Consolidate whitelist mode setup into add_whitelist_mode

This commit is contained in:
2026-03-25 23:43:48 +01:00
parent 960b034a80
commit 5fc7eb3c11


@@ -22,15 +22,6 @@ pub fn build_command(config: &SandboxConfig) -> Result<Command, SandboxError> {
SandboxMode::Whitelist => add_whitelist_mode(&mut cmd)?, SandboxMode::Whitelist => add_whitelist_mode(&mut cmd)?,
} }
if matches!(config.mode, SandboxMode::Whitelist) {
cmd.args(["--tmpfs", "/tmp"]);
cmd.args(["--tmpfs", "/var/tmp"]);
cmd.args(["--dev", "/dev"]);
cmd.args(["--tmpfs", "/dev/shm"]);
cmd.args(["--tmpfs", "/run"]);
cmd.args(["--proc", "/proc"]);
}
for path in agents::agent_rw_paths() { for path in agents::agent_rw_paths() {
cmd.arg("--bind-try").arg(&path).arg(&path); cmd.arg("--bind-try").arg(&path).arg(&path);
} }
@@ -107,34 +98,23 @@ fn add_whitelist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
"/etc/ld.so.conf", "/etc/ld.so.conf",
"/etc/ld.so.conf.d", "/etc/ld.so.conf.d",
"/etc/alternatives", "/etc/alternatives",
] { "/etc/ssl",
cmd.args(["--ro-bind-try", path, path]);
}
cmd.args(["--ro-bind-try", "/etc/ssl", "/etc/ssl"]);
cmd.args([
"--ro-bind-try",
"/etc/ca-certificates", "/etc/ca-certificates",
"/etc/ca-certificates", "/etc/resolv.conf",
]); "/etc/nsswitch.conf",
cmd.args(["--ro-bind-try", "/etc/resolv.conf", "/etc/resolv.conf"]); "/etc/passwd",
cmd.args(["--ro-bind-try", "/etc/nsswitch.conf", "/etc/nsswitch.conf"]); "/etc/group",
cmd.args(["--ro-bind-try", "/etc/passwd", "/etc/passwd"]);
cmd.args(["--ro-bind-try", "/etc/group", "/etc/group"]);
for path in [
"/etc/hosts", "/etc/hosts",
"/etc/gai.conf", "/etc/gai.conf",
"/etc/services", "/etc/services",
"/etc/protocols", "/etc/protocols",
"/etc/hostname",
"/etc/localtime",
"/etc/machine-id",
] { ] {
cmd.args(["--ro-bind-try", path, path]); cmd.args(["--ro-bind-try", path, path]);
} }
for path in ["/etc/hostname", "/etc/localtime", "/etc/machine-id"] {
cmd.args(["--ro-bind-try", path, path]);
}
cmd.args(["--ro-bind-try", "/sys", "/sys"]); cmd.args(["--ro-bind-try", "/sys", "/sys"]);
let local_bin = format!("{home}/.local/bin"); let local_bin = format!("{home}/.local/bin");
@@ -143,6 +123,13 @@ fn add_whitelist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
let cache_dir = format!("{home}/.cache"); let cache_dir = format!("{home}/.cache");
cmd.arg("--tmpfs").arg(&cache_dir); cmd.arg("--tmpfs").arg(&cache_dir);
cmd.args(["--tmpfs", "/tmp"]);
cmd.args(["--tmpfs", "/var/tmp"]);
cmd.args(["--dev", "/dev"]);
cmd.args(["--tmpfs", "/dev/shm"]);
cmd.args(["--tmpfs", "/run"]);
cmd.args(["--proc", "/proc"]);
Ok(()) Ok(())
} }
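Review bot: The six mount lines appended at the end of add_whitelist_mode in the last hunk (`--tmpfs /tmp` through `--proc /proc`) now depend on their position, but nothing states that: they must follow the ro-binds of /etc and /sys above them and still run before the `--bind-try` loop over agents::agent_rw_paths() in build_command, since bwrap (presumably, as with the order preserved by this move) applies mount arguments sequentially. A header comment on the function — whose signature and any doc sit outside the hunks — should say that it sets up the read-only system views and then the ephemeral writable filesystems, and that the ephemeral block must stay last in this function. Inline, a one-liner above the moved lines would do: `// Ephemeral writable mounts; keep after the ro-binds above (bwrap applies mounts in argument order).` Separately, the `--ro-bind-try /sys /sys` call at the end of the second hunk is now the only single-path ro-bind left outside the loop and could be folded into the path list for consistency with the rest of the refactor.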