commit: 64474aa40c9dab64ebdc115b0fef5b82d37a4a13
parent 4ed12cfffbdb41cb59b776f8fe86f571c3b5022d
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Thu, 4 Nov 2021 00:18:49 +0100
server.sh: Use bwrap for sandboxing
Diffstat:
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/server.sh b/server.sh
@@ -12,6 +12,24 @@
export GEMDIR="/srv/gemini"
+bubblewrap() {
+ bwrap \
+ --unshare-user --uid 65534 --gid 65534 \
+ --unshare-ipc --unshare-pid --unshare-uts --unshare-cgroup-try \
+ --ro-bind /bin /bin \
+ --ro-bind /lib /lib \
+ --ro-bind /lib64 /lib64 \
+ --ro-bind /usr /usr \
+ --ro-bind /git /git \
+ --ro-bind /etc /etc \
+ --ro-bind "${GEMDIR}" "${GEMDIR}" \
+ --chdir "${GEMDIR}" \
+ --proc /proc \
+ --dev /dev \
+ --die-with-parent \
+ "$@"
+}
+
IFS=#'
' read -r line
# ' hack for vis editor to reset hightlighting…
@@ -35,12 +53,11 @@ then
then
if [ -x "$path" -a -f "$path" ]
then
- cd "${GEMDIR}/"
if echo $query | egrep -q '\?'
then
- sandbox --ns-on --ns-ipc-on --ns-mnt-on --ns-pid-on --ns-user-on "./${query//\?*}" "${query//*\?}"
+ bubblewrap "./${query//\?*}" "${query//*\?}"
else
- sandbox --ns-on --ns-ipc-on --ns-mnt-on --ns-pid-on --ns-user-on "./${query}" ""
+ bubblewrap "./${query//\?*}" ""
fi
status="x$?"
else
