diff options
| author |  Ali Polatel <alip@exherbo.org>
| 2011-01-20 19:35:04 +0200 |
|---|---|---|
| committer |  Ciaran McCreesh <ciaran.mccreesh@googlemail.com>
| 2011-01-27 16:33:59 +0000 |
| commit | 64568b71d93d781002799f988fcf0470d4302bd2 (patch) | |
| tree | df73947a8ab74530dbbb122ea562e9ec92bddbab | |
| parent | d0fdff4b9c0a9a38c82e435f2e1324502ff72b56 (diff) | |
| download | paludis-64568b71d93d781002799f988fcf0470d4302bd2.tar.gz paludis-64568b71d93d781002799f988fcf0470d4302bd2.tar.xz | |
New wrapper function esandbox() for sydbox.bash
This function wraps raw sydbox commands, to make the transition easier
to other sandboxing tools, like pandora.
| -rw-r--r-- | paludis/repositories/e/ebuild/sydbox.bash | 202 |
1 files changed, 176 insertions, 26 deletions
diff --git a/paludis/repositories/e/ebuild/sydbox.bash b/paludis/repositories/e/ebuild/sydbox.bash index 777cb64..4d9aa48 100644 --- a/paludis/repositories/e/ebuild/sydbox.bash +++ b/paludis/repositories/e/ebuild/sydbox.bash @@ -1,7 +1,7 @@ #!/usr/bin/env bash # vim: set sw=4 sts=4 et : -# Copyright (c) 2009, 2010 Ali Polatel <alip@exherbo.org> +# Copyright (c) 2009, 2010, 2011 Ali Polatel <alip@exherbo.org> # # Based in part upon ebuild.sh from Portage, which is Copyright 1995-2005 # Gentoo Foundation and distributed under the terms of the GNU General @@ -20,68 +20,218 @@ # this program; if not, write to the Free Software Foundation, Inc., 59 Temple # Place, Suite 330, Boston, MA 02111-1307 USA -sydboxcheck() -{ - [[ -e /dev/sydbox ]] -} - -sydboxcmd() +sydbox_internal_cmd() { - if sydboxcheck; then + if [[ -e /dev/sydbox ]]; then if [[ -n "${2}" ]]; then - case "${1}" in - net/*) - # net/* commands don't take path arguments - [[ -e /dev/sydbox/${1}/"${2}" ]] - ;; - *) - [[ "/" != "${2:0:1}" ]] && die "${FUNCNAME} ${1}: non-absolute path" - [[ -e /dev/sydbox/${1}/"${2}" ]] - ;; - esac + [[ -e /dev/sydbox/${1}/"${2}" ]] else [[ -e /dev/sydbox/${1} ]] fi fi } +sydbox_internal_path() +{ + local cmd="${1}" + shift + for path in "${@}"; do + [[ "${path:0:1}" == '/' ]] || die "${FUNCNAME} expects absolute path, got: ${path}" + sydbox_internal_cmd "${cmd}" "${path}" + done +} + +sydbox_internal_net() +{ + local cmd="${1}" + + shift + while [[ ${#} > 0 ]] ; do + case "${1}" in + inet6:*) + sydbox_internal_cmd "${cmd}/inet6://${1##inet6:}" + ;; + inet:*) + sydbox_internal_cmd "${cmd}/inet://${1##inet:}" + ;; + unix-abstract:*) + sydbox_internal_cmd "${cmd}/unix-abstract://${1##unix-abstract:}" + ;; + unix:*) + sydbox_internal_cmd "${cmd}/unix://${1##unix:}" + ;; + *) + die "${FUNCNAME}: unexpected argument \"${1}\"" + ;; + esac + shift + done +} + +esandbox() { + local cmd="${1}" + + shift + case "${cmd}" in + check) + [[ -e /dev/sydbox ]] + ;; + lock) + sydbox_internal_cmd lock + ;; + exec_lock) + sydbox_internal_cmd exec_lock + ;; + wait_all) + sydbox_internal_cmd wait/all + ;; + wait_eldest) + sydbox_internal_cmd wait/eldest + ;; + hack_toolong) + sydbox_internal_cmd wrap/lstat + ;; + nohack_toolong) + sydbox_internal_cmd nowrap/lstat + ;; + enabled|enabled_path) + sydbox_internal_cmd enabled + ;; + enable|enable_path) + sydbox_internal_cmd on + ;; + disable|disable_path) + sydbox_internal_cmd off + ;; + enabled_exec) + ebuild_notice "warning" "${FUNCNAME} ${cmd} is not implemented for sydbox" + false;; + enable_exec) + sydbox_internal_cmd sandbox/exec + ;; + disable_exec) + sydbox_internal_cmd sandunbox/exec + ;; + enabled_net) + ebuild_notice "warning" "${FUNCNAME} ${cmd} is not implemented for sydbox" + false;; + enable_net) + sydbox_internal_cmd sandbox/net + ;; + disable_net) + sydbox_internal_cmd sandunbox/net + ;; + allow|allow_path) + [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument" + sydbox_internal_path "write" "${@}" + ;; + disallow|disallow_path) + [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument" + sydbox_internal_path "unwrite" "${@}" + ;; + allow_exec) + [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument" + sydbox_internal_path "addexec" "${@}" + ;; + disallow_exec) + [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument" + sydbox_internal_path "rmexec" "${@}" + ;; + allow_net) + local c="net/whitelist/bind" + [[ "${1}" == "--connect" ]] && c="net/whitelist/connect" && shift + [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument" + sydbox_internal_net "${c}" "${@}" + ;; + disallow_net) + local c="net/unwhitelist/bind" + [[ "${1}" == "--connect" ]] && c="net/unwhitelist/connect" && shift + [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument" + sydbox_internal_net "${c}" "${@}" + ;; + addfilter|addfilter_path) + [[ ${#} < 1 ]] && die "${FUNCTION} ${cmd} takes at least one extra argument" + sydbox_internal_path "addfilter" "${@}" + ;; + rmfilter|rmfilter_path) + [[ ${#} < 1 ]] && die "${FUNCTION} ${cmd} takes at least one extra argument" + sydbox_internal_path "rmfilter" "${@}" + ;; + addfilter_exec) + [[ ${#} < 1 ]] && die "${FUNCTION} ${cmd} takes at least one extra argument" + sydbox_internal_path "addfilter_exec" "${@}" + ;; + rmfilter_exec) + [[ ${#} < 1 ]] && die "${FUNCTION} ${cmd} takes at least one extra argument" + sydbox_internal_path "rmfilter_exec" "${@}" + ;; + addfilter_net) + [[ ${#} < 1 ]] && die "${FUNCTION} ${cmd} takes at least one extra argument" + sydbox_internal_net "addfilter_net" "${@}" + ;; + rmfilter_net) + [[ ${#} < 1 ]] && die "${FUNCTION} ${cmd} takes at least one extra argument" + sydbox_internal_net "rmfilter_net" "${@}" + ;; + *) + die "${FUNCNAME} subcommand ${cmd} unrecognised" + ;; + esac +} + +sydboxcheck() +{ + ebuild_notice "warning" "${FUNCNAME} is deprecated, use \"esandbox check\" instead" + esandbox check +} + +sydboxcmd() +{ + ebuild_notice "warning" "${FUNCNAME} is deprecated, use \"esandbox <command>\" instead" + sydbox_internal_cmd "${@}" +} + addread() { - die_unless_nonfatal "${FUNCNAME} not implemented for sydbox yet" + die "${FUNCNAME} not implemented for sydbox yet" } addwrite() { - sydboxcmd write "${1}" + ebuild_notice "warning" "${FUNCNAME} is deprecated, use \"esandbox allow\" instead" + esandbox allow "${1}" } adddeny() { - die_unless_nonfatal "${FUNCNAME} not implemented for sydbox yet" + die "${FUNCNAME} not implemented for sydbox yet" } addpredict() { - die "${FUNCNAME} is dead! Use addfilter instead!" + die "${FUNCNAME} is dead, use \"esandbox addfilter\" instead" } rmwrite() { - sydboxcmd unwrite "${1}" + ebuild_notice "warning" "${FUNCNAME} is deprecated, use \"esandbox disallow\" instead" + esandbox disallow "${1}" } rmpredict() { - die "${FUNCNAME} is dead! Use rmfilter instead!" + die "${FUNCNAME} is dead, use \"esandbox rmfilter\" instead" } addfilter() { - sydboxcmd addfilter "${1}" + ebuild_notice "warning" "${FUNCNAME} is deprecated, use \"esandbox addfilter\" instead" + esandbox addfilter "${1}" } rmfilter() { - sydboxcmd rmfilter "${1}" + ebuild_notice "warning" "${FUNCNAME} is deprecated, use \"esandbox rmfilter\" instead" + esandbox rmfilter "${1}" } |