bwrap 1.0.0.pre.beta1 → 1.1.0.pre.rc1

data/lib/bwrap/args/features/ruby_binds.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+# Implementation for Ruby feature set.
+#
+# @api private
+class Bwrap::Args::Features::RubyBinds < Bwrap::Args::Features::BindsBase
+  # Returns mounts needed by Ruby feature set.
+  attr_reader :mounts
+
+  # Bind system paths so scripts works inside sandbox.
+  def sitedir_mounts
+    raise "@config is required" unless @config
+
+    ruby_config = @config.features.ruby.ruby_config
+
+    mounts = []
+    mounts << "--ro-bind" << ruby_config["sitedir"] << ruby_config["sitedir"]
+    mounts << "--ro-bind" << ruby_config["rubyhdrdir"] << ruby_config["rubyhdrdir"]
+    mounts << "--ro-bind" << ruby_config["rubylibdir"] << ruby_config["rubylibdir"]
+    mounts << "--ro-bind" << ruby_config["vendordir"] << ruby_config["vendordir"]
+
+    mounts
+  end
+
+  # Create binds for required system libraries.
+  #
+  # These are in path like /usr/lib64/ruby/2.5.0/x86_64-linux-gnu/,
+  # and as they are mostly shared libraries, they may have some extra
+  # dependencies that also need to be bound inside the sandbox.
+  def stdlib_mounts stdlib
+    raise "@config is required" unless @config
+
+    ruby_config = @config.features.ruby.ruby_config
+
+    library_mounts = []
+    library = Bwrap::Args::Library.new
+    stdlib.each do |lib|
+      path = "#{ruby_config["rubyarchdir"]}/#{lib}.so"
+
+      library.needed_libraries(path).each do |requisite_library|
+        library_mounts << "--ro-bind" << requisite_library << requisite_library
+      end
+    end
+
+    library_mounts
+  end
+end

data/lib/bwrap/args/features.rb

@@ -8,6 +8,12 @@ require_relative "library"
 #
 # @see Config::Features
 class Bwrap::Args::Features < Hash
+  # Requires are here so there is no extra trickiness with namespaces.
+  #
+  # Feature implementations are not meant to be used outside of this class anyway.
+  require_relative "features/binds_base"
+  require_relative "features/ruby_binds"
+
   include Bwrap::Output
 
   # Implementation for Bash feature set.
@@ -29,41 +35,19 @@ class Bwrap::Args::Features < Hash
     end
   end
 
-  # Implementation for Ruby feature set.
+  # Implementation for nscd feature set.
   #
   # @api private
-  class RubyBinds
-    # Returns mounts needed by Ruby feature set.
-    attr_reader :mounts
-
-    # Bind system paths so scripts works inside sandbox.
-    def sitedir_mounts
+  class NscdBinds
+    # Custom binds needed by the feature.
+    def custom_binds
       mounts = []
-      mounts << "--ro-bind" << RbConfig::CONFIG["sitedir"] << RbConfig::CONFIG["sitedir"]
-      mounts << "--ro-bind" << RbConfig::CONFIG["rubyhdrdir"] << RbConfig::CONFIG["rubyhdrdir"]
-      mounts << "--ro-bind" << RbConfig::CONFIG["rubylibdir"] << RbConfig::CONFIG["rubylibdir"]
-      mounts << "--ro-bind" << RbConfig::CONFIG["vendordir"] << RbConfig::CONFIG["vendordir"]
-
-      mounts
-    end
 
-    # Create binds for required system libraries.
-    #
-    # These are in path like /usr/lib64/ruby/2.5.0/x86_64-linux-gnu/,
-    # and as they are mostly shared libraries, they may have some extra
-    # dependencies that also need to be bound inside the sandbox.
-    def stdlib_mounts stdlib
-      library_mounts = []
-      library = Bwrap::Args::Library.new
-      stdlib.each do |lib|
-        path = "#{RbConfig::CONFIG["rubyarchdir"]}/#{lib}.so"
-
-        library.needed_libraries(path).each do |requisite_library|
-          library_mounts << "--ro-bind" << requisite_library << requisite_library
-        end
-      end
+      # TODO: Probably some path checking is needed here. Or somewhere.
+      # TODO: Since on many systems /var/run is symlinked to /run, that probably should be handled.
+      mounts << "--ro-bind" << "/var/run/nscd" << "/var/run/nscd"
 
-      library_mounts
+      mounts
     end
   end
 
@@ -79,6 +63,7 @@ class Bwrap::Args::Features < Hash
   # - ruby
   def feature_binds
     bash_binds
+    nscd_binds
     ruby_binds
   end
 
@@ -87,7 +72,15 @@ class Bwrap::Args::Features < Hash
 
     binds = BashBinds.new
 
-    @args.append binds.bash_mounts
+    @args.add :feature_binds, binds.bash_mounts
+  end
+
+  private def nscd_binds
+    return unless @config.features.nscd.enabled?
+
+    binds = NscdBinds.new
+
+    @args.add :feature_binds, binds.custom_binds
   end
 
   # @note This does not allow development headers needed for compilation for now.
@@ -95,9 +88,9 @@ class Bwrap::Args::Features < Hash
   private def ruby_binds
     return unless @config.features.ruby.enabled?
 
-    binds = RubyBinds.new
+    binds = RubyBinds.new @config
 
-    @args.append binds.sitedir_mounts
-    @args.append binds.stdlib_mounts(@config.features.ruby.stdlib)
+    @args.add :feature_binds, binds.sitedir_mounts
+    @args.add :feature_binds, binds.stdlib_mounts(@config.features.ruby.stdlib)
   end
 end

data/lib/bwrap/args/library.rb

@@ -66,8 +66,6 @@ class Bwrap::Args::Library
     @needed_libraries
   end
 
-  # Used by {Bwrap::Args::Bind#libs_command_requires}.
-  #
   # @param binary_paths [String, Array] one or more paths to be resolved
   def needed_libraries binary_paths
     trace "Finding libraries #{binary_paths} requires"
@@ -105,7 +103,7 @@ class Bwrap::Args::Library
     libraries = libraries_line.split ","
 
     (@needed_libraries & libraries).each do |library|
-      verb "Binding #{library} as dependency of #{binary_path}"
+      debug "Binding #{library} as dependency of #{binary_path}"
     end
 
     @needed_libraries |= libraries

data/lib/bwrap/args/machine_id.rb

@@ -25,7 +25,7 @@ class Bwrap::Args::MachineId
     # Returning [] means that execute() will ignore this fully.
     # Nil would be converted to empty string, causing spawn() to pass it as argument, causing
     # bwrap to misbehave.
-    return unless @config.machine_id
+    return unless @config&.machine_id
 
     machine_id = @config.machine_id
 
@@ -52,10 +52,10 @@ class Bwrap::Args::MachineId
     debug "Using random machine id as /etc/machine-id"
 
     @machine_id_file = Tempfile.new "bwrap-random_machine_id-", @config.tmpdir
-    @machine_id_file.write SecureRandom.uuid.delete("-", "")
+    @machine_id_file.write SecureRandom.uuid.tr("-", "")
     @machine_id_file.flush
 
-    %W{ --ro-bind-data #{machine_id_file.fileno} /etc/machine-id }
+    %W{ --ro-bind-data #{@machine_id_file.fileno} /etc/machine-id }
   end
 
   # Uses `10000000000000000000000000000000` as machine id.
@@ -80,6 +80,8 @@ class Bwrap::Args::MachineId
   end
 
   # Uses file inside sandbox directory as machine id.
+  #
+  # TODO: I kind of want to deprecate this one. It may make sense, but eh... Let’s see.
   private def machine_id_inside_sandbox_dir sandbox_directory
     machine_id_file = "#{sandbox_directory}/machine-id"
 

data/lib/bwrap/args/mount.rb

@@ -9,24 +9,25 @@ module Bwrap::Args::Mount
     return unless @config.root
 
     debug "Binding #{@config.root} as /"
-    @args.append %W{ --bind #{@config.root} / }
+    @args.add :root_mount, "--bind", @config.root, "/"
+    @args.add :root_mount, "--chdir", "/"
   end
 
   # Arguments for mounting devtmpfs to /dev.
   private def dev_mount
     debug "Mounting new devtmpfs to /dev"
-    @args.append %w{ --dev /dev }
+    @args.add :dev_mounts, "--dev", "/dev"
   end
 
   # Arguments for mounting procfs to /proc.
   private def proc_mount
     debug "Mounting new procfs to /proc"
-    @args.append %w{ --proc /proc }
+    @args.add :proc_mount, "--proc", "/proc"
   end
 
   # Arguments for mounting tmpfs to /tmp.
   private def tmp_as_tmpfs
     debug "Mounting tmpfs to /tmp"
-    @args.append %w{ --tmpfs /tmp }
+    @args.add :tmp_mount, "--tmpfs", "/tmp"
   end
 end

data/lib/bwrap/args/network.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "bwrap/output"
+require_relative "args"
+
+# Network related binds.
+class Bwrap::Args::Network
+  include Bwrap::Output
+
+  # Instance of {Config}.
+  attr_writer :config
+
+  # @param args [Bwrap::Args::Args] Arguments to be passed to bwrap.
+  def initialize args
+    @args = args
+  end
+
+  # Arguments to set hostname to whatever is configured.
+  def hostname
+    return unless @config.hostname
+
+    debug "Setting hostname to #{@config.hostname}"
+    @args.add :hostname, %W{ --hostname #{@config.hostname} }
+  end
+
+  # Arguments to read-only bind /etc/resolv.conf.
+  def resolv_conf
+    # We can’t really bind symlinks, so let’s resolve real path to resolv.conf, in case it is symlinked.
+    source_resolv_conf = Pathname.new "/etc/resolv.conf"
+    source_resolv_conf = source_resolv_conf.realpath
+
+    debug "Binding #{source_resolv_conf} as /etc/resolv.conf"
+    @args.add :resolv_conf, %W{ --ro-bind #{source_resolv_conf} /etc/resolv.conf }
+  end
+
+  # Arguments to allow network connection inside sandbox.
+  def share_net
+    return unless @config.share_net
+
+    verb "Sharing network"
+    @args.add :network, %w{ --share-net }
+  end
+end

data/lib/bwrap/bwrap.rb

@@ -2,6 +2,7 @@
 
 #require "deep-cover" if ENV["DEEP_COVER"]
 
+require_relative "bwrap_module"
 require "bwrap/version"
 require "bwrap/args/construct"
 require "bwrap/config"
@@ -54,7 +55,9 @@ class Bwrap::Bwrap
     construct = Bwrap::Args::Construct.new
     construct.command = command
     construct.config = @config
-    bwrap_args = construct.construct_bwrap_args
+
+    construct.calculate
+    bwrap_args = construct.bwrap_arguments
 
     exec_command = [ "bwrap" ]
     exec_command += bwrap_args
@@ -88,7 +91,9 @@ class Bwrap::Bwrap
     construct = Bwrap::Args::Construct.new
     construct.command = command
     construct.config = config
-    bwrap_args = construct.construct_bwrap_args
+
+    construct.calculate
+    bwrap_args = construct.bwrap_arguments
 
     exec_command = [ "bwrap" ]
     exec_command += bwrap_args
@@ -133,6 +138,9 @@ class Bwrap::Bwrap
       opt :trace,
           "Show trace output (noisiest, probably not useful for most of time)",
           short: :none
+      opt [ :quiet, :silent ],
+          "Hides notice messages. Warnings and errors are still shown.",
+          short: :none
       opt :version,
           "Print version and exit",
           short: "V"

data/lib/bwrap/bwrap_module.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+# ruby-bwrap provides easy-to-use interface to run complex programs in sandboxes created with
+# {https://github.com/containers/bubblewrap bubblewrap}.
+#
+# To run a program inside bubblewrap, a wrapper executable can be created. For example:
+#
+#     require "bwrap"
+#
+#     config = Bwrap::Config.new
+#     config.user = "dummy_user"
+#     config.full_system_mounts = true
+#     config.binaries_from = %w{
+#       /bin
+#       /usr/bin
+#     }
+#
+#     bwrap = Bwrap::Bwrap.new config
+#     bwrap.parse_command_line_arguments
+#     bwrap.run "/bin/true"
+#
+# There also are few generic utilities, {Bwrap::Output} for handling output of scripts and
+# {Bwrap::Execution} to run executables.
+module Bwrap
+  # Empty module.
+end

data/lib/bwrap/config/features/base.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+# @abstract
+#
+# Base of all features.
+class Bwrap::Config::Features::Base
+  # @param features [Bwrap::Config::Features] Instance of features object in {Config}
+  def initialize features
+    @features = features
+  end
+
+  # Checks if the feature has been enabled.
+  #
+  # @return [Boolean] whether feature is enabled
+  def enabled?
+    @enabled
+  end
+
+  # Enable the feature.
+  def enable
+    @enabled = true
+  end
+
+  # Disable the feature.
+  def disable
+    @enabled = false
+  end
+end

data/lib/bwrap/config/features/ruby.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require "bwrap/execution"
+
+# Defines Ruby feature set.
+#
+# Implies {Nscd} feature.
+class Bwrap::Config::Features::Ruby < Bwrap::Config::Features::Base
+  include Bwrap::Execution
+
+  def initialize features
+    super features
+
+    @gem_env_paths = true
+    @stdlib = []
+  end
+
+  # @return true if bindirs from “gem environment” should be added to sandbox.
+  def gem_env_paths?
+    @gem_env_paths
+  end
+
+  # Enable Ruby feature set.
+  #
+  # Among others, binds `RbConfig::CONFIG["sitedir"]` so scripts works.
+  #
+  # @note This does not allow development headers needed for compilation for now.
+  #   I’ll look at it after I have an use for it.
+  #
+  # @note Also enables {Nscd} feature.
+  def enable
+    super
+
+    @features.nscd.enable
+  end
+
+  # @return [Pathname|nil] path to Ruby interpreter.
+  def interpreter
+    @features.mime&.executable_path
+  end
+
+  # @return [Hash(String, String)] RbConfig::CONFIG from interpreter returned by {#interpreter}
+  def ruby_config
+    unless interpreter
+      raise "Interpreter is not set, so ruby_config() can’t be called yet."
+    end
+
+    return @ruby_config if @ruby_config
+
+    script = %q{RbConfig::CONFIG.each { |k, v| puts "#{k}=#{v}" }}
+    config_string = execvalue %W{ #{interpreter} -e #{script} }
+
+    ruby_config = {}
+    config_string.split("\n").each do |line|
+      key, value = line.split "=", 2
+      ruby_config[key] = value
+    end
+
+    @ruby_config = ruby_config
+  end
+
+  # Extra libraries to be loaded from script’s interpreter’s `RbConfig::CONFIG["rubyarchdir"]`.
+  #
+  # @note Existence of library paths are checked here, and not in {#stdlib=},
+  #   to avoid error about missing interpreter, as it is set in {Bwrap::Bwrap#run},
+  #   and config is meant to be created beforehand.
+  #
+  # @note This is only required to be called if extra dependencies are necessary.
+  #   For example, psych.so requires libyaml.so.
+  #
+  # @return [Array] list of needed libraries.
+  def stdlib
+    # Just a little check to have error earlier.
+    @stdlib.each do |lib|
+      unless File.exist? "#{ruby_config["rubyarchdir"]}/#{lib}.so"
+        raise "Library “#{lib}” passed to Bwrap::Config::Ruby.stdlib= does not exist."
+      end
+    end
+
+    @stdlib
+  end
+
+  def stdlib= libs
+    @stdlib = libs
+  end
+end

data/lib/bwrap/config/features.rb

@@ -3,79 +3,42 @@
 class Bwrap::Config
   # Methods to enable or disable feature sets to control various aspects of sandboxing.
   class Features
-    # Defines Bash feature set.
-    class Bash
-      def enabled?
-        @enabled
-      end
+    # Requires are here so there is no extra trickiness with namespaces.
+    #
+    # Feature implementations are not meant to be used outside of this class anyway.
+    require_relative "features/base"
+    require_relative "features/ruby"
 
-      def enable
-        @enabled = true
-      end
+    # Instance of {Bwrap::Args::Bind::Mime}.
+    attr_accessor :mime
 
-      # Disable Bash feature set.
-      def disable
-        @enabled = false
-      end
+    # Defines Bash feature set.
+    class Bash < Base
+      # Nya.
     end
 
-    # Defines Ruby feature set.
-    class Ruby
-      # Extra libraries to be loaded from `RbConfig::CONFIG["rubyarchdir"]`.
-      #
-      # @note This is only required to be called if extra dependencies are necessary.
-      #     For example, psych.so requires libyaml.so.
-      #
-      # @note There is stdlib= method also. Yardoc is broken.
-      #
-      # @return [Array] list of needed libraries.
-      attr_reader :stdlib
-
-      def initialize
-        @stdlib = []
-      end
-
-      # @see enabled=
-      def enabled?
-        @enabled
-      end
-
-      # Enable Ruby feature set.
-      #
-      # Among others, binds `RbConfig::CONFIG["sitedir"]` so scripts works.
-      #
-      # @note This does not allow development headers needed for compilation for now.
-      #   I’ll look at it after I have an use for it.
-      def enable
-        @enabled = true
-      end
-
-      # Disable Ruby feature set.
-      def disable
-        @enabled = false
-      end
-
-      # @see #stdlib
-      def stdlib= libs
-        # Just a little check to have error earlier.
-        libs.each do |lib|
-          unless File.exist? "#{RbConfig::CONFIG["rubyarchdir"]}/#{lib}.so"
-            raise "Library “#{lib}” passed to Bwrap::Config::Ruby.stdlib= does not exist."
-          end
-        end
-
-        @stdlib = libs
-      end
+    # Defines Nscd feature set.
+    #
+    # nscd is short of name service cache daemon. It may make sense to
+    # have this class under another name, but I don’t know how nscd specific
+    # this feature can be, so this name it is for now.
+    class Nscd < Base
+      # Nya.
     end
 
     # @return [Bash] Instance of feature class for Bash
     def bash
-      @bash ||= Bash.new
+      @bash ||= Bash.new self
+    end
+
+    # @return [Nscd] Instance of feature class for nscd
+    def nscd
+      @nscd ||= Nscd.new self
     end
 
     # @return [Ruby] Instance of feature class for Ruby
     def ruby
-      @ruby ||= Ruby.new
+      @ruby ||= Ruby.new self
     end
   end
 end