security/hakurei
6
3
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

helper/bwrap: implement file copy flags
All checks were successful
Test / Create distribution (push) Successful in 49s
Details
Test / Run NixOS test (push) Successful in 3m42s
Details

Browse Source 
These are significantly more efficient and less error-prone than mounting an external tmpfile. This should also reduce attack surface as the resulting files are private to its specific sandbox.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2025-02-15 03:12:28 +09:00
parent ea8d1c07df
commit 72b0160aad
4 changed files with 124 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
helper/bwrap/builder.go
View File

@@ -1,6 +1,8 @@
package bwrap
import "os"
import (
"os"
)
/*
Bind binds mount src on host to dest in sandbox.
@@ -61,6 +63,29 @@ func (c *Config) Bind(src, dest string, opts ...bool) *Config {
}
}
// Write copy from FD to destination DEST
// (--file FD DEST)
func (c *Config) Write(dest string, payload []byte) *Config {
c.Filesystem = append(c.Filesystem, &DataConfig{Dest: dest, Data: payload, Type: DataWrite})
return c
}
/*
CopyBind copy from FD to file which is readonly bind-mounted on DEST
(--ro-bind-data FD DEST)
CopyBind(dest, payload, true) copy from FD to file which is bind-mounted on DEST
(--bind-data FD DEST)
*/
func (c *Config) CopyBind(dest string, payload []byte, opts ...bool) *Config {
t := DataROBind
if len(opts) > 0 && opts[0] {
t = DataBind
}
c.Filesystem = append(c.Filesystem, &DataConfig{Dest: dest, Data: payload, Type: t})
return c
}
// Dir create dir in sandbox
// (--dir DEST)
func (c *Config) Dir(dest string) *Config {