new-session",
+ "--cap-drop", "all",
+ ]
+
+ for p in permissions:
+ if p == "network":
+ command.append("--share-net")
+ elif p == "x11":
+ command.extend([
+ "--ro-bind-try", f"/home/{user}/.Xauthority", f"/home/{user}/.Xauthority",
+ "--ro-bind-try", "/tmp/.X11-unix", "/tmp/.X11-unix"
+ ])
+ elif p == "sys":
+ command.extend([
+ "--ro-bind", "/sys/dev", "/sys/dev",
+ "--ro-bind", "/sys/devices", "/sys/devices",
+ "--ro-bind", "/sys/class", "/sys/class",
+ "--ro-bind", "/sys/bus", "/sys/bus",
+ "--ro-bind", "/sys/fs/cgroup", "/sys/fs/cgroup",
+ "--dev-bind", "/dev/dri", "/dev/dri",
+ ])
+ elif p == "microphone":
+ command.extend([
+ "--dev-bind-try", "/dev/snd", "/dev/snd",
+ ])
+ else:
+ raise RuntimeError(f"unknown permission '{p}'")
+
+ command.append(app_binary)
+
+ return command
+
+bash_command = generate_command(
+ "hippoz",
+ "/home/hippoz/sandbox",
+ "/bin/bash",
+ [
+ "x11",
+ "network",
+ "microphone",
+ "sys"
+ ]
+)
+print(" ".join(bash_command))
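Review bot: The call near the end of the hunk uses `generate_command`, but the only function defined in the file is `generate_bwrap_command`, so running the script raises NameError before anything is printed; change it to `bash_command = generate_bwrap_command(`. The final `print(" ".join(bash_command))` emits an unquoted command that is evidently meant to be pasted into a shell, so a `user` or `app_home_path` containing spaces or shell metacharacters would be split or interpreted by the shell; `print(shlex.join(bash_command))` (with `import shlex`) produces a correctly quoted line, or hand the list directly to `subprocess.run` with `shell=False`. bwrap applies its mount options in command-line order, so the `--ro-bind-try ... "/var/lib/dbus/machine-id"` entry is most likely shadowed by the later `--ro-bind "/var/lib"` and `--tmpfs "/var/lib/dbus"`; if that override is intended, move it after the tmpfs line and confirm by reading the file inside the sandbox. The `x11` branch deserves a warning comment such as `# NOTE: binding /tmp/.X11-unix and .Xauthority gives the app full X11 access to the host session (input snooping, screenshots), which undoes most of the isolation above`, since callers will otherwise assume "x11" is as narrow a grant as "microphone".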