bwrap 1.1.1 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 352b23610ac14344695cc17c4bcdaeaf7307b3742983f520581251b4bb7f85a5
-  data.tar.gz: e4cfa7fb8ca749e5dfddf11f6eb030fd82af1bd2a15dad5062d9ba4fd9be72fb
+  metadata.gz: 2d50d32e5158e20f7a5a1f75124c8b657a12b54b3392612d5aa11e9717add289
+  data.tar.gz: 7ac4aede1519880cd7c4e48d233688d1fb0d2ade75e8dc202bd27969d9c28428
 SHA512:
-  metadata.gz: cb7feb42474faa52ab6cce4cafd66daabf20f8490519a0f950885b1347332d38a6c335de40d6db4c7371e9eb0a0a722352d6e4613db3e3df193688ae896c584e
-  data.tar.gz: 90892a26e8efddc5112c4fa22bd1b95e8380f1860df1680031549f0addf485b4229fcdd11d786a63d476bf151483db60eba7682d045d35b08dfccea88e6b5f44
+  metadata.gz: 88dfdab0abd2342289724060107c1a8fcc681eac5a4b24f402e316cc8d4470e33cb9fe11f7be1072b2dc0b97f3b1fc10e7df92bce192f0de9de9978f423237c0
+  data.tar.gz: 76fc0bd2dc04e98b3254a540813212a6b9fb7cba1b7c0f64f49a19577106eb0dc8efac79215e4f689a229e1bfce57e9b9ca0926347d552d28000aa815697892f

data/CHANGELOG.md

@@ -1,5 +1,26 @@
 # Changes
 
+## 1.3.1 (06.01.2023)
+
+* Renewed expired key
+
+## 1.3.0 (06.01.2023)
+
+NOTE: No gem was released due expired key.
+
+* Introduced llvm-readelf as additional dependency for library resolution.
+* Fix library resolution on newer systems.
+* Made resolv.conf binding to require a configuration option.
+* Added option for --unshare-all (enabled by default, which is previous behaviour).
+* Return output of the command with Bwrap#run
+
+## 1.2.0 (20.07.2022)
+
+* Properly throw execution failure exception
+* Config is now optional argument for Bwrap#initialize
+* Allow passing kwargs to Bwrap#run
+* Allow passing config to execute
+
 ## 1.1.1 (07.06.2022)
 
 * Added Bwrap::Execution.popen2e

data/README.md

@@ -20,6 +20,15 @@ Or install it yourself as:
 
     $ gem install bwrap
 
+Running system must have following executables present:
+  - scanelf (from pax-utils)
+
+Additionally, for musl executables and libraries, following are necessary:
+  - ldd
+
+Additionally, for glibc executables and libraries, following are necessary:
+  - llvm-readelf
+
 ## Usage
 
 For now this is under ongoing development, though semantic versioning will apply.

data/lib/bwrap/args/args.rb

@@ -10,12 +10,12 @@ require "bwrap/version"
 module Bwrap::Args
   # Used as container for arguments constructed via {Construct}.
   #
-  # Where {Hash} defaults to nil as default argument, `Args` defaults to
-  # {Array}.
+  # Where `Hash` defaults to nil as default argument, {Args} defaults to
+  # `Array`.
   class Args < Hash
     # Creates new instance of a hash for storing arguments.
     #
-    # Where {Hash} defaults to nil as default argument, `Args` defaults to
+    # Where `Hash` defaults to nil as default argument, {Args} defaults to
     # `[]`.
     #
     # @see Hash#initialize
@@ -31,9 +31,10 @@ module Bwrap::Args
     #
     # Following types are meant to be used, though everything is accepted:
     # - :mount
+    # - (and many others, they are not documented here)
     #
     # @param type [Symbol] Type of the argument
-    # @returns self
+    # @return self
     def add(type, *data)
       if data.respond_to? :each
         self[type] += data.flatten
@@ -43,5 +44,33 @@ module Bwrap::Args
 
       self
     end
+
+    # Adds ugiven data to array identified by given type if they
+    # have not been already added.
+    #
+    # Following types are meant to be used, though everything is accepted:
+    # - :mount
+    # - (and many others, they are not documented here)
+    #
+    # @param type [Symbol] Type of the argument
+    # @return self
+    def add_uniq(type, *data)
+      if data.respond_to? :each
+        self[type] |= data
+      else
+        self[type] << data unless include? data
+      end
+
+      self
+    end
+
+    # Adds a read-only bind to bind given path from host to same path inside sandbox.
+    #
+    # @see bwrap argument `--ro-bind`.
+    #
+    # TODO: doc for params
+    def ro_bind(type, path)
+      add(type, %W{ --ro-bind #{path} #{path} })
+    end
   end
 end

data/lib/bwrap/args/bind/device.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require "bwrap/output"
+
+class Bwrap::Args::Bind
+  # Device related binds.
+  class Device
+    include Bwrap::Output
+
+    # Instance of {Config}.
+    attr_writer :config
+
+    # @param args [Args] Args created by {Construct}
+    def initialize args
+      @args = args
+    end
+
+    # Arguments for mounting devtmpfs to /dev.
+    def dev_mount
+      return unless @config&.dev_mount
+
+      debug "Mounting new devtmpfs to /dev"
+      @args.add :dev_mounts, "--dev", "/dev"
+    end
+
+    # Arguments to bind /dev/dri from host to sandbox.
+    def bind_dev_dri
+      return unless @config&.graphics_acceleration
+
+      @args.add :dev_mounts, %w{ --dev-bind /dev/dri /dev/dri }
+    end
+
+    # Arguments to bind /sys/dev/char from host to sandbox.
+    def bind_sys_dev_char
+      return unless @config&.graphics_acceleration
+
+      @args.add :dev_mounts, %w{ --ro-bind /sys/dev/char /sys/dev/char }
+    end
+
+    # Arguments to bind /sys/devices/pci0000:00 from host to sandbox.
+    def bind_pci_devices
+      return unless @config&.graphics_acceleration
+
+      @args.add :dev_mounts, %w{ --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 }
+    end
+  end
+end
+

data/lib/bwrap/args/bind/library.rb

@@ -2,8 +2,9 @@
 
 require "bwrap/execution/path"
 require "bwrap/output"
-require_relative "../library"
-require_relative "mime"
+require "bwrap/resolvers/executable"
+require "bwrap/resolvers/library"
+require "bwrap/resolvers/mime"
 
 class Bwrap::Args::Bind
   # TODO: documentation
@@ -21,22 +22,20 @@ class Bwrap::Args::Bind
     include Bwrap::Execution::Path
     include Bwrap::Output
 
-    # The command given to {Bwrap#run}.
-    #
-    # @see Bwrap::Args::Construct#command=
-    #
-    # @see (see Bwrap::Args::Construct#command=)
-    attr_writer :command
-
     # Instance of {Bwrap::Config}.
     attr_writer :config
 
     # Instance of {Bwrap::Args::Environment}.
     attr_writer :environment
 
-    attr_writer :executable_name
+    # Instance of {Bwrap::Resolvers::Executable}.
+    attr_writer :executable
 
-    attr_writer :executable_path
+    # TODO: Remove?
+    #attr_writer :executable_name
+
+    # TODO: Remove?
+    #attr_writer :executable_path
 
     def initialize args
       @args = args
@@ -45,29 +44,15 @@ class Bwrap::Args::Bind
     def extra_executables_mounts
       return unless @config&.extra_executables
 
-      @config.extra_executables.each do |executable|
-        @executable_name = resolve_executable_name executable
-        @executable_path = resolve_executable_path @executable_name, not_inside_root: true
-
-        @args.add :extra_executable_mounts, %W{ --ro-bind #{@executable_path} #{@executable_path} }
+      @config.extra_executables.each do |extra_executable|
+        executable = Bwrap::Resolvers::Executable.new extra_executable
 
-        resolve_executable_libraries
+        generate_binds_for_command :extra_executable_mounts, executable, inside_root: false
       end
     end
 
-    # Checks the command given to {Bwrap#run} and adds the libraries it needs.
-    #
-    # Convenience method to call {#resolve_executable_libraries}.
     def handle_given_command
-      @executable_name = resolve_executable_name @command
-      @executable_path = resolve_executable_path @executable_name
-
-      # Actually add the executable to be bound to the sandbox.
-      unless @config&.command_inside_root
-        @args.add :given_command, %W{ --ro-bind #{@executable_path} #{@executable_path} }
-      end
-
-      resolve_executable_libraries
+      generate_binds_for_command :given_command, @executable
     end
 
     # Does some inspection to find out libraries given executable needs in order to work.
@@ -77,14 +62,15 @@ class Bwrap::Args::Bind
     #
     # @todo Ensure scanelf is available (and throw proper error if it is not, telling to not use
     #   full_system_mounts option.)
-    def resolve_executable_libraries
-      debug "Resolving executable libraries of #{@executable_path}"
+    #
+    # @param executable_name [String] Executable to be run inside bwrap
+    def resolve_executable_libraries executable_name, executable_path
+      debug "Resolving executable libraries of #{executable_path}"
 
-      # TODO: Put this behind additional flag for extra control/sanity.
-      # Some executables are shell scripts and similar. For them we need to use the interpreter.
+      mime = Bwrap::Resolvers::Mime.new executable_name, executable_path
+      mime.resolve_mime_type
 
-      mime = Mime.new @executable_name, @executable_path
-      return unless mime.resolve_mime_type
+      return if shell_executable_binds mime
 
       # TODO: Ideally mime stuff should be handled as config,
       # but then shebang parsing logic would be necessary to move to config classes.
@@ -101,7 +87,7 @@ class Bwrap::Args::Bind
 
       library_mounts = []
 
-      library_object = ::Bwrap::Args::Library.new
+      library_object = ::Bwrap::Resolvers::Library.new
       libraries = library_object.libraries_needed_by mime.executable_path
 
       # TODO: following is bad?
@@ -110,7 +96,7 @@ class Bwrap::Args::Bind
         library_mounts << "--ro-bind" << library << library
       end
 
-      @args.add :extra_executable_libraries, library_mounts
+      @args.add_uniq :extra_executable_libraries, library_mounts
     end
 
     # Some features, like {Bwrap::Config::Features::Nscd}, requires some binds
@@ -124,22 +110,52 @@ class Bwrap::Args::Bind
       ruby_binds_for_features
     end
 
-    private def resolve_executable_name command
-      if command.is_a? String
-        return command
-      end
+    private def shell_executable_binds mime
+      # TODO: Put this behind additional flag for extra control/sanity.
+      # Some executables are shell scripts and similar. For them we need to use the interpreter.
 
-      # Array-like.
-      if command.respond_to? :at
-        return command.at(0)
+      if mime.mime_type[0..6] != "text/x-"
+        # All is good as this is not an interpreter.
+      elsif mime.interpreter?
+        # TODO: For less unmessiness, this should be done before actual
+        #   handle_given_command() and extra_executable_mounts() are run.
+        #   I guess that needs some refactoring...
+        mime_executable = Bwrap::Resolvers::Executable.new mime.resolve_real_executable
+        generate_binds_for_command :extra_executable_mounts, mime_executable
+      else
+        warn "Executable #{mime.executable_name} was recognized as #{mime.mime_type} but does not have " \
+             "proper shebang line. Skipping automatic library mounts."
+        return true
       end
 
-      raise "Can’t recognize type of given command. Type: #{command.class}"
+      false
+    end
+
+    # @param executable [Bwrap::Resolvers::Executable] Executable to be resolved
+    private def generate_binds_for_command args_flag, executable, inside_root: true
+      # Type can be :path or :symlink. It is not used for now.
+      executable.executable_paths.each do |path, _type|
+        executable_path = resolve_executable_path path, inside_root: inside_root
+
+        # Actually add the executable to be bound to the sandbox.
+        if @config and !@config.command_inside_root
+          # Avoid double-binding the executable.
+          executable_dir = File.dirname(executable_path)
+          unless @config.binaries_from&.include? executable_dir
+            @args.ro_bind args_flag, executable_path
+
+            # Also add the directory where the executable is to PATH, for convenience.
+            @environment.add_to_path executable_dir unless executable.absolute_path?
+          end
+        end
+
+        resolve_executable_libraries path, executable_path
+      end
     end
 
     # @warning Requires environment paths to be resolved beforehand.
-    private def resolve_executable_path executable_name, not_inside_root: nil
-      if @config&.command_inside_root.nil? or not_inside_root
+    private def resolve_executable_path executable_name, inside_root: true
+      if @config&.command_inside_root.nil? or !inside_root
         return which executable_name
       end
 

data/lib/bwrap/args/bind.rb

@@ -3,6 +3,7 @@
 require "bwrap/execution"
 require "bwrap/output"
 require_relative "args"
+require_relative "bind/device"
 require_relative "bind/library"
 
 # Bind arguments for bwrap.
@@ -13,40 +14,21 @@ class Bwrap::Args::Bind
   # Array of parameters passed to bwrap.
   attr_writer :args
 
-  # The command given to {Bwrap#run}.
-  #
-  # @see Bwrap::Args::Construct#command=
-  #
-  # @see (see Bwrap::Args::Construct#command=)
-  attr_writer :command
-
   # Instance of {Bwrap::Config}.
   attr_writer :config
 
   # Instance of {Bwrap::Args::Environment}.
   attr_writer :environment
 
-  # Arguments to bind /dev/dri from host to sandbox.
-  def bind_dev_dri
-    @args.add :dev_mounts, %w{ --dev-bind /dev/dri /dev/dri }
-  end
-
-  # Arguments to bind /sys/dev/char from host to sandbox.
-  def bind_sys_dev_char
-    @args.add :dev_mounts, %w{ --ro-bind /sys/dev/char /sys/dev/char }
-  end
-
-  # Arguments to bind /sys/devices/pci0000:00 from host to sandbox.
-  def bind_pci_devices
-    @args.add :dev_mounts, %w{ --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 }
-  end
+  # Instance of {Bwrap::Resolvers::Executable}.
+  attr_writer :executable
 
   # Arguments to bind home directory from sandbox directory (`#{@config.sandbox_directory}/home`)
   # as `/home/#{@config.user}`.
   #
   # @note Requires @config.user to be set.
   def bind_home_directory
-    return unless @config.user
+    return unless @config&.user
 
     home_directory = "#{@config.sandbox_directory}/home"
 
@@ -71,28 +53,16 @@ class Bwrap::Args::Bind
     #
     # Or maybe the data should be calculated and these are excluded in
     # Construct#bwrap_arguments?
-    return unless @config.full_system_mounts
+    return if @config && !@config&.full_system_mounts
 
     @library_bind.handle_given_command
   end
 
   # Arguments to read-only bind whole system inside sandbox.
   def handle_system_mounts
-    bindir_mounts = []
-    binaries_from = @config.binaries_from
-    binaries_from.each do |path|
-      bindir_mounts << "--ro-bind" << path << path
-    end
-    @environment.add_to_path binaries_from
-
-    @args.add :bindir, bindir_mounts
-
-    if debug?
-      debug "Using following bindir mounts:\n" \
-            "#{bindir_mounts}\n" \
-            "(Odd is key, even is value)"
-    end
+    return unless @config&.binaries_from
 
+    bindir_mounts
     libdir_mounts
 
     binds_for_features
@@ -100,9 +70,19 @@ class Bwrap::Args::Bind
     @library_bind.extra_executables_mounts
   end
 
+  def device_binds
+    device = Bwrap::Args::Bind::Device.new @args
+    device.config = @config
+
+    device.dev_mount
+    device.bind_dev_dri
+    device.bind_sys_dev_char
+    device.bind_pci_devices
+  end
+
   # These are something user can specify to do custom --ro-bind binds.
   def custom_read_only_binds
-    return unless @config.ro_binds
+    return unless @config&.ro_binds
 
     binds = []
     @config.ro_binds.each do |source_path, destination_path|
@@ -114,12 +94,30 @@ class Bwrap::Args::Bind
 
   # Performs cleanup operations after execution.
   def cleanup
-    Bwrap::Args::Library.clear_needed_libraries_cache
+    Bwrap::Resolvers::Library.clear_needed_libraries_cache
+  end
+
+  # Used by {#handle_system_mounts}.
+  private def bindir_mounts
+    bindir_mounts = []
+    binaries_from = @config.binaries_from
+    binaries_from.each do |path|
+      bindir_mounts << "--ro-bind" << path << path
+    end
+    @environment.add_to_path binaries_from
+
+    @args.add :bindir, bindir_mounts
+
+    return unless debug? and !bindir_mounts.empty?
+
+    debug "Using following bindir mounts:\n" \
+          "#{bindir_mounts}\n" \
+          "(Odd is key, even is value)"
   end
 
   # Used by {#handle_system_mounts}.
   private def libdir_mounts
-    return unless @config.libdir_mounts
+    return unless @config&.libdir_mounts
 
     libdir_mounts = %w{
       --ro-bind /lib /lib
@@ -139,9 +137,9 @@ class Bwrap::Args::Bind
 
   private def construct_library_bind
     library_bind = Bwrap::Args::Bind::Library.new @args
-    library_bind.command = @command
     library_bind.config = @config
     library_bind.environment = @environment
+    library_bind.executable = @executable
 
     @library_bind = library_bind
   end

data/lib/bwrap/args/construct.rb

@@ -3,13 +3,16 @@
 require "tempfile"
 
 require "bwrap/output"
+require "bwrap/resolvers/executable"
 require_relative "args"
 require_relative "bind"
 require_relative "environment"
 require_relative "features"
 require_relative "machine_id"
 require_relative "mount"
+require_relative "namespace"
 require_relative "network"
+require_relative "user"
 
 # Constructs arguments for bwrap execution.
 class Bwrap::Args::Construct
@@ -18,6 +21,13 @@ class Bwrap::Args::Construct
 
   attr_writer :config
 
+  def initialize
+    # If a key is not found, it is initialized with an empty array.
+    @args = Bwrap::Args::Args.new
+
+    @executable = Bwrap::Resolvers::Executable.new
+  end
+
   # Command that is executed inside bwrap sandbox.
   #
   # @note This is not used for anything vital, but some things, like
@@ -25,17 +35,14 @@ class Bwrap::Args::Construct
   #   additional data.
   #
   # @param value [Array, String] Command with arguments
-  attr_writer :command
-
-  def initialize
-    # If a key is not found, it is initialized with an empty array.
-    @args = Bwrap::Args::Args.new
+  def command= value
+    @executable.command = value
   end
 
   # Parses data given with {Config} so it can be outputted in proper
   # order by {#bwrap_arguments}.
   #
-  # @note Command given to {Bwrap#run} is set to {Bind#command}.
+  # @note Command given to {Bwrap#run} is set to {Bind#command=}.
   def calculate
     create_objects
 
@@ -51,16 +58,13 @@ class Bwrap::Args::Construct
     @bind.handle_system_mounts
     @features.feature_binds
     @bind.custom_read_only_binds
-    create_user_dir
-    read_only_pulseaudio
-    dev_mount
-    @bind.bind_dev_dri
-    @bind.bind_sys_dev_char
-    @bind.bind_pci_devices
+    @user.create_user_dir
+    @user.read_only_pulseaudio
+    @bind.device_binds
     proc_mount
     tmp_as_tmpfs
     @bind.bind_home_directory
-    @args.add :unshare_all, "--unshare-all" # Practically means that there would be nothing in the sandbox by default.
+    @namespace.shares
     @network.share_net
     @network.hostname
     @args.add :environment, @environment.environment_variables
@@ -70,7 +74,7 @@ class Bwrap::Args::Construct
 
   # Returns arguments to pass to bwrap.
   #
-  # @note Command given to {Bwrap#run} is set to {Bind#command}.
+  # @note Command given to {Bwrap#run} is set to {Bind#command=}.
   def bwrap_arguments
     args = []
 
@@ -124,11 +128,11 @@ class Bwrap::Args::Construct
     @bind&.cleanup
   end
 
-  # Used by {#construct_bwrap_args}.
+  # Used by {#calculate}.
   private def create_objects
     @bind = Bwrap::Args::Bind.new
     @bind.args = @args
-    @bind.command = @command
+    @bind.executable = @executable
     @bind.config = @config
 
     @environment = Bwrap::Args::Environment.new
@@ -142,35 +146,22 @@ class Bwrap::Args::Construct
     @machine_id = Bwrap::Args::MachineId.new
     @machine_id.config = @config
 
+    @namespace = Bwrap::Args::Namespace.new @args
+    @namespace.config = @config
+
     @network = Bwrap::Args::Network.new @args
     @network.config = @config
+
+    @user = Bwrap::Args::User.new @args
+    @user.config = @config
   end
 
   # Arguments for generating .Xauthority file.
   private def xauthority_args
-    return unless @config.xorg_application
+    return unless @config&.xorg_application
 
     xauth_args = %W{ --ro-bind #{Dir.home}/.Xauthority #{Dir.home}/.Xauthority }
     debug "Binding following .Xauthority file: #{Dir.home}/.Xauthority"
     @args.add :xauthority, xauth_args
   end
-
-  # Arguments to create `/run/user/#{uid}`.
-  private def create_user_dir
-    trace "Creating directory /run/user/#{uid}"
-    @args.add :user_dir, %W{ --dir /run/user/#{uid} }
-  end
-
-  # Arguments to bind necessary pulseaudio data for audio support.
-  private def read_only_pulseaudio
-    return unless @config.audio.include? :pulseaudio
-
-    debug "Binding pulseaudio"
-    @args.add :audio, %W{ --ro-bind /run/user/#{uid}/pulse /run/user/#{uid}/pulse }
-  end
-
-  # Returns current user id.
-  private def uid
-    Process.uid
-  end
 end

data/lib/bwrap/args/environment.rb

@@ -27,6 +27,9 @@ class Bwrap::Args::Environment < Hash
 
     env_paths
 
+    # If nothing has been added to path, the map would result to empty --setenv.
+    return self if empty?
+
     map do |key, value|
       if key == "PATH" and value.respond_to? :join
         value = value.join ":"
@@ -38,7 +41,7 @@ class Bwrap::Args::Environment < Hash
 
   # @return [Array] All environment paths added via {Config#add_env_path} and other parsing logic
   def env_paths
-    if @config.env_paths.respond_to? :each
+    if @config and @config.env_paths.respond_to? :each
       self["PATH"] |= @config.env_paths
     end
 
@@ -66,6 +69,7 @@ class Bwrap::Args::Environment < Hash
 
   # Ruby feature specific environment path handling.
   private def ruby_env_paths
+    return unless @config
     return unless @config.features.ruby.enabled?
     return unless @config.features.ruby.gem_env_paths?
 

data/lib/bwrap/args/features/ruby_binds.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "bwrap/resolvers/library"
+
 # Implementation for Ruby feature set.
 #
 # @api private
@@ -33,7 +35,7 @@ class Bwrap::Args::Features::RubyBinds < Bwrap::Args::Features::BindsBase
     ruby_config = @config.features.ruby.ruby_config
 
     library_mounts = []
-    library = Bwrap::Args::Library.new
+    library = Bwrap::Resolvers::Library.new
     stdlib.each do |lib|
       path = "#{ruby_config["rubyarchdir"]}/#{lib}.so"