author | Alexander Larsson <alexl@redhat.com> | 2016-03-07 14:36:35 +0100 |
---|---|---|
committer | Alexander Larsson <alexl@redhat.com> | 2016-03-07 14:36:35 +0100 |
commit | 05435925aee45c3745d0defca5044820174887e1 (patch) | |
tree | ed5c061726eee80bd1642a4249297ec561f6a7e6 /demos | |
parent | 3e2366813c0c89952855c64cdb993e745bc309de (diff) | |
download | bubblewrap-05435925aee45c3745d0defca5044820174887e1.tar.gz |
Clean up demo shells using bash redirection features
Diffstat (limited to 'demos')
-rwxr-xr-x | demos/bubblewrap-shell.sh | 43 | ||||
-rwxr-xr-x | demos/xdg-app-run.sh | 42 |
2 files changed, 32 insertions, 53 deletions
diff --git a/demos/bubblewrap-shell.sh b/demos/bubblewrap-shell.sh
index e04a6bc..da06d49 100755
--- a/demos/bubblewrap-shell.sh
+++ b/demos/bubblewrap-shell.sh
@@ -1,28 +1,21 @@
 #!/usr/bin/env bash
 # Use bubblewrap to run /bin/sh in the host's rootfs.
 set -euo pipefail
-PASSWD=`mktemp`
-getent passwd `id -u` 65534 > ${PASSWD}
-
-GROUP=`mktemp`
-getent group `id -g` 65534 > ${GROUP}
-
-( # Remove temporary files before calling bwrap, they are open in the fds anyway
- rm $GROUP
- rm $PASSWD
- bwrap --ro-bind /usr /usr \
- --dir /tmp \
- --proc /proc \
- --dev /dev \
- --ro-bind /etc/resolv.conf /etc/resolv.conf \
- --file 11 /etc/passwd \
- --file 12 /etc/group \
- --symlink usr/lib /lib \
- --symlink usr/lib64 /lib64 \
- --symlink usr/bin /bin \
- --symlink usr/sbin /sbin \
- --chdir / \
- --unshare-pid \
- --dir /run/user/$(id -u) \
- --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
- /bin/sh) 11< ${PASSWD} 12< ${GROUP}
+(exec bwrap --ro-bind /usr /usr \
+ --dir /tmp \
+ --proc /proc \
+ --dev /dev \
+ --ro-bind /etc/resolv.conf /etc/resolv.conf \
+ --symlink usr/lib /lib \
+ --symlink usr/lib64 /lib64 \
+ --symlink usr/bin /bin \
+ --symlink usr/sbin /sbin \
+ --chdir / \
+ --unshare-pid \
+ --dir /run/user/$(id -u) \
+ --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
+ --file 11 /etc/passwd \
+ --file 12 /etc/group \
+ /bin/sh) \
+ 11< <(getent passwd $UID 65534) \
+ 12< <(getent group $(id -g) 65534)
diff --git a/demos/xdg-app-run.sh b/demos/xdg-app-run.sh
index 41fbc8d..02295cd 100755
--- a/demos/xdg-app-run.sh
+++ b/demos/xdg-app-run.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # For this to work you first have to run these commands:
 # curl -O http://sdk.gnome.org/nightly/keys/nightly.gpg
 # xdg-app --user remote-add --gpg-key=nightly.gpg gnome-nightly http://sdk.gnome.org/nightly/repo/
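Review bot: Moving the lookups into process substitutions (`11< <(getent passwd $UID 65534)` and the `12<` group line in demos/bubblewrap-shell.sh) means a failed lookup is no longer caught: `set -e` does not apply inside `<(...)`, so bwrap would start with an empty or partial /etc/passwd and /etc/group where the old `getent ... > ${PASSWD}` aborted the script. The same applies to the `11<`/`12<` lines added at the end of demos/xdg-app-run.sh. If the demos are meant to fail closed, capture the entries first, e.g. `passwd=$(getent passwd "$UID" 65534) || exit 1`, and feed them with `11<<<"$passwd"`. Also, the new line `--setenv XDG_RUNTIME_DIR "/run/user/`id -u`"` keeps a backtick fork while the `11<` line two lines below already uses `$UID`; `"/run/user/$UID"` would be consistent.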
@@ -7,25 +7,8 @@
 
 mkdir -p ~/.var/app/org.gnome.Weather/cache ~/.var/app/org.gnome.Weather/config ~/.var/app/org.gnome.Weather/data
 
-APPINFO=`mktemp`
-cat > ${APPINFO} <<EOF
-[Application]
-name=org.gnome.Weather
-runtime=runtime/org.gnome.Platform/x86_64/master
-EOF
-
-PASSWD=`mktemp`
-getent passwd `id -u` 65534 > ${PASSWD}
-
-GROUP=`mktemp`
-getent group `id -g` 65534 > ${GROUP}
-
 (
- # Remove all temporary files before calling bwrap, they are open in the fds anyway
- rm $APPINFO
- rm $GROUP
- rm $PASSWD
- bwrap \
+ exec bwrap \
 --ro-bind ~/.local/share/xdg-app/runtime/org.gnome.Platform/x86_64/master/active/files /usr \
 --lock-file /usr/.ref \
 --ro-bind ~/.local/share/xdg-app/app/org.gnome.Weather/x86_64/master/active/files/ /app \
@@ -41,11 +24,8 @@ getent group `id -g` 65534 > ${GROUP}
 --symlink usr/sbin /sbin \
 --symlink usr/etc /etc \
 --dir /run/user/`id -u` \
- --bind-data 11 /usr/etc/passwd \
- --bind-data 12 /usr/etc/group \
 --ro-bind /etc/machine-id /usr/etc/machine-id \
 --ro-bind /etc/resolv.conf /run/host/monitor/resolv.conf \
- --file 10 /run/user/`id -u`/xdg-app-info \
 --ro-bind /sys/block /sys/block \
 --ro-bind /sys/bus /sys/bus \
 --ro-bind /sys/class /sys/class \
@@ -70,10 +50,16 @@ getent group `id -g` 65534 > ${GROUP}
 --setenv XDG_CACHE_HOME ~/.var/app/org.gnome.Weather/cache \
 --setenv XDG_CONFIG_HOME ~/.var/app/org.gnome.Weather/config \
 --setenv XDG_DATA_HOME ~/.var/app/org.gnome.Weather/data \
+ --file 10 /run/user/`id -u`/xdg-app-info \
+ --bind-data 11 /usr/etc/passwd \
+ --bind-data 12 /usr/etc/group \
 --seccomp 13 \
- gnome-weather) 10< ${APPINFO} 11< ${PASSWD} 12< ${GROUP} 13< `dirname $0`/xdg-app.bpf
-
-
-# TODO:
-# clean commandlines (pass args via file/fd?)
-# seccomp
+ /bin/sh) \
+ 11< <(getent passwd $UID 65534 ) \
+ 12< <(getent group $(id -g) 65534) \
+ 13< `dirname $0`/xdg-app.bpf \
+ 10<<EOF
+[Application]
+name=org.gnome.Weather
+runtime=runtime/org.gnome.Platform/x86_64/master
+EOF
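Review bot: The command launched inside the sandbox changes from `gnome-weather` to `/bin/sh` on the new `/bin/sh) \` line in the last hunk of demos/xdg-app-run.sh, which the commit message does not mention; the xdg-app-info heredoc and the XDG_* paths are still specific to org.gnome.Weather, so if only the temp-file cleanup was intended the line should still read `gnome-weather) \`. The stray space in `getent passwd $UID 65534 )` suggests the tail was pasted from bubblewrap-shell.sh. Separately, `13< `dirname $0`/xdg-app.bpf` is unquoted, so the seccomp filter fails to open (and bwrap fails to start) when the script lives in a path containing spaces; `13< "$(dirname "$0")/xdg-app.bpf"` avoids that. The enclosing subshell opens in an earlier hunk.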