sandbox: relative autoetc links
All checks were successful
Test / Create distribution (push) Successful in 26s
Test / Sandbox (push) Successful in 1m44s
Test / Fortify (push) Successful in 2m41s
Test / Sandbox (race detector) (push) Successful in 2m48s
Test / Fpkg (push) Successful in 3m35s
Test / Fortify (race detector) (push) Successful in 4m13s
Test / Flake checks (push) Successful in 1m3s
All checks were successful
Test / Create distribution (push) Successful in 26s
Test / Sandbox (push) Successful in 1m44s
Test / Fortify (push) Successful in 2m41s
Test / Sandbox (race detector) (push) Successful in 2m48s
Test / Fpkg (push) Successful in 3m35s
Test / Fortify (race detector) (push) Successful in 4m13s
Test / Flake checks (push) Successful in 1m3s
This allows nested containers to use autoetc, and increases compatibility with other implementations. Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
@@ -124,8 +124,7 @@ var testCasesNixos = []sealTestCase{
|
||||
Bind("/sys/devices", "/sys/devices", sandbox.BindOptional).
|
||||
Bind("/run/opengl-driver", "/run/opengl-driver", 0).
|
||||
Bind("/dev/dri", "/dev/dri", sandbox.BindDevice|sandbox.BindWritable|sandbox.BindOptional).
|
||||
Bind("/etc", fst.Tmp+"/etc", 0).
|
||||
Etc(fst.Tmp+"/etc").
|
||||
Etc("/etc", "8e2c76b066dabe574cf073bdb46eb5c1").
|
||||
Tmpfs("/run/user", 4096, 0755).
|
||||
Tmpfs("/run/user/1971", 8388608, 0700).
|
||||
Bind("/tmp/fortify.1971/tmpdir/1", "/tmp", sandbox.BindWritable).
|
||||
|
||||
@@ -63,8 +63,7 @@ var testCasesPd = []sealTestCase{
|
||||
Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
|
||||
Tmpfs("/run/user/1971", 8192, 0755).
|
||||
Tmpfs("/run/dbus", 8192, 0755).
|
||||
Bind("/etc", fst.Tmp+"/etc", 0).
|
||||
Etc(fst.Tmp+"/etc").
|
||||
Etc("/etc", "4a450b6596d7bc15bd01780eb9a607ac").
|
||||
Tmpfs("/run/user", 4096, 0755).
|
||||
Tmpfs("/run/user/65534", 8388608, 0700).
|
||||
Bind("/tmp/fortify.1971/tmpdir/0", "/tmp", sandbox.BindWritable).
|
||||
@@ -206,8 +205,7 @@ var testCasesPd = []sealTestCase{
|
||||
Bind("/dev/kvm", "/dev/kvm", sandbox.BindWritable|sandbox.BindDevice|sandbox.BindOptional).
|
||||
Tmpfs("/run/user/1971", 8192, 0755).
|
||||
Tmpfs("/run/dbus", 8192, 0755).
|
||||
Bind("/etc", fst.Tmp+"/etc", 0).
|
||||
Etc(fst.Tmp+"/etc").
|
||||
Etc("/etc", "ebf083d1b175911782d413369b64ce7c").
|
||||
Tmpfs("/run/user", 4096, 0755).
|
||||
Tmpfs("/run/user/65534", 8388608, 0700).
|
||||
Bind("/tmp/fortify.1971/tmpdir/9", "/tmp", sandbox.BindWritable).
|
||||
|
||||
@@ -301,6 +301,18 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
|
||||
}
|
||||
}
|
||||
|
||||
if !config.Confinement.Sandbox.AutoEtc {
|
||||
if config.Confinement.Sandbox.Etc != "" {
|
||||
seal.container.Bind(config.Confinement.Sandbox.Etc, "/etc", 0)
|
||||
}
|
||||
} else {
|
||||
etcPath := config.Confinement.Sandbox.Etc
|
||||
if etcPath == "" {
|
||||
etcPath = "/etc"
|
||||
}
|
||||
seal.container.Etc(etcPath, seal.id.String())
|
||||
}
|
||||
|
||||
// inner XDG_RUNTIME_DIR default formatting of `/run/user/%d` as mapped uid
|
||||
innerRuntimeDir := path.Join("/run/user", mapuid.String())
|
||||
seal.container.Tmpfs("/run/user", 1<<12, 0755)
|
||||
|
||||
Reference in New Issue
Block a user