commit ae79ed2bb0c3a21275afb441386b728225725512
parent 647195a3dc27c4382ae40cc1bf786c5cdd87ac24
Author: Jan Pobrislo <ccx@te2000.cz>
Date: Wed, 30 Apr 2025 00:34:35 +0000
Erase old sandbox code
Diffstat:
1 file changed, 0 insertions(+), 50 deletions(-)
diff --git a/command/pthbs-setup-gen.awk b/command/pthbs-setup-gen.awk
@@ -157,56 +157,6 @@ function sandbox( s) {
}
/^$/ {
sandbox_cmd = sandbox()
- if(settings["sandbox"]) {
- if(length(ENVIRON["PTHBS_SYD"])) {
- sandbox_cmd=" SYD_NO_SYSLOG=1 SYD_LOG_FD=3 3>syd.log"
- sandbox_cmd=sandbox_cmd " " ENVIRON["PTHBS_SYD"]
- sandbox_cmd=sandbox_cmd " -m sandbox/force:off"
- sandbox_cmd=sandbox_cmd " -m sandbox/stat:off"
- sandbox_cmd=sandbox_cmd " -m sandbox/exec:off"
- sandbox_cmd=sandbox_cmd " -m sandbox/truncate:off"
- sandbox_cmd=sandbox_cmd " -m sandbox/utime:off"
- sandbox_cmd=sandbox_cmd " -m sandbox/chown:off"
- sandbox_cmd=sandbox_cmd " -m sandbox/chgrp:off"
- sandbox_cmd=sandbox_cmd " -m sandbox/ioctl:off"
- sandbox_cmd=sandbox_cmd " -m " q("allow/read+/proc/loadavg")
- sandbox_cmd=sandbox_cmd " -m " q("allow/read+/etc/passwd")
- sandbox_cmd=sandbox_cmd " -m " q("allow/read+/etc/group")
- sandbox_cmd=sandbox_cmd " -m " q("allow/read+"ENVIRON["script"])
- sydbox_rw_tree(ENVIRON["workdir"])
- sydbox_rw_tree("/tmp")
- sydbox_rw_tree("/dev")
- sydbox_rw_tree("/proc")
- sydbox_ro_tree(dirname(ENVIRON["envdir"]))
- sandbox_cmd=sandbox_cmd " -munshare/user:1"
- sandbox_cmd=sandbox_cmd " -munshare/mount:1"
- sandbox_cmd=sandbox_cmd " -mbind+" q(ENVIRON["pthbs_workdir"]"/bin:/bin:ro,nosuid,nodev")
- sydbox_ro_tree("/bin")
- sandbox_cmd=sandbox_cmd " -munshare/net:1 -munshare/ipc:1"
- } else if(sandbox_mode == "userns") {
- sandbox_cmd=" "q(ENVIRON["pthbs_source"]"/sandbox/ns_sandbox.py")" --mode=userns"
- sandbox_cmd=sandbox_cmd" --versions="q(ENVIRON["pthbs_versions"])
- sandbox_cmd=sandbox_cmd" --extra-mount=tmpfs:"q(ENVIRON["pthbs_workdir"])
- sandbox_cmd=sandbox_cmd" --extra-mount=ro_bind:"q(ENVIRON["pthbs_pkgdir"]":"ENVIRON["pthbs_pkgdir"])
- sandbox_cmd=sandbox_cmd" --extra-mount=rw_bind:"q(ENVIRON["workdir"]":"ENVIRON["workdir"])
- sandbox_cmd=sandbox_cmd" --extra-mount=rw_bind:"q(ENVIRON["workdir"]"/.tmp:/tmp")
- sandbox_cmd=sandbox_cmd" -- "q(ENVIRON["pthbs_workdir"]"/root")
- printf "%s\n", "mkdir -p "q(ENVIRON["workdir"]"/.tmp")" "q(ENVIRON["pthbs_workdir"]"/root")
- } else if(sandbox_mode == "root") {
- sandbox_cmd=" "q(ENVIRON["pthbs_cache"]"/venv/bin/python")" "q(ENVIRON["pthbs_source"]"/sandbox/ns_sandbox.py")" --mode=root"
- sandbox_cmd=sandbox_cmd" --versions="q(ENVIRON["pthbs_versions"])
- sandbox_cmd=sandbox_cmd" --untar="q(ENVIRON["pthbs_source"]"/sandbox/root.tar")
- sandbox_cmd=sandbox_cmd" --chdir="q(ENVIRON["workdir"])
- sandbox_cmd=sandbox_cmd" --extra-mount=tmpfs:"q(ENVIRON["pthbs_workdir"])
- sandbox_cmd=sandbox_cmd" --extra-mount=ro_bind:"q(ENVIRON["pthbs_pkgdir"]":"ENVIRON["pthbs_pkgdir"])
- sandbox_cmd=sandbox_cmd" --extra-mount=rw_bind:"q(ENVIRON["workdir"]":"ENVIRON["workdir"])
- sandbox_cmd=sandbox_cmd" --extra-mount=rw_bind:"q(ENVIRON["workdir"]"/.tmp:/tmp")
- sandbox_cmd=sandbox_cmd" -- "q(ENVIRON["pthbs_workdir"]"/root")
- printf "%s\n", "mkdir -p "q(ENVIRON["workdir"]"/.tmp")" "q(ENVIRON["pthbs_workdir"]"/root")
- } else {
- fatal("unrecognized sanbox_mode " sandbox_mode)
- }
- }
if(ENVIRON["pthbs_uid"]) {
printf "%s\n", "chown -R \"$pthbs_uid:$pthbs_gid\" "q(ENVIRON["workdir"])
}
