mrrl

Minimal Reliable Reproducible Linux
git clone https://ccx.te2000.cz/git/mrrl

commit 78a10160a9acf9251b49ebb32025b0b3029e8cd8
parent ace52357ff2fee2586f9f453358e70fd8080aa5a
Author: Jan Pobříslo <ccx@te2000.cz>
Date:   Tue, 20 Feb 2024 19:27:33 +0100

Update sydbox

Diffstat:
Mcommand/pthbs-build | 28++++++++++++++++------------
1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/command/pthbs-build b/command/pthbs-build 
@@ -122,18 +122,22 @@ function at_filehash(hash_type, file_hash, dst, dstdir){
 if(length(ENVIRON["PTHBS_SYD"])) {
 sandbox_cmd=" SYD_NO_SYSLOG=1 SYD_LOG_FD=3 3>syd.log"
 sandbox_cmd=sandbox_cmd " " ENVIRON["PTHBS_SYD"] " -m sandbox/stat:off -m sandbox/exec:off"
- sandbox_cmd=sandbox_cmd " -m trace/allow_unsafe_chmod:1" # Allow sticky bit on directories
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+"ENVIRON["workdir"]"/***")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/write+"ENVIRON["workdir"]"/***")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+/proc/loadavg")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+/etc/passwd")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+/etc/group")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+/tmp/***")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/write+/tmp/***")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+/dev/***")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/write+/dev/***")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+"ENVIRON["script"])
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+"dirname(ENVIRON["envdir"])"/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+"ENVIRON["workdir"]"/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/write+"ENVIRON["workdir"]"/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+/proc/loadavg")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+/etc/passwd")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+/etc/group")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+/tmp/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/write+/tmp/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+/dev/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/write+/dev/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+"ENVIRON["script"])
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+"dirname(ENVIRON["envdir"])"/***")
+ sandbox_cmd=sandbox_cmd " -munshare/user:1"
+ sandbox_cmd=sandbox_cmd " -munshare/mount:1"
+ sandbox_cmd=sandbox_cmd " -mbind+" q(dirname(ENVIRON["envdir"]"/work/bin")":/bin:ro,nosetuid,nodev")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+"/bin/***")
+ sandbox_cmd=sandbox_cmd " -munshare/net:1 -munshare/ipc:1
 } else {
 fatal("set $PTHBS_SYD to enable sandboxing")
 }
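Review bot: Two of the added lines look syntactically broken as rendered here, which would make awk reject the whole script rather than merely weaken the sandbox: `q("allow/read+"/bin/***")` closes the string before the path (every sibling line keeps the path inside the literal, so it should read `q("allow/read+/bin/***")`), and the last added line `" -munshare/net:1 -munshare/ipc:1` has no closing quote and should end `-munshare/ipc:1"`. If the page lost those characters in rendering this is moot, but the file as shown should be checked. Separately, the removed `trace/allow_unsafe_chmod:1` line carried the comment `# Allow sticky bit on directories`; nothing in the new side replaces it, so if builds still set the sticky bit they will presumably now fail under the sandbox, and the commit message should say whether dropping it was intended. The enclosing function and the `if(length(ENVIRON["PTHBS_SYD"]))` block start outside the hunk.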