bwrap 1.0.0.pre.alpha3 → 1.0.0.pre.beta2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d7a362da994cec63d76530772a6740d68e9cf442f4bb43dfc39579ce6c10c40e
-  data.tar.gz: 0ec62bee38e4729320ec365490e94c03f1f33f84e570e186ac009b587162ea24
+  metadata.gz: 807b5065d9a5615be9910e52bf7beed12faf271a6aa533de71fe925d759d68c3
+  data.tar.gz: a3ed8130aac69442f2175b9035aa34392b462fcc3934e3e7a69081b2b936b8f7
 SHA512:
-  metadata.gz: 65e1ad6f76b55f0b9fbabc2066eb10000ab286d6440070331dd8244f608f0de39e3ccf1f54b6e663727da32c5c587a4ae87717d5f8276444f835caaf3ff0618a
-  data.tar.gz: 5298f24103bb9c4290906fed7e6a5925a85228482f17cb2516bb6a3a50ace7c3fcb2d17de00abd1bd994d7cdd97fe420451631f50fe8792c247bab577a20ea4e
+  metadata.gz: 66131023be01339b797c21615ce32b5aa639fd0599590724f9262f8393d2cc9226c1bfa87bfad37dba751bac15d6b6fc9efa3babd168cc2f40973f8a5729f9cd
+  data.tar.gz: fcf5fdd36a7728e84502e33efb86d43ce08d44732f0c070ecdaa54b5bbc15a35749238fd79084b688baedd605b98252c59fdaee61ef4434ea967deb00f10a577

data/CHANGELOG.md

@@ -1,5 +1,44 @@
 # Changes
 
+## 1.0.0-beta2 (02.02.2022)
+
+* Added nscd feature
+* Added gem_env_paths to ruby feature
+* If Config#root is set, set working directory to /
+* Execution#execvalue: Allow setting log: true
+* Execution#execvalue: pass all kwargs as kwargs to execute()
+* Output::Log: Don’t die if log file can’t be written to
+
+## 1.0.0-beta1 (12.12.2021)
+
+* optimist gem is now optional dependency
+* Added Config#env_paths and Config#add_env_path
+* Added Config#command_inside_root
+* Added Bwrap#run_inside_root convenience method
+* Execution#command_available?: added env_path_var argument
+* Execution#which: added env_path_var argument
+* Be able to resolve /usr/bin/env to real executable
+* Try to avoid duplicate library binds
+* Added Config#extra_executables
+* Added Config::Features::Bash
+
+## 1.0.0-alpha5 (29.11.2021)
+
+* Execution#command_available?: support absolute paths
+* Execution#which: support absolute paths
+* Many miscellaneous fixes
+
+## 1.0.0-alpha4 (22.11.2021)
+
+* Allow use without home directory set
+* Bwrap#parse_command_line_arguments is no longer run when Bwrap is initialized
+* Made pulseaudio optional
+* Changed --share-net to be added only if requested
+* Added Config#root= to specify path used as writable root
+* Added Config#full_system_mounts to control whether library loaders are mounted inside chroot
+* Added Config#libdir_mounts
+* Added Config#features
+
 ## 1.0.0-alpha3 (14.11.2021)
 
 * Avoid frozen string literal modification

data/README.md

@@ -31,3 +31,5 @@ Please see [API documentation](https://www.rubydoc.info/gems/bwrap) for usage in
 ## Contributing
 
 Bug reports and pull requests are welcome at https://git.sr.ht/~smar/ruby-bwrap.
+
+Gerrit instance https://gerrit.smar.fi/admin/repos/ruby-bwrap can also be used.

data/lib/bwrap/args/args.rb

@@ -2,7 +2,11 @@
 
 require "bwrap/version"
 
-# bwrap argument related operations.
+# Classes that are used for building arguments.
+#
+# @note Classes inside here are kind of pseudo-internal API.
+#   In future, there may be some use for classes inside here, but for now they are
+#   only used internally.
 module Bwrap::Args
   # Nya.
 end

data/lib/bwrap/args/bind/library.rb

@@ -0,0 +1,188 @@
+# frozen_string_literal: true
+
+require "bwrap/execution/path"
+require "bwrap/output"
+require_relative "../library"
+require_relative "mime"
+
+class Bwrap::Args::Bind
+  # TODO: documentation
+  #
+  # TODO: It may be that this should be renamed to “Binary” or ”Executable”, as this
+  # handles all binaries, not just libraries.
+  #
+  # @api private
+  class Library
+    include Bwrap::Execution::Path
+    include Bwrap::Output
+
+    # @see Bwrap::Args::Construct#command=
+    #
+    # @see (see Bwrap::Args::Construct#command=)
+    attr_writer :command
+
+    # Instance of {Bwrap::Config}.
+    attr_writer :config
+
+    # Instance of {Bwrap::Args::Environment}.
+    attr_writer :environment
+
+    attr_writer :executable_name
+
+    attr_writer :executable_path
+
+    # Ruby feature implementation specific class.
+    #
+    # @api private
+    class RubyBinds
+      # Instance of {Bwrap::Config}.
+      attr_writer :config
+
+      def initialize args
+        @args = args
+      end
+
+      def ruby_binds_for_features
+        return unless @config and @config.features.ruby.enabled?
+
+        @mounts = []
+
+        # Mount some common Ruby executables.
+
+        # This is most often /usr/bin.
+        bindir = Pathname.new RbConfig::CONFIG["bindir"]
+
+        path = bindir / "ruby"
+        if File.exist? path
+          @mounts << "--ro-bind" << path.to_s << path.to_s
+        end
+
+        gem_binds bindir
+
+        @args += @mounts
+      end
+
+      private def gem_binds bindir
+        return unless @config.features.ruby.gem_env_paths?
+
+        path = bindir / "gem"
+        return unless File.exist? path
+
+        @mounts << "--ro-bind" << path.to_s << path.to_s
+      end
+    end
+
+    def initialize args
+      @args = args
+    end
+
+    def extra_executables_mounts
+      return unless @config&.extra_executables
+
+      @config.extra_executables.each do |executable|
+        @executable_name = resolve_executable_name executable
+        @executable_path = resolve_executable_path @executable_name, not_inside_root: true
+
+        @args.append %W{ --ro-bind #{@executable_path} #{@executable_path} }
+
+        resolve_executable_libraries
+      end
+    end
+
+    # Convenience method to call {#resolve_executable_libraries}.
+    #
+    # Used by {#handle_system_mounts}.
+    def libs_command_requires
+      @executable_name = resolve_executable_name @command
+      @executable_path = resolve_executable_path @executable_name
+
+      # Actually add the executable to be bound to the sandbox.
+      unless @config&.command_inside_root
+        @args.append %W{ --ro-bind #{@executable_path} #{@executable_path} }
+      end
+
+      resolve_executable_libraries
+    end
+
+    # Does some inspection to find out libraries given executable needs in order to work.
+    #
+    # @warning scanelf does not play with spaces in names well. This method assumes that libraries
+    #   have no spaces in names, though binaries can have.
+    #
+    # @todo Ensure scanelf is available (and throw proper error if it is not, telling to not use
+    #   full_system_mounts option.)
+    def resolve_executable_libraries
+      trace "Resolving executable libraries of #{@executable_path}"
+
+      # TODO: Put this behind additional flag for extra control/sanity.
+      # Some executables are shell scripts and similar. For them we need to use the interpreter.
+
+      mime = Mime.new @executable_name, @executable_path
+      return unless mime.resolve_mime_type
+
+      # Then find out required libraries
+
+      library_mounts = []
+
+      library_object = ::Bwrap::Args::Library.new
+      libraries = library_object.libraries_needed_by mime.executable_path
+
+      # TODO: following is bad?
+      #library_object.needed_libraries(mime.executable_path).each do |library|
+      libraries.each do |library|
+        library_mounts << "--ro-bind" << library << library
+      end
+
+      @args.append library_mounts
+    end
+
+    # Some features, like {Bwrap::Config::Features::Nscd}, requires some binds
+    # in order to operate properly.
+    def binds_for_features
+      # NOTE: Still nothing here, as I think this is better for library binds than anything else.
+      # The nscd bind is better in another, more generic, place.
+      #
+      # Keeping this method because I think this really makes sense for structure, in future.
+
+      ruby_binds_for_features
+    end
+
+    # Used by {#libs_command_requires}.
+    private def resolve_executable_name command
+      if command.is_a? String
+        return command
+      end
+
+      # Array-like.
+      if command.respond_to? :at
+        return command.at(0)
+      end
+
+      raise "Can’t recognize type of given command. Type: #{command.class}"
+    end
+
+    # @warning Requires environment paths to be resolved beforehand.
+    #
+    # Used by {#libs_command_requires}.
+    private def resolve_executable_path executable_name, not_inside_root: nil
+      if @config&.command_inside_root.nil? or not_inside_root
+        return which executable_name
+      end
+
+      paths = @environment.env_paths.map do |path|
+        "#{@config.root}/#{path}"
+      end
+      env_path = paths.join ":"
+
+      which executable_name, env_path_var: env_path
+    end
+
+    private def ruby_binds_for_features
+      return unless @config.features.ruby.enabled?
+
+      binds = RubyBinds.new @args
+      binds.config = @config
+      binds.ruby_binds_for_features
+    end
+  end
+end

data/lib/bwrap/args/bind/mime.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require "bwrap/execution"
+require "bwrap/output"
+
+class Bwrap::Args::Bind
+  # Inner class to clean up namespace for implementation specific reasons.
+  #
+  # @api private
+  class Mime
+    include Bwrap::Execution
+    include Bwrap::Output
+
+    # Name given to {#initialize}.
+    attr_reader :executable_name
+
+    # Either path given to {#initialize} or one parsed from shebang.
+    attr_reader :executable_path
+
+    def initialize executable_name, executable_path
+      @executable_name = executable_name
+      @executable_path = executable_path
+    end
+
+    # Used by {Bwrap::Args::Bind::Library#libs_command_requires}.
+    #
+    # @return false if caller should also return
+    def resolve_mime_type
+      mime_type = execvalue %W{ file --brief --mime-type #{@executable_path} }
+      trace "Mime type of #{@executable_path} is #{mime_type}"
+      return true unless mime_type[0..6] == "text/x-"
+
+      shebang = File.open @executable_path, &:readline
+      if shebang[0..1] != "#!"
+        warn "Executable #{@executable_name} was recognized as #{mime_type} but does not have " \
+             "proper shebang line. Skipping automatic library mounts."
+        return false
+      end
+
+      resolve_real_executable shebang
+
+      true
+    end
+
+    private def resolve_real_executable shebang
+      command_line = shebang.delete_prefix("#!").strip
+      real_executable, args = command_line.split " ", 2
+
+      if [ "/usr/bin/env", "/bin/env" ].include? real_executable
+        # First argument is name of the executable, resolved from PATH.
+        executable_name = args.split(" ", 2).first
+        real_executable = which executable_name
+      end
+
+      @executable_path = real_executable
+    end
+  end
+end

data/lib/bwrap/args/bind.rb

@@ -1,32 +1,50 @@
 # frozen_string_literal: true
 
+require "bwrap/execution"
+require "bwrap/output"
 require_relative "args"
+require_relative "bind/library"
 
 # Bind arguments for bwrap.
-module Bwrap::Args::Bind
+class Bwrap::Args::Bind
+  include Bwrap::Execution
+  include Bwrap::Output
+
+  # Array of parameters passed to bwrap.
+  attr_writer :args
+
+  # @see Bwrap::Args::Construct#command=
+  #
+  # @see (see Bwrap::Args::Construct#command=)
+  attr_writer :command
+
+  # Instance of {Bwrap::Config}.
+  attr_writer :config
+
+  # Instance of {Bwrap::Args::Environment}.
+  attr_writer :environment
+
   # Arguments to bind /dev/dri from host to sandbox.
-  private def bind_dev_dri
-    %w{ --dev-bind /dev/dri /dev/dri }
+  def bind_dev_dri
+    @args.append %w{ --dev-bind /dev/dri /dev/dri }
   end
 
   # Arguments to bind /sys/dev/char from host to sandbox.
-  private def bind_sys_dev_char
-    %w{ --ro-bind /sys/dev/char /sys/dev/char }
+  def bind_sys_dev_char
+    @args.append %w{ --ro-bind /sys/dev/char /sys/dev/char }
   end
 
   # Arguments to bind /sys/devices/pci0000:00 from host to sandbox.
-  private def bind_pci_devices
-    %w{ --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 }
+  def bind_pci_devices
+    @args.append %w{ --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 }
   end
 
   # Arguments to bind home directory from sandbox directory (`#{@config.sandbox_directory}/home`)
   # as `/home/#{@config.user}`.
   #
   # @note Requires @config.user to be set.
-  private def bind_home_directory
-    unless @config.user
-      raise "Tried to bind user directory without user being set."
-    end
+  def bind_home_directory
+    return unless @config.user
 
     home_directory = "#{@config.sandbox_directory}/home"
 
@@ -36,17 +54,60 @@ module Bwrap::Args::Bind
 
     @environment["HOME"] = "/home/#{@config.user}"
 
-    %W{ --bind #{home_directory} /home/#{@config.user} }
+    debug "Using #{home_directory} as /home/#{@config.user}"
+    @args.append %W{ --bind #{home_directory} /home/#{@config.user} }
   end
 
   # Arguments to read-only bind whole system inside sandbox.
-  private def full_system_mounts
+  def handle_system_mounts
     bindir_mounts = []
     binaries_from = @config.binaries_from
     binaries_from.each do |path|
       bindir_mounts << "--ro-bind" << path << path
     end
-    @environment["PATH"] = binaries_from.join(":")
+    @environment.add_to_path binaries_from
+
+    @args.append bindir_mounts
+
+    if debug?
+      debug "Using following bindir mounts:\n" \
+            "#{bindir_mounts}\n" \
+            "(Odd is key, even is value)"
+    end
+
+    libdir_mounts
+
+    library_bind = construct_library_bind
+
+    binds_for_features
+    library_bind.binds_for_features
+    library_bind.extra_executables_mounts
+
+    return unless @config.full_system_mounts
+
+    library_bind.libs_command_requires
+  end
+
+  # These are something user can specify to do custom --ro-bind binds.
+  def custom_read_only_binds
+    return unless @config.ro_binds
+
+    binds = []
+    @config.ro_binds.each do |source_path, destination_path|
+      binds << "--ro-bind" << source_path.to_s << destination_path.to_s
+    end
+
+    @args.append binds unless binds.empty?
+  end
+
+  # Performs cleanup operations after execution.
+  def cleanup
+    Bwrap::Args::Library.clear_needed_libraries_cache
+  end
+
+  # Used by {#handle_system_mounts}.
+  private def libdir_mounts
+    return unless @config.libdir_mounts
 
     libdir_mounts = %w{
       --ro-bind /lib /lib
@@ -55,24 +116,26 @@ module Bwrap::Args::Bind
       --ro-bind /usr/lib64 /usr/lib64
     }
 
-    system_mounts = bindir_mounts + libdir_mounts
     if debug?
-      debug "Using following system mounts:\n" \
-            "#{system_mounts}\n" \
+      debug "Using following libdir mounts:\n" \
+            "#{libdir_mounts}\n" \
             "(Odd is key, even is value)"
     end
-    system_mounts
+
+    @args.append libdir_mounts
   end
 
-  # These are something user can specify to do custom --ro-bind binds.
-  private def custom_read_only_binds
-    return [] unless @config.ro_binds
+  private def construct_library_bind
+    library_bind = Bwrap::Args::Bind::Library.new @args
+    library_bind.command = @command
+    library_bind.config = @config
+    library_bind.environment = @environment
 
-    binds = []
-    @config.ro_binds.each do |source_path, destination_path|
-      binds << "--ro-bind" << source_path.to_s << destination_path.to_s
-    end
+    library_bind
+  end
 
-    binds
+  # Binds feature specific common directories.
+  private def binds_for_features
+    # Nya.
   end
-end
+end

data/lib/bwrap/args/construct.rb

@@ -5,60 +5,90 @@ require "tempfile"
 require "bwrap/output"
 require_relative "bind"
 require_relative "environment"
+require_relative "features"
 require_relative "machine_id"
 require_relative "mount"
 
 # Constructs arguments for bwrap execution.
 class Bwrap::Args::Construct
   include Bwrap::Output
-  include Bwrap::Args::Bind
   include Bwrap::Args::Mount
 
   attr_writer :config
 
+  # Command that is executed inside bwrap sandbox.
+  #
+  # @note This is not used for anything vital, but some things, like
+  #   setting {Config#full_system_mounts=} uses this to resolve some
+  #   additional data.
+  #
+  # @param value [Array, String] Command with arguments
+  attr_writer :command
+
   # Constructs arguments for bwrap execution.
   def construct_bwrap_args
-    @environment = Bwrap::Args::Environment.new
-    @environment.config = @config
-    @machine_id = Bwrap::Args::MachineId.new
-    @machine_id.config = @config
-
-    [
-      xauthority_args,
-      @machine_id.machine_id,
-      resolv_conf,
-      full_system_mounts,
-      custom_read_only_binds,
-      create_user_dir,
-      read_only_pulseaudio,
-      dev_mount,
-      bind_dev_dri,
-      bind_sys_dev_char,
-      bind_pci_devices,
-      proc_mount,
-      tmp_as_tmpfs,
-      bind_home_directory,
-      "--unshare-all",
-      share_net,
-      hostname,
-      @environment.environment_variables,
-      "--die-with-parent",
-      "--new-session"
-    ]
+    @args = []
+    create_objects
+
+    root_mount
+    xauthority_args
+    machine_id = @machine_id.machine_id
+    @args.append machine_id if machine_id
+    resolv_conf
+    @bind.handle_system_mounts
+    @features.feature_binds
+    @bind.custom_read_only_binds
+    create_user_dir
+    read_only_pulseaudio
+    dev_mount
+    @bind.bind_dev_dri
+    @bind.bind_sys_dev_char
+    @bind.bind_pci_devices
+    proc_mount
+    tmp_as_tmpfs
+    @bind.bind_home_directory
+    @args.append "--unshare-all"
+    share_net
+    hostname
+    @args.append @environment.environment_variables
+    @args.append "--die-with-parent"
+    @args.append "--new-session"
+
+    @args.compact
   end
 
   # Performs cleanup operations after execution.
   def cleanup
     @machine_id&.cleanup
+    @bind&.cleanup
+  end
+
+  # Used by {#construct_bwrap_args}.
+  private def create_objects
+    @bind = Bwrap::Args::Bind.new
+    @bind.args = @args
+    @bind.command = @command
+    @bind.config = @config
+
+    @environment = Bwrap::Args::Environment.new
+    @environment.config = @config
+    @bind.environment = @environment
+
+    @features = Bwrap::Args::Features.new
+    @features.args = @args
+    @features.config = @config
+
+    @machine_id = Bwrap::Args::MachineId.new
+    @machine_id.config = @config
   end
 
   # Arguments for generating .Xauthority file.
   private def xauthority_args
-    return [] unless @config.xorg_application
+    return unless @config.xorg_application
 
     xauth_args = %W{ --ro-bind #{Dir.home}/.Xauthority #{Dir.home}/.Xauthority }
     debug "Binding following .Xauthority file: #{Dir.home}/.Xauthority"
-    xauth_args
+    @args.append xauth_args
   end
 
   # Arguments to read-only bind /etc/resolv.conf.
@@ -68,25 +98,29 @@ class Bwrap::Args::Construct
     source_resolv_conf = source_resolv_conf.realpath
 
     debug "Binding #{source_resolv_conf} as /etc/resolv.conf"
-    %W{ --ro-bind #{source_resolv_conf} /etc/resolv.conf }
+    @args.append %W{ --ro-bind #{source_resolv_conf} /etc/resolv.conf }
   end
 
   # Arguments to create `/run/user/#{uid}`.
   private def create_user_dir
     trace "Creating directory /run/user/#{uid}"
-    %W{ --dir /run/user/#{uid} }
+    @args.append %W{ --dir /run/user/#{uid} }
   end
 
   # Arguments to bind necessary pulseaudio data for audio support.
   private def read_only_pulseaudio
+    return unless @config.audio.include? :pulseaudio
+
     debug "Binding pulseaudio"
-    %W{ --ro-bind /run/user/#{uid}/pulse /run/user/#{uid}/pulse }
+    @args.append %W{ --ro-bind /run/user/#{uid}/pulse /run/user/#{uid}/pulse }
   end
 
   # Arguments to allow network connection inside sandbox.
   private def share_net
+    return unless @config.share_net
+
     verb "Sharing network"
-    %w{ --share-net }
+    @args.append %w{ --share-net }
   end
 
   # Arguments to set hostname to whatever is configured.
@@ -94,7 +128,7 @@ class Bwrap::Args::Construct
     return unless @config.hostname
 
     debug "Setting hostname to #{@config.hostname}"
-    %W{ --hostname #{@config.hostname} }
+    @args.append %W{ --hostname #{@config.hostname} }
   end
 
   # Returns current user id.