author | Andrew Leeming <andrew.leeming@codethink.co.uk> | 2016-09-16 12:07:18 +0100 |
---|---|---|
committer | Andrew Leeming <andrew.leeming@codethink.co.uk> | 2016-09-16 12:07:18 +0100 |
commit | 3272b430b5505d74662614043ea96dd37b60ec6a (patch) | |
tree | f44802cab1a1a4b65ea82683d9862fd85d3d48f2 | |
parent | 9eed9d5d2ec16362a5f01d941f212ec6dc1a538a (diff) | |
download | sandboxlib-3272b430b5505d74662614043ea96dd37b60ec6a.tar.gz |
Thinking I finally get it
-rw-r--r-- | sandboxlib/bubblewrap.py | 29 |
1 files changed, 23 insertions, 6 deletions
diff --git a/sandboxlib/bubblewrap.py b/sandboxlib/bubblewrap.py
index f46cd7f..b1e1654 100644
--- a/sandboxlib/bubblewrap.py
+++ b/sandboxlib/bubblewrap.py
@@ -105,20 +105,22 @@ def run_sandbox(command, cwd=None, env=None,
     if cwd is not None:
         bwrap_command.extend(['--chdir', cwd])
-    log.warn(bwrap_command)
-    #create_mount_points_if_missing(filesystem_root, filesystem_writable_paths)
-    for w_mnt in filesystem_writable_paths:
-        bwrap_command.extend(['--bind', w_mnt])
+    #FIXME the following only deals with the 'all' or [] cases currently
+    # Also bwrap is writable by default(?) so we need to blacklist non
+    # writable mounts instead of whitelisting these
+    bwrap_command += process_writable_paths(
+        filesystem_root, filesystem_writable_paths)
     create_mount_points_if_missing(filesystem_root, extra_mounts)
     for ex_mnt in extra_mounts:
-        bwrap_command.extend(['--ro-bind', ex_mnt])
+        bwrap_command.extend(['--ro-bind', ex_mnt, ex_mnt])
     log.warn(bwrap_command)
     argv = bwrap_command + [filesystem_root] + command
     print("run_command({}, {}, {}, {})"
           .format(argv, stdout, stderr, env))
+    #run_command(['/usr/bin/bwrap', '--bind', 'a', '--bind', 'l', '--bind', 'l', '/', 'echo', 'xyzzy'], -1, -1, None)
     exit, out, err = sandboxlib._run_command(argv, stdout, stderr, env=env)
     return exit, out, err
@@ -162,4 +164,19 @@ def process_network_config(network):
     else:
         network_args = []
-    return network_args
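Review bot: After the new `bwrap_command += process_writable_paths(...)` line, a caller asking for `filesystem_writable_paths='none'` (or None) gets exactly the same bwrap argument list as one asking for `'all'`, because both return `[]`; the new FIXME itself notes that bwrap is believed to leave bind mounts writable by default, so the restrictive cases ('none' and an explicit list) are currently not enforced and the command may run with more write access than the caller requested. Until the read-only blacklist the FIXME describes exists, it would be safer to refuse the unsupported values than to proceed silently, e.g. `if filesystem_writable_paths != 'all': raise NotImplementedError('bubblewrap backend: restricted writable paths not yet supported')` placed before the call. The added `#run_command([...'echo', 'xyzzy'...])` debugging line should be dropped rather than committed. The enclosing `run_sandbox` begins before this hunk, so the definition of `filesystem_writable_paths` and its accepted values is not visible here.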
\ No newline at end of file
+    return network_args
+
+def process_writable_paths(fs_root, writable_paths):
+    if writable_paths == 'all':
+        extra_args = []
+    else:
+        if type(writable_paths) != list:
+            assert writable_paths in [None, 'none']
+            writable_paths = []
+
+        extra_args=[]
+        for paths in writable_paths:
+            extra_args.extend(['--bind', paths, paths])
+
+
+    return extra_args
\ No newline at end of file |
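Review bot: The new `process_writable_paths` validates its input with `assert writable_paths in [None, 'none']`, which is stripped under `python -O`; in that mode any unexpected value (a bare path string, a tuple) is silently replaced by `[]`, so a request for a writable path becomes a request for none without any error. The `type(writable_paths) != list` test also rejects tuples and other sequences, and `fs_root` is accepted but never used, which is worth a comment so the next reader does not assume it is consulted. Since 'all' and 'none' both yield `[]`, the function's docstring should state that 'all' depends on bwrap's default mount mode (marked uncertain in the FIXME above) rather than on anything emitted here. A version with an explicit `ValueError` for bad input is below.

```python
def process_writable_paths(fs_root, writable_paths):
    """Return the extra bwrap arguments for the requested writable paths.

    'all' adds nothing (relies on bwrap's default mount mode, see the FIXME
    in run_sandbox); None/'none' adds nothing either; a sequence of paths
    yields one '--bind PATH PATH' per entry.  fs_root is currently unused.
    """
    if writable_paths in ('all', None, 'none'):
        return []
    if not isinstance(writable_paths, (list, tuple)):
        raise ValueError(
            "writable_paths must be 'all', 'none', None or a sequence of "
            "paths, got {!r}".format(writable_paths))
    extra_args = []
    for path in writable_paths:
        extra_args.extend(['--bind', path, path])
    return extra_args
```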