commit 78a10160a9acf9251b49ebb32025b0b3029e8cd8
parent ace52357ff2fee2586f9f453358e70fd8080aa5a
Author: Jan Pobříslo <ccx@te2000.cz>
Date: Tue, 20 Feb 2024 19:27:33 +0100
Update sydbox
Diffstat:
1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/command/pthbs-build b/command/pthbs-build
@@ -122,18 +122,22 @@ function at_filehash(hash_type, file_hash, dst, dstdir){
if(length(ENVIRON["PTHBS_SYD"])) {
sandbox_cmd=" SYD_NO_SYSLOG=1 SYD_LOG_FD=3 3>syd.log"
sandbox_cmd=sandbox_cmd " " ENVIRON["PTHBS_SYD"] " -m sandbox/stat:off -m sandbox/exec:off"
- sandbox_cmd=sandbox_cmd " -m trace/allow_unsafe_chmod:1" # Allow sticky bit on directories
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+"ENVIRON["workdir"]"/***")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/write+"ENVIRON["workdir"]"/***")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+/proc/loadavg")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+/etc/passwd")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+/etc/group")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+/tmp/***")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/write+/tmp/***")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+/dev/***")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/write+/dev/***")
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+"ENVIRON["script"])
- sandbox_cmd=sandbox_cmd " -m " q("allowlist/read+"dirname(ENVIRON["envdir"])"/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+"ENVIRON["workdir"]"/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/write+"ENVIRON["workdir"]"/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+/proc/loadavg")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+/etc/passwd")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+/etc/group")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+/tmp/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/write+/tmp/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+/dev/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/write+/dev/***")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+"ENVIRON["script"])
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+"dirname(ENVIRON["envdir"])"/***")
+ sandbox_cmd=sandbox_cmd " -munshare/user:1"
+ sandbox_cmd=sandbox_cmd " -munshare/mount:1"
+ sandbox_cmd=sandbox_cmd " -mbind+" q(dirname(ENVIRON["envdir"]"/work/bin")":/bin:ro,nosetuid,nodev")
+ sandbox_cmd=sandbox_cmd " -m " q("allow/read+"/bin/***")
+ sandbox_cmd=sandbox_cmd " -munshare/net:1 -munshare/ipc:1
} else {
fatal("set $PTHBS_SYD to enable sandboxing")
}
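Review bot: Two of the added lines are not valid awk: in `q("allow/read+"/bin/***")` the string literal closes before `/bin`, so `/bin/***"` is read as division, `*`/`**` operators and an unterminated string, and the `-munshare/net:1 -munshare/ipc:1` line never closes its opening quote. They should read `sandbox_cmd=sandbox_cmd " -m " q("allow/read+/bin/***")` and `sandbox_cmd=sandbox_cmd " -munshare/net:1 -munshare/ipc:1"`, matching the quoting of the surrounding `allow/read+` lines. The bind line also looks suspect: `dirname(ENVIRON["envdir"]"/work/bin")` yields `$envdir/work` (the parent of `work/bin`) and mounts that over `/bin`; if the intent is to expose the `bin` directory itself, as the `:/bin` target suggests, it should probably be `dirname(ENVIRON["envdir"])"/work/bin"`, the same parenthesisation as `dirname(ENVIRON["envdir"])"/***"` three lines above — worth confirming against what is expected under `/bin` in the sandbox. The enclosing function begins before this hunk.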