bwrap 1.0.0.pre.beta1 → 1.1.0.pre.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: db6e7253c0a896975954c0d649c68321958ade750f891f353ba30b9ea58880cb
-  data.tar.gz: 90f384499e8727660b9810711e0237ce604f8ef219ed415c210db16bcd764804
+  metadata.gz: a8b6393a69ed3aed4509adc16eb3f1cd6a91e0035d8460ab4a83b89aad6556c6
+  data.tar.gz: 4d6b6482993d86b2f481b5bc941ac7ff4186f3393be11f7aa8b28aa7670218f5
 SHA512:
-  metadata.gz: 03e6873b068e52bc0c9fbbc072f9fc1a411696ca3c09aabcee05c8e660e5a210030c13fab84348aee720e7bd431600a0b18c3be124dfcb955ac95c250d83aeec
-  data.tar.gz: 4183575c47d740dd74c88995add7b87366299e75b4a8edaa89c20d422cd73cbd957b411e5bd51b9c9eabcd3881d8af1ba85922ce806b2387d75a0f30d8abd377
+  metadata.gz: 04c68f504070bc0f1b5e4b6140430ce568c3c4aef5c3a61a62370c67e71638cd8e1ea5c0b410cc3852056165770af48758402c684b7d8887c127ea8986bfba4a
+  data.tar.gz: e0ae2b57a5f7b131754a984351af597c5881bee8cc6464db11eaf58cd6fe057abb82846fa433592ae199790678ff854ebca7de8db667948bac914b41a0ad5bb5

data/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changes
 
+## 1.1.0-rc1 (28.05.2022)
+
+* Added info log level
+* Added --quiet cli argument
+* Added more command and output to ExecutionFailed exception
+* Use script’s ruby version to load libraries
+
+## 1.0.0 (16.04.2022)
+
+* Handle invalid output to loggers
+
+## 1.0.0-beta2 (02.02.2022)
+
+* Added nscd feature
+* Added gem_env_paths to ruby feature
+* If Config#root is set, set working directory to /
+* Execution#execvalue: Allow setting log: true
+* Execution#execvalue: pass all kwargs as kwargs to execute()
+* Output::Log: Don’t die if log file can’t be written to
+
 ## 1.0.0-beta1 (12.12.2021)
 
 * optimist gem is now optional dependency

data/lib/bwrap/args/args.rb

@@ -8,5 +8,40 @@ require "bwrap/version"
 #   In future, there may be some use for classes inside here, but for now they are
 #   only used internally.
 module Bwrap::Args
-  # Nya.
+  # Used as container for arguments constructed via {Construct}.
+  #
+  # Where {Hash} defaults to nil as default argument, `Args` defaults to
+  # {Array}.
+  class Args < Hash
+    # Creates new instance of a hash for storing arguments.
+    #
+    # Where {Hash} defaults to nil as default argument, `Args` defaults to
+    # `[]`.
+    #
+    # @see Hash#initialize
+    def initialize(*args)
+      if args.empty? and !block_given?
+        super(*args) { [] }
+      else
+        super(*args)
+      end
+    end
+
+    # Adds given data to array identified by given type.
+    #
+    # Following types are meant to be used, though everything is accepted:
+    # - :mount
+    #
+    # @param type [Symbol] Type of the argument
+    # @returns self
+    def add(type, *data)
+      if data.respond_to? :each
+        self[type] += data.flatten
+      else
+        self[type] << data
+      end
+
+      self
+    end
+  end
 end

data/lib/bwrap/args/bind/library/ruby_binds.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+# Ruby feature implementation specific class.
+#
+# @api private
+class Bwrap::Args::Bind::Library::RubyBinds
+  # Instance of {Bwrap::Config}.
+  attr_writer :config
+
+  def initialize args
+    @args = args
+  end
+
+  def ruby_binds_for_features
+    return unless @config and @config.features.ruby.enabled?
+
+    @mounts = []
+
+    # Mount some common Ruby executables.
+
+    # This is most often /usr/bin.
+    bindir = Pathname.new @config.features.ruby.ruby_config["bindir"]
+
+    bind_ruby_executable
+    gem_binds bindir
+
+    @args.add :library_feature_binds, @mounts
+  end
+
+  private def bind_ruby_executable
+    path = @config.features.ruby.interpreter
+    raise "Ruby interpreter “#{path}” not found." unless File.exist? path
+
+    @mounts << "--ro-bind" << path.to_s << path.to_s
+  end
+
+  private def gem_binds bindir
+    return unless @config.features.ruby.gem_env_paths?
+
+    path = bindir / "gem"
+    return unless File.exist? path
+
+    @mounts << "--ro-bind" << path.to_s << path.to_s
+  end
+end

data/lib/bwrap/args/bind/library.rb

@@ -8,11 +8,21 @@ require_relative "mime"
 class Bwrap::Args::Bind
   # TODO: documentation
   #
+  # TODO: It may be that this should be renamed to “Binary” or ”Executable”, as this
+  # handles all binaries, not just libraries.
+  #
   # @api private
   class Library
+    # Requires are here so there is no extra trickiness with namespaces.
+    #
+    # Feature implementations are not meant to be used outside of this class anyway.
+    require_relative "library/ruby_binds"
+
     include Bwrap::Execution::Path
     include Bwrap::Output
 
+    # The command given to {Bwrap#run}.
+    #
     # @see Bwrap::Args::Construct#command=
     #
     # @see (see Bwrap::Args::Construct#command=)
@@ -39,22 +49,22 @@ class Bwrap::Args::Bind
         @executable_name = resolve_executable_name executable
         @executable_path = resolve_executable_path @executable_name, not_inside_root: true
 
-        @args.append %W{ --ro-bind #{@executable_path} #{@executable_path} }
+        @args.add :extra_executable_mounts, %W{ --ro-bind #{@executable_path} #{@executable_path} }
 
         resolve_executable_libraries
       end
     end
 
-    # Convenience method to call {#resolve_executable_libraries}.
+    # Checks the command given to {Bwrap#run} and adds the libraries it needs.
     #
-    # Used by {#handle_system_mounts}.
-    def libs_command_requires
+    # Convenience method to call {#resolve_executable_libraries}.
+    def handle_given_command
       @executable_name = resolve_executable_name @command
       @executable_path = resolve_executable_path @executable_name
 
       # Actually add the executable to be bound to the sandbox.
       unless @config&.command_inside_root
-        @args.append %W{ --ro-bind #{@executable_path} #{@executable_path} }
+        @args.add :given_command, %W{ --ro-bind #{@executable_path} #{@executable_path} }
       end
 
       resolve_executable_libraries
@@ -68,7 +78,7 @@ class Bwrap::Args::Bind
     # @todo Ensure scanelf is available (and throw proper error if it is not, telling to not use
     #   full_system_mounts option.)
     def resolve_executable_libraries
-      trace "Resolving executable libraries of #{@executable_path}"
+      debug "Resolving executable libraries of #{@executable_path}"
 
       # TODO: Put this behind additional flag for extra control/sanity.
       # Some executables are shell scripts and similar. For them we need to use the interpreter.
@@ -76,6 +86,17 @@ class Bwrap::Args::Bind
       mime = Mime.new @executable_name, @executable_path
       return unless mime.resolve_mime_type
 
+      # TODO: Ideally mime stuff should be handled as config,
+      # but then shebang parsing logic would be necessary to move to config classes.
+      #
+      # That may make sense, but for now this is here.
+      #
+      # This basically allows features to use mime data to get for example path to necessary interpreter.
+      #
+      # This way there is possibility that wrong mime information would be used,
+      # as this thing is more generalized.
+      @config.features.mime = mime if @config&.features
+
       # Then find out required libraries
 
       library_mounts = []
@@ -89,10 +110,20 @@ class Bwrap::Args::Bind
         library_mounts << "--ro-bind" << library << library
       end
 
-      @args.append library_mounts
+      @args.add :extra_executable_libraries, library_mounts
+    end
+
+    # Some features, like {Bwrap::Config::Features::Nscd}, requires some binds
+    # in order to operate properly.
+    def binds_for_features
+      # NOTE: Still nothing here, as I think this is better for library binds than anything else.
+      # The nscd bind is better in another, more generic, place.
+      #
+      # Keeping this method because I think this really makes sense for structure, in future.
+
+      ruby_binds_for_features
     end
 
-    # Used by {#libs_command_requires}.
     private def resolve_executable_name command
       if command.is_a? String
         return command
@@ -107,8 +138,6 @@ class Bwrap::Args::Bind
     end
 
     # @warning Requires environment paths to be resolved beforehand.
-    #
-    # Used by {#libs_command_requires}.
     private def resolve_executable_path executable_name, not_inside_root: nil
       if @config&.command_inside_root.nil? or not_inside_root
         return which executable_name
@@ -121,5 +150,13 @@ class Bwrap::Args::Bind
 
       which executable_name, env_path_var: env_path
     end
+
+    private def ruby_binds_for_features
+      return unless @config.features.ruby.enabled?
+
+      binds = RubyBinds.new @args
+      binds.config = @config
+      binds.ruby_binds_for_features
+    end
   end
 end

data/lib/bwrap/args/bind/mime.rb

@@ -22,12 +22,13 @@ class Bwrap::Args::Bind
       @executable_path = executable_path
     end
 
-    # Used by {Bwrap::Args::Bind::Library#libs_command_requires}.
+    # Checks if target executable is a script, in which case executable
+    # is parsed from a shebang line, if found.
     #
     # @return false if caller should also return
     def resolve_mime_type
       mime_type = execvalue %W{ file --brief --mime-type #{@executable_path} }
-      trace "Mime type of #{@executable_path} is #{mime_type}"
+      debug "Mime type of #{@executable_path} is #{mime_type}"
       return true unless mime_type[0..6] == "text/x-"
 
       shebang = File.open @executable_path, &:readline
@@ -42,7 +43,11 @@ class Bwrap::Args::Bind
       true
     end
 
+    # Parses shebang line to find out path to actual executable
+    # used to run the script.
     private def resolve_real_executable shebang
+      #trace "Figuring out correct executable from shebang #{shebang}"
+
       command_line = shebang.delete_prefix("#!").strip
       real_executable, args = command_line.split " ", 2
 
@@ -52,6 +57,8 @@ class Bwrap::Args::Bind
         real_executable = which executable_name
       end
 
+      debug "Parsed #{real_executable} from the script’s shebang. Using as executable."
+
       @executable_path = real_executable
     end
   end

data/lib/bwrap/args/bind.rb

@@ -13,6 +13,8 @@ class Bwrap::Args::Bind
   # Array of parameters passed to bwrap.
   attr_writer :args
 
+  # The command given to {Bwrap#run}.
+  #
   # @see Bwrap::Args::Construct#command=
   #
   # @see (see Bwrap::Args::Construct#command=)
@@ -26,17 +28,17 @@ class Bwrap::Args::Bind
 
   # Arguments to bind /dev/dri from host to sandbox.
   def bind_dev_dri
-    @args.append %w{ --dev-bind /dev/dri /dev/dri }
+    @args.add :dev_mounts, %w{ --dev-bind /dev/dri /dev/dri }
   end
 
   # Arguments to bind /sys/dev/char from host to sandbox.
   def bind_sys_dev_char
-    @args.append %w{ --ro-bind /sys/dev/char /sys/dev/char }
+    @args.add :dev_mounts, %w{ --ro-bind /sys/dev/char /sys/dev/char }
   end
 
   # Arguments to bind /sys/devices/pci0000:00 from host to sandbox.
   def bind_pci_devices
-    @args.append %w{ --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 }
+    @args.add :dev_mounts, %w{ --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 }
   end
 
   # Arguments to bind home directory from sandbox directory (`#{@config.sandbox_directory}/home`)
@@ -55,7 +57,23 @@ class Bwrap::Args::Bind
     @environment["HOME"] = "/home/#{@config.user}"
 
     debug "Using #{home_directory} as /home/#{@config.user}"
-    @args.append %W{ --bind #{home_directory} /home/#{@config.user} }
+    @args.add :home_directory, %W{ --bind #{home_directory} /home/#{@config.user} }
+  end
+
+  # Handle command passed to Bwrap#run.
+  #
+  # Allows subsequent actions to utilize the command.
+  def handle_given_command
+    construct_library_bind
+
+    # I’m not completely sure this is a good idea. Maybe only dependent libraries
+    # should be skipped and the actual executable should still be checked?
+    #
+    # Or maybe the data should be calculated and these are excluded in
+    # Construct#bwrap_arguments?
+    return unless @config.full_system_mounts
+
+    @library_bind.handle_given_command
   end
 
   # Arguments to read-only bind whole system inside sandbox.
@@ -67,7 +85,7 @@ class Bwrap::Args::Bind
     end
     @environment.add_to_path binaries_from
 
-    @args.append bindir_mounts
+    @args.add :bindir, bindir_mounts
 
     if debug?
       debug "Using following bindir mounts:\n" \
@@ -77,13 +95,9 @@ class Bwrap::Args::Bind
 
     libdir_mounts
 
-    library_bind = construct_library_bind
-
-    library_bind.extra_executables_mounts
-
-    return unless @config.full_system_mounts
-
-    library_bind.libs_command_requires
+    binds_for_features
+    @library_bind.binds_for_features
+    @library_bind.extra_executables_mounts
   end
 
   # These are something user can specify to do custom --ro-bind binds.
@@ -95,7 +109,7 @@ class Bwrap::Args::Bind
       binds << "--ro-bind" << source_path.to_s << destination_path.to_s
     end
 
-    @args.append binds
+    @args.add :custom_ro_binds, binds unless binds.empty?
   end
 
   # Performs cleanup operations after execution.
@@ -120,7 +134,7 @@ class Bwrap::Args::Bind
             "(Odd is key, even is value)"
     end
 
-    @args.append libdir_mounts
+    @args.add :libdir, libdir_mounts
   end
 
   private def construct_library_bind
@@ -129,6 +143,11 @@ class Bwrap::Args::Bind
     library_bind.config = @config
     library_bind.environment = @environment
 
-    library_bind
+    @library_bind = library_bind
+  end
+
+  # Binds feature specific common directories.
+  private def binds_for_features
+    # Nya.
   end
 end

data/lib/bwrap/args/construct.rb

@@ -3,11 +3,13 @@
 require "tempfile"
 
 require "bwrap/output"
+require_relative "args"
 require_relative "bind"
 require_relative "environment"
 require_relative "features"
 require_relative "machine_id"
 require_relative "mount"
+require_relative "network"
 
 # Constructs arguments for bwrap execution.
 class Bwrap::Args::Construct
@@ -25,16 +27,27 @@ class Bwrap::Args::Construct
   # @param value [Array, String] Command with arguments
   attr_writer :command
 
-  # Constructs arguments for bwrap execution.
-  def construct_bwrap_args
-    @args = []
+  def initialize
+    # If a key is not found, it is initialized with an empty array.
+    @args = Bwrap::Args::Args.new
+  end
+
+  # Parses data given with {Config} so it can be outputted in proper
+  # order by {#bwrap_arguments}.
+  #
+  # @note Command given to {Bwrap#run} is set to {Bind#command}.
+  def calculate
     create_objects
 
+    # If necessary, first handle command passed to Bwrap#run so feature binds can utilize
+    # the command.
+    @bind.handle_given_command
+
     root_mount
     xauthority_args
     machine_id = @machine_id.machine_id
-    @args.append machine_id if machine_id
-    resolv_conf
+    @args.add :machine_id, machine_id if machine_id
+    @network.resolv_conf
     @bind.handle_system_mounts
     @features.feature_binds
     @bind.custom_read_only_binds
@@ -47,14 +60,62 @@ class Bwrap::Args::Construct
     proc_mount
     tmp_as_tmpfs
     @bind.bind_home_directory
-    @args.append "--unshare-all"
-    share_net
-    hostname
-    @args.append @environment.environment_variables
-    @args.append "--die-with-parent"
-    @args.append "--new-session"
-
-    @args.compact
+    @args.add :unshare_all, "--unshare-all" # Practically means that there would be nothing in the sandbox by default.
+    @network.share_net
+    @network.hostname
+    @args.add :environment, @environment.environment_variables
+    @args.add :die_with_parent, "--die-with-parent" # For security, and as intuition says how things should work.
+    @args.add :new_session, "--new-session" # Very important for security.
+  end
+
+  # Returns arguments to pass to bwrap.
+  #
+  # @note Command given to {Bwrap#run} is set to {Bind#command}.
+  def bwrap_arguments
+    args = []
+
+    # @args.fetch() could be used here to ensure the key is present, so catching some extra typos,
+    # but for now it is not used, for convenience.
+
+    args += @args[:root_mount]
+    args += @args[:xauthority]
+    args += @args[:machine_id]
+    args += @args[:resolv_conf]
+
+    # bind.rb
+    args += @args[:bindir]
+    args += @args[:libdir]
+
+    # This is what is given to Bwrap#run.
+    args += @args[:given_command]
+
+    args += @args[:extra_executable_libraries]
+    args += @args[:library_feature_binds]
+    args += @args[:extra_executable_mounts]
+
+    args += @args[:feature_binds]
+
+    args += @args[:custom_ro_binds]
+    args += @args[:user_dir]
+
+    args += @args[:audio]
+    args += @args[:dev_mounts]
+    args += @args[:proc_mount]
+    args += @args[:tmp_mount]
+
+    args += @args[:home_directory]
+
+    args += @args[:unshare_all]
+
+    args += @args[:network]
+
+    args += @args[:hostname]
+    args += @args[:environment]
+
+    args += @args[:die_with_parent]
+    args += @args[:new_session]
+
+    args.compact
   end
 
   # Performs cleanup operations after execution.
@@ -80,6 +141,9 @@ class Bwrap::Args::Construct
 
     @machine_id = Bwrap::Args::MachineId.new
     @machine_id.config = @config
+
+    @network = Bwrap::Args::Network.new @args
+    @network.config = @config
   end
 
   # Arguments for generating .Xauthority file.
@@ -88,23 +152,13 @@ class Bwrap::Args::Construct
 
     xauth_args = %W{ --ro-bind #{Dir.home}/.Xauthority #{Dir.home}/.Xauthority }
     debug "Binding following .Xauthority file: #{Dir.home}/.Xauthority"
-    @args.append xauth_args
-  end
-
-  # Arguments to read-only bind /etc/resolv.conf.
-  private def resolv_conf
-    # We can’t really bind symlinks, so let’s resolve real path to resolv.conf, in case it is symlinked.
-    source_resolv_conf = Pathname.new "/etc/resolv.conf"
-    source_resolv_conf = source_resolv_conf.realpath
-
-    debug "Binding #{source_resolv_conf} as /etc/resolv.conf"
-    @args.append %W{ --ro-bind #{source_resolv_conf} /etc/resolv.conf }
+    @args.add :xauthority, xauth_args
   end
 
   # Arguments to create `/run/user/#{uid}`.
   private def create_user_dir
     trace "Creating directory /run/user/#{uid}"
-    @args.append %W{ --dir /run/user/#{uid} }
+    @args.add :user_dir, %W{ --dir /run/user/#{uid} }
   end
 
   # Arguments to bind necessary pulseaudio data for audio support.
@@ -112,23 +166,7 @@ class Bwrap::Args::Construct
     return unless @config.audio.include? :pulseaudio
 
     debug "Binding pulseaudio"
-    @args.append %W{ --ro-bind /run/user/#{uid}/pulse /run/user/#{uid}/pulse }
-  end
-
-  # Arguments to allow network connection inside sandbox.
-  private def share_net
-    return unless @config.share_net
-
-    verb "Sharing network"
-    @args.append %w{ --share-net }
-  end
-
-  # Arguments to set hostname to whatever is configured.
-  private def hostname
-    return unless @config.hostname
-
-    debug "Setting hostname to #{@config.hostname}"
-    @args.append %W{ --hostname #{@config.hostname} }
+    @args.add :audio, %W{ --ro-bind /run/user/#{uid}/pulse /run/user/#{uid}/pulse }
   end
 
   # Returns current user id.

data/lib/bwrap/args/environment.rb

@@ -1,15 +1,23 @@
 # frozen_string_literal: true
 
+require "bwrap/execution"
 require "bwrap/output"
 require_relative "args"
 
 # Environment variable calculation for bwrap.
 class Bwrap::Args::Environment < Hash
+  include Bwrap::Execution
   include Bwrap::Output
 
   # Instance of {Config}.
   attr_writer :config
 
+  def initialize
+    super
+
+    self["PATH"] ||= []
+  end
+
   # Returns used environment variables wrapped as bwrap arguments.
   def environment_variables
     if debug?
@@ -31,11 +39,11 @@ class Bwrap::Args::Environment < Hash
   # @return [Array] All environment paths added via {Config#add_env_path} and other parsing logic
   def env_paths
     if @config.env_paths.respond_to? :each
-      self["PATH"] ||= []
-
       self["PATH"] |= @config.env_paths
     end
 
+    features_env_paths
+
     self["PATH"]
   end
 
@@ -43,8 +51,6 @@ class Bwrap::Args::Environment < Hash
   #
   # @param elements [String, Array] Path(s) to be added added to PATH environment variable
   def add_to_path elements
-    self["PATH"] ||= []
-
     if elements.respond_to? :each
       self["PATH"] += elements
     else
@@ -52,4 +58,25 @@ class Bwrap::Args::Environment < Hash
       self["PATH"] << elements
     end
   end
+
+  # Feature specific environment path handling.
+  private def features_env_paths
+    ruby_env_paths
+  end
+
+  # Ruby feature specific environment path handling.
+  private def ruby_env_paths
+    return unless @config.features.ruby.enabled?
+    return unless @config.features.ruby.gem_env_paths?
+
+    unless command_available? "gem"
+      warn "gem is not installed in the system, so can’t add its bindirs to PATH."
+      return
+    end
+
+    gempath = execvalue %w{ gem environment gempath }
+    gempath.split(":").each do |path|
+      self["PATH"] << "#{path}/bin"
+    end
+  end
 end

data/lib/bwrap/args/features/binds_base.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+# @abstract
+#
+# Base class for binds.
+#
+# @api private
+class Bwrap::Args::Features::BindsBase
+  # @param config [Config] Instance of Config.
+  def initialize config
+    @config = config
+  end
+end