authorAvatar Ali Polatel <alip@exherbo.org> 2012-07-30 14:04:29 +0300
committerAvatar Ciaran McCreesh <ciaran.mccreesh@googlemail.com> 2012-08-13 10:42:04 +0100
commit73d060c18be8bcee430de0ce09c351670d2b91bf (patch)
treefed0145b6f442e83f65c7f4fd23e37e7396f624f
parent231ca6cd63602a8744be9975a447703ccfba76f4 (diff)
downloadpaludis-73d060c18be8bcee430de0ce09c351670d2b91bf.tar.gz
paludis-73d060c18be8bcee430de0ce09c351670d2b91bf.tar.xz
sydbox: Support magic command API 1
-rw-r--r--paludis/repositories/e/ebuild/sydbox.bash196
1 files changed, 188 insertions, 8 deletions
diff --git a/paludis/repositories/e/ebuild/sydbox.bash b/paludis/repositories/e/ebuild/sydbox.bash
index 69ad3ea..2c29955 100644
--- a/paludis/repositories/e/ebuild/sydbox.bash
+++ b/paludis/repositories/e/ebuild/sydbox.bash
@@ -1,7 +1,7 @@
#!/usr/bin/env bash
# vim: set sw=4 sts=4 et :
-# Copyright (c) 2009, 2010, 2011 Ali Polatel <alip@exherbo.org>
+# Copyright (c) 2009, 2010, 2011, 2012 Ali Polatel <alip@exherbo.org>
#
# Based in part upon ebuild.sh from Portage, which is Copyright 1995-2005
# Gentoo Foundation and distributed under the terms of the GNU General
@@ -20,6 +20,15 @@
# this program; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
+sydbox_internal_api()
+{
+ if [[ -e /dev/sydbox/1 ]]; then
+ echo -n 1
+ else
+ echo -n 0
+ fi
+}
+
sydbox_internal_cmd()
{
if [[ -e /dev/sydbox ]]; then
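Review bot: sydbox_internal_api has no comment saying what the probe means, and its `else` arm prints 0 both for an API-0 sydbox and whenever `/dev/sydbox/1` fails to resolve for any other reason, such as not running under sydbox at all. A header comment like `# Print the sydbox magic API version: 1 if /dev/sydbox/1 resolves, otherwise 0 (also when not sandboxed).` would make that explicit for callers that use `esandbox api`. The context lines after the new function belong to sydbox_internal_cmd, whose body continues outside the hunk.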
@@ -41,6 +50,27 @@ sydbox_internal_path()
done
}
+sydbox_internal_path_1()
+{
+ local cmd="${1}"
+ local op="${2}"
+
+ case "${op}" in
+ '+'|'-')
+ ;;
+ *)
+ die "${FUNCNAME}: invalid operation character '${op}'"
+ ;;
+ esac
+
+ shift 2
+
+ for path in "${@}"; do
+ [[ "${path:0:1}" == '/' ]] || die "${FUNCNAME} expects absolute path, got: ${path}"
+ [[ -e /dev/sydbox/"${cmd}${op}${path}" ]]
+ done
+}
+
sydbox_internal_net()
{
local cmd="${1}"
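Review bot: In sydbox_internal_path_1 the loop's exit status is that of the last `[[ -e ... ]]` only, so with several paths an earlier magic stat that fails is not reported to the caller. For commands that tighten the sandbox (`disallow`, `rmfilter`) that means a partial failure can look like success. I would track the result explicitly: `local path ret=0` before the loop, `[[ -e /dev/sydbox/"${cmd}${op}${path}" ]] || ret=1` inside it, and `return ${ret}` after it. The `local path` also stops the loop variable leaking into the caller's scope, since `path` is not declared local here. The same two points apply to `addr` in sydbox_internal_net_1 in the next hunk. The trailing context lines are the start of sydbox_internal_net, which continues outside the hunk.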
@@ -70,11 +100,146 @@ sydbox_internal_net()
done
}
-esandbox() {
+sydbox_internal_net_1()
+{
+ local cmd="${1}"
+ local op="${2}"
+
+ case "${op}" in
+ '+'|'-')
+ ;;
+ *)
+ die "${FUNCNAME}: invalid operation character '${op}'"
+ ;;
+ esac
+
+ shift 2
+
+ for addr in "${@}"; do
+ [[ -e /dev/sydbox/"${cmd}${op}${addr}" ]]
+ done
+}
+
+esandbox_1()
+{
local cmd="${1}"
shift
case "${cmd}" in
+ api)
+ echo -n 1
+ ;;
+ check)
+ [[ -e /dev/sydbox ]]
+ ;;
+ lock)
+ [[ -e "/dev/sydbox/core/trace/magic_lock:on" ]]
+ ;;
+ exec_lock)
+ [[ -e "/dev/sydbox/core/trace/magic_lock:exec" ]]
+ ;;
+ wait_all)
+ [[ -e "/dev/sydbox/core/trace/exit_wait_all:true" ]]
+ ;;
+ wait_eldest)
+ [[ -e "/dev/sydbox/core/trace/exit_wait_all:false" ]]
+ ;;
+ enabled|enabled_path)
+ [[ -e "/dev/sydbox/core/sandbox/write?" ]]
+ ;;
+ enable|enable_path)
+ [[ -e "/dev/sydbox/core/sandbox/write:deny" ]]
+ ;;
+ disable|disable_path)
+ [[ -e "/dev/sydbox/core/sandbox/write:off" ]]
+ ;;
+ enabled_exec)
+ [[ -e "/dev/sydbox/core/sandbox/exec?" ]]
+ ;;
+ enable_exec)
+ [[ -e "/dev/sydbox/core/sandbox/exec:deny" ]]
+ ;;
+ disable_exec)
+ [[ -e "/dev/sydbox/core/sandbox/exec:off" ]]
+ ;;
+ enabled_net)
+ [[ -e "/dev/sydbox/core/sandbox/network?" ]]
+ ;;
+ enable_net)
+ [[ -e "/dev/sydbox/core/sandbox/network:deny" ]]
+ ;;
+ disable_net)
+ [[ -e "/dev/sydbox/core/sandbox/network:off" ]]
+ ;;
+ allow|allow_path)
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
+ sydbox_internal_path_1 "whitelist/write" '+' "${@}"
+ ;;
+ disallow|disallow_path)
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
+ sydbox_internal_path_1 "whitelist/write" '-' "${@}"
+ ;;
+ allow_exec)
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
+ sydbox_internal_path_1 "whitelist/exec" '+' "${@}"
+ ;;
+ disallow_exec)
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
+ sydbox_internal_path_1 "whitelist/exec" '-' "${@}"
+ ;;
+ allow_net)
+ local c="whitelist/network/bind"
+ [[ "${1}" == "--connect" ]] && c="whitelist/network/connect" && shift
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
+ sydbox_internal_net_1 "${c}" '+' "${@}"
+ ;;
+ disallow_net)
+ local c="whitelist/network/bind"
+ [[ "${1}" == "--connect" ]] && c="whitelist/network/connect" && shift
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
+ sydbox_internal_net_1 "${c}" '-' "${@}"
+ ;;
+ addfilter|addfilter_path)
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
+ sydbox_internal_path_1 "filter/write" '+' "${@}"
+ ;;
+ rmfilter|rmfilter_path)
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
+ sydbox_internal_path_1 "filter/write" '-' "${@}"
+ ;;
+ addfilter_exec)
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
+ sydbox_internal_path_1 "filter/exec" '+' "${@}"
+ ;;
+ rmfilter_exec)
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
+ sydbox_internal_path_1 "filter/exec" '-' "${@}"
+ ;;
+ addfilter_net)
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
+ sydbox_internal_net_1 "filter/network" '+' "${@}"
+ ;;
+ rmfilter_net)
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
+ sydbox_internal_net_1 "filter/network" '-' "${@}"
+ ;;
+ hack_toolong|nohack_toolong)
+ ebuild_notice "warning" "${FUNCNAME} ${cmd} is not implemented for sydbox-1"
+ false;;
+ *)
+ die "${FUNCNAME} subcommand ${cmd} unrecognised"
+ ;;
+ esac
+}
+
+esandbox_0() {
+ local cmd="${1}"
+
+ shift
+ case "${cmd}" in
+ api)
+ echo -n 0
+ ;;
check)
[[ -e /dev/sydbox ]]
;;
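Review bot: The argument-count guards added in esandbox_1 use `[[ ${#} < 1 ]]`, and inside `[[ ]]` the `<` operator compares strings, not integers. It gives the right answer only because "0" is the one count that sorts before "1". An arithmetic test states the intent directly, for example `(( ${#} < 1 )) && die "${FUNCNAME} ${cmd} takes at least one extra argument"` or `[[ ${#} -lt 1 ]]`. The same form appears in the esandbox_0 lines touched later in this diff, so both could be changed together. esandbox_0's body continues outside this hunk.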
@@ -152,27 +317,27 @@ esandbox() {
sydbox_internal_net "${c}" "${@}"
;;
addfilter|addfilter_path)
- [[ ${#} < 1 ]] && die "${FUNCTION} ${cmd} takes at least one extra argument"
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
sydbox_internal_path "addfilter" "${@}"
;;
rmfilter|rmfilter_path)
- [[ ${#} < 1 ]] && die "${FUNCTION} ${cmd} takes at least one extra argument"
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
sydbox_internal_path "rmfilter" "${@}"
;;
addfilter_exec)
- [[ ${#} < 1 ]] && die "${FUNCTION} ${cmd} takes at least one extra argument"
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
sydbox_internal_path "addfilter_exec" "${@}"
;;
rmfilter_exec)
- [[ ${#} < 1 ]] && die "${FUNCTION} ${cmd} takes at least one extra argument"
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
sydbox_internal_path "rmfilter_exec" "${@}"
;;
addfilter_net)
- [[ ${#} < 1 ]] && die "${FUNCTION} ${cmd} takes at least one extra argument"
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
sydbox_internal_net "addfilter_net" "${@}"
;;
rmfilter_net)
- [[ ${#} < 1 ]] && die "${FUNCTION} ${cmd} takes at least one extra argument"
+ [[ ${#} < 1 ]] && die "${FUNCNAME} ${cmd} takes at least one extra argument"
sydbox_internal_net "rmfilter_net" "${@}"
;;
*)
@@ -181,6 +346,21 @@ esandbox() {
esac
}
+esandbox() {
+ local api
+
+ api="$(sydbox_internal_api)"
+ case "${api}" in
+ 1)
+ esandbox_1 "${@}";;
+ 0)
+ esandbox_0 "${@}";;
+ *)
+ die "${FUNCNAME}: unrecognised sydbox API '${api}'"
+ ;;
+ esac
+}
+
sydboxcheck()
{
ebuild_notice "warning" "${FUNCNAME} is deprecated, use \"esandbox check\" instead"
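Review bot: The `*)` arm of the new esandbox dispatcher cannot be reached as written, because sydbox_internal_api prints only `0` or `1`. If it is meant as a guard for future API versions, a comment such as `# not reachable today: sydbox_internal_api prints only 0 or 1` would say so. The version is also re-probed on every call, so anything that stops `/dev/sydbox/1` resolving part-way through a build silently routes later calls to esandbox_0. The magic lock set by `esandbox lock` may be one such case, which should be confirmed against sydbox and documented next to the dispatcher. The trailing context lines belong to sydboxcheck, whose body continues outside the hunk.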