initial commit

2022-06-04 12:15:35 +03:00 · 2022-06-04 12:15:35 +03:00 · 75aa2b0fbf
commit 75aa2b0fbf
parent 7d4f16dd87
1 changed files with 80 additions and 0 deletions
--- a/bwrap-generator.py
+++ b/bwrap-generator.py
@ -0,0 +1,80 @@
+def generate_bwrap_command(user, app_home_path, app_binary, permissions):
+    command = [
+        "/usr/bin/bwrap",
+        "--ro-bind", "/bin", "/bin",
+        "--ro-bind", "/usr/bin", "/usr/bin",
+        "--ro-bind", "/lib", "/lib",
+        "--ro-bind-try", "/lib32", "/lib32",
+        "--ro-bind-try", "/lib64", "/lib64",
+        "--ro-bind", "/usr/lib", "/usr/lib",
+        "--ro-bind-try", "/usr/local/lib", "/usr/local/lib",
+        "--ro-bind", "/usr/share", "/usr/share",
+        "--ro-bind-try", "/usr/local/share", "/usr/local/share",
+        "--ro-bind", "/usr/include", "/usr/include",
+        "--ro-bind", "/etc", "/etc",
+        "--ro-bind-try", f"{app_home_path}/.machine-id", "/etc/machine-id",
+        "--ro-bind-try", f"{app_home_path}/.machine-id", "/var/lib/dbus/machine-id",
+        "--ro-bind", "/var/lib", "/var/lib",
+        "--tmpfs", "/var/lib/dbus",
+        "--dev", "/dev",
+        "--bind", app_home_path, f"/home/{user}",
+        "--proc", "/proc",
+        "--tmpfs", "/tmp",
+        "--tmpfs", "/var/tmp",
+        "--tmpfs", "/var/cache",
+        "--tmpfs", "/run",
+        "--symlink", "/run", "/var/run",
+        "--chdir", f"/home/{user}",
+        "--setenv", "HOME", f"/home/{user}",
+        "--setenv", "SHELL", "/sbin/nologin",
+        "--unsetenv", "SUDO_USER",
+        "--unsetenv", "SUDO_UID",
+        "--unsetenv", "SUDO_GID",
+        "--unsetenv", "SUDO_COMMAND",
+        "--unsetenv", "OLDPWD",
+        "--unsetenv", "MAIL",
+        "--unshare-all",
+        "--new-session",
+        "--cap-drop", "all",
+    ]
+
+    for p in permissions:
+        if p == "network":
+            command.append("--share-net")
+        elif p == "x11":
+            command.extend([
+                "--ro-bind-try", f"/home/{user}/.Xauthority", f"/home/{user}/.Xauthority",
+                "--ro-bind-try", "/tmp/.X11-unix", "/tmp/.X11-unix"
+            ])
+        elif p == "sys":
+            command.extend([
+                "--ro-bind", "/sys/dev", "/sys/dev",
+                "--ro-bind", "/sys/devices", "/sys/devices",
+                "--ro-bind", "/sys/class", "/sys/class",
+                "--ro-bind", "/sys/bus", "/sys/bus",
+                "--ro-bind", "/sys/fs/cgroup", "/sys/fs/cgroup",
+                "--dev-bind", "/dev/dri", "/dev/dri",
+            ])
+        elif p == "microphone":
+            command.extend([
+                "--dev-bind-try", "/dev/snd", "/dev/snd",
+            ])
+        else:
+            raise RuntimeError(f"unknown permission '{p}'")
+
+    command.append(app_binary)
+
+    return command
+
+bash_command = generate_command(
+    "hippoz",
+    "/home/hippoz/sandbox",
+    "/bin/bash",
+    [
+        "x11",
+        "network",
+        "microphone",
+        "sys"
+    ]
+)
+print(" ".join(bash_command))