bwrap 1.0.0 → 1.1.0.pre.rc1

data/lib/bwrap/args/features.rb

@@ -8,6 +8,12 @@ require_relative "library"
 #
 # @see Config::Features
 class Bwrap::Args::Features < Hash
+  # Requires are here so there is no extra trickiness with namespaces.
+  #
+  # Feature implementations are not meant to be used outside of this class anyway.
+  require_relative "features/binds_base"
+  require_relative "features/ruby_binds"
+
   include Bwrap::Output
 
   # Implementation for Bash feature set.
@@ -45,44 +51,6 @@ class Bwrap::Args::Features < Hash
     end
   end
 
-  # Implementation for Ruby feature set.
-  #
-  # @api private
-  class RubyBinds
-    # Returns mounts needed by Ruby feature set.
-    attr_reader :mounts
-
-    # Bind system paths so scripts works inside sandbox.
-    def sitedir_mounts
-      mounts = []
-      mounts << "--ro-bind" << RbConfig::CONFIG["sitedir"] << RbConfig::CONFIG["sitedir"]
-      mounts << "--ro-bind" << RbConfig::CONFIG["rubyhdrdir"] << RbConfig::CONFIG["rubyhdrdir"]
-      mounts << "--ro-bind" << RbConfig::CONFIG["rubylibdir"] << RbConfig::CONFIG["rubylibdir"]
-      mounts << "--ro-bind" << RbConfig::CONFIG["vendordir"] << RbConfig::CONFIG["vendordir"]
-
-      mounts
-    end
-
-    # Create binds for required system libraries.
-    #
-    # These are in path like /usr/lib64/ruby/2.5.0/x86_64-linux-gnu/,
-    # and as they are mostly shared libraries, they may have some extra
-    # dependencies that also need to be bound inside the sandbox.
-    def stdlib_mounts stdlib
-      library_mounts = []
-      library = Bwrap::Args::Library.new
-      stdlib.each do |lib|
-        path = "#{RbConfig::CONFIG["rubyarchdir"]}/#{lib}.so"
-
-        library.needed_libraries(path).each do |requisite_library|
-          library_mounts << "--ro-bind" << requisite_library << requisite_library
-        end
-      end
-
-      library_mounts
-    end
-  end
-
   # `Array` of parameters passed to bwrap.
   attr_writer :args
 
@@ -104,7 +72,7 @@ class Bwrap::Args::Features < Hash
 
     binds = BashBinds.new
 
-    @args.append binds.bash_mounts
+    @args.add :feature_binds, binds.bash_mounts
   end
 
   private def nscd_binds
@@ -112,7 +80,7 @@ class Bwrap::Args::Features < Hash
 
     binds = NscdBinds.new
 
-    @args.append binds.custom_binds
+    @args.add :feature_binds, binds.custom_binds
   end
 
   # @note This does not allow development headers needed for compilation for now.
@@ -120,9 +88,9 @@ class Bwrap::Args::Features < Hash
   private def ruby_binds
     return unless @config.features.ruby.enabled?
 
-    binds = RubyBinds.new
+    binds = RubyBinds.new @config
 
-    @args.append binds.sitedir_mounts
-    @args.append binds.stdlib_mounts(@config.features.ruby.stdlib)
+    @args.add :feature_binds, binds.sitedir_mounts
+    @args.add :feature_binds, binds.stdlib_mounts(@config.features.ruby.stdlib)
   end
 end

data/lib/bwrap/args/library.rb

@@ -66,8 +66,6 @@ class Bwrap::Args::Library
     @needed_libraries
   end
 
-  # Used by {Bwrap::Args::Bind#libs_command_requires}.
-  #
   # @param binary_paths [String, Array] one or more paths to be resolved
   def needed_libraries binary_paths
     trace "Finding libraries #{binary_paths} requires"
@@ -105,7 +103,7 @@ class Bwrap::Args::Library
     libraries = libraries_line.split ","
 
     (@needed_libraries & libraries).each do |library|
-      verb "Binding #{library} as dependency of #{binary_path}"
+      debug "Binding #{library} as dependency of #{binary_path}"
     end
 
     @needed_libraries |= libraries

data/lib/bwrap/args/mount.rb

@@ -9,25 +9,25 @@ module Bwrap::Args::Mount
     return unless @config.root
 
     debug "Binding #{@config.root} as /"
-    @args.append %W{ --bind #{@config.root} / }
-    @args.append %w{ --chdir / }
+    @args.add :root_mount, "--bind", @config.root, "/"
+    @args.add :root_mount, "--chdir", "/"
   end
 
   # Arguments for mounting devtmpfs to /dev.
   private def dev_mount
     debug "Mounting new devtmpfs to /dev"
-    @args.append %w{ --dev /dev }
+    @args.add :dev_mounts, "--dev", "/dev"
   end
 
   # Arguments for mounting procfs to /proc.
   private def proc_mount
     debug "Mounting new procfs to /proc"
-    @args.append %w{ --proc /proc }
+    @args.add :proc_mount, "--proc", "/proc"
   end
 
   # Arguments for mounting tmpfs to /tmp.
   private def tmp_as_tmpfs
     debug "Mounting tmpfs to /tmp"
-    @args.append %w{ --tmpfs /tmp }
+    @args.add :tmp_mount, "--tmpfs", "/tmp"
   end
 end

data/lib/bwrap/args/network.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "bwrap/output"
+require_relative "args"
+
+# Network related binds.
+class Bwrap::Args::Network
+  include Bwrap::Output
+
+  # Instance of {Config}.
+  attr_writer :config
+
+  # @param args [Bwrap::Args::Args] Arguments to be passed to bwrap.
+  def initialize args
+    @args = args
+  end
+
+  # Arguments to set hostname to whatever is configured.
+  def hostname
+    return unless @config.hostname
+
+    debug "Setting hostname to #{@config.hostname}"
+    @args.add :hostname, %W{ --hostname #{@config.hostname} }
+  end
+
+  # Arguments to read-only bind /etc/resolv.conf.
+  def resolv_conf
+    # We can’t really bind symlinks, so let’s resolve real path to resolv.conf, in case it is symlinked.
+    source_resolv_conf = Pathname.new "/etc/resolv.conf"
+    source_resolv_conf = source_resolv_conf.realpath
+
+    debug "Binding #{source_resolv_conf} as /etc/resolv.conf"
+    @args.add :resolv_conf, %W{ --ro-bind #{source_resolv_conf} /etc/resolv.conf }
+  end
+
+  # Arguments to allow network connection inside sandbox.
+  def share_net
+    return unless @config.share_net
+
+    verb "Sharing network"
+    @args.add :network, %w{ --share-net }
+  end
+end

data/lib/bwrap/bwrap.rb

@@ -55,7 +55,9 @@ class Bwrap::Bwrap
     construct = Bwrap::Args::Construct.new
     construct.command = command
     construct.config = @config
-    bwrap_args = construct.construct_bwrap_args
+
+    construct.calculate
+    bwrap_args = construct.bwrap_arguments
 
     exec_command = [ "bwrap" ]
     exec_command += bwrap_args
@@ -89,7 +91,9 @@ class Bwrap::Bwrap
     construct = Bwrap::Args::Construct.new
     construct.command = command
     construct.config = config
-    bwrap_args = construct.construct_bwrap_args
+
+    construct.calculate
+    bwrap_args = construct.bwrap_arguments
 
     exec_command = [ "bwrap" ]
     exec_command += bwrap_args
@@ -134,6 +138,9 @@ class Bwrap::Bwrap
       opt :trace,
           "Show trace output (noisiest, probably not useful for most of time)",
           short: :none
+      opt [ :quiet, :silent ],
+          "Hides notice messages. Warnings and errors are still shown.",
+          short: :none
       opt :version,
           "Print version and exit",
           short: "V"

data/lib/bwrap/config/features/base.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+# @abstract
+#
+# Base of all features.
+class Bwrap::Config::Features::Base
+  # @param features [Bwrap::Config::Features] Instance of features object in {Config}
+  def initialize features
+    @features = features
+  end
+
+  # Checks if the feature has been enabled.
+  #
+  # @return [Boolean] whether feature is enabled
+  def enabled?
+    @enabled
+  end
+
+  # Enable the feature.
+  def enable
+    @enabled = true
+  end
+
+  # Disable the feature.
+  def disable
+    @enabled = false
+  end
+end

data/lib/bwrap/config/features/ruby.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require "bwrap/execution"
+
+# Defines Ruby feature set.
+#
+# Implies {Nscd} feature.
+class Bwrap::Config::Features::Ruby < Bwrap::Config::Features::Base
+  include Bwrap::Execution
+
+  def initialize features
+    super features
+
+    @gem_env_paths = true
+    @stdlib = []
+  end
+
+  # @return true if bindirs from “gem environment” should be added to sandbox.
+  def gem_env_paths?
+    @gem_env_paths
+  end
+
+  # Enable Ruby feature set.
+  #
+  # Among others, binds `RbConfig::CONFIG["sitedir"]` so scripts works.
+  #
+  # @note This does not allow development headers needed for compilation for now.
+  #   I’ll look at it after I have an use for it.
+  #
+  # @note Also enables {Nscd} feature.
+  def enable
+    super
+
+    @features.nscd.enable
+  end
+
+  # @return [Pathname|nil] path to Ruby interpreter.
+  def interpreter
+    @features.mime&.executable_path
+  end
+
+  # @return [Hash(String, String)] RbConfig::CONFIG from interpreter returned by {#interpreter}
+  def ruby_config
+    unless interpreter
+      raise "Interpreter is not set, so ruby_config() can’t be called yet."
+    end
+
+    return @ruby_config if @ruby_config
+
+    script = %q{RbConfig::CONFIG.each { |k, v| puts "#{k}=#{v}" }}
+    config_string = execvalue %W{ #{interpreter} -e #{script} }
+
+    ruby_config = {}
+    config_string.split("\n").each do |line|
+      key, value = line.split "=", 2
+      ruby_config[key] = value
+    end
+
+    @ruby_config = ruby_config
+  end
+
+  # Extra libraries to be loaded from script’s interpreter’s `RbConfig::CONFIG["rubyarchdir"]`.
+  #
+  # @note Existence of library paths are checked here, and not in {#stdlib=},
+  #   to avoid error about missing interpreter, as it is set in {Bwrap::Bwrap#run},
+  #   and config is meant to be created beforehand.
+  #
+  # @note This is only required to be called if extra dependencies are necessary.
+  #   For example, psych.so requires libyaml.so.
+  #
+  # @return [Array] list of needed libraries.
+  def stdlib
+    # Just a little check to have error earlier.
+    @stdlib.each do |lib|
+      unless File.exist? "#{ruby_config["rubyarchdir"]}/#{lib}.so"
+        raise "Library “#{lib}” passed to Bwrap::Config::Ruby.stdlib= does not exist."
+      end
+    end
+
+    @stdlib
+  end
+
+  def stdlib= libs
+    @stdlib = libs
+  end
+end

data/lib/bwrap/config/features.rb

@@ -3,32 +3,14 @@
 class Bwrap::Config
   # Methods to enable or disable feature sets to control various aspects of sandboxing.
   class Features
-    # @abstract
+    # Requires are here so there is no extra trickiness with namespaces.
     #
-    # Base of all features.
-    class Base
-      # @param features [Bwrap::Config::Features] Instance of features object in {Config}
-      def initialize features
-        @features = features
-      end
+    # Feature implementations are not meant to be used outside of this class anyway.
+    require_relative "features/base"
+    require_relative "features/ruby"
 
-      # Checks if the feature has been enabled.
-      #
-      # @return [Boolean] whether feature is enabled
-      def enabled?
-        @enabled
-      end
-
-      # Enable the feature.
-      def enable
-        @enabled = true
-      end
-
-      # Disable the feature.
-      def disable
-        @enabled = false
-      end
-    end
+    # Instance of {Bwrap::Args::Bind::Mime}.
+    attr_accessor :mime
 
     # Defines Bash feature set.
     class Bash < Base
@@ -44,60 +26,6 @@ class Bwrap::Config
       # Nya.
     end
 
-    # Defines Ruby feature set.
-    #
-    # Implies {Nscd} feature.
-    class Ruby < Base
-      # Extra libraries to be loaded from `RbConfig::CONFIG["rubyarchdir"]`.
-      #
-      # @note This is only required to be called if extra dependencies are necessary.
-      #     For example, psych.so requires libyaml.so.
-      #
-      # @return [Array] list of needed libraries.
-      #
-      # @overload stdlib
-      # @overload stdlib=(libs)
-      attr_reader :stdlib
-
-      def initialize features
-        super features
-
-        @gem_env_paths = true
-        @stdlib = []
-      end
-
-      # @return true if bindirs from “gem environment” should be added to sandbox.
-      def gem_env_paths?
-        @gem_env_paths
-      end
-
-      # Enable Ruby feature set.
-      #
-      # Among others, binds `RbConfig::CONFIG["sitedir"]` so scripts works.
-      #
-      # @note This does not allow development headers needed for compilation for now.
-      #   I’ll look at it after I have an use for it.
-      #
-      # @note Also enables {Nscd} feature.
-      def enable
-        super
-
-        @features.nscd.enable
-      end
-
-      # @see #stdlib
-      def stdlib= libs
-        # Just a little check to have error earlier.
-        libs.each do |lib|
-          unless File.exist? "#{RbConfig::CONFIG["rubyarchdir"]}/#{lib}.so"
-            raise "Library “#{lib}” passed to Bwrap::Config::Ruby.stdlib= does not exist."
-          end
-        end
-
-        @stdlib = libs
-      end
-    end
-
     # @return [Bash] Instance of feature class for Bash
     def bash
       @bash ||= Bash.new self

data/lib/bwrap/execution/exceptions.rb

@@ -7,6 +7,18 @@ module Bwrap::Execution
 
   # Signifies that command execution has failed.
   class ExecutionFailed < CommandError
+    # The command that was executed.
+    attr_reader :command
+
+    # Output of the command.
+    attr_reader :output
+
+    def initialize msg, command:, output:
+      @command = command
+      @output = output
+
+      super msg
+    end
   end
 
   # Thrown if given command was not found.

data/lib/bwrap/execution/execute.rb

@@ -63,13 +63,17 @@ class Bwrap::Execution::Execute
   end
 
   # Checks whether execution failed and acts accordingly.
-  def self.handle_execution_fail fail:, error:, output:
-    return unless fail and !$CHILD_STATUS.success?
+  def self.handle_execution_fail fail:, error:, output:, command:
+    return unless fail and !execution_success?
 
     if error == :show and !output.empty?
       Bwrap::Output.warn_output "Command failed with output:\n“#{output}”"
     end
-    raise Bwrap::Execution::ExecutionFailed, "Command execution failed.", caller
+
+    exception = Bwrap::Execution::ExecutionFailed.new "Command execution failed",
+                                                      command: command,
+                                                      output: output
+    raise exception, caller
   end
 
   # @note It makes sense for caller to just return if wait has been set and not check output.
@@ -101,6 +105,13 @@ class Bwrap::Execution::Execute
                                "to add “self.prepend_rootcmd(command, rootcmd:)” method."
   end
 
+  # A wrapper to get status of an execution.
+  #
+  # Mainly here so test implementation is easier.
+  private_class_method def self.execution_success?
+    $CHILD_STATUS.success?
+  end
+
   # Used by `#handle_logging`.
   private_class_method def self.calculate_log_command command
     return command.dup unless command.respond_to?(:join)

data/lib/bwrap/execution/execution.rb

@@ -61,7 +61,7 @@ module Bwrap::Execution
     end
 
     # If command is string, splat operator (the *) does not do anything. If array, it expand the arguments.
-    # This causes spawning work correctly, as that’s how spawn() expects to have the argu
+    # This causes spawning work correctly, as that’s how spawn() expects to have the arguments.
     pid = spawn(env, *command, err: [ :child, :out ], out: Execute.w, unsetenv_others: clear_env)
     output = Execute.finish_execution(log: log, wait: wait, direct_output: direct_output)
     return pid unless wait
@@ -71,7 +71,7 @@ module Bwrap::Execution
     @last_status = $CHILD_STATUS
 
     output = Execute.process_output output: output
-    Execute.handle_execution_fail fail: fail, error: error, output: output
+    Execute.handle_execution_fail fail: fail, error: error, output: output, command: command
     output
   ensure
     Execute.clean_variables

data/lib/bwrap/execution/path.rb

@@ -20,7 +20,7 @@ module Bwrap::Execution::Path
     #
     # @yield Command appended to each path in PATH environment variable
     # @yieldparam path [String] Full path to executable
-    def self.each_env_path command, env_path_var: ENV["PATH"]
+    def self.each_env_path command, env_path_var: ENV.fetch("PATH", nil)
       exts = ENV["PATHEXT"] ? ENV["PATHEXT"].split(";") : [ "" ]
 
       env_path_var.split(File::PATH_SEPARATOR).each do |env_path|
@@ -39,7 +39,7 @@ module Bwrap::Execution::Path
   # @param command [String] executable to be resolved
   # @param env_path_var [String] PATH environment variable as string.
   #   Defaults to `ENV["PATH"]`
-  private def command_available? command, env_path_var: ENV["PATH"]
+  private def command_available? command, env_path_var: ENV.fetch("PATH", nil)
     # Special handling for absolute paths.
     path = Pathname.new command
     if path.absolute?
@@ -60,7 +60,7 @@ module Bwrap::Execution::Path
   # Returns path to given executable.
   #
   # @param (see #command_available?)
-  private def which command, fail: true, env_path_var: ENV["PATH"]
+  private def which command, fail: true, env_path_var: ENV.fetch("PATH", nil)
     # Special handling for absolute paths.
     path = Pathname.new command
     if path.absolute?

data/lib/bwrap/output/levels.rb

@@ -8,7 +8,8 @@ class Bwrap::Output::Levels
 
   @@_verbose = false
   @@_debug = false
-  @@_trace = ENV["BWRAP_TRACE"] && true || false
+  @@_trace = ENV.fetch("BWRAP_TRACE", nil) && true || false
+  @@_quiet = false
 
   # @see Bwrap::Output#verbose?
   def self.verbose?
@@ -25,8 +26,18 @@ class Bwrap::Output::Levels
     @@_trace
   end
 
+  # @see Bwrap::Output##quiet?
+  def self.quiet?
+    @@_quiet
+  end
+
   # Takes hash of options received from Optimist and checks output related flags.
   def self.handle_output_options options
+    if options[:quiet] or options[:silent]
+      quiet!
+      return
+    end
+
     # Set output level flags to true or false, if it was given.
     unless options[:trace].nil?
       @@_verbose = options[:trace]
@@ -64,6 +75,18 @@ class Bwrap::Output::Levels
     out
   end
 
+  # Formats given string and outputs it.
+  #
+  # @return formatted string
+  def self.info_print_formatted str, log_callback: 1
+    # TODO: Maybe have different color for NOTICE than for INFO?
+    out = "#{Bwrap::Output::Colors.color(130, 230, 130, bold: true)}[NOTICE]#{Bwrap::Output::Colors.stopcolor} #{str}"
+    out = append_caller out, log_callback: (log_callback + 1)
+    puts out
+
+    out
+  end
+
   # Formats given string and outputs it.
   #
   # @return formatted string
@@ -98,9 +121,16 @@ class Bwrap::Output::Levels
   # Appends caller information to given output.
   #
   # Used by *_print_formatted methods.
-  def self.append_caller out, log_callback: 1
+  private_class_method def self.append_caller out, log_callback: 1
     out = "#{out} (called at #{caller_locations(log_callback, 1)[0]})" if @@_trace
     out
   end
-  private_class_method :append_caller
+
+  # Sets variables so that no extra output is shown.
+  private_class_method def self.quiet!
+    @@_verbose = false
+    @@_debug = false
+    @@_trace = false
+    @@_quiet = true
+  end
 end

data/lib/bwrap/output/output_impl.rb

@@ -32,6 +32,8 @@ require_relative "log"
 # When using {Bwrap::Bwrap}, {Bwrap::Bwrap#parse_command_line_arguments}
 # causes output levels to be set if relevant CLI arguments have been
 # given. TODO: Add documentation about CLI args somewhere. Maybe README?
+#
+# TODO: Add new method info() which can then be silenced using --quiet or --silent.
 module Bwrap::Output
   # @see #verbose?
   def self.verbose?
@@ -43,6 +45,12 @@ module Bwrap::Output
     Bwrap::Output::Levels.debug?
   end
 
+  # @see #quiet?
+  # @see #info
+  def self.quiet?
+    Bwrap::Output::Levels.quiet?
+  end
+
   # @see #trace?
   def self.trace?
     Bwrap::Output::Levels.trace?
@@ -89,6 +97,18 @@ module Bwrap::Output
     Bwrap::Output::Log.puts_to_log out || str
   end
 
+  # Handler used by #info to output given string.
+  def self.info_output str, raw: false, log_callback: 1
+    return if quiet?
+
+    if raw
+      print str
+    else
+      out = Bwrap::Output::Levels.info_print_formatted str, log_callback: (log_callback + 1)
+    end
+    Bwrap::Output::Log.puts_to_log out || str
+  end
+
   # Handler used by #warn to output given string.
   def self.warn_output str, raw: false, log_callback: 1
     if raw
@@ -114,6 +134,13 @@ module Bwrap::Output
     exit exit_code
   end
 
+  # @see #info
+  #
+  # @return true if --quiet or --silent has been passed, false if not.
+  private def quiet?
+    Bwrap::Output::Levels.quiet?
+  end
+
   # @return true if --verbose, --debug or --trace has been passed, false if not.
   private def verbose?
     Bwrap::Output::Levels.verbose?
@@ -161,6 +188,33 @@ module Bwrap::Output
     Bwrap::Output.verb_output(str, raw: raw, log_callback: 2)
   end
 
+  # Outputs given string if info flag has been set.
+  #
+  # This is meant for notices, and the log will be labeled with
+  # [NOTICE].
+  #
+  # Output flags can be set with {.handle_output_options}.
+  #
+  # == Implementation hint
+  #
+  # Usually implementing --quiet and/or --silent flag
+  # to control these messages (and all other output) may make
+  # sense.
+  #
+  # That way it would be possible to have some important
+  # informational messages that should be shown, but for script
+  # usage, those could be muted.
+  #
+  # Warning messages are meant to be shown always. Error messages
+  # will always be printed, as execution is halted after the
+  # error message has been printed.
+  #
+  # @param str String to be outputted
+  # @param raw [Boolean] If true, disables output formatting
+  private def info str, raw: false
+    Bwrap::Output.info_output(str, raw: raw, log_callback: 2)
+  end
+
   # Outputs given string to `$stderr`.
   #
   # @param str String to be outputted

data/lib/bwrap/version.rb

@@ -2,7 +2,7 @@
 
 module Bwrap
   # Current version of bwrap.
-  VERSION = "1.0.0"
+  VERSION = "1.1.0-rc1"
 end
 
 require "deep-cover" if ENV["DEEP_COVER"]