bwrap 1.0.0 → 1.1.1

data/lib/bwrap/args/features.rb

@@ -8,6 +8,12 @@ require_relative "library"
 #
 # @see Config::Features
 class Bwrap::Args::Features < Hash
+  # Requires are here so there is no extra trickiness with namespaces.
+  #
+  # Feature implementations are not meant to be used outside of this class anyway.
+  require_relative "features/binds_base"
+  require_relative "features/ruby_binds"
+
   include Bwrap::Output
 
   # Implementation for Bash feature set.
@@ -45,44 +51,6 @@ class Bwrap::Args::Features < Hash
     end
   end
 
-  # Implementation for Ruby feature set.
-  #
-  # @api private
-  class RubyBinds
-    # Returns mounts needed by Ruby feature set.
-    attr_reader :mounts
-
-    # Bind system paths so scripts works inside sandbox.
-    def sitedir_mounts
-      mounts = []
-      mounts << "--ro-bind" << RbConfig::CONFIG["sitedir"] << RbConfig::CONFIG["sitedir"]
-      mounts << "--ro-bind" << RbConfig::CONFIG["rubyhdrdir"] << RbConfig::CONFIG["rubyhdrdir"]
-      mounts << "--ro-bind" << RbConfig::CONFIG["rubylibdir"] << RbConfig::CONFIG["rubylibdir"]
-      mounts << "--ro-bind" << RbConfig::CONFIG["vendordir"] << RbConfig::CONFIG["vendordir"]
-
-      mounts
-    end
-
-    # Create binds for required system libraries.
-    #
-    # These are in path like /usr/lib64/ruby/2.5.0/x86_64-linux-gnu/,
-    # and as they are mostly shared libraries, they may have some extra
-    # dependencies that also need to be bound inside the sandbox.
-    def stdlib_mounts stdlib
-      library_mounts = []
-      library = Bwrap::Args::Library.new
-      stdlib.each do |lib|
-        path = "#{RbConfig::CONFIG["rubyarchdir"]}/#{lib}.so"
-
-        library.needed_libraries(path).each do |requisite_library|
-          library_mounts << "--ro-bind" << requisite_library << requisite_library
-        end
-      end
-
-      library_mounts
-    end
-  end
-
   # `Array` of parameters passed to bwrap.
   attr_writer :args
 
@@ -104,7 +72,7 @@ class Bwrap::Args::Features < Hash
 
     binds = BashBinds.new
 
-    @args.append binds.bash_mounts
+    @args.add :feature_binds, binds.bash_mounts
   end
 
   private def nscd_binds
@@ -112,7 +80,7 @@ class Bwrap::Args::Features < Hash
 
     binds = NscdBinds.new
 
-    @args.append binds.custom_binds
+    @args.add :feature_binds, binds.custom_binds
   end
 
   # @note This does not allow development headers needed for compilation for now.
@@ -120,9 +88,9 @@ class Bwrap::Args::Features < Hash
   private def ruby_binds
     return unless @config.features.ruby.enabled?
 
-    binds = RubyBinds.new
+    binds = RubyBinds.new @config
 
-    @args.append binds.sitedir_mounts
-    @args.append binds.stdlib_mounts(@config.features.ruby.stdlib)
+    @args.add :feature_binds, binds.sitedir_mounts
+    @args.add :feature_binds, binds.stdlib_mounts(@config.features.ruby.stdlib)
   end
 end

data/lib/bwrap/args/library.rb

@@ -66,8 +66,6 @@ class Bwrap::Args::Library
     @needed_libraries
   end
 
-  # Used by {Bwrap::Args::Bind#libs_command_requires}.
-  #
   # @param binary_paths [String, Array] one or more paths to be resolved
   def needed_libraries binary_paths
     trace "Finding libraries #{binary_paths} requires"
@@ -105,7 +103,7 @@ class Bwrap::Args::Library
     libraries = libraries_line.split ","
 
     (@needed_libraries & libraries).each do |library|
-      verb "Binding #{library} as dependency of #{binary_path}"
+      debug "Binding #{library} as dependency of #{binary_path}"
     end
 
     @needed_libraries |= libraries

data/lib/bwrap/args/mount.rb

@@ -9,25 +9,25 @@ module Bwrap::Args::Mount
     return unless @config.root
 
     debug "Binding #{@config.root} as /"
-    @args.append %W{ --bind #{@config.root} / }
-    @args.append %w{ --chdir / }
+    @args.add :root_mount, "--bind", @config.root, "/"
+    @args.add :root_mount, "--chdir", "/"
   end
 
   # Arguments for mounting devtmpfs to /dev.
   private def dev_mount
     debug "Mounting new devtmpfs to /dev"
-    @args.append %w{ --dev /dev }
+    @args.add :dev_mounts, "--dev", "/dev"
   end
 
   # Arguments for mounting procfs to /proc.
   private def proc_mount
     debug "Mounting new procfs to /proc"
-    @args.append %w{ --proc /proc }
+    @args.add :proc_mount, "--proc", "/proc"
   end
 
   # Arguments for mounting tmpfs to /tmp.
   private def tmp_as_tmpfs
     debug "Mounting tmpfs to /tmp"
-    @args.append %w{ --tmpfs /tmp }
+    @args.add :tmp_mount, "--tmpfs", "/tmp"
   end
 end

data/lib/bwrap/args/network.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "bwrap/output"
+require_relative "args"
+
+# Network related binds.
+class Bwrap::Args::Network
+  include Bwrap::Output
+
+  # Instance of {Config}.
+  attr_writer :config
+
+  # @param args [Bwrap::Args::Args] Arguments to be passed to bwrap.
+  def initialize args
+    @args = args
+  end
+
+  # Arguments to set hostname to whatever is configured.
+  def hostname
+    return unless @config.hostname
+
+    debug "Setting hostname to #{@config.hostname}"
+    @args.add :hostname, %W{ --hostname #{@config.hostname} }
+  end
+
+  # Arguments to read-only bind /etc/resolv.conf.
+  def resolv_conf
+    # We can’t really bind symlinks, so let’s resolve real path to resolv.conf, in case it is symlinked.
+    source_resolv_conf = Pathname.new "/etc/resolv.conf"
+    source_resolv_conf = source_resolv_conf.realpath
+
+    debug "Binding #{source_resolv_conf} as /etc/resolv.conf"
+    @args.add :resolv_conf, %W{ --ro-bind #{source_resolv_conf} /etc/resolv.conf }
+  end
+
+  # Arguments to allow network connection inside sandbox.
+  def share_net
+    return unless @config.share_net
+
+    verb "Sharing network"
+    @args.add :network, %w{ --share-net }
+  end
+end

data/lib/bwrap/bwrap.rb

@@ -55,7 +55,9 @@ class Bwrap::Bwrap
     construct = Bwrap::Args::Construct.new
     construct.command = command
     construct.config = @config
-    bwrap_args = construct.construct_bwrap_args
+
+    construct.calculate
+    bwrap_args = construct.bwrap_arguments
 
     exec_command = [ "bwrap" ]
     exec_command += bwrap_args
@@ -89,7 +91,9 @@ class Bwrap::Bwrap
     construct = Bwrap::Args::Construct.new
     construct.command = command
     construct.config = config
-    bwrap_args = construct.construct_bwrap_args
+
+    construct.calculate
+    bwrap_args = construct.bwrap_arguments
 
     exec_command = [ "bwrap" ]
     exec_command += bwrap_args
@@ -134,6 +138,9 @@ class Bwrap::Bwrap
       opt :trace,
           "Show trace output (noisiest, probably not useful for most of time)",
           short: :none
+      opt [ :quiet, :silent ],
+          "Hides notice messages. Warnings and errors are still shown.",
+          short: :none
       opt :version,
           "Print version and exit",
           short: "V"

data/lib/bwrap/config/features/base.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+# @abstract
+#
+# Base of all features.
+class Bwrap::Config::Features::Base
+  # @param features [Bwrap::Config::Features] Instance of features object in {Config}
+  def initialize features
+    @features = features
+  end
+
+  # Checks if the feature has been enabled.
+  #
+  # @return [Boolean] whether feature is enabled
+  def enabled?
+    @enabled
+  end
+
+  # Enable the feature.
+  def enable
+    @enabled = true
+  end
+
+  # Disable the feature.
+  def disable
+    @enabled = false
+  end
+end

data/lib/bwrap/config/features/ruby.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require "bwrap/execution"
+
+# Defines Ruby feature set.
+#
+# Implies {Nscd} feature.
+class Bwrap::Config::Features::Ruby < Bwrap::Config::Features::Base
+  include Bwrap::Execution
+
+  def initialize features
+    super features
+
+    @gem_env_paths = true
+    @stdlib = []
+  end
+
+  # @return true if bindirs from “gem environment” should be added to sandbox.
+  def gem_env_paths?
+    @gem_env_paths
+  end
+
+  # Enable Ruby feature set.
+  #
+  # Among others, binds `RbConfig::CONFIG["sitedir"]` so scripts works.
+  #
+  # @note This does not allow development headers needed for compilation for now.
+  #   I’ll look at it after I have an use for it.
+  #
+  # @note Also enables {Nscd} feature.
+  def enable
+    super
+
+    @features.nscd.enable
+  end
+
+  # @return [Pathname|nil] path to Ruby interpreter.
+  def interpreter
+    @features.mime&.executable_path
+  end
+
+  # @return [Hash(String, String)] RbConfig::CONFIG from interpreter returned by {#interpreter}
+  def ruby_config
+    unless interpreter
+      raise "Interpreter is not set, so ruby_config() can’t be called yet."
+    end
+
+    return @ruby_config if @ruby_config
+
+    script = %q{RbConfig::CONFIG.each { |k, v| puts "#{k}=#{v}" }}
+    config_string = execvalue %W{ #{interpreter} -e #{script} }
+
+    ruby_config = {}
+    config_string.split("\n").each do |line|
+      key, value = line.split "=", 2
+      ruby_config[key] = value
+    end
+
+    @ruby_config = ruby_config
+  end
+
+  # Extra libraries to be loaded from script’s interpreter’s `RbConfig::CONFIG["rubyarchdir"]`.
+  #
+  # @note Existence of library paths are checked here, and not in {#stdlib=},
+  #   to avoid error about missing interpreter, as it is set in {Bwrap::Bwrap#run},
+  #   and config is meant to be created beforehand.
+  #
+  # @note This is only required to be called if extra dependencies are necessary.
+  #   For example, psych.so requires libyaml.so.
+  #
+  # @return [Array] list of needed libraries.
+  def stdlib
+    # Just a little check to have error earlier.
+    @stdlib.each do |lib|
+      unless File.exist? "#{ruby_config["rubyarchdir"]}/#{lib}.so"
+        raise "Library “#{lib}” passed to Bwrap::Config::Ruby.stdlib= does not exist."
+      end
+    end
+
+    @stdlib
+  end
+
+  def stdlib= libs
+    @stdlib = libs
+  end
+end

data/lib/bwrap/config/features.rb

@@ -3,32 +3,14 @@
 class Bwrap::Config
   # Methods to enable or disable feature sets to control various aspects of sandboxing.
   class Features
-    # @abstract
+    # Requires are here so there is no extra trickiness with namespaces.
     #
-    # Base of all features.
-    class Base
-      # @param features [Bwrap::Config::Features] Instance of features object in {Config}
-      def initialize features
-        @features = features
-      end
+    # Feature implementations are not meant to be used outside of this class anyway.
+    require_relative "features/base"
+    require_relative "features/ruby"
 
-      # Checks if the feature has been enabled.
-      #
-      # @return [Boolean] whether feature is enabled
-      def enabled?
-        @enabled
-      end
-
-      # Enable the feature.
-      def enable
-        @enabled = true
-      end
-
-      # Disable the feature.
-      def disable
-        @enabled = false
-      end
-    end
+    # Instance of {Bwrap::Args::Bind::Mime}.
+    attr_accessor :mime
 
     # Defines Bash feature set.
     class Bash < Base
@@ -44,60 +26,6 @@ class Bwrap::Config
       # Nya.
     end
 
-    # Defines Ruby feature set.
-    #
-    # Implies {Nscd} feature.
-    class Ruby < Base
-      # Extra libraries to be loaded from `RbConfig::CONFIG["rubyarchdir"]`.
-      #
-      # @note This is only required to be called if extra dependencies are necessary.
-      #     For example, psych.so requires libyaml.so.
-      #
-      # @return [Array] list of needed libraries.
-      #
-      # @overload stdlib
-      # @overload stdlib=(libs)
-      attr_reader :stdlib
-
-      def initialize features
-        super features
-
-        @gem_env_paths = true
-        @stdlib = []
-      end
-
-      # @return true if bindirs from “gem environment” should be added to sandbox.
-      def gem_env_paths?
-        @gem_env_paths
-      end
-
-      # Enable Ruby feature set.
-      #
-      # Among others, binds `RbConfig::CONFIG["sitedir"]` so scripts works.
-      #
-      # @note This does not allow development headers needed for compilation for now.
-      #   I’ll look at it after I have an use for it.
-      #
-      # @note Also enables {Nscd} feature.
-      def enable
-        super
-
-        @features.nscd.enable
-      end
-
-      # @see #stdlib
-      def stdlib= libs
-        # Just a little check to have error earlier.
-        libs.each do |lib|
-          unless File.exist? "#{RbConfig::CONFIG["rubyarchdir"]}/#{lib}.so"
-            raise "Library “#{lib}” passed to Bwrap::Config::Ruby.stdlib= does not exist."
-          end
-        end
-
-        @stdlib = libs
-      end
-    end
-
     # @return [Bash] Instance of feature class for Bash
     def bash
       @bash ||= Bash.new self

data/lib/bwrap/execution/exceptions.rb

@@ -7,6 +7,18 @@ module Bwrap::Execution
 
   # Signifies that command execution has failed.
   class ExecutionFailed < CommandError
+    # The command that was executed.
+    attr_reader :command
+
+    # Output of the command.
+    attr_reader :output
+
+    def initialize msg, command:, output:
+      @command = command
+      @output = output
+
+      super msg
+    end
   end
 
   # Thrown if given command was not found.

data/lib/bwrap/execution/execute.rb

@@ -40,6 +40,13 @@ class Bwrap::Execution::Execute
 
   # @return formatted command.
   def self.format_command command, rootcmd:
+    # Flatten the command if required, so nils can be converted in more of cases.
+    # Flattenization is also done in executions, but they also take in account
+    # for example rootcmd, so they probably should be done in addition to this one.
+    if command.respond_to? :flatten!
+      command.flatten!
+    end
+
     replace_nils command
     return command if rootcmd.nil?
 
@@ -63,13 +70,17 @@ class Bwrap::Execution::Execute
   end
 
   # Checks whether execution failed and acts accordingly.
-  def self.handle_execution_fail fail:, error:, output:
-    return unless fail and !$CHILD_STATUS.success?
+  def self.handle_execution_fail fail:, error:, output:, command:
+    return unless fail and !execution_success?
 
     if error == :show and !output.empty?
       Bwrap::Output.warn_output "Command failed with output:\n“#{output}”"
     end
-    raise Bwrap::Execution::ExecutionFailed, "Command execution failed.", caller
+
+    exception = Bwrap::Execution::ExecutionFailed.new "Command execution failed",
+                                                      command: command,
+                                                      output: output
+    raise exception, caller
   end
 
   # @note It makes sense for caller to just return if wait has been set and not check output.
@@ -101,6 +112,13 @@ class Bwrap::Execution::Execute
                                "to add “self.prepend_rootcmd(command, rootcmd:)” method."
   end
 
+  # A wrapper to get status of an execution.
+  #
+  # Mainly here so test implementation is easier.
+  private_class_method def self.execution_success?
+    $CHILD_STATUS.success?
+  end
+
   # Used by `#handle_logging`.
   private_class_method def self.calculate_log_command command
     return command.dup unless command.respond_to?(:join)

data/lib/bwrap/execution/execution.rb

@@ -5,6 +5,7 @@ require "bwrap/output"
 require_relative "exceptions"
 require_relative "execute"
 require_relative "path"
+require_relative "popen2e"
 
 # Provides methods to execute commands and handle its output.
 #
@@ -61,7 +62,7 @@ module Bwrap::Execution
     end
 
     # If command is string, splat operator (the *) does not do anything. If array, it expand the arguments.
-    # This causes spawning work correctly, as that’s how spawn() expects to have the argu
+    # This causes spawning work correctly, as that’s how spawn() expects to have the arguments.
     pid = spawn(env, *command, err: [ :child, :out ], out: Execute.w, unsetenv_others: clear_env)
     output = Execute.finish_execution(log: log, wait: wait, direct_output: direct_output)
     return pid unless wait
@@ -71,12 +72,35 @@ module Bwrap::Execution
     @last_status = $CHILD_STATUS
 
     output = Execute.process_output output: output
-    Execute.handle_execution_fail fail: fail, error: error, output: output
+    Execute.handle_execution_fail fail: fail, error: error, output: output, command: command
     output
   ensure
     Execute.clean_variables
   end
 
+  # Works similarly to {Open3.popen2e}.
+  #
+  # TODO: If there will be any difference to input syntax, document those differences here.
+  # For now, rootcmd option has been implemented.
+  #
+  # A block is accepted, as does {Open3.popen2e}. For now, at least.
+  #
+  # TODO: Implement this so that this uses same execution things as other things here.
+  # This way bwrap actually can be integrated to this...
+  #
+  # TODO: Verify default log_callback is correct
+  #
+  # @warning Only array style commands are accepted. For example, `ls /`
+  # is not ok, but `ls` or `%w{ ls / }` is ok.
+  def popen2e *cmd, rootcmd: nil, log_callback: 1, log: true, &block
+    popen = Bwrap::Execution::Popen2e.new
+    popen.dry_run = @dry_run
+    popen.popen2e(*cmd, rootcmd: rootcmd, log_callback: log_callback, log: log, &block)
+  ensure
+    @last_status = $CHILD_STATUS
+  end
+  module_function :popen2e
+
   # Returns Process::Status instance of last execution.
   #
   # @note This only is able to return the status if wait is true, as otherwise caller is assumed to

data/lib/bwrap/execution/path.rb

@@ -20,7 +20,7 @@ module Bwrap::Execution::Path
     #
     # @yield Command appended to each path in PATH environment variable
     # @yieldparam path [String] Full path to executable
-    def self.each_env_path command, env_path_var: ENV["PATH"]
+    def self.each_env_path command, env_path_var: ENV.fetch("PATH", nil)
       exts = ENV["PATHEXT"] ? ENV["PATHEXT"].split(";") : [ "" ]
 
       env_path_var.split(File::PATH_SEPARATOR).each do |env_path|
@@ -39,7 +39,7 @@ module Bwrap::Execution::Path
   # @param command [String] executable to be resolved
   # @param env_path_var [String] PATH environment variable as string.
   #   Defaults to `ENV["PATH"]`
-  private def command_available? command, env_path_var: ENV["PATH"]
+  private def command_available? command, env_path_var: ENV.fetch("PATH", nil)
     # Special handling for absolute paths.
     path = Pathname.new command
     if path.absolute?
@@ -60,7 +60,7 @@ module Bwrap::Execution::Path
   # Returns path to given executable.
   #
   # @param (see #command_available?)
-  private def which command, fail: true, env_path_var: ENV["PATH"]
+  private def which command, fail: true, env_path_var: ENV.fetch("PATH", nil)
     # Special handling for absolute paths.
     path = Pathname.new command
     if path.absolute?

data/lib/bwrap/execution/popen2e.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+# @see {Bwrap::Execution.popen2e}
+class Bwrap::Execution::Popen2e
+  attr_writer :dry_run
+
+  # @see {Bwrap::Execution.popen2e}
+  # TODO: Add a test for this (does Ruby have anything I could use here?).
+  #
+  # @note Also options accepted by {Open3.popen2e} are accepted
+  #   here, in addition to those specified here.
+  def popen2e *cmd, rootcmd: nil, log_callback: 1, log: true, &block
+    @rootcmd = rootcmd
+    @log_callback = log_callback + 1 # Passing to another method, so need to add one more.
+    @log = log
+    self.opts_from_input = cmd
+
+    resolve_actual_command cmd
+
+    return if @dry_run || Bwrap::Execution::Execute.dry_run
+
+    open_pipes
+    popen_run(@actual_command, [ @in_read, @out_write ], [ @in_write, @out_read ], &block)
+  ensure
+    if block
+      @in_read.close
+      @in_write.close
+      @out_read.close
+      @out_write.close
+    end
+  end
+
+  # Sets @opts from `cmd` given to {#popen2e}, if any extra options have been given.
+  private def opts_from_input= cmd
+    @opts = cmd.last.is_a?(Hash) && cmd.pop.dup || {}
+  end
+
+  private def open_pipes
+    @in_read, @in_write = IO.pipe
+    @opts[:in] = @in_read
+    @in_write.sync = true
+
+    @out_read, @out_write = IO.pipe
+    @opts[[ :out, :err ]] = @out_write
+  end
+
+  # First element may be optional environment variables.
+  private def resolve_actual_command cmd
+    temp_cmd = cmd.dup
+
+    # Delete environment hash.
+    env_hash = temp_cmd.shift if temp_cmd.first.is_a? Hash
+
+    # Delete option hash.
+    option_hash = temp_cmd.pop if temp_cmd.last.is_a? Hash
+
+    temp_cmd = Bwrap::Execution::Execute.format_command temp_cmd, rootcmd: @rootcmd
+    Bwrap::Execution::Execute.handle_logging temp_cmd, log_callback: @log_callback, log: @log, dry_run: @dry_run
+
+    temp_cmd.unshift env_hash if env_hash
+    temp_cmd.push option_hash if option_hash
+
+    # If command is an array, there can’t be arrays inside the array (hashes are preserved).
+    # For convenience, the array is flattened here, so callers can construct commands more easily.
+    temp_cmd.flatten!
+
+    @actual_command = temp_cmd
+  end
+
+  private def popen_run cmd, child_io, parent_io
+    pid = spawn(*cmd, @opts)
+    wait_thr = Process.detach(pid)
+    child_io.each(&:close)
+    result = [ *parent_io, wait_thr ]
+
+    if defined? yield
+      begin
+        return yield(*result)
+      ensure
+        parent_io.each(&:close)
+        wait_thr.join
+      end
+    end
+
+    result
+  end
+end