Class: Bwrap::Config

Inherits:

Object

• Object
• Bwrap::Config

Defined in:

lib/bwrap/config.rb,
lib/bwrap/config/features.rb

Overview

TODO:

Add some documentation about syntax where necessary, like for #binaries_from.

Represents configuration used to tailor bwrap execution.

Note that all attributes also have writers, even though they are not documented.

TODO: I don’t remember if I made bash feature, but maybe it should be done.

It should automatically bind /bin and /usr/bin, with a flag to bind relevant sbin dirs.
That is because most scripts needs stuff from there. Maybe my fish profile would give some
useful basic stuff?

TODO: Maybe I should have something like second-level configuration in variable “advanced” or similar,

which allows controlling features that more directly maps to bwrap cli args? That way it would be easier
to use only high-level features.

Defined Under Namespace

Classes: Features

Instance Attribute Summary

• #audio ⇒ Object

  Array of audio schemes usable inside chroot.

• #binaries_from ⇒ Array

  Array of directories to be bind mounted in sandbox.

• #command_inside_root ⇒ Boolean

  Set to ‘true` if command given to Bwrap#run is expected to be inside sandbox, and not bound from host.

• #dev_mount ⇒ Boolean

  ‘true` if dummy devtmpfs should be mounted inside sandbox.

• #env_paths ⇒ Object readonly

  Paths to be added to sandbox instance’s PATH environment variable.

• #extra_executables ⇒ #each

  Additional executables to bind to target.

• #full_system_mounts ⇒ Boolean

  Causes libraries required by the executable given to Bwrap#run to be mounted inside sandbox.

• #graphics_acceleration ⇒ Object

  If set to ‘true`, things like /dev/dri is bound to sandbox to enable usage of hardware video acceleration, for example.

• #hostname ⇒ Object

  Returns the value of attribute hostname.

• #libdir_mounts ⇒ Boolean

  Set to true if basic system directories, like /usr/lib and /usr/lib64, should be bound inside chroot.

• #machine_id ⇒ Object

  What should be used as /etc/machine_id file.

• #resolv_conf ⇒ Object

  If set to truthy, /etc/resolv.conf will be bound to target.

• #ro_binds ⇒ Object
• #root ⇒ Object

  Use given directory as root.

• #sandbox_directory ⇒ Object

  TODO: Document this.

• #share_net ⇒ Boolean

  True if network should be shared from host.

• #tmpdir ⇒ Object
• #unshare_all ⇒ Boolean

  Set to truthy to remove (see bwrap’s –unshare-all) all namespaces from target chroot.

• #user ⇒ Object

  Name of the user inside chroot.

• #xorg_application ⇒ Boolean

  Set to true to indicate we’re running a X.org application, meaning we need to do some extra holes, like binding .Xauthority.

Instance Method Summary

• #add_env_path(path) ⇒ Object

  Add a path to sandbox instance’s PATH environment variable.

• #features ⇒ Features

  Enable or disable feature sets to control various aspects of sandboxing.

• #initialize ⇒ Config constructor

  A new instance of Config.

Constructor Details

#initialize ⇒ Config

Returns a new instance of Config.

# File 'lib/bwrap/config.rb', line 178

def initialize
  @audio = []
  @binaries_from = []
  @env_paths = []
  @ro_binds = {}
  @tmpdir = Dir.tmpdir
  @unshare_all = true
end

Instance Attribute Details

#audio ⇒ Object

Array of audio schemes usable inside chroot.

Currently supports:

- :pulseaudio

# File 'lib/bwrap/config.rb', line 35

def audio
  @audio
end

#binaries_from ⇒ Array

Array of directories to be bind mounted in sandbox.

Given paths are also added to PATH environment variable inside sandbox.

Hint: At least on SUSE, many executables are symlinks to /etc/alternatives/*, which in turn symlinks to versioned executable under the same bindir. To use these executables, /etc/alternatives should also be bound:

config.ro_binds["/etc/alternatives"] = "/etc/alternatives"

Returns:

• (Array) —

  Paths to directories where binaries are looked from.

# File 'lib/bwrap/config.rb', line 141

def binaries_from
  @binaries_from
end

#command_inside_root ⇒ Boolean

Set to ‘true` if command given to Bwrap#run is expected to be inside sandbox, and not bound from host.

Returns:

• (Boolean) —

  ‘true` if executed command is inside sandbox

# File 'lib/bwrap/config.rb', line 41

def command_inside_root
  @command_inside_root
end

#dev_mount ⇒ Boolean

Returns ‘true` if dummy devtmpfs should be mounted inside sandbox.

Returns:

• (Boolean) —

  ‘true` if dummy devtmpfs should be mounted inside sandbox

# File 'lib/bwrap/config.rb', line 44

def dev_mount
  @dev_mount
end

#env_paths ⇒ Object (readonly)

Paths to be added to sandbox instance’s PATH environment variable.

See Also:

• #add_env_path

# File 'lib/bwrap/config.rb', line 146

def env_paths
  @env_paths
end

#extra_executables ⇒ #each

Additional executables to bind to target.

TODO: Implement this paragraph: If an executable given here is found from directory given to #binaries_from=, it is not bound to target, but only dependent libraries.

Returns:

• (#each) —

  Array of executables to bind

# File 'lib/bwrap/config.rb', line 54

def extra_executables
  @extra_executables
end

#full_system_mounts ⇒ Boolean

Causes libraries required by the executable given to Bwrap#run to be mounted inside sandbox.

Often it is enough to use this flag instead of binding all system libraries using #libdir_mounts=

TODO: Since this only causes given executable be scanned for dependencies,

and not ”--bind / /”, this one should be deprecated and something like
”@config.bind_dependents = true” should be added as alias of this.

Returns:

• (Boolean) —

  true if Linux library loaders are mounted inside chroot

# File 'lib/bwrap/config.rb', line 67

def full_system_mounts
  @full_system_mounts
end

#graphics_acceleration ⇒ Object

If set to ‘true`, things like /dev/dri is bound to sandbox to enable usage of hardware video acceleration, for example.

# File 'lib/bwrap/config.rb', line 71

def graphics_acceleration
  @graphics_acceleration
end

#hostname ⇒ Object

Returns the value of attribute hostname.

# File 'lib/bwrap/config.rb', line 73

def hostname
  @hostname
end

#libdir_mounts ⇒ Boolean

Set to true if basic system directories, like /usr/lib and /usr/lib64, should be bound inside chroot.

/usr/bin can be mounted using #binaries_from=.

Often it is enough to use #full_system_mounts= instead of binding all system libraries using this flag.

It may also make sense to bind specific library directories using #ro_binds=.

Returns:

• (Boolean) —

  true if libdirs are mounted to the chroot

# File 'lib/bwrap/config.rb', line 87

def libdir_mounts
  @libdir_mounts
end

#machine_id ⇒ Object

What should be used as /etc/machine_id file.

If not specified, no /etc/machine_id handling is done.

machine_id == :random

Generates random machine id for each launch and sets it as /etc/machine_id.

machine_id == :dummy

Uses 10000000000000000000000000000000 as dummy machine id and sets it as /etc/machine_id.

machine_id == true

A file from #{sandbox_directory}/machine_id is bound as /etc/machine_id.

machine_id.is_a? String

Given file as bound as /etc/machine_id.

# File 'lib/bwrap/config.rb', line 101

def machine_id
  @machine_id
end

#resolv_conf ⇒ Object

If set to truthy, /etc/resolv.conf will be bound to target.

# File 'lib/bwrap/config.rb', line 104

def resolv_conf
  @resolv_conf
end

#ro_binds ⇒ Object #ro_binds=(binds) ⇒ Object

Overloads:

• #ro_binds ⇒ Object

  ‘Hash` => `Pathname` containing custom read-only binds.
• #ro_binds=(binds) ⇒ Object

  Set given Hash of paths to be bound with –ro-bind.

  Key of ‘binds` is source path, value is destination path.

  Given source paths must exist.

# File 'lib/bwrap/config.rb', line 164

def ro_binds
  @ro_binds
end

#root ⇒ Object

Use given directory as root. End result is similar to classic chroot.

# File 'lib/bwrap/config.rb', line 154

def root
  @root
end

#sandbox_directory ⇒ Object

TODO: Document this. TODO: I wonder if this should just be removed. I don’t know, this is a bit … Well, I can see it can have some merit, but very hard to say.

# File 'lib/bwrap/config.rb', line 151

def sandbox_directory
  @sandbox_directory
end

#share_net ⇒ Boolean

Returns true if network should be shared from host.

Returns:

• (Boolean) —

  true if network should be shared from host.

# File 'lib/bwrap/config.rb', line 107

def share_net
  @share_net
end

#tmpdir ⇒ Object #tmpdir=(dir) ⇒ Object

Overloads:

• #tmpdir ⇒ Object

  Path to temporary directory.

  Defaults to Dir.tmpdir.
• #tmpdir=(dir) ⇒ Object
  Note:

  Requires ‘dir` to be path to existing directory.

  Sets given directory as temporary directory for certain operations.

  Parameters:

  • dir —

    Path to temporary directory

  Raises:

  • (RuntimeError) —

    If given directory does not exist

# File 'lib/bwrap/config.rb', line 176

def tmpdir
  @tmpdir
end

#unshare_all ⇒ Boolean

Set to truthy to remove (see bwrap’s –unshare-all) all namespaces from target chroot.

Defaults to true.

TODO: Create more fine grained control for sharing logic than this one.

Returns:

• (Boolean) —

  true if all namespaces are tried to be removed from target.

# File 'lib/bwrap/config.rb', line 117

def unshare_all
  @unshare_all
end

#user ⇒ Object

Name of the user inside chroot.

This is optional and defaults to no user.

# File 'lib/bwrap/config.rb', line 122

def user
  @user
end

#xorg_application ⇒ Boolean

Set to true to indicate we’re running a X.org application, meaning we need to do some extra holes, like binding .Xauthority.

Returns:

• (Boolean) —

  Whether Xorg specific binds are used.

# File 'lib/bwrap/config.rb', line 128

def xorg_application
  @xorg_application
end

Instance Method Details

#add_env_path(path) ⇒ Object

Add a path to sandbox instance’s PATH environment variable.

Parameters:

• path (String) —

  Path to be added added to PATH environment variable

# File 'lib/bwrap/config.rb', line 254

def add_env_path path
  @env_paths << path
end

#features ⇒ Features

Enable or disable feature sets to control various aspects of sandboxing.

Examples:

To enable Ruby feature set

@config.features.ruby = true

Returns:

• (Features) —

  Object used to toggle features

See Also:

• List of available features

# File 'lib/bwrap/config.rb', line 205

def features
  @features ||= ::Bwrap::Config::Features.new
end