bwrap 1.0.0.pre.alpha4 → 1.0.0.pre.alpha5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5101d7848dccd6da3f68fc02f08b37ec1cfadc516b45cb964265a3f0a60e8ea3
-  data.tar.gz: 6dbf98ccc5faba3385ce8fe6f9890f9e7369860531e4161c8092611c18a8ca02
+  metadata.gz: dfb5f9bdbcf68df6068aebca204e72ef9272829b1f8db11c34e5a4da469cc2c7
+  data.tar.gz: 5f19c25ecad9b7f4923f80a6d61c87c6382671667f6b39eed0198befbb8eccd2
 SHA512:
-  metadata.gz: 690e7e3f4911d80d5384aa10fc8c7dab6ed86c597dc691a66a396efccf15dc06e3ee29586afe687e4f92670eea049d2e76e034a2147eed9a9abcb9b894c99e67
-  data.tar.gz: d0a5312ab4ef5814885fd928f1359fd9ba69d7f36224c8671d79396ab635f1f8c23fd21a16712e62ca4b566cc51138b0f654e5cd8e3304f30cf10d492bbdc991
+  metadata.gz: c9682aff2b43180fee0e8d7b2b7234d4bb516e86c85dcabc5b40a1047284f9f5bf9e0641dff80483e4645b8aa4bd06c9b9de8ba1b43cd78af3b77de1060c8ad6
+  data.tar.gz: cadd731077ff175b86cf0d56f17dd1c2cb3123e5d9b1dcff17156da5d706d7da12274bc59297ae925c1f07ea5b3a325c999c942048c2c5b165755934ae16d2f8

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changes
 
+## 1.0.0-alpha5 (29.11.2021)
+
+* Execution#command_available?: support absolute paths
+* Execution#which: support absolute paths
+* Many miscellaneous fixes
+
 ## 1.0.0-alpha4 (22.11.2021)
 
 * Allow use without home directory set

data/README.md

@@ -31,3 +31,5 @@ Please see [API documentation](https://www.rubydoc.info/gems/bwrap) for usage in
 ## Contributing
 
 Bug reports and pull requests are welcome at https://git.sr.ht/~smar/ruby-bwrap.
+
+Gerrit instance https://gerrit.smar.fi/admin/repos/ruby-bwrap can also be used.

data/lib/bwrap/args/bind.rb

@@ -52,7 +52,7 @@ class Bwrap::Args::Bind
       shebang = File.open @executable_path, &:readline
       if shebang[0..1] != "#!"
         warn "Executable #{@executable_name} was recognized as #{mime_type} but does not have " \
-              "proper shebang line. Skipping automatic library mounts."
+             "proper shebang line. Skipping automatic library mounts."
         return false
       end
 
@@ -173,7 +173,8 @@ class Bwrap::Args::Bind
   # @warning scanelf does not play with spaces in names well. This method assumes that libraries
   #   have no spaces in names, though binaries can have.
   #
-  # @todo Ensure scanelf is available (and throw proper error if it is not, telling to not use full_system_mounts option.)
+  # @todo Ensure scanelf is available (and throw proper error if it is not, telling to not use
+  #   full_system_mounts option.)
   private def libs_command_requires
     executable_name = @command.is_a?(String) && @command || @command[0]
     executable_path = which executable_name
@@ -189,11 +190,14 @@ class Bwrap::Args::Bind
     library_mounts = []
 
     library_object = Bwrap::Args::Library.new
-    library_object.needed_libraries(mime.executable_path).each do |library|
+    libraries = library_object.libraries_needed_by mime.executable_path
+
+    # TODO: following is bad?
+    #library_object.needed_libraries(mime.executable_path).each do |library|
+    libraries.each do |library|
       library_mounts << "--ro-bind" << library << library
     end
 
     @args.append library_mounts
   end
-
 end

data/lib/bwrap/args/features.rb

@@ -10,6 +10,39 @@ require_relative "library"
 class Bwrap::Args::Features < Hash
   include Bwrap::Output
 
+  # @api internal
+  class RubyBinds
+    attr_reader :mounts
+
+    # Bind system paths so scripts works inside sandbox.
+    def sitedir_mounts
+      mounts = []
+      mounts << "--ro-bind" << RbConfig::CONFIG["sitedir"] << RbConfig::CONFIG["sitedir"]
+      mounts << "--ro-bind" << RbConfig::CONFIG["rubyhdrdir"] << RbConfig::CONFIG["rubyhdrdir"]
+      mounts << "--ro-bind" << RbConfig::CONFIG["rubylibdir"] << RbConfig::CONFIG["rubylibdir"]
+      mounts << "--ro-bind" << RbConfig::CONFIG["vendordir"] << RbConfig::CONFIG["vendordir"]
+
+      mounts
+    end
+
+    # Create binds for required system libraries.
+    #
+    # These are in path like /usr/lib64/ruby/2.5.0/x86_64-linux-gnu/,
+    # and as they are mostly shared libraries, they may have some extra
+    # dependencies that also need to be bound inside the sandbox.
+    def stdlib_mounts stdlib
+      library_mounts = []
+      library = Bwrap::Args::Library.new
+      stdlib.each do |lib|
+        path = "#{RbConfig::CONFIG["rubyarchdir"]}/#{lib}.so"
+
+        library.needed_libraries(path).each do |requisite_library|
+          library_mounts << "--ro-bind" << requisite_library << requisite_library
+        end
+      end
+    end
+  end
+
   # {Array} of parameters passed to bwrap.
   attr_writer :args
 
@@ -20,36 +53,14 @@ class Bwrap::Args::Features < Hash
     ruby_binds
   end
 
-  # @note This does not allow development headers needed for compilation for now. I’ll look at it after I have an use for it.
+  # @note This does not allow development headers needed for compilation for now.
+  #   I’ll look at it after I have an use for it.
   private def ruby_binds
     return unless @config.features.ruby.enabled?
 
-    # Bind system paths so scripts works inside sandbox.
-
-    mounts = []
-    mounts << "--ro-bind" << RbConfig::CONFIG["sitedir"] << RbConfig::CONFIG["sitedir"]
-    mounts << "--ro-bind" << RbConfig::CONFIG["rubyhdrdir"] << RbConfig::CONFIG["rubyhdrdir"]
-    mounts << "--ro-bind" << RbConfig::CONFIG["rubylibdir"] << RbConfig::CONFIG["rubylibdir"]
-    mounts << "--ro-bind" << RbConfig::CONFIG["vendordir"] << RbConfig::CONFIG["vendordir"]
-
-    @args.append mounts
-
-    # Create binds for required system libraries.
-    #
-    # These are in path like /usr/lib64/ruby/2.5.0/x86_64-linux-gnu/,
-    # and as they are mostly shared libraries, they may have some extra
-    # dependencies that also need to be bound inside the sandbox.
-
-    library_mounts = []
-    library = Bwrap::Args::Library.new
-    @config.features.ruby.stdlib.each do |lib|
-      path = "#{RbConfig::CONFIG["rubyarchdir"]}/#{lib}.so"
-
-      library.needed_libraries(path).each do |library|
-        library_mounts << "--ro-bind" << library << library
-      end
-    end
+    binds = RubyBinds.new
 
-    @args.append library_mounts
+    @args.append binds.sitedir_mounts
+    @args.append binds.stdlib_mounts @config.features.ruby.stdlib
   end
 end

data/lib/bwrap/args/library.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 
 require "bwrap/execution"
 require "bwrap/output"
@@ -10,14 +11,65 @@ class Bwrap::Args::Library
   include Bwrap::Execution
   include Bwrap::Output
 
+  # NOTE: This caching can be made more efficient, but need to look at it later, what to do about it.
+  @@needed_libraries_cache ||= []
+
+  # Otherwise similar to {#needed_libraries}, but checks used libc to handle musl executables.
+  #
+  # @param executable [String] Path to the executable to find dependencies for
+  def libraries_needed_by executable
+    # %i == interpreter, the library used to load the executable by kernel.
+    # %F == Path to given file.
+    output_format = "%i::SEPARATOR::%F"
+    scanelf_command = %W{ scanelf --nobanner --quiet --format #{output_format} }
+    scanelf_command << executable
+
+    data = execvalue scanelf_command
+    data = data.strip
+    interpreter, _executable_path = data.split "::SEPARATOR::"
+    interpreter = Pathname.new interpreter
+
+    if interpreter.basename.to_s[0..6] == "ld-musl"
+      musl_needed_libraries executable
+    else
+      # For glibc, scanelf can return full paths for us most of time.
+      needed_libraries executable
+    end
+  end
+
+  # @param binary_paths [String, Array] one or more paths to be resolved
+  #
+  # @todo Maybe caching should be done here too?
+  def musl_needed_libraries binary_paths
+    trace "Finding musl libraries #{binary_paths} requires"
+    @needed_libraries = []
+
+    if binary_paths.is_a? String
+      binary_paths = [ binary_paths ]
+    end
+
+    binary_paths.each do |binary_path|
+      output = execvalue %W{ ldd #{binary_path} }
+      lines = output.split "\n"
+      _interpreter_line = lines.shift
+
+      lines.each do |line|
+        parse_ldd_line line
+      end
+    end
+
+    @needed_libraries
+  end
+
   # Used by {Bwrap::Args::Bind#libs_command_requires}.
+  #
+  # @param binary_paths [String, Array] one or more paths to be resolved
   def needed_libraries binary_paths
     trace "Finding libraries #{binary_paths} requires"
     @needed_libraries = []
-    # NOTE: This caching can be made more efficient, but need to look at it later, what to do about it.
-    @@needed_libraries_cache ||= []
 
-    output_format = "%F:libraries:%n"
+    # %i == interpreter, the library used to load the executable by kernel.
+    output_format = "%F::SEPARATOR::%n"
     scanelf_command = %W{ scanelf --nobanner --quiet --format #{output_format} --ldcache --needed }
 
     if binary_paths.is_a? String
@@ -44,7 +96,7 @@ class Bwrap::Args::Library
 
   # Used by {#needed_libraries}.
   private def parse_scanelf_line line
-    binary_path, libraries_line = line.split ":libraries:"
+    binary_path, libraries_line = line.split "::SEPARATOR::"
     libraries = libraries_line.split ","
 
     @needed_libraries += libraries
@@ -59,5 +111,20 @@ class Bwrap::Args::Library
       @@needed_libraries_cache << library
     end
   end
+
+  # Used by {#musl_needed_libraries}.
+  private def parse_ldd_line line
+    line = line.strip
+    _library_name, library_data = line.split " => "
+
+    matches = library_data.match(/(.*) \(0x[0-9a-f]+\)/)
+    library_path = matches[1]
+
+    @needed_libraries << library_path
+
+    # Also check if requisite libraries needs some libraries.
+    inner = Bwrap::Args::Library.new
+    @needed_libraries += inner.musl_needed_libraries library_path
+  end
 end
 # class Library ended

data/lib/bwrap/config.rb

@@ -100,7 +100,8 @@ class Bwrap::Config
       #
       # Among others, binds RbConfig::CONFIG["sitedir"] so scripts works.
       #
-      # @note This does not allow development headers needed for compilation for now. I’ll look at it after I have an use for it.
+      # @note This does not allow development headers needed for compilation for now.
+      #   I’ll look at it after I have an use for it.
       def enable
         @enabled = true
       end

data/lib/bwrap/execution/execute.rb

@@ -95,7 +95,7 @@ class Bwrap::Execution::Execute
   # Stub to instruct implementation in subclass.
   def self.prepend_rootcmd command, rootcmd:
     raise NotImplementedError, "If rootcmd execution is necessary, monkey patch Bwrap::Execution::Execute " \
-          "to add “self.prepend_rootcmd(command, rootcmd:)” method."
+                               "to add “self.prepend_rootcmd(command, rootcmd:)” method."
   end
 
   # Used by `#handle_logging`.

data/lib/bwrap/execution/path.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require "bwrap/output"
+
+# Path checking methods.
+module Bwrap::Execution::Path
+  # @api internal
+  class Environment
+    def self.each_env_path command
+      exts = ENV["PATHEXT"] ? ENV["PATHEXT"].split(";") : [ "" ]
+
+      ENV["PATH"].split(File::PATH_SEPARATOR).each do |env_path|
+        exts.each do |ext|
+          exe = File.join(env_path, "#{command}#{ext}")
+          yield exe
+        end
+      end
+    end
+  end
+
+  # Check if requested program can be found.
+  #
+  # Should work cross-platform and in restricted environents pretty well.
+  private def command_available? command
+    # Special handling for absolute paths.
+    path = Pathname.new command
+    if path.absolute?
+      if path.executable? && !path.directory?
+        return true
+      end
+
+      return false
+    end
+
+    Bwrap::Execution::Path::Environment.each_env_path command do |exe|
+      return true if File.executable?(exe) && !File.directory?(exe)
+    end
+
+    false
+  end
+
+  # Returns path to given executable.
+  private def which command, fail: true
+    # Special handling for absolute paths.
+    path = Pathname.new command
+    if path.absolute?
+      if path.executable?
+        return command
+      end
+
+      raise CommandNotFound.new command: command if fail
+
+      return nil
+    end
+
+    Bwrap::Execution::Path::Environment.each_env_path command do |exe|
+      return exe if File.executable?(exe) && !File.directory?(exe)
+    end
+
+    return nil unless fail
+
+    raise CommandNotFound.new command: command
+  end
+end

data/lib/bwrap/execution.rb

@@ -3,12 +3,14 @@
 require "bwrap/version"
 require "bwrap/output"
 require_relative "execution/execute"
+require_relative "execution/path"
 
 # @abstract Module to be included in a class that needs to execute commands.
 #
 # Methods to execute processes.
 module Bwrap::Execution
   include Bwrap::Output
+  include Bwrap::Execution::Path
 
   # Unspecified execution related error.
   class CommandError < StandardError
@@ -18,6 +20,19 @@ module Bwrap::Execution
   class ExecutionFailed < CommandError
   end
 
+  # Thrown if given command was not found.
+  class CommandNotFound < CommandError
+    # Command that was looked at.
+    attr_reader :command
+
+    def initialize command:
+      @command = command
+      msg = "Failed to find #{command} from PATH."
+
+      super msg
+    end
+  end
+
   # Actual implementation of execution command. Can be used when static method is needed.
   #
   # @note When an array is given as a command, empty strings are passed as empty arguments.
@@ -83,33 +98,6 @@ module Bwrap::Execution
     @last_status
   end
 
-  # Check if requested program can be found.
-  #
-  # Should work cross-platform and in restricted environents pretty well.
-  private def command_available? command
-    exts = ENV["PATHEXT"] ? ENV["PATHEXT"].split(";") : [ "" ]
-    ENV["PATH"].split(File::PATH_SEPARATOR).each do |path|
-      exts.each do |ext|
-        exe = File.join(path, "#{command}#{ext}")
-        return true if File.executable?(exe) && !File.directory?(exe)
-      end
-    end
-    false
-  end
-
-  # Returns path to given executable.
-  private def which command, fail: true
-    exts = ENV["PATHEXT"] ? ENV["PATHEXT"].split(";") : [ "" ]
-    ENV["PATH"].split(File::PATH_SEPARATOR).each do |path|
-      exts.each do |ext|
-        exe = File.join(path, "#{command}#{ext}")
-        return exe if File.executable?(exe) && !File.directory?(exe)
-      end
-    end
-    error "Failed to find #{command} from PATH." if fail
-    nil
-  end
-
   # Execute a command.
   #
   # This method can be used by including Execution module in a class that should be able to

data/lib/bwrap/output.rb

@@ -81,13 +81,16 @@ module Bwrap::Output
   # Aborts current process.
   #
   # Use this instead of Ruby’s #exit in order to filter out dummy #exit calls from the code.
-  def self.error_output str = nil, label: :unspecified, log_callback: 1
+  def self.error_output str = nil, label: :unspecified, log_callback: 1, raise_exception: false
     unless str.nil?
       out = Bwrap::Output::Levels.error_print_formatted str, log_callback: (log_callback + 1)
       Bwrap::Output::Log.puts_to_log out
     end
 
-    exit Bwrap::Execution::Labels.resolve_exit_code(label)
+    exit_code = Bwrap::Execution::Labels.resolve_exit_code(label)
+    raise str if raise_exception
+
+    exit exit_code
   end
 
   # @return true if --verbose, --debug or --trace has been passed, false if not.
@@ -147,7 +150,8 @@ module Bwrap::Output
   #
   # @param str String to be outputted
   # @param label [Symbol] Exit label accepted by {Bwrap::Execution.resolve_exit_code}
-  private def error str = nil, label: :unspecified
-    Bwrap::Output.error_output(str, label: label, log_callback: 2)
+  # @param raise [Boolean] if true, an exception is raised instead of just existing with exit code.
+  private def error str = nil, label: :unspecified, raise_exception: false
+    Bwrap::Output.error_output(str, label: label, log_callback: 2, raise_exception: raise_exception)
   end
 end

data/lib/bwrap/version.rb

@@ -3,7 +3,7 @@
 # bwrap command runner tools.
 module Bwrap
   # Current version of bwrap.
-  VERSION = "1.0.0-alpha4"
+  VERSION = "1.0.0-alpha5"
 end
 
 require "deep-cover" if ENV["DEEP_COVER"]

data/lib/bwrap.rb

@@ -19,7 +19,7 @@ class Bwrap::Bwrap
 
   # Parses command line arguments given to caller script.
   def parse_command_line_arguments
-    options = optimist_cli_args
+    options = parse_options
 
     Bwrap::Output.handle_output_options options
   end
@@ -44,8 +44,12 @@ class Bwrap::Bwrap
   end
 
   # Parses global bwrap flags using Optimist.
-  private def optimist_cli_args
-    Optimist.options do
+  #
+  # Sets instance variable `@cli_args`.
+  #
+  # @return [Hash] options parsed by {Optimist.options}
+  private def parse_options
+    options = Optimist.options do
       version ::Bwrap::VERSION
 
       banner "Usage:"
@@ -71,5 +75,7 @@ class Bwrap::Bwrap
     end
 
     @cli_args = ARGV.dup
+
+    options
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bwrap
 version: !ruby/object:Gem::Version
-  version: 1.0.0.pre.alpha4
+  version: 1.0.0.pre.alpha5
 platform: ruby
 authors:
 - Samu Voutilainen
@@ -34,7 +34,7 @@ cert_chain:
   X4ioQwEn1/9tHs19VO1CLF58451HgEo1BXd7eWLmV1V5cqw0YWok1ly4L/Su/Phf
   MRxVMHiVAqY=
   -----END CERTIFICATE-----
-date: 2021-11-22 00:00:00.000000000 Z
+date: 2021-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: optimist
@@ -56,14 +56,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '1.16'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '1.16'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -145,6 +145,7 @@ files:
 - lib/bwrap/execution/execute.rb
 - lib/bwrap/execution/execution.rb
 - lib/bwrap/execution/labels.rb
+- lib/bwrap/execution/path.rb
 - lib/bwrap/output.rb
 - lib/bwrap/output/colors.rb
 - lib/bwrap/output/levels.rb
@@ -158,6 +159,7 @@ metadata:
   homepage_uri: https://git.sr.ht/~smar/ruby-bwrap
   source_code_uri: https://git.sr.ht/~smar/ruby-bwrap
   changelog_uri: https://git.sr.ht/~smar/ruby-bwrap/tree/master/item/CHANGELOG.md
+  rubygems_mfa_required: 'false'
 post_install_message: 
 rdoc_options: []
 require_paths: