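#!/bin/sh
# squilt - run quilt inside an nsjail sandbox.
#
# Usage: squilt <quilt arguments...>
#
# Every argument is handed unchanged to /usr/bin/quilt running inside a
# jail in which only the current tree (or its parent, when "patches" is a
# symlink) is writable.  System directories are bind-mounted read-only;
# /tmp, /var/tmp and $HOME/rpmbuild are shadowed by empty tmpfs instances.
#
# Environment: HOME and PATH are forwarded into the jail.  mktemp honours
# TMPDIR for the generated nsjail config file.

QUILT_USER_CONFIG="$HOME/.quiltrc"
QUILT_GLOBAL_CONFIG="/etc/quilt.quiltrc"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# The nsjail config is protobuf text format: the values below are
# interpolated into double-quoted strings, so a '"', '\' or newline in any
# of them would end the string early and let the remainder be parsed as
# further directives.  Refuse such values instead of trying to escape them.
nl='
'

#######################################
# Abort if a value cannot be safely written into the nsjail config.
# Arguments: $1 - human-readable name of the value (for the error message)
#            $2 - the value itself
# Returns:   0 if the value is safe; exits via die otherwise
#######################################
check_config_safe() {
  case $2 in
    *\"*|*\\*|*"$nl"*)
      die "$1 contains a character that cannot be written into the nsjail config (\", \\ or newline)"
      ;;
  esac
}

# 'which' is not POSIX and prints the resolved path; command -v is both.
command -v nsjail >/dev/null 2>&1 ||
  die "you need nsjail (security/nsjail in OBS) for this wrapper to work"

cwd=$(pwd) || die "cannot determine the current directory"
mount_dir=$cwd
if [ -L patches ]; then
  # Inside the already unpacked source dir: the "patches" symlink points
  # out of the tree, so mount the parent dir to keep the patches reachable.
  mount_dir=$mount_dir/..
fi

check_config_safe HOME "$HOME"
check_config_safe PATH "$PATH"
check_config_safe "the current directory" "$cwd"

# Mounts whose paths contain ':' cannot be passed on the nsjail command
# line, so the whole policy is written to a temporary config file instead.
TMPFILE=$(mktemp -t squilt.nsjail.XXXXXXXXXX) || die "mktemp failed"
# Single quotes: TMPFILE is expanded when the trap fires, not when it is set.
trap 'rm -f -- "$TMPFILE"' EXIT

cat <<END_CONFIG > "$TMPFILE"
name: "quilt secure sandbox"
description: "This policy allows to run quilt in a secure way"
time_limit: 120
cwd: "$cwd"
envar: "HOME=$HOME"
envar: "PATH=$PATH"
# bind for read-only access
mount {
  src: "/bin"
  dst: "/bin"
  rw: false
  is_bind: true
}
mount {
  src: "/lib"
  dst: "/lib"
  rw: false
  is_bind: true
}
mount {
  src: "/lib64"
  dst: "/lib64"
  rw: false
  is_bind: true
}
mount {
  src: "/usr"
  dst: "/usr"
  rw: false
  is_bind: true
}
mount {
  src: "/sbin"
  dst: "/sbin"
  rw: false
  is_bind: true
}
# not every system has /etc/alternatives, so its absence must not
# prevent the jail from starting
mount {
  src: "/etc/alternatives"
  dst: "/etc/alternatives"
  rw: false
  is_bind: true
  mandatory: false
}
mount {
  src: "/etc/nsswitch.conf"
  dst: "/etc/nsswitch.conf"
  rw: false
  is_bind: true
}
mount {
  src: "/etc/ld.so.cache"
  dst: "/etc/ld.so.cache"
  rw: false
  is_bind: true
}
mount {
  src: "/etc/rpm"
  dst: "/etc/rpm"
  rw: false
  is_bind: true
}
# rw access to real files: only the working tree (or its parent) is writable
mount {
  src: "$mount_dir"
  dst: "$mount_dir"
  rw: true
  is_bind: true
}
mount {
  src: "/dev/null"
  dst: "/dev/null"
  rw: true
  is_bind: true
}
mount {
  src: "/dev/urandom"
  dst: "/dev/urandom"
  rw: true
  is_bind: true
}
# fake rw access to tmpfs versions: writes here never reach the host
mount {
  dst: "/tmp"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}
mount {
  dst: "/var/tmp"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}
mount {
  dst: "$HOME/rpmbuild"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}
rlimit_as_type: HARD
rlimit_core_type: HARD
rlimit_cpu_type: HARD
rlimit_fsize_type: HARD
rlimit_nofile_type: HARD
rlimit_nproc_type: HARD
rlimit_stack_type: HARD
END_CONFIG

# quilt's own config files are exposed read-only, but only when they exist:
# a bind mount of a missing path would make nsjail fail to start.
if [ -e "$QUILT_USER_CONFIG" ]; then
  cat <<END_CONFIG >> "$TMPFILE"
mount {
  src: "$QUILT_USER_CONFIG"
  dst: "$QUILT_USER_CONFIG"
  rw: false
  is_bind: true
}
END_CONFIG
fi

if [ -e "$QUILT_GLOBAL_CONFIG" ]; then
  cat <<END_CONFIG >> "$TMPFILE"
mount {
  src: "$QUILT_GLOBAL_CONFIG"
  dst: "$QUILT_GLOBAL_CONFIG"
  rw: false
  is_bind: true
}
END_CONFIG
fi

# "$@" keeps each quilt argument as one word (the original unquoted $@ split
# arguments on whitespace and expanded globs).  No exec: the EXIT trap must
# still run to remove the config file.  The script exits with nsjail's status.
nsjail -Mo -q --config "$TMPFILE" -- /usr/bin/quilt "$@"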