bwrap 1.0.0.pre.alpha3 → 1.0.0.pre.alpha4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d7a362da994cec63d76530772a6740d68e9cf442f4bb43dfc39579ce6c10c40e
-  data.tar.gz: 0ec62bee38e4729320ec365490e94c03f1f33f84e570e186ac009b587162ea24
+  metadata.gz: 5101d7848dccd6da3f68fc02f08b37ec1cfadc516b45cb964265a3f0a60e8ea3
+  data.tar.gz: 6dbf98ccc5faba3385ce8fe6f9890f9e7369860531e4161c8092611c18a8ca02
 SHA512:
-  metadata.gz: 65e1ad6f76b55f0b9fbabc2066eb10000ab286d6440070331dd8244f608f0de39e3ccf1f54b6e663727da32c5c587a4ae87717d5f8276444f835caaf3ff0618a
-  data.tar.gz: 5298f24103bb9c4290906fed7e6a5925a85228482f17cb2516bb6a3a50ace7c3fcb2d17de00abd1bd994d7cdd97fe420451631f50fe8792c247bab577a20ea4e
+  metadata.gz: 690e7e3f4911d80d5384aa10fc8c7dab6ed86c597dc691a66a396efccf15dc06e3ee29586afe687e4f92670eea049d2e76e034a2147eed9a9abcb9b894c99e67
+  data.tar.gz: d0a5312ab4ef5814885fd928f1359fd9ba69d7f36224c8671d79396ab635f1f8c23fd21a16712e62ca4b566cc51138b0f654e5cd8e3304f30cf10d492bbdc991

data/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changes
 
+## 1.0.0-alpha4 (22.11.2021)
+
+* Allow use without home directory set
+* Bwrap#parse_command_line_arguments is no longer run when Bwrap is initialized
+* Made pulseaudio optional
+* Changed --share-net to be added only if requested
+* Added Config#root= to specify path used as writable root
+* Added Config#full_system_mounts to control whether library loaders are mounted inside chroot
+* Added Config#libdir_mounts
+* Added Config#features
+
 ## 1.0.0-alpha3 (14.11.2021)
 
 * Avoid frozen string literal modification

data/lib/bwrap/args/bind.rb

@@ -1,32 +1,90 @@
 # frozen_string_literal: true
 
+require "bwrap/execution"
+require "bwrap/output"
 require_relative "args"
+require_relative "library"
 
 # Bind arguments for bwrap.
-module Bwrap::Args::Bind
+class Bwrap::Args::Bind
+  include Bwrap::Execution
+  include Bwrap::Output
+
+  # Array of parameters passed to bwrap.
+  attr_writer :args
+
+  # @see Bwrap::Args::Construct#command=
+  #
+  # @see (see Bwrap::Args::Construct#command=)
+  attr_writer :command
+
+  # Instance of {Config}.
+  attr_writer :config
+
+  # Instance of {Bwrap::Args::Environment}.
+  attr_writer :environment
+
+  # Inner class to clean up namespace for implementation specific reasons.
+  #
+  # @api internal
+  class Mime
+    include Bwrap::Execution
+    include Bwrap::Output
+
+    # Name given to {#initialize}.
+    attr_reader :executable_name
+
+    # Either path given to {#initialize} or one parsed from shebang.
+    attr_reader :executable_path
+
+    def initialize executable_name, executable_path
+      @executable_name = executable_name
+      @executable_path = executable_path
+    end
+
+    # Used by {Bwrap::Args::Bind#libs_command_requires}.
+    #
+    # @return false if caller should also return
+    def resolve_mime_type
+      mime_type = execvalue %W{ file --brief --mime-type #{@executable_path} }
+      return true unless mime_type[0..6] == "text/x-"
+
+      shebang = File.open @executable_path, &:readline
+      if shebang[0..1] != "#!"
+        warn "Executable #{@executable_name} was recognized as #{mime_type} but does not have " \
+              "proper shebang line. Skipping automatic library mounts."
+        return false
+      end
+
+      shebang = shebang.delete_prefix("#!").strip
+      real_executable, _args = shebang.split " ", 2
+      @executable_path = real_executable
+
+      true
+    end
+  end
+
   # Arguments to bind /dev/dri from host to sandbox.
-  private def bind_dev_dri
-    %w{ --dev-bind /dev/dri /dev/dri }
+  def bind_dev_dri
+    @args.append %w{ --dev-bind /dev/dri /dev/dri }
   end
 
   # Arguments to bind /sys/dev/char from host to sandbox.
-  private def bind_sys_dev_char
-    %w{ --ro-bind /sys/dev/char /sys/dev/char }
+  def bind_sys_dev_char
+    @args.append %w{ --ro-bind /sys/dev/char /sys/dev/char }
   end
 
   # Arguments to bind /sys/devices/pci0000:00 from host to sandbox.
-  private def bind_pci_devices
-    %w{ --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 }
+  def bind_pci_devices
+    @args.append %w{ --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 }
   end
 
   # Arguments to bind home directory from sandbox directory (`#{@config.sandbox_directory}/home`)
   # as `/home/#{@config.user}`.
   #
   # @note Requires @config.user to be set.
-  private def bind_home_directory
-    unless @config.user
-      raise "Tried to bind user directory without user being set."
-    end
+  def bind_home_directory
+    return unless @config.user
 
     home_directory = "#{@config.sandbox_directory}/home"
 
@@ -36,11 +94,12 @@ module Bwrap::Args::Bind
 
     @environment["HOME"] = "/home/#{@config.user}"
 
-    %W{ --bind #{home_directory} /home/#{@config.user} }
+    debug "Using #{home_directory} as /home/#{@config.user}"
+    @args.append %W{ --bind #{home_directory} /home/#{@config.user} }
   end
 
   # Arguments to read-only bind whole system inside sandbox.
-  private def full_system_mounts
+  def full_system_mounts
     bindir_mounts = []
     binaries_from = @config.binaries_from
     binaries_from.each do |path|
@@ -48,6 +107,38 @@ module Bwrap::Args::Bind
     end
     @environment["PATH"] = binaries_from.join(":")
 
+    @args.append bindir_mounts
+
+    if debug?
+      debug "Using following bindir mounts:\n" \
+            "#{bindir_mounts}\n" \
+            "(Odd is key, even is value)"
+    end
+
+    libdir_mounts
+
+    return unless @config.full_system_mounts
+
+    loader_binds
+    libs_command_requires
+  end
+
+  # These are something user can specify to do custom --ro-bind binds.
+  def custom_read_only_binds
+    return unless @config.ro_binds
+
+    binds = []
+    @config.ro_binds.each do |source_path, destination_path|
+      binds << "--ro-bind" << source_path.to_s << destination_path.to_s
+    end
+
+    @args.append binds
+  end
+
+  # Used by {#full_system_mounts}.
+  private def libdir_mounts
+    return unless @config.libdir_mounts
+
     libdir_mounts = %w{
       --ro-bind /lib /lib
       --ro-bind /lib64 /lib64
@@ -55,24 +146,54 @@ module Bwrap::Args::Bind
       --ro-bind /usr/lib64 /usr/lib64
     }
 
-    system_mounts = bindir_mounts + libdir_mounts
     if debug?
-      debug "Using following system mounts:\n" \
-            "#{system_mounts}\n" \
+      debug "Using following libdir mounts:\n" \
+            "#{libdir_mounts}\n" \
             "(Odd is key, even is value)"
     end
-    system_mounts
+
+    @args.append libdir_mounts
   end
 
-  # These are something user can specify to do custom --ro-bind binds.
-  private def custom_read_only_binds
-    return [] unless @config.ro_binds
+  # Used by {#full_system_mounts}.
+  private def loader_binds
+    loader_mounts = []
+    path = "/lib64/ld-linux-x86-64.so.2"
+    loader_mounts << "--ro-bind" << path << path if File.exist? path
+    path = "/lib/ld-linux.so.2"
+    loader_mounts << "--ro-bind" << path << path if File.exist? path
 
-    binds = []
-    @config.ro_binds.each do |source_path, destination_path|
-      binds << "--ro-bind" << source_path.to_s << destination_path.to_s
+    @args.append loader_mounts
+  end
+
+  # Does some inspection to find out libraries given executable needs in order to work.
+  #
+  # Used by {#full_system_mounts}.
+  #
+  # @warning scanelf does not play with spaces in names well. This method assumes that libraries
+  #   have no spaces in names, though binaries can have.
+  #
+  # @todo Ensure scanelf is available (and throw proper error if it is not, telling to not use full_system_mounts option.)
+  private def libs_command_requires
+    executable_name = @command.is_a?(String) && @command || @command[0]
+    executable_path = which executable_name
+
+    # TODO: Put this behind additional flag for extra control/sanity.
+    # Some executables are shell scripts and similar. For them we need to use the interpreter.
+
+    mime = Mime.new executable_name, executable_path
+    return unless mime.resolve_mime_type
+
+    # Then find out required libraries
+
+    library_mounts = []
+
+    library_object = Bwrap::Args::Library.new
+    library_object.needed_libraries(mime.executable_path).each do |library|
+      library_mounts << "--ro-bind" << library << library
     end
 
-    binds
+    @args.append library_mounts
   end
-end
+
+end

data/lib/bwrap/args/construct.rb

@@ -5,46 +5,56 @@ require "tempfile"
 require "bwrap/output"
 require_relative "bind"
 require_relative "environment"
+require_relative "features"
 require_relative "machine_id"
 require_relative "mount"
 
 # Constructs arguments for bwrap execution.
 class Bwrap::Args::Construct
   include Bwrap::Output
-  include Bwrap::Args::Bind
   include Bwrap::Args::Mount
 
   attr_writer :config
 
+  # Command that is executed inside bwrap sandbox.
+  #
+  # @note This is not used for anything vital, but some things, like
+  #   setting {Config#full_system_mounts=} uses this to resolve some
+  #   additional data.
+  #
+  # @param command [Array, String] Command with arguments
+  attr_writer :command
+
   # Constructs arguments for bwrap execution.
   def construct_bwrap_args
-    @environment = Bwrap::Args::Environment.new
-    @environment.config = @config
-    @machine_id = Bwrap::Args::MachineId.new
-    @machine_id.config = @config
-
-    [
-      xauthority_args,
-      @machine_id.machine_id,
-      resolv_conf,
-      full_system_mounts,
-      custom_read_only_binds,
-      create_user_dir,
-      read_only_pulseaudio,
-      dev_mount,
-      bind_dev_dri,
-      bind_sys_dev_char,
-      bind_pci_devices,
-      proc_mount,
-      tmp_as_tmpfs,
-      bind_home_directory,
-      "--unshare-all",
-      share_net,
-      hostname,
-      @environment.environment_variables,
-      "--die-with-parent",
-      "--new-session"
-    ]
+    @args = []
+    create_objects
+
+    root_mount
+    xauthority_args
+    machine_id = @machine_id.machine_id
+    @args.append machine_id if machine_id
+    resolv_conf
+    @bind.full_system_mounts
+    @features.feature_binds
+    @bind.custom_read_only_binds
+    create_user_dir
+    read_only_pulseaudio
+    dev_mount
+    @bind.bind_dev_dri
+    @bind.bind_sys_dev_char
+    @bind.bind_pci_devices
+    proc_mount
+    tmp_as_tmpfs
+    @bind.bind_home_directory
+    @args.append "--unshare-all"
+    share_net
+    hostname
+    @args.append @environment.environment_variables
+    @args.append "--die-with-parent"
+    @args.append "--new-session"
+
+    @args.compact
   end
 
   # Performs cleanup operations after execution.
@@ -52,13 +62,32 @@ class Bwrap::Args::Construct
     @machine_id&.cleanup
   end
 
+  # Used by {#construct_bwrap_args}.
+  private def create_objects
+    @bind = Bwrap::Args::Bind.new
+    @bind.args = @args
+    @bind.command = @command
+    @bind.config = @config
+
+    @environment = Bwrap::Args::Environment.new
+    @environment.config = @config
+    @bind.environment = @environment
+
+    @features = Bwrap::Args::Features.new
+    @features.args = @args
+    @features.config = @config
+
+    @machine_id = Bwrap::Args::MachineId.new
+    @machine_id.config = @config
+  end
+
   # Arguments for generating .Xauthority file.
   private def xauthority_args
-    return [] unless @config.xorg_application
+    return unless @config.xorg_application
 
     xauth_args = %W{ --ro-bind #{Dir.home}/.Xauthority #{Dir.home}/.Xauthority }
     debug "Binding following .Xauthority file: #{Dir.home}/.Xauthority"
-    xauth_args
+    @args.append xauth_args
   end
 
   # Arguments to read-only bind /etc/resolv.conf.
@@ -68,25 +97,29 @@ class Bwrap::Args::Construct
     source_resolv_conf = source_resolv_conf.realpath
 
     debug "Binding #{source_resolv_conf} as /etc/resolv.conf"
-    %W{ --ro-bind #{source_resolv_conf} /etc/resolv.conf }
+    @args.append %W{ --ro-bind #{source_resolv_conf} /etc/resolv.conf }
   end
 
   # Arguments to create `/run/user/#{uid}`.
   private def create_user_dir
     trace "Creating directory /run/user/#{uid}"
-    %W{ --dir /run/user/#{uid} }
+    @args.append %W{ --dir /run/user/#{uid} }
   end
 
   # Arguments to bind necessary pulseaudio data for audio support.
   private def read_only_pulseaudio
+    return unless @config.audio.include? :pulseaudio
+
     debug "Binding pulseaudio"
-    %W{ --ro-bind /run/user/#{uid}/pulse /run/user/#{uid}/pulse }
+    @args.append %W{ --ro-bind /run/user/#{uid}/pulse /run/user/#{uid}/pulse }
   end
 
   # Arguments to allow network connection inside sandbox.
   private def share_net
+    return unless @config.share_net
+
     verb "Sharing network"
-    %w{ --share-net }
+    @args.append %w{ --share-net }
   end
 
   # Arguments to set hostname to whatever is configured.
@@ -94,7 +127,7 @@ class Bwrap::Args::Construct
     return unless @config.hostname
 
     debug "Setting hostname to #{@config.hostname}"
-    %W{ --hostname #{@config.hostname} }
+    @args.append %W{ --hostname #{@config.hostname} }
   end
 
   # Returns current user id.

data/lib/bwrap/args/features.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require "bwrap/output"
+require_relative "args"
+require_relative "library"
+
+# Feature parameter construction.
+#
+# @see Config::Features
+class Bwrap::Args::Features < Hash
+  include Bwrap::Output
+
+  # {Array} of parameters passed to bwrap.
+  attr_writer :args
+
+  # Instance of {Config}.
+  attr_writer :config
+
+  def feature_binds
+    ruby_binds
+  end
+
+  # @note This does not allow development headers needed for compilation for now. I’ll look at it after I have an use for it.
+  private def ruby_binds
+    return unless @config.features.ruby.enabled?
+
+    # Bind system paths so scripts works inside sandbox.
+
+    mounts = []
+    mounts << "--ro-bind" << RbConfig::CONFIG["sitedir"] << RbConfig::CONFIG["sitedir"]
+    mounts << "--ro-bind" << RbConfig::CONFIG["rubyhdrdir"] << RbConfig::CONFIG["rubyhdrdir"]
+    mounts << "--ro-bind" << RbConfig::CONFIG["rubylibdir"] << RbConfig::CONFIG["rubylibdir"]
+    mounts << "--ro-bind" << RbConfig::CONFIG["vendordir"] << RbConfig::CONFIG["vendordir"]
+
+    @args.append mounts
+
+    # Create binds for required system libraries.
+    #
+    # These are in path like /usr/lib64/ruby/2.5.0/x86_64-linux-gnu/,
+    # and as they are mostly shared libraries, they may have some extra
+    # dependencies that also need to be bound inside the sandbox.
+
+    library_mounts = []
+    library = Bwrap::Args::Library.new
+    @config.features.ruby.stdlib.each do |lib|
+      path = "#{RbConfig::CONFIG["rubyarchdir"]}/#{lib}.so"
+
+      library.needed_libraries(path).each do |library|
+        library_mounts << "--ro-bind" << library << library
+      end
+    end
+
+    @args.append library_mounts
+  end
+end

data/lib/bwrap/args/library.rb

@@ -0,0 +1,63 @@
+
+require "bwrap/execution"
+require "bwrap/output"
+require_relative "args"
+
+# Class to clean up namespace for implementation specific reasons.
+#
+# @api internal
+class Bwrap::Args::Library
+  include Bwrap::Execution
+  include Bwrap::Output
+
+  # Used by {Bwrap::Args::Bind#libs_command_requires}.
+  def needed_libraries binary_paths
+    trace "Finding libraries #{binary_paths} requires"
+    @needed_libraries = []
+    # NOTE: This caching can be made more efficient, but need to look at it later, what to do about it.
+    @@needed_libraries_cache ||= []
+
+    output_format = "%F:libraries:%n"
+    scanelf_command = %W{ scanelf --nobanner --quiet --format #{output_format} --ldcache --needed }
+
+    if binary_paths.is_a? String
+      binary_paths = [ binary_paths ]
+    end
+
+    # Check if the exe is already resolved.
+    binary_paths.delete_if do |binary_path|
+      @@needed_libraries_cache.include? binary_path
+    end
+
+    return [] if binary_paths.empty?
+
+    data = execvalue(scanelf_command + binary_paths)
+    trace "scanelf found following libraries: #{data}"
+
+    lines = data.split "\n"
+    lines.each do |line|
+      parse_scanelf_line line
+    end
+
+    @needed_libraries
+  end
+
+  # Used by {#needed_libraries}.
+  private def parse_scanelf_line line
+    binary_path, libraries_line = line.split ":libraries:"
+    libraries = libraries_line.split ","
+
+    @needed_libraries += libraries
+
+    # Also check if requisite libraries needs some libraries.
+    inner = Bwrap::Args::Library.new
+    @needed_libraries += inner.needed_libraries libraries
+
+    # Mark library cached only after its dependencies have been also handled.
+    libraries.each do |library|
+      verb "Binding #{library} as dependency of #{binary_path}"
+      @@needed_libraries_cache << library
+    end
+  end
+end
+# class Library ended

data/lib/bwrap/args/machine_id.rb

@@ -24,7 +24,7 @@ class Bwrap::Args::MachineId
     # Returning [] means that execute() will ignore this fully.
     # Nil would be converted to empty string, causing spawn() to pass it as argument, causing
     # bwrap to misbehave.
-    return [] unless @config.machine_id
+    return unless @config.machine_id
 
     machine_id = @config.machine_id
 

data/lib/bwrap/args/mount.rb

@@ -4,21 +4,29 @@ require_relative "args"
 
 # Bind arguments for bwrap.
 module Bwrap::Args::Mount
+  # Arguments for readwrite-binding {Config#root} as /.
+  private def root_mount
+    return unless @config.root
+
+    debug "Binding #{@config.root} as /"
+    @args.append %W{ --bind #{@config.root} / }
+  end
+
   # Arguments for mounting devtmpfs to /dev.
   private def dev_mount
     debug "Mounting new devtmpfs to /dev"
-    %w{ --dev /dev }
+    @args.append %w{ --dev /dev }
   end
 
   # Arguments for mounting procfs to /proc.
   private def proc_mount
     debug "Mounting new procfs to /proc"
-    %w{ --proc /proc }
+    @args.append %w{ --proc /proc }
   end
 
   # Arguments for mounting tmpfs to /tmp.
   private def tmp_as_tmpfs
     debug "Mounting tmpfs to /tmp"
-    %w{ --tmpfs /tmp }
+    @args.append %w{ --tmpfs /tmp }
   end
 end

data/lib/bwrap/config.rb

@@ -24,6 +24,9 @@ class Bwrap::Config
   #   Given file as bound as /etc/machine_id.
   attr_accessor :machine_id
 
+  # Name of the user inside chroot.
+  #
+  # This is optional and defaults to no user.
   attr_accessor :user
 
   # Set to true to indicate we’re running a X.org application, meaning we need to do some extra holes,
@@ -32,11 +35,43 @@ class Bwrap::Config
   # @return [Boolean] Whether Xorg specific binds are used.
   attr_accessor :xorg_application
 
+  # Array of audio schemes usable inside chroot.
+  #
+  # Currently supports:
+  #   - :pulseaudio
+  #
+  attr_accessor :audio
+
+  # @return [Boolean] true if network should be shared from host.
+  attr_accessor :share_net
+
+  # TODO: This should cause Bind#full_system_mounts to mount /lib64/ld-linux-x86-64.so.2 and so on,
+  # probably according executable type of specified command. But that needs some magic.
+  #
+  # For now this just mounts all relevant files it can find.
+  #
+  # @return [Boolean] true if Linux library loaders are mounted inside chroot
+  attr_accessor :full_system_mounts
+
+  # Set to true if basic system directories, like /usr/lib and /usr/lib64,
+  # should be bound inside chroot.
+  #
+  # /usr/bin can be mounted using {Config#binaries_from=}.
+  #
+  # @return [Boolean] true if libdirs are mounted to the chroot
+  attr_accessor :libdir_mounts
+
   # Array of directories to be bind mounted and used to construct PATH environment variable.
   attr_reader :binaries_from
 
+  # TODO: Document this.
+  # TODO: I wonder if this should just be removed. I don’t know, this is a bit ...
+  # Well, I can see it can have some merit, but very hard to say.
   attr_reader :sandbox_directory
 
+  # Use given directory as root. End result is similar to classic chroot.
+  attr_reader :root
+
   # `Hash`[`Pathname`] => `Pathname` containing custom read-only binds.
   attr_reader :ro_binds
 
@@ -45,9 +80,62 @@ class Bwrap::Config
   # Defaults to Dir.tmpdir.
   attr_reader :tmpdir
 
+  # Methods to enable or disable feature sets to control various aspects of sandboxing.
+  class Features
+    # Defines Ruby feature set.
+    class Ruby
+      # @return [Array] list of needed libraries.
+      attr_reader :stdlib
+
+      def initialize
+        @stdlib = []
+      end
+
+      # @see enabled=
+      def enabled?
+        @enabled
+      end
+
+      # Enable Ruby feature set.
+      #
+      # Among others, binds RbConfig::CONFIG["sitedir"] so scripts works.
+      #
+      # @note This does not allow development headers needed for compilation for now. I’ll look at it after I have an use for it.
+      def enable
+        @enabled = true
+      end
+
+      # Disable Ruby feature set.
+      def disable
+        @enabled = false
+      end
+
+      # Extra libraries to be loaded from `RbConfig::CONFIG["rubyarchdir"]`.
+      #
+      # @note This is only required to be called if extra dependencies are necessary.
+      #     For example, psych.so requires libyaml.so.
+      def stdlib= libs
+        # Just a little check to have error earlier.
+        libs.each do |lib|
+          unless File.exist? "#{RbConfig::CONFIG["rubyarchdir"]}/#{lib}.so"
+            raise "Library “#{lib}” passed to Bwrap::Config::Ruby.stdlib= does not exist."
+          end
+        end
+
+        @stdlib = libs
+      end
+    end
+
+    # @return [Ruby] Instance of feature class for Ruby
+    def ruby
+      @ruby ||= Ruby.new
+    end
+  end
+
   def initialize
     @binaries_from = []
     @tmpdir = Dir.tmpdir
+    @audio = []
   end
 
   def binaries_from= array
@@ -61,6 +149,17 @@ class Bwrap::Config
     end
   end
 
+  # Enable or disable feature sets to control various aspects of sandboxing.
+  #
+  # @example To enable Ruby feature set
+  #     @config.features.ruby = true
+  #
+  # @see {Features} List of available features
+  # @return [Features] Object used to toggle features
+  def features
+    @features ||= ::Bwrap::Config::Features.new
+  end
+
   def sandbox_directory= directory
     unless Dir.exist? directory
       raise "Given sandbox directory #{directory} does not exist. Please create it beforehand and setup to your needs."
@@ -69,6 +168,15 @@ class Bwrap::Config
     @sandbox_directory = directory
   end
 
+  # Directory used as writable root, akin to classic chroot.
+  def root= directory
+    unless Dir.exist? directory
+      raise "Given root directory #{directory} does not exist. Please create it beforehand and set up to your needs."
+    end
+
+    @root = directory
+  end
+
   # Set given hash of paths to be bound with --ro-bind.
   #
   # Key is source path, value is destination path.

data/lib/bwrap/version.rb

@@ -3,7 +3,7 @@
 # bwrap command runner tools.
 module Bwrap
   # Current version of bwrap.
-  VERSION = "1.0.0-alpha3"
+  VERSION = "1.0.0-alpha4"
 end
 
 require "deep-cover" if ENV["DEEP_COVER"]

data/lib/bwrap.rb

@@ -15,8 +15,13 @@ class Bwrap::Bwrap
 
   def initialize config
     @config = config
+  end
+
+  # Parses command line arguments given to caller script.
+  def parse_command_line_arguments
+    options = optimist_cli_args
 
-    parse_command_line_arguments
+    Bwrap::Output.handle_output_options options
   end
 
   # Runs given command inside bwrap.
@@ -24,26 +29,20 @@ class Bwrap::Bwrap
   # @param command [String, Array] Command, with necessary arguments, to be executed inside bwrap
   def run command
     construct = Bwrap::Args::Construct.new
+    construct.command = command
     construct.config = @config
     bwrap_args = construct.construct_bwrap_args
 
     exec_command = [ "bwrap" ]
     exec_command += bwrap_args
-    exec_command += %W{ #{command} --new-instance }
-    exec_command += ARGV unless ARGV.empty?
+    exec_command.append command
+    exec_command += @cli_args if @cli_args
 
     execute exec_command
 
     construct.cleanup
   end
 
-  # Parses command line arguments given to caller script.
-  private def parse_command_line_arguments
-    options = optimist_cli_args
-
-    Bwrap::Output.handle_output_options options
-  end
-
   # Parses global bwrap flags using Optimist.
   private def optimist_cli_args
     Optimist.options do
@@ -70,5 +69,7 @@ class Bwrap::Bwrap
 
       educate_on_error
     end
+
+    @cli_args = ARGV.dup
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bwrap
 version: !ruby/object:Gem::Version
-  version: 1.0.0.pre.alpha3
+  version: 1.0.0.pre.alpha4
 platform: ruby
 authors:
 - Samu Voutilainen
@@ -34,7 +34,7 @@ cert_chain:
   X4ioQwEn1/9tHs19VO1CLF58451HgEo1BXd7eWLmV1V5cqw0YWok1ly4L/Su/Phf
   MRxVMHiVAqY=
   -----END CERTIFICATE-----
-date: 2021-11-14 00:00:00.000000000 Z
+date: 2021-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: optimist
@@ -120,7 +120,8 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.7'
-description: For now this just reserves this name. Please be back later.
+description: For now this is tailored to my needs, so this may or may not be of any
+  use.
 email:
 - smar@smar.fi
 executables: []
@@ -135,6 +136,8 @@ files:
 - lib/bwrap/args/bind.rb
 - lib/bwrap/args/construct.rb
 - lib/bwrap/args/environment.rb
+- lib/bwrap/args/features.rb
+- lib/bwrap/args/library.rb
 - lib/bwrap/args/machine_id.rb
 - lib/bwrap/args/mount.rb
 - lib/bwrap/config.rb
@@ -174,5 +177,5 @@ rubyforge_project:
 rubygems_version: 2.7.6.3
 signing_key: 
 specification_version: 4
-summary: 'THIS WILL BE IN FUTURE: Framework to create commands for bwrap'
+summary: Framework to create commands for bwrap
 test_files: []