bwrap 1.0.0.pre.alpha5 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dfb5f9bdbcf68df6068aebca204e72ef9272829b1f8db11c34e5a4da469cc2c7
-  data.tar.gz: 5f19c25ecad9b7f4923f80a6d61c87c6382671667f6b39eed0198befbb8eccd2
+  metadata.gz: e422d8c89dbcf1a803b89532b1214745f558faceaa5dc997ed2487bf92912010
+  data.tar.gz: 1e265d4aaeb7e05e2b4ff5d8d5f490afb4be04287c0aaeaedc96abf4f2f1022e
 SHA512:
-  metadata.gz: c9682aff2b43180fee0e8d7b2b7234d4bb516e86c85dcabc5b40a1047284f9f5bf9e0641dff80483e4645b8aa4bd06c9b9de8ba1b43cd78af3b77de1060c8ad6
-  data.tar.gz: cadd731077ff175b86cf0d56f17dd1c2cb3123e5d9b1dcff17156da5d706d7da12274bc59297ae925c1f07ea5b3a325c999c942048c2c5b165755934ae16d2f8
+  metadata.gz: 86198210a21a75e373e15341d564fc0941d08066d5272b454b64530e3bcce951f0e402c4a9a9f7e34f60d76fbe72140aabab40637e539ec2ef2412a60ebf0f77
+  data.tar.gz: 2aa60e671d0e8da2fb2d59cf68bc3043d350b557e16c0b81b8a1e62240f24f2d44dfb143b7fb66ab50bac9e51122865326d2290138b35506cd6a6bdabe2b4402

data/CHANGELOG.md

@@ -1,5 +1,31 @@
 # Changes
 
+## 1.0.0 (16.04.2022)
+
+* Handle invalid output to loggers
+
+## 1.0.0-beta2 (02.02.2022)
+
+* Added nscd feature
+* Added gem_env_paths to ruby feature
+* If Config#root is set, set working directory to /
+* Execution#execvalue: Allow setting log: true
+* Execution#execvalue: pass all kwargs as kwargs to execute()
+* Output::Log: Don’t die if log file can’t be written to
+
+## 1.0.0-beta1 (12.12.2021)
+
+* optimist gem is now optional dependency
+* Added Config#env_paths and Config#add_env_path
+* Added Config#command_inside_root
+* Added Bwrap#run_inside_root convenience method
+* Execution#command_available?: added env_path_var argument
+* Execution#which: added env_path_var argument
+* Be able to resolve /usr/bin/env to real executable
+* Try to avoid duplicate library binds
+* Added Config#extra_executables
+* Added Config::Features::Bash
+
 ## 1.0.0-alpha5 (29.11.2021)
 
 * Execution#command_available?: support absolute paths

data/lib/bwrap/args/args.rb

@@ -2,7 +2,11 @@
 
 require "bwrap/version"
 
-# bwrap argument related operations.
+# Classes that are used for building arguments.
+#
+# @note Classes inside here are kind of pseudo-internal API.
+#   In future, there may be some use for classes inside here, but for now they are
+#   only used internally.
 module Bwrap::Args
   # Nya.
 end

data/lib/bwrap/args/bind/library.rb

@@ -0,0 +1,188 @@
+# frozen_string_literal: true
+
+require "bwrap/execution/path"
+require "bwrap/output"
+require_relative "../library"
+require_relative "mime"
+
+class Bwrap::Args::Bind
+  # TODO: documentation
+  #
+  # TODO: It may be that this should be renamed to “Binary” or ”Executable”, as this
+  # handles all binaries, not just libraries.
+  #
+  # @api private
+  class Library
+    include Bwrap::Execution::Path
+    include Bwrap::Output
+
+    # @see Bwrap::Args::Construct#command=
+    #
+    # @see (see Bwrap::Args::Construct#command=)
+    attr_writer :command
+
+    # Instance of {Bwrap::Config}.
+    attr_writer :config
+
+    # Instance of {Bwrap::Args::Environment}.
+    attr_writer :environment
+
+    attr_writer :executable_name
+
+    attr_writer :executable_path
+
+    # Ruby feature implementation specific class.
+    #
+    # @api private
+    class RubyBinds
+      # Instance of {Bwrap::Config}.
+      attr_writer :config
+
+      def initialize args
+        @args = args
+      end
+
+      def ruby_binds_for_features
+        return unless @config and @config.features.ruby.enabled?
+
+        @mounts = []
+
+        # Mount some common Ruby executables.
+
+        # This is most often /usr/bin.
+        bindir = Pathname.new RbConfig::CONFIG["bindir"]
+
+        path = bindir / "ruby"
+        if File.exist? path
+          @mounts << "--ro-bind" << path.to_s << path.to_s
+        end
+
+        gem_binds bindir
+
+        @args += @mounts
+      end
+
+      private def gem_binds bindir
+        return unless @config.features.ruby.gem_env_paths?
+
+        path = bindir / "gem"
+        return unless File.exist? path
+
+        @mounts << "--ro-bind" << path.to_s << path.to_s
+      end
+    end
+
+    def initialize args
+      @args = args
+    end
+
+    def extra_executables_mounts
+      return unless @config&.extra_executables
+
+      @config.extra_executables.each do |executable|
+        @executable_name = resolve_executable_name executable
+        @executable_path = resolve_executable_path @executable_name, not_inside_root: true
+
+        @args.append %W{ --ro-bind #{@executable_path} #{@executable_path} }
+
+        resolve_executable_libraries
+      end
+    end
+
+    # Convenience method to call {#resolve_executable_libraries}.
+    #
+    # Used by {#handle_system_mounts}.
+    def libs_command_requires
+      @executable_name = resolve_executable_name @command
+      @executable_path = resolve_executable_path @executable_name
+
+      # Actually add the executable to be bound to the sandbox.
+      unless @config&.command_inside_root
+        @args.append %W{ --ro-bind #{@executable_path} #{@executable_path} }
+      end
+
+      resolve_executable_libraries
+    end
+
+    # Does some inspection to find out libraries given executable needs in order to work.
+    #
+    # @warning scanelf does not play with spaces in names well. This method assumes that libraries
+    #   have no spaces in names, though binaries can have.
+    #
+    # @todo Ensure scanelf is available (and throw proper error if it is not, telling to not use
+    #   full_system_mounts option.)
+    def resolve_executable_libraries
+      trace "Resolving executable libraries of #{@executable_path}"
+
+      # TODO: Put this behind additional flag for extra control/sanity.
+      # Some executables are shell scripts and similar. For them we need to use the interpreter.
+
+      mime = Mime.new @executable_name, @executable_path
+      return unless mime.resolve_mime_type
+
+      # Then find out required libraries
+
+      library_mounts = []
+
+      library_object = ::Bwrap::Args::Library.new
+      libraries = library_object.libraries_needed_by mime.executable_path
+
+      # TODO: following is bad?
+      #library_object.needed_libraries(mime.executable_path).each do |library|
+      libraries.each do |library|
+        library_mounts << "--ro-bind" << library << library
+      end
+
+      @args.append library_mounts
+    end
+
+    # Some features, like {Bwrap::Config::Features::Nscd}, requires some binds
+    # in order to operate properly.
+    def binds_for_features
+      # NOTE: Still nothing here, as I think this is better for library binds than anything else.
+      # The nscd bind is better in another, more generic, place.
+      #
+      # Keeping this method because I think this really makes sense for structure, in future.
+
+      ruby_binds_for_features
+    end
+
+    # Used by {#libs_command_requires}.
+    private def resolve_executable_name command
+      if command.is_a? String
+        return command
+      end
+
+      # Array-like.
+      if command.respond_to? :at
+        return command.at(0)
+      end
+
+      raise "Can’t recognize type of given command. Type: #{command.class}"
+    end
+
+    # @warning Requires environment paths to be resolved beforehand.
+    #
+    # Used by {#libs_command_requires}.
+    private def resolve_executable_path executable_name, not_inside_root: nil
+      if @config&.command_inside_root.nil? or not_inside_root
+        return which executable_name
+      end
+
+      paths = @environment.env_paths.map do |path|
+        "#{@config.root}/#{path}"
+      end
+      env_path = paths.join ":"
+
+      which executable_name, env_path_var: env_path
+    end
+
+    private def ruby_binds_for_features
+      return unless @config.features.ruby.enabled?
+
+      binds = RubyBinds.new @args
+      binds.config = @config
+      binds.ruby_binds_for_features
+    end
+  end
+end

data/lib/bwrap/args/bind/mime.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require "bwrap/execution"
+require "bwrap/output"
+
+class Bwrap::Args::Bind
+  # Inner class to clean up namespace for implementation specific reasons.
+  #
+  # @api private
+  class Mime
+    include Bwrap::Execution
+    include Bwrap::Output
+
+    # Name given to {#initialize}.
+    attr_reader :executable_name
+
+    # Either path given to {#initialize} or one parsed from shebang.
+    attr_reader :executable_path
+
+    def initialize executable_name, executable_path
+      @executable_name = executable_name
+      @executable_path = executable_path
+    end
+
+    # Used by {Bwrap::Args::Bind::Library#libs_command_requires}.
+    #
+    # @return false if caller should also return
+    def resolve_mime_type
+      mime_type = execvalue %W{ file --brief --mime-type #{@executable_path} }
+      trace "Mime type of #{@executable_path} is #{mime_type}"
+      return true unless mime_type[0..6] == "text/x-"
+
+      shebang = File.open @executable_path, &:readline
+      if shebang[0..1] != "#!"
+        warn "Executable #{@executable_name} was recognized as #{mime_type} but does not have " \
+             "proper shebang line. Skipping automatic library mounts."
+        return false
+      end
+
+      resolve_real_executable shebang
+
+      true
+    end
+
+    private def resolve_real_executable shebang
+      command_line = shebang.delete_prefix("#!").strip
+      real_executable, args = command_line.split " ", 2
+
+      if [ "/usr/bin/env", "/bin/env" ].include? real_executable
+        # First argument is name of the executable, resolved from PATH.
+        executable_name = args.split(" ", 2).first
+        real_executable = which executable_name
+      end
+
+      @executable_path = real_executable
+    end
+  end
+end

data/lib/bwrap/args/bind.rb

@@ -3,7 +3,7 @@
 require "bwrap/execution"
 require "bwrap/output"
 require_relative "args"
-require_relative "library"
+require_relative "bind/library"
 
 # Bind arguments for bwrap.
 class Bwrap::Args::Bind
@@ -18,52 +18,12 @@ class Bwrap::Args::Bind
   # @see (see Bwrap::Args::Construct#command=)
   attr_writer :command
 
-  # Instance of {Config}.
+  # Instance of {Bwrap::Config}.
   attr_writer :config
 
   # Instance of {Bwrap::Args::Environment}.
   attr_writer :environment
 
-  # Inner class to clean up namespace for implementation specific reasons.
-  #
-  # @api internal
-  class Mime
-    include Bwrap::Execution
-    include Bwrap::Output
-
-    # Name given to {#initialize}.
-    attr_reader :executable_name
-
-    # Either path given to {#initialize} or one parsed from shebang.
-    attr_reader :executable_path
-
-    def initialize executable_name, executable_path
-      @executable_name = executable_name
-      @executable_path = executable_path
-    end
-
-    # Used by {Bwrap::Args::Bind#libs_command_requires}.
-    #
-    # @return false if caller should also return
-    def resolve_mime_type
-      mime_type = execvalue %W{ file --brief --mime-type #{@executable_path} }
-      return true unless mime_type[0..6] == "text/x-"
-
-      shebang = File.open @executable_path, &:readline
-      if shebang[0..1] != "#!"
-        warn "Executable #{@executable_name} was recognized as #{mime_type} but does not have " \
-             "proper shebang line. Skipping automatic library mounts."
-        return false
-      end
-
-      shebang = shebang.delete_prefix("#!").strip
-      real_executable, _args = shebang.split " ", 2
-      @executable_path = real_executable
-
-      true
-    end
-  end
-
   # Arguments to bind /dev/dri from host to sandbox.
   def bind_dev_dri
     @args.append %w{ --dev-bind /dev/dri /dev/dri }
@@ -99,13 +59,13 @@ class Bwrap::Args::Bind
   end
 
   # Arguments to read-only bind whole system inside sandbox.
-  def full_system_mounts
+  def handle_system_mounts
     bindir_mounts = []
     binaries_from = @config.binaries_from
     binaries_from.each do |path|
       bindir_mounts << "--ro-bind" << path << path
     end
-    @environment["PATH"] = binaries_from.join(":")
+    @environment.add_to_path binaries_from
 
     @args.append bindir_mounts
 
@@ -117,10 +77,15 @@ class Bwrap::Args::Bind
 
     libdir_mounts
 
+    library_bind = construct_library_bind
+
+    binds_for_features
+    library_bind.binds_for_features
+    library_bind.extra_executables_mounts
+
     return unless @config.full_system_mounts
 
-    loader_binds
-    libs_command_requires
+    library_bind.libs_command_requires
   end
 
   # These are something user can specify to do custom --ro-bind binds.
@@ -132,10 +97,15 @@ class Bwrap::Args::Bind
       binds << "--ro-bind" << source_path.to_s << destination_path.to_s
     end
 
-    @args.append binds
+    @args.append binds unless binds.empty?
+  end
+
+  # Performs cleanup operations after execution.
+  def cleanup
+    Bwrap::Args::Library.clear_needed_libraries_cache
   end
 
-  # Used by {#full_system_mounts}.
+  # Used by {#handle_system_mounts}.
   private def libdir_mounts
     return unless @config.libdir_mounts
 
@@ -155,49 +125,17 @@ class Bwrap::Args::Bind
     @args.append libdir_mounts
   end
 
-  # Used by {#full_system_mounts}.
-  private def loader_binds
-    loader_mounts = []
-    path = "/lib64/ld-linux-x86-64.so.2"
-    loader_mounts << "--ro-bind" << path << path if File.exist? path
-    path = "/lib/ld-linux.so.2"
-    loader_mounts << "--ro-bind" << path << path if File.exist? path
+  private def construct_library_bind
+    library_bind = Bwrap::Args::Bind::Library.new @args
+    library_bind.command = @command
+    library_bind.config = @config
+    library_bind.environment = @environment
 
-    @args.append loader_mounts
+    library_bind
   end
 
-  # Does some inspection to find out libraries given executable needs in order to work.
-  #
-  # Used by {#full_system_mounts}.
-  #
-  # @warning scanelf does not play with spaces in names well. This method assumes that libraries
-  #   have no spaces in names, though binaries can have.
-  #
-  # @todo Ensure scanelf is available (and throw proper error if it is not, telling to not use
-  #   full_system_mounts option.)
-  private def libs_command_requires
-    executable_name = @command.is_a?(String) && @command || @command[0]
-    executable_path = which executable_name
-
-    # TODO: Put this behind additional flag for extra control/sanity.
-    # Some executables are shell scripts and similar. For them we need to use the interpreter.
-
-    mime = Mime.new executable_name, executable_path
-    return unless mime.resolve_mime_type
-
-    # Then find out required libraries
-
-    library_mounts = []
-
-    library_object = Bwrap::Args::Library.new
-    libraries = library_object.libraries_needed_by mime.executable_path
-
-    # TODO: following is bad?
-    #library_object.needed_libraries(mime.executable_path).each do |library|
-    libraries.each do |library|
-      library_mounts << "--ro-bind" << library << library
-    end
-
-    @args.append library_mounts
+  # Binds feature specific common directories.
+  private def binds_for_features
+    # Nya.
   end
 end

data/lib/bwrap/args/construct.rb

@@ -22,7 +22,7 @@ class Bwrap::Args::Construct
   #   setting {Config#full_system_mounts=} uses this to resolve some
   #   additional data.
   #
-  # @param command [Array, String] Command with arguments
+  # @param value [Array, String] Command with arguments
   attr_writer :command
 
   # Constructs arguments for bwrap execution.
@@ -35,7 +35,7 @@ class Bwrap::Args::Construct
     machine_id = @machine_id.machine_id
     @args.append machine_id if machine_id
     resolv_conf
-    @bind.full_system_mounts
+    @bind.handle_system_mounts
     @features.feature_binds
     @bind.custom_read_only_binds
     create_user_dir
@@ -60,6 +60,7 @@ class Bwrap::Args::Construct
   # Performs cleanup operations after execution.
   def cleanup
     @machine_id&.cleanup
+    @bind&.cleanup
   end
 
   # Used by {#construct_bwrap_args}.

data/lib/bwrap/args/environment.rb

@@ -1,24 +1,82 @@
 # frozen_string_literal: true
 
+require "bwrap/execution"
 require "bwrap/output"
 require_relative "args"
 
 # Environment variable calculation for bwrap.
 class Bwrap::Args::Environment < Hash
+  include Bwrap::Execution
   include Bwrap::Output
 
   # Instance of {Config}.
   attr_writer :config
 
-  # Returns used environment variables.
+  def initialize
+    super
+
+    self["PATH"] ||= []
+  end
+
+  # Returns used environment variables wrapped as bwrap arguments.
   def environment_variables
     if debug?
       debug "Passing following environment variables to bwrap:\n" \
             "#{self}"
     end
 
+    env_paths
+
     map do |key, value|
+      if key == "PATH" and value.respond_to? :join
+        value = value.join ":"
+      end
+
       [ "--setenv", key, value ]
     end
   end
+
+  # @return [Array] All environment paths added via {Config#add_env_path} and other parsing logic
+  def env_paths
+    if @config.env_paths.respond_to? :each
+      self["PATH"] |= @config.env_paths
+    end
+
+    features_env_paths
+
+    self["PATH"]
+  end
+
+  # Adds given paths to PATH environment variable defined in the sandbox.
+  #
+  # @param elements [String, Array] Path(s) to be added added to PATH environment variable
+  def add_to_path elements
+    if elements.respond_to? :each
+      self["PATH"] += elements
+    else
+      # Expecting elements to be single path element as a string.
+      self["PATH"] << elements
+    end
+  end
+
+  # Feature specific environment path handling.
+  private def features_env_paths
+    ruby_env_paths
+  end
+
+  # Ruby feature specific environment path handling.
+  private def ruby_env_paths
+    return unless @config.features.ruby.enabled?
+    return unless @config.features.ruby.gem_env_paths?
+
+    unless command_available? "gem"
+      warn "gem is not installed in the system, so can’t add its bindirs to PATH."
+      return
+    end
+
+    gempath = execvalue %w{ gem environment gempath }
+    gempath.split(":").each do |path|
+      self["PATH"] << "#{path}/bin"
+    end
+  end
 end

data/lib/bwrap/args/features.rb

@@ -10,8 +10,46 @@ require_relative "library"
 class Bwrap::Args::Features < Hash
   include Bwrap::Output
 
-  # @api internal
+  # Implementation for Bash feature set.
+  #
+  # @api private
+  class BashBinds
+    # Mounts stuff like /bin/bash.
+    def bash_mounts
+      mounts = []
+
+      if File.file? "/bin/bash"
+        mounts << "--ro-bind" << "/bin/bash" << "/bin/bash"
+      end
+      if File.file? "/usr/bin/bash"
+        mounts << "--ro-bind" << "/usr/bin/bash" << "/usr/bin/bash"
+      end
+
+      mounts
+    end
+  end
+
+  # Implementation for nscd feature set.
+  #
+  # @api private
+  class NscdBinds
+    # Custom binds needed by the feature.
+    def custom_binds
+      mounts = []
+
+      # TODO: Probably some path checking is needed here. Or somewhere.
+      # TODO: Since on many systems /var/run is symlinked to /run, that probably should be handled.
+      mounts << "--ro-bind" << "/var/run/nscd" << "/var/run/nscd"
+
+      mounts
+    end
+  end
+
+  # Implementation for Ruby feature set.
+  #
+  # @api private
   class RubyBinds
+    # Returns mounts needed by Ruby feature set.
     attr_reader :mounts
 
     # Bind system paths so scripts works inside sandbox.
@@ -40,19 +78,43 @@ class Bwrap::Args::Features < Hash
           library_mounts << "--ro-bind" << requisite_library << requisite_library
         end
       end
+
+      library_mounts
     end
   end
 
-  # {Array} of parameters passed to bwrap.
+  # `Array` of parameters passed to bwrap.
   attr_writer :args
 
   # Instance of {Config}.
   attr_writer :config
 
+  # Resolves binds required by different features.
+  #
+  # Currently implemented feature sets:
+  # - ruby
   def feature_binds
+    bash_binds
+    nscd_binds
     ruby_binds
   end
 
+  private def bash_binds
+    return unless @config.features.bash.enabled?
+
+    binds = BashBinds.new
+
+    @args.append binds.bash_mounts
+  end
+
+  private def nscd_binds
+    return unless @config.features.nscd.enabled?
+
+    binds = NscdBinds.new
+
+    @args.append binds.custom_binds
+  end
+
   # @note This does not allow development headers needed for compilation for now.
   #   I’ll look at it after I have an use for it.
   private def ruby_binds
@@ -61,6 +123,6 @@ class Bwrap::Args::Features < Hash
     binds = RubyBinds.new
 
     @args.append binds.sitedir_mounts
-    @args.append binds.stdlib_mounts @config.features.ruby.stdlib
+    @args.append binds.stdlib_mounts(@config.features.ruby.stdlib)
   end
 end