bwrap 1.0.0.pre.alpha1 → 1.0.0.pre.alpha5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4193a0724aceb154c2e9be0809366ed2998837beeeb577dc101a58e20dca97d
-  data.tar.gz: a927a6a6b8cb415f3983440ca0437b852582227f5b163f34143ffb375dc96a40
+  metadata.gz: dfb5f9bdbcf68df6068aebca204e72ef9272829b1f8db11c34e5a4da469cc2c7
+  data.tar.gz: 5f19c25ecad9b7f4923f80a6d61c87c6382671667f6b39eed0198befbb8eccd2
 SHA512:
-  metadata.gz: f2f49d20cf15a331d34439d71ef038645bc2a5520407cdb519ea8f5e9e32db526dd7524ad35939acd8098a328d6a3c1c2542d5fde44d0adcfd8ae26f2313d5fb
-  data.tar.gz: ee295629e684ef280652e38a94e7731b6e3227a2bac1150a79da268f3d2972eaac889ac1928103edf9d022c84430898ebc53d008a6f181d412d3f1ede441d0a9
+  metadata.gz: c9682aff2b43180fee0e8d7b2b7234d4bb516e86c85dcabc5b40a1047284f9f5bf9e0641dff80483e4645b8aa4bd06c9b9de8ba1b43cd78af3b77de1060c8ad6
+  data.tar.gz: cadd731077ff175b86cf0d56f17dd1c2cb3123e5d9b1dcff17156da5d706d7da12274bc59297ae925c1f07ea5b3a325c999c942048c2c5b165755934ae16d2f8

data/CHANGELOG.md

@@ -1,7 +1,37 @@
 # Changes
 
+## 1.0.0-alpha5 (29.11.2021)
+
+* Execution#command_available?: support absolute paths
+* Execution#which: support absolute paths
+* Many miscellaneous fixes
+
+## 1.0.0-alpha4 (22.11.2021)
+
+* Allow use without home directory set
+* Bwrap#parse_command_line_arguments is no longer run when Bwrap is initialized
+* Made pulseaudio optional
+* Changed --share-net to be added only if requested
+* Added Config#root= to specify path used as writable root
+* Added Config#full_system_mounts to control whether library loaders are mounted inside chroot
+* Added Config#libdir_mounts
+* Added Config#features
+
+## 1.0.0-alpha3 (14.11.2021)
+
+* Avoid frozen string literal modification
+
+## 1.0.0-alpha2 (14.11.2021)
+
+* Made gem to tell its license (ISC)
+* Gem building now allows newer bundler versions than 1.17
+* Added Config#xorg_application option
+* Properly resolve /etc/resolv.conf
+
 ## 1.0.0-alpha1 (10.11.2021)
 
+* First working version
+
 ## 0.1.0 (unreleased)
 
 * First, currently unfinished and unreleased version. Work in Progress.

data/README.md

@@ -31,3 +31,5 @@ Please see [API documentation](https://www.rubydoc.info/gems/bwrap) for usage in
 ## Contributing
 
 Bug reports and pull requests are welcome at https://git.sr.ht/~smar/ruby-bwrap.
+
+Gerrit instance https://gerrit.smar.fi/admin/repos/ruby-bwrap can also be used.

data/lib/bwrap/args/bind.rb

@@ -1,32 +1,90 @@
 # frozen_string_literal: true
 
+require "bwrap/execution"
+require "bwrap/output"
 require_relative "args"
+require_relative "library"
 
 # Bind arguments for bwrap.
-module Bwrap::Args::Bind
+class Bwrap::Args::Bind
+  include Bwrap::Execution
+  include Bwrap::Output
+
+  # Array of parameters passed to bwrap.
+  attr_writer :args
+
+  # @see Bwrap::Args::Construct#command=
+  #
+  # @see (see Bwrap::Args::Construct#command=)
+  attr_writer :command
+
+  # Instance of {Config}.
+  attr_writer :config
+
+  # Instance of {Bwrap::Args::Environment}.
+  attr_writer :environment
+
+  # Inner class to clean up namespace for implementation specific reasons.
+  #
+  # @api internal
+  class Mime
+    include Bwrap::Execution
+    include Bwrap::Output
+
+    # Name given to {#initialize}.
+    attr_reader :executable_name
+
+    # Either path given to {#initialize} or one parsed from shebang.
+    attr_reader :executable_path
+
+    def initialize executable_name, executable_path
+      @executable_name = executable_name
+      @executable_path = executable_path
+    end
+
+    # Used by {Bwrap::Args::Bind#libs_command_requires}.
+    #
+    # @return false if caller should also return
+    def resolve_mime_type
+      mime_type = execvalue %W{ file --brief --mime-type #{@executable_path} }
+      return true unless mime_type[0..6] == "text/x-"
+
+      shebang = File.open @executable_path, &:readline
+      if shebang[0..1] != "#!"
+        warn "Executable #{@executable_name} was recognized as #{mime_type} but does not have " \
+             "proper shebang line. Skipping automatic library mounts."
+        return false
+      end
+
+      shebang = shebang.delete_prefix("#!").strip
+      real_executable, _args = shebang.split " ", 2
+      @executable_path = real_executable
+
+      true
+    end
+  end
+
   # Arguments to bind /dev/dri from host to sandbox.
-  private def bind_dev_dri
-    %w{ --dev-bind /dev/dri /dev/dri }
+  def bind_dev_dri
+    @args.append %w{ --dev-bind /dev/dri /dev/dri }
   end
 
   # Arguments to bind /sys/dev/char from host to sandbox.
-  private def bind_sys_dev_char
-    %w{ --ro-bind /sys/dev/char /sys/dev/char }
+  def bind_sys_dev_char
+    @args.append %w{ --ro-bind /sys/dev/char /sys/dev/char }
   end
 
   # Arguments to bind /sys/devices/pci0000:00 from host to sandbox.
-  private def bind_pci_devices
-    %w{ --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 }
+  def bind_pci_devices
+    @args.append %w{ --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 }
   end
 
   # Arguments to bind home directory from sandbox directory (`#{@config.sandbox_directory}/home`)
   # as `/home/#{@config.user}`.
   #
   # @note Requires @config.user to be set.
-  private def bind_home_directory
-    unless @config.user
-      raise "Tried to bind user directory without user being set."
-    end
+  def bind_home_directory
+    return unless @config.user
 
     home_directory = "#{@config.sandbox_directory}/home"
 
@@ -36,11 +94,12 @@ module Bwrap::Args::Bind
 
     @environment["HOME"] = "/home/#{@config.user}"
 
-    %W{ --bind #{home_directory} /home/#{@config.user} }
+    debug "Using #{home_directory} as /home/#{@config.user}"
+    @args.append %W{ --bind #{home_directory} /home/#{@config.user} }
   end
 
   # Arguments to read-only bind whole system inside sandbox.
-  private def full_system_mounts
+  def full_system_mounts
     bindir_mounts = []
     binaries_from = @config.binaries_from
     binaries_from.each do |path|
@@ -48,6 +107,38 @@ module Bwrap::Args::Bind
     end
     @environment["PATH"] = binaries_from.join(":")
 
+    @args.append bindir_mounts
+
+    if debug?
+      debug "Using following bindir mounts:\n" \
+            "#{bindir_mounts}\n" \
+            "(Odd is key, even is value)"
+    end
+
+    libdir_mounts
+
+    return unless @config.full_system_mounts
+
+    loader_binds
+    libs_command_requires
+  end
+
+  # These are something user can specify to do custom --ro-bind binds.
+  def custom_read_only_binds
+    return unless @config.ro_binds
+
+    binds = []
+    @config.ro_binds.each do |source_path, destination_path|
+      binds << "--ro-bind" << source_path.to_s << destination_path.to_s
+    end
+
+    @args.append binds
+  end
+
+  # Used by {#full_system_mounts}.
+  private def libdir_mounts
+    return unless @config.libdir_mounts
+
     libdir_mounts = %w{
       --ro-bind /lib /lib
       --ro-bind /lib64 /lib64
@@ -55,24 +146,58 @@ module Bwrap::Args::Bind
       --ro-bind /usr/lib64 /usr/lib64
     }
 
-    system_mounts = bindir_mounts + libdir_mounts
     if debug?
-      debug "Using following system mounts:\n" \
-            "#{system_mounts}\n" \
+      debug "Using following libdir mounts:\n" \
+            "#{libdir_mounts}\n" \
             "(Odd is key, even is value)"
     end
-    system_mounts
+
+    @args.append libdir_mounts
   end
 
-  # These are something user can specify to do custom --ro-bind binds.
-  private def custom_read_only_binds
-    return [] unless @config.ro_binds
+  # Used by {#full_system_mounts}.
+  private def loader_binds
+    loader_mounts = []
+    path = "/lib64/ld-linux-x86-64.so.2"
+    loader_mounts << "--ro-bind" << path << path if File.exist? path
+    path = "/lib/ld-linux.so.2"
+    loader_mounts << "--ro-bind" << path << path if File.exist? path
 
-    binds = []
-    @config.ro_binds.each do |source_path, destination_path|
-      binds << "--ro-bind" << source_path.to_s << destination_path.to_s
+    @args.append loader_mounts
+  end
+
+  # Does some inspection to find out libraries given executable needs in order to work.
+  #
+  # Used by {#full_system_mounts}.
+  #
+  # @warning scanelf does not play with spaces in names well. This method assumes that libraries
+  #   have no spaces in names, though binaries can have.
+  #
+  # @todo Ensure scanelf is available (and throw proper error if it is not, telling to not use
+  #   full_system_mounts option.)
+  private def libs_command_requires
+    executable_name = @command.is_a?(String) && @command || @command[0]
+    executable_path = which executable_name
+
+    # TODO: Put this behind additional flag for extra control/sanity.
+    # Some executables are shell scripts and similar. For them we need to use the interpreter.
+
+    mime = Mime.new executable_name, executable_path
+    return unless mime.resolve_mime_type
+
+    # Then find out required libraries
+
+    library_mounts = []
+
+    library_object = Bwrap::Args::Library.new
+    libraries = library_object.libraries_needed_by mime.executable_path
+
+    # TODO: following is bad?
+    #library_object.needed_libraries(mime.executable_path).each do |library|
+    libraries.each do |library|
+      library_mounts << "--ro-bind" << library << library
     end
 
-    binds
+    @args.append library_mounts
   end
-end
+end

data/lib/bwrap/args/construct.rb

@@ -5,46 +5,56 @@ require "tempfile"
 require "bwrap/output"
 require_relative "bind"
 require_relative "environment"
+require_relative "features"
 require_relative "machine_id"
 require_relative "mount"
 
 # Constructs arguments for bwrap execution.
 class Bwrap::Args::Construct
   include Bwrap::Output
-  include Bwrap::Args::Bind
   include Bwrap::Args::Mount
 
   attr_writer :config
 
+  # Command that is executed inside bwrap sandbox.
+  #
+  # @note This is not used for anything vital, but some things, like
+  #   setting {Config#full_system_mounts=} uses this to resolve some
+  #   additional data.
+  #
+  # @param command [Array, String] Command with arguments
+  attr_writer :command
+
   # Constructs arguments for bwrap execution.
   def construct_bwrap_args
-    @environment = Bwrap::Args::Environment.new
-    @environment.config = @config
-    @machine_id = Bwrap::Args::MachineId.new
-    @machine_id.config = @config
+    @args = []
+    create_objects
 
-    [
-      xauthority_args,
-      @machine_id.machine_id,
-      resolv_conf,
-      full_system_mounts,
-      custom_read_only_binds,
-      create_user_dir,
-      read_only_pulseaudio,
-      dev_mount,
-      bind_dev_dri,
-      bind_sys_dev_char,
-      bind_pci_devices,
-      proc_mount,
-      tmp_as_tmpfs,
-      bind_home_directory,
-      "--unshare-all",
-      share_net,
-      hostname,
-      @environment.environment_variables,
-      "--die-with-parent",
-      "--new-session"
-    ]
+    root_mount
+    xauthority_args
+    machine_id = @machine_id.machine_id
+    @args.append machine_id if machine_id
+    resolv_conf
+    @bind.full_system_mounts
+    @features.feature_binds
+    @bind.custom_read_only_binds
+    create_user_dir
+    read_only_pulseaudio
+    dev_mount
+    @bind.bind_dev_dri
+    @bind.bind_sys_dev_char
+    @bind.bind_pci_devices
+    proc_mount
+    tmp_as_tmpfs
+    @bind.bind_home_directory
+    @args.append "--unshare-all"
+    share_net
+    hostname
+    @args.append @environment.environment_variables
+    @args.append "--die-with-parent"
+    @args.append "--new-session"
+
+    @args.compact
   end
 
   # Performs cleanup operations after execution.
@@ -52,37 +62,64 @@ class Bwrap::Args::Construct
     @machine_id&.cleanup
   end
 
+  # Used by {#construct_bwrap_args}.
+  private def create_objects
+    @bind = Bwrap::Args::Bind.new
+    @bind.args = @args
+    @bind.command = @command
+    @bind.config = @config
+
+    @environment = Bwrap::Args::Environment.new
+    @environment.config = @config
+    @bind.environment = @environment
+
+    @features = Bwrap::Args::Features.new
+    @features.args = @args
+    @features.config = @config
+
+    @machine_id = Bwrap::Args::MachineId.new
+    @machine_id.config = @config
+  end
+
   # Arguments for generating .Xauthority file.
   private def xauthority_args
+    return unless @config.xorg_application
+
     xauth_args = %W{ --ro-bind #{Dir.home}/.Xauthority #{Dir.home}/.Xauthority }
     debug "Binding following .Xauthority file: #{Dir.home}/.Xauthority"
-    xauth_args
+    @args.append xauth_args
   end
 
   # Arguments to read-only bind /etc/resolv.conf.
   private def resolv_conf
-    #source_resolv_conf = "/etc/resolv.conf"
-    source_resolv_conf = "/run/netconfig/resolv.conf"
+    # We can’t really bind symlinks, so let’s resolve real path to resolv.conf, in case it is symlinked.
+    source_resolv_conf = Pathname.new "/etc/resolv.conf"
+    source_resolv_conf = source_resolv_conf.realpath
+
     debug "Binding #{source_resolv_conf} as /etc/resolv.conf"
-    %w{ --ro-bind /run/netconfig/resolv.conf /etc/resolv.conf }
+    @args.append %W{ --ro-bind #{source_resolv_conf} /etc/resolv.conf }
   end
 
   # Arguments to create `/run/user/#{uid}`.
   private def create_user_dir
     trace "Creating directory /run/user/#{uid}"
-    %W{ --dir /run/user/#{uid} }
+    @args.append %W{ --dir /run/user/#{uid} }
   end
 
   # Arguments to bind necessary pulseaudio data for audio support.
   private def read_only_pulseaudio
+    return unless @config.audio.include? :pulseaudio
+
     debug "Binding pulseaudio"
-    %W{ --ro-bind /run/user/#{uid}/pulse /run/user/#{uid}/pulse }
+    @args.append %W{ --ro-bind /run/user/#{uid}/pulse /run/user/#{uid}/pulse }
   end
 
   # Arguments to allow network connection inside sandbox.
   private def share_net
+    return unless @config.share_net
+
     verb "Sharing network"
-    %w{ --share-net }
+    @args.append %w{ --share-net }
   end
 
   # Arguments to set hostname to whatever is configured.
@@ -90,7 +127,7 @@ class Bwrap::Args::Construct
     return unless @config.hostname
 
     debug "Setting hostname to #{@config.hostname}"
-    %W{ --hostname #{@config.hostname} }
+    @args.append %W{ --hostname #{@config.hostname} }
   end
 
   # Returns current user id.

data/lib/bwrap/args/features.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require "bwrap/output"
+require_relative "args"
+require_relative "library"
+
+# Feature parameter construction.
+#
+# @see Config::Features
+class Bwrap::Args::Features < Hash
+  include Bwrap::Output
+
+  # @api internal
+  class RubyBinds
+    attr_reader :mounts
+
+    # Bind system paths so scripts works inside sandbox.
+    def sitedir_mounts
+      mounts = []
+      mounts << "--ro-bind" << RbConfig::CONFIG["sitedir"] << RbConfig::CONFIG["sitedir"]
+      mounts << "--ro-bind" << RbConfig::CONFIG["rubyhdrdir"] << RbConfig::CONFIG["rubyhdrdir"]
+      mounts << "--ro-bind" << RbConfig::CONFIG["rubylibdir"] << RbConfig::CONFIG["rubylibdir"]
+      mounts << "--ro-bind" << RbConfig::CONFIG["vendordir"] << RbConfig::CONFIG["vendordir"]
+
+      mounts
+    end
+
+    # Create binds for required system libraries.
+    #
+    # These are in path like /usr/lib64/ruby/2.5.0/x86_64-linux-gnu/,
+    # and as they are mostly shared libraries, they may have some extra
+    # dependencies that also need to be bound inside the sandbox.
+    def stdlib_mounts stdlib
+      library_mounts = []
+      library = Bwrap::Args::Library.new
+      stdlib.each do |lib|
+        path = "#{RbConfig::CONFIG["rubyarchdir"]}/#{lib}.so"
+
+        library.needed_libraries(path).each do |requisite_library|
+          library_mounts << "--ro-bind" << requisite_library << requisite_library
+        end
+      end
+    end
+  end
+
+  # {Array} of parameters passed to bwrap.
+  attr_writer :args
+
+  # Instance of {Config}.
+  attr_writer :config
+
+  def feature_binds
+    ruby_binds
+  end
+
+  # @note This does not allow development headers needed for compilation for now.
+  #   I’ll look at it after I have an use for it.
+  private def ruby_binds
+    return unless @config.features.ruby.enabled?
+
+    binds = RubyBinds.new
+
+    @args.append binds.sitedir_mounts
+    @args.append binds.stdlib_mounts @config.features.ruby.stdlib
+  end
+end

data/lib/bwrap/args/library.rb

@@ -0,0 +1,130 @@
+# frozen_string_literal: true
+
+require "bwrap/execution"
+require "bwrap/output"
+require_relative "args"
+
+# Class to clean up namespace for implementation specific reasons.
+#
+# @api internal
+class Bwrap::Args::Library
+  include Bwrap::Execution
+  include Bwrap::Output
+
+  # NOTE: This caching can be made more efficient, but need to look at it later, what to do about it.
+  @@needed_libraries_cache ||= []
+
+  # Otherwise similar to {#needed_libraries}, but checks used libc to handle musl executables.
+  #
+  # @param executable [String] Path to the executable to find dependencies for
+  def libraries_needed_by executable
+    # %i == interpreter, the library used to load the executable by kernel.
+    # %F == Path to given file.
+    output_format = "%i::SEPARATOR::%F"
+    scanelf_command = %W{ scanelf --nobanner --quiet --format #{output_format} }
+    scanelf_command << executable
+
+    data = execvalue scanelf_command
+    data = data.strip
+    interpreter, _executable_path = data.split "::SEPARATOR::"
+    interpreter = Pathname.new interpreter
+
+    if interpreter.basename.to_s[0..6] == "ld-musl"
+      musl_needed_libraries executable
+    else
+      # For glibc, scanelf can return full paths for us most of time.
+      needed_libraries executable
+    end
+  end
+
+  # @param binary_paths [String, Array] one or more paths to be resolved
+  #
+  # @todo Maybe caching should be done here too?
+  def musl_needed_libraries binary_paths
+    trace "Finding musl libraries #{binary_paths} requires"
+    @needed_libraries = []
+
+    if binary_paths.is_a? String
+      binary_paths = [ binary_paths ]
+    end
+
+    binary_paths.each do |binary_path|
+      output = execvalue %W{ ldd #{binary_path} }
+      lines = output.split "\n"
+      _interpreter_line = lines.shift
+
+      lines.each do |line|
+        parse_ldd_line line
+      end
+    end
+
+    @needed_libraries
+  end
+
+  # Used by {Bwrap::Args::Bind#libs_command_requires}.
+  #
+  # @param binary_paths [String, Array] one or more paths to be resolved
+  def needed_libraries binary_paths
+    trace "Finding libraries #{binary_paths} requires"
+    @needed_libraries = []
+
+    # %i == interpreter, the library used to load the executable by kernel.
+    output_format = "%F::SEPARATOR::%n"
+    scanelf_command = %W{ scanelf --nobanner --quiet --format #{output_format} --ldcache --needed }
+
+    if binary_paths.is_a? String
+      binary_paths = [ binary_paths ]
+    end
+
+    # Check if the exe is already resolved.
+    binary_paths.delete_if do |binary_path|
+      @@needed_libraries_cache.include? binary_path
+    end
+
+    return [] if binary_paths.empty?
+
+    data = execvalue(scanelf_command + binary_paths)
+    trace "scanelf found following libraries: #{data}"
+
+    lines = data.split "\n"
+    lines.each do |line|
+      parse_scanelf_line line
+    end
+
+    @needed_libraries
+  end
+
+  # Used by {#needed_libraries}.
+  private def parse_scanelf_line line
+    binary_path, libraries_line = line.split "::SEPARATOR::"
+    libraries = libraries_line.split ","
+
+    @needed_libraries += libraries
+
+    # Also check if requisite libraries needs some libraries.
+    inner = Bwrap::Args::Library.new
+    @needed_libraries += inner.needed_libraries libraries
+
+    # Mark library cached only after its dependencies have been also handled.
+    libraries.each do |library|
+      verb "Binding #{library} as dependency of #{binary_path}"
+      @@needed_libraries_cache << library
+    end
+  end
+
+  # Used by {#musl_needed_libraries}.
+  private def parse_ldd_line line
+    line = line.strip
+    _library_name, library_data = line.split " => "
+
+    matches = library_data.match(/(.*) \(0x[0-9a-f]+\)/)
+    library_path = matches[1]
+
+    @needed_libraries << library_path
+
+    # Also check if requisite libraries needs some libraries.
+    inner = Bwrap::Args::Library.new
+    @needed_libraries += inner.musl_needed_libraries library_path
+  end
+end
+# class Library ended

data/lib/bwrap/args/machine_id.rb

@@ -24,7 +24,7 @@ class Bwrap::Args::MachineId
     # Returning [] means that execute() will ignore this fully.
     # Nil would be converted to empty string, causing spawn() to pass it as argument, causing
     # bwrap to misbehave.
-    return [] unless @config.machine_id
+    return unless @config.machine_id
 
     machine_id = @config.machine_id
 

data/lib/bwrap/args/mount.rb

@@ -4,21 +4,29 @@ require_relative "args"
 
 # Bind arguments for bwrap.
 module Bwrap::Args::Mount
+  # Arguments for readwrite-binding {Config#root} as /.
+  private def root_mount
+    return unless @config.root
+
+    debug "Binding #{@config.root} as /"
+    @args.append %W{ --bind #{@config.root} / }
+  end
+
   # Arguments for mounting devtmpfs to /dev.
   private def dev_mount
     debug "Mounting new devtmpfs to /dev"
-    %w{ --dev /dev }
+    @args.append %w{ --dev /dev }
   end
 
   # Arguments for mounting procfs to /proc.
   private def proc_mount
     debug "Mounting new procfs to /proc"
-    %w{ --proc /proc }
+    @args.append %w{ --proc /proc }
   end
 
   # Arguments for mounting tmpfs to /tmp.
   private def tmp_as_tmpfs
     debug "Mounting tmpfs to /tmp"
-    %w{ --tmpfs /tmp }
+    @args.append %w{ --tmpfs /tmp }
   end
 end

data/lib/bwrap/config.rb

@@ -24,13 +24,54 @@ class Bwrap::Config
   #   Given file as bound as /etc/machine_id.
   attr_accessor :machine_id
 
+  # Name of the user inside chroot.
+  #
+  # This is optional and defaults to no user.
   attr_accessor :user
 
+  # Set to true to indicate we’re running a X.org application, meaning we need to do some extra holes,
+  # like binding .Xauthority.
+  #
+  # @return [Boolean] Whether Xorg specific binds are used.
+  attr_accessor :xorg_application
+
+  # Array of audio schemes usable inside chroot.
+  #
+  # Currently supports:
+  #   - :pulseaudio
+  #
+  attr_accessor :audio
+
+  # @return [Boolean] true if network should be shared from host.
+  attr_accessor :share_net
+
+  # TODO: This should cause Bind#full_system_mounts to mount /lib64/ld-linux-x86-64.so.2 and so on,
+  # probably according executable type of specified command. But that needs some magic.
+  #
+  # For now this just mounts all relevant files it can find.
+  #
+  # @return [Boolean] true if Linux library loaders are mounted inside chroot
+  attr_accessor :full_system_mounts
+
+  # Set to true if basic system directories, like /usr/lib and /usr/lib64,
+  # should be bound inside chroot.
+  #
+  # /usr/bin can be mounted using {Config#binaries_from=}.
+  #
+  # @return [Boolean] true if libdirs are mounted to the chroot
+  attr_accessor :libdir_mounts
+
   # Array of directories to be bind mounted and used to construct PATH environment variable.
   attr_reader :binaries_from
 
+  # TODO: Document this.
+  # TODO: I wonder if this should just be removed. I don’t know, this is a bit ...
+  # Well, I can see it can have some merit, but very hard to say.
   attr_reader :sandbox_directory
 
+  # Use given directory as root. End result is similar to classic chroot.
+  attr_reader :root
+
   # `Hash`[`Pathname`] => `Pathname` containing custom read-only binds.
   attr_reader :ro_binds
 
@@ -39,9 +80,63 @@ class Bwrap::Config
   # Defaults to Dir.tmpdir.
   attr_reader :tmpdir
 
+  # Methods to enable or disable feature sets to control various aspects of sandboxing.
+  class Features
+    # Defines Ruby feature set.
+    class Ruby
+      # @return [Array] list of needed libraries.
+      attr_reader :stdlib
+
+      def initialize
+        @stdlib = []
+      end
+
+      # @see enabled=
+      def enabled?
+        @enabled
+      end
+
+      # Enable Ruby feature set.
+      #
+      # Among others, binds RbConfig::CONFIG["sitedir"] so scripts works.
+      #
+      # @note This does not allow development headers needed for compilation for now.
+      #   I’ll look at it after I have an use for it.
+      def enable
+        @enabled = true
+      end
+
+      # Disable Ruby feature set.
+      def disable
+        @enabled = false
+      end
+
+      # Extra libraries to be loaded from `RbConfig::CONFIG["rubyarchdir"]`.
+      #
+      # @note This is only required to be called if extra dependencies are necessary.
+      #     For example, psych.so requires libyaml.so.
+      def stdlib= libs
+        # Just a little check to have error earlier.
+        libs.each do |lib|
+          unless File.exist? "#{RbConfig::CONFIG["rubyarchdir"]}/#{lib}.so"
+            raise "Library “#{lib}” passed to Bwrap::Config::Ruby.stdlib= does not exist."
+          end
+        end
+
+        @stdlib = libs
+      end
+    end
+
+    # @return [Ruby] Instance of feature class for Ruby
+    def ruby
+      @ruby ||= Ruby.new
+    end
+  end
+
   def initialize
     @binaries_from = []
     @tmpdir = Dir.tmpdir
+    @audio = []
   end
 
   def binaries_from= array
@@ -55,6 +150,17 @@ class Bwrap::Config
     end
   end
 
+  # Enable or disable feature sets to control various aspects of sandboxing.
+  #
+  # @example To enable Ruby feature set
+  #     @config.features.ruby = true
+  #
+  # @see {Features} List of available features
+  # @return [Features] Object used to toggle features
+  def features
+    @features ||= ::Bwrap::Config::Features.new
+  end
+
   def sandbox_directory= directory
     unless Dir.exist? directory
       raise "Given sandbox directory #{directory} does not exist. Please create it beforehand and setup to your needs."
@@ -63,6 +169,15 @@ class Bwrap::Config
     @sandbox_directory = directory
   end
 
+  # Directory used as writable root, akin to classic chroot.
+  def root= directory
+    unless Dir.exist? directory
+      raise "Given root directory #{directory} does not exist. Please create it beforehand and set up to your needs."
+    end
+
+    @root = directory
+  end
+
   # Set given hash of paths to be bound with --ro-bind.
   #
   # Key is source path, value is destination path.

data/lib/bwrap/execution/execute.rb

@@ -95,7 +95,7 @@ class Bwrap::Execution::Execute
   # Stub to instruct implementation in subclass.
   def self.prepend_rootcmd command, rootcmd:
     raise NotImplementedError, "If rootcmd execution is necessary, monkey patch Bwrap::Execution::Execute " \
-          "to add “self.prepend_rootcmd(command, rootcmd:)” method."
+                               "to add “self.prepend_rootcmd(command, rootcmd:)” method."
   end
 
   # Used by `#handle_logging`.

data/lib/bwrap/execution/path.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require "bwrap/output"
+
+# Path checking methods.
+module Bwrap::Execution::Path
+  # @api internal
+  class Environment
+    def self.each_env_path command
+      exts = ENV["PATHEXT"] ? ENV["PATHEXT"].split(";") : [ "" ]
+
+      ENV["PATH"].split(File::PATH_SEPARATOR).each do |env_path|
+        exts.each do |ext|
+          exe = File.join(env_path, "#{command}#{ext}")
+          yield exe
+        end
+      end
+    end
+  end
+
+  # Check if requested program can be found.
+  #
+  # Should work cross-platform and in restricted environents pretty well.
+  private def command_available? command
+    # Special handling for absolute paths.
+    path = Pathname.new command
+    if path.absolute?
+      if path.executable? && !path.directory?
+        return true
+      end
+
+      return false
+    end
+
+    Bwrap::Execution::Path::Environment.each_env_path command do |exe|
+      return true if File.executable?(exe) && !File.directory?(exe)
+    end
+
+    false
+  end
+
+  # Returns path to given executable.
+  private def which command, fail: true
+    # Special handling for absolute paths.
+    path = Pathname.new command
+    if path.absolute?
+      if path.executable?
+        return command
+      end
+
+      raise CommandNotFound.new command: command if fail
+
+      return nil
+    end
+
+    Bwrap::Execution::Path::Environment.each_env_path command do |exe|
+      return exe if File.executable?(exe) && !File.directory?(exe)
+    end
+
+    return nil unless fail
+
+    raise CommandNotFound.new command: command
+  end
+end

data/lib/bwrap/execution.rb

@@ -3,12 +3,14 @@
 require "bwrap/version"
 require "bwrap/output"
 require_relative "execution/execute"
+require_relative "execution/path"
 
 # @abstract Module to be included in a class that needs to execute commands.
 #
 # Methods to execute processes.
 module Bwrap::Execution
   include Bwrap::Output
+  include Bwrap::Execution::Path
 
   # Unspecified execution related error.
   class CommandError < StandardError
@@ -18,6 +20,19 @@ module Bwrap::Execution
   class ExecutionFailed < CommandError
   end
 
+  # Thrown if given command was not found.
+  class CommandNotFound < CommandError
+    # Command that was looked at.
+    attr_reader :command
+
+    def initialize command:
+      @command = command
+      msg = "Failed to find #{command} from PATH."
+
+      super msg
+    end
+  end
+
   # Actual implementation of execution command. Can be used when static method is needed.
   #
   # @note When an array is given as a command, empty strings are passed as empty arguments.
@@ -83,33 +98,6 @@ module Bwrap::Execution
     @last_status
   end
 
-  # Check if requested program can be found.
-  #
-  # Should work cross-platform and in restricted environents pretty well.
-  private def command_available? command
-    exts = ENV["PATHEXT"] ? ENV["PATHEXT"].split(";") : [ "" ]
-    ENV["PATH"].split(File::PATH_SEPARATOR).each do |path|
-      exts.each do |ext|
-        exe = File.join(path, "#{command}#{ext}")
-        return true if File.executable?(exe) && !File.directory?(exe)
-      end
-    end
-    false
-  end
-
-  # Returns path to given executable.
-  private def which command, fail: true
-    exts = ENV["PATHEXT"] ? ENV["PATHEXT"].split(";") : [ "" ]
-    ENV["PATH"].split(File::PATH_SEPARATOR).each do |path|
-      exts.each do |ext|
-        exe = File.join(path, "#{command}#{ext}")
-        return exe if File.executable?(exe) && !File.directory?(exe)
-      end
-    end
-    error "Failed to find #{command} from PATH." if fail
-    nil
-  end
-
   # Execute a command.
   #
   # This method can be used by including Execution module in a class that should be able to

data/lib/bwrap/output/log.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 
 # force_encoding modifies string, so can’t freeze strings.
 
@@ -15,12 +15,12 @@ class Bwrap::Output::Log
 
   # Writes given string to log.
   def self.write_to_log str
-    @@log_file&.write str.force_encoding("UTF-8")
+    @@log_file&.write str.dup.force_encoding("UTF-8")
   end
 
   # Writes given string to log.
   def self.puts_to_log str
-    @@log_file&.puts str.force_encoding("UTF-8")
+    @@log_file&.puts str.dup.force_encoding("UTF-8")
   end
 
   # Closes an open log file.

data/lib/bwrap/output.rb

@@ -81,13 +81,16 @@ module Bwrap::Output
   # Aborts current process.
   #
   # Use this instead of Ruby’s #exit in order to filter out dummy #exit calls from the code.
-  def self.error_output str = nil, label: :unspecified, log_callback: 1
+  def self.error_output str = nil, label: :unspecified, log_callback: 1, raise_exception: false
     unless str.nil?
       out = Bwrap::Output::Levels.error_print_formatted str, log_callback: (log_callback + 1)
       Bwrap::Output::Log.puts_to_log out
     end
 
-    exit Bwrap::Execution::Labels.resolve_exit_code(label)
+    exit_code = Bwrap::Execution::Labels.resolve_exit_code(label)
+    raise str if raise_exception
+
+    exit exit_code
   end
 
   # @return true if --verbose, --debug or --trace has been passed, false if not.
@@ -147,7 +150,8 @@ module Bwrap::Output
   #
   # @param str String to be outputted
   # @param label [Symbol] Exit label accepted by {Bwrap::Execution.resolve_exit_code}
-  private def error str = nil, label: :unspecified
-    Bwrap::Output.error_output(str, label: label, log_callback: 2)
+  # @param raise [Boolean] if true, an exception is raised instead of just existing with exit code.
+  private def error str = nil, label: :unspecified, raise_exception: false
+    Bwrap::Output.error_output(str, label: label, log_callback: 2, raise_exception: raise_exception)
   end
 end

data/lib/bwrap/version.rb

@@ -3,7 +3,7 @@
 # bwrap command runner tools.
 module Bwrap
   # Current version of bwrap.
-  VERSION = "1.0.0-alpha1"
+  VERSION = "1.0.0-alpha5"
 end
 
-require "deep-cover" if ENV["DEEP_COVER"]
+require "deep-cover" if ENV["DEEP_COVER"]

data/lib/bwrap.rb

@@ -15,8 +15,13 @@ class Bwrap::Bwrap
 
   def initialize config
     @config = config
+  end
+
+  # Parses command line arguments given to caller script.
+  def parse_command_line_arguments
+    options = parse_options
 
-    parse_command_line_arguments
+    Bwrap::Output.handle_output_options options
   end
 
   # Runs given command inside bwrap.
@@ -24,29 +29,27 @@ class Bwrap::Bwrap
   # @param command [String, Array] Command, with necessary arguments, to be executed inside bwrap
   def run command
     construct = Bwrap::Args::Construct.new
+    construct.command = command
     construct.config = @config
     bwrap_args = construct.construct_bwrap_args
 
     exec_command = [ "bwrap" ]
     exec_command += bwrap_args
-    exec_command += %W{ #{command} --new-instance }
-    exec_command += ARGV unless ARGV.empty?
+    exec_command.append command
+    exec_command += @cli_args if @cli_args
 
     execute exec_command
 
     construct.cleanup
   end
 
-  # Parses command line arguments given to caller script.
-  private def parse_command_line_arguments
-    options = optimist_cli_args
-
-    Bwrap::Output.handle_output_options options
-  end
-
   # Parses global bwrap flags using Optimist.
-  private def optimist_cli_args
-    Optimist.options do
+  #
+  # Sets instance variable `@cli_args`.
+  #
+  # @return [Hash] options parsed by {Optimist.options}
+  private def parse_options
+    options = Optimist.options do
       version ::Bwrap::VERSION
 
       banner "Usage:"
@@ -70,5 +73,9 @@ class Bwrap::Bwrap
 
       educate_on_error
     end
+
+    @cli_args = ARGV.dup
+
+    options
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bwrap
 version: !ruby/object:Gem::Version
-  version: 1.0.0.pre.alpha1
+  version: 1.0.0.pre.alpha5
 platform: ruby
 authors:
 - Samu Voutilainen
@@ -34,7 +34,7 @@ cert_chain:
   X4ioQwEn1/9tHs19VO1CLF58451HgEo1BXd7eWLmV1V5cqw0YWok1ly4L/Su/Phf
   MRxVMHiVAqY=
   -----END CERTIFICATE-----
-date: 2021-11-14 00:00:00.000000000 Z
+date: 2021-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: optimist
@@ -54,16 +54,16 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '1.16'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '1.16'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -120,7 +120,8 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.7'
-description: For now this just reserves this name. Please be back later.
+description: For now this is tailored to my needs, so this may or may not be of any
+  use.
 email:
 - smar@smar.fi
 executables: []
@@ -135,6 +136,8 @@ files:
 - lib/bwrap/args/bind.rb
 - lib/bwrap/args/construct.rb
 - lib/bwrap/args/environment.rb
+- lib/bwrap/args/features.rb
+- lib/bwrap/args/library.rb
 - lib/bwrap/args/machine_id.rb
 - lib/bwrap/args/mount.rb
 - lib/bwrap/config.rb
@@ -142,6 +145,7 @@ files:
 - lib/bwrap/execution/execute.rb
 - lib/bwrap/execution/execution.rb
 - lib/bwrap/execution/labels.rb
+- lib/bwrap/execution/path.rb
 - lib/bwrap/output.rb
 - lib/bwrap/output/colors.rb
 - lib/bwrap/output/levels.rb
@@ -149,11 +153,13 @@ files:
 - lib/bwrap/output/output.rb
 - lib/bwrap/version.rb
 homepage: https://git.sr.ht/~smar/ruby-bwrap
-licenses: []
+licenses:
+- ISC
 metadata:
   homepage_uri: https://git.sr.ht/~smar/ruby-bwrap
   source_code_uri: https://git.sr.ht/~smar/ruby-bwrap
   changelog_uri: https://git.sr.ht/~smar/ruby-bwrap/tree/master/item/CHANGELOG.md
+  rubygems_mfa_required: 'false'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -173,5 +179,5 @@ rubyforge_project:
 rubygems_version: 2.7.6.3
 signing_key: 
 specification_version: 4
-summary: 'THIS WILL BE IN FUTURE: Framework to create commands for bwrap'
+summary: Framework to create commands for bwrap
 test_files: []