diff options
Diffstat (limited to 'sandboxlib/bubblewrap.py')
-rw-r--r-- | sandboxlib/bubblewrap.py | 30 |
1 files changed, 18 insertions, 12 deletions
diff --git a/sandboxlib/bubblewrap.py b/sandboxlib/bubblewrap.py index a0c005e..e03b7a0 100644 --- a/sandboxlib/bubblewrap.py +++ b/sandboxlib/bubblewrap.py @@ -124,14 +124,15 @@ def run_sandbox(command, cwd=None, env=None, bwrap_command += process_mounts(filesystem_root, extra_mounts, filesystem_writable_paths) - + # Set UID and GUI + bwrap_command.extend(['--unshare-user', '--uid', '0', '--gid', '0']) argv = bwrap_command + command - log.info("bubblewrap.run_command({}, stdou:{}, stderr:{}, env:{})" + log.info("bubblewrap.run_command({}, stdout:{}, stderr:{}, env:{})" .format(" ".join(argv), stdout, stderr, env)) - + exit, out, err = sandboxlib._run_command(argv, stdout, stderr, env=env) - + return exit, out, err @@ -149,6 +150,9 @@ def run_sandbox_with_redirection(command, **sandbox_config): # out and err will be None return exit +def get_program(): + return bubblewrap_program() + # Non API methods below @@ -204,12 +208,12 @@ def process_mounts(fs_root, mounts, writable_paths): log.debug("process_mounts(fs_root={}, mounts={}, writable_paths={})".format(fs_root, mounts, writable_paths)) extra_args = [] fs_dict = {} - + for ex_mnt in mounts: mnt_src, mnt_target, mnt_type, mnt_options = ex_mnt # TODO # How to handle options? Can bwrap do this? - + if mnt_target not in fs_dict.keys(): fs_dict[mnt_target] = {'src': mnt_src, 'type': mnt_type, 'options': mnt_options} # already exists. should only upgrade some things @@ -255,14 +259,16 @@ def process_mounts(fs_root, mounts, writable_paths): # First is using the --dev option that mounts host /dev # Second is using --dev-bind for moutning a [src] to [dest] # while allowing device access. - # - # How do we diferentiate the two? - # extra_args.extend(['--dev', mnt_target]) - # Experiment to see if --dev-bind fixes permissions errors - log.info("Using --dev-bind instead") - extra_args.extend(['--dev-bind', mnt_src, mnt_target]) + # How do we diferentiate the two? + # Check if we are mounting host root to target + if "/" in fs_dict.keys() and fs_dict['/']['src'] == "/": + log.info("Using --dev to share host dev") + extra_args.extend(['--dev', mnt_target]) + else: + log.info("Using --dev-bind for local dev") + extra_args.extend(['--dev-bind', mnt_src, mnt_target]) else: if is_mount_writable(mnt_target, writable_paths): extra_args.extend(['--bind', mnt_src, mnt_target]) |