Move require_run_user to lib.rs and make blacklist module private
This commit is contained in:
@@ -42,10 +42,7 @@ pub fn resolve_overlays(ctx: &PathContext) -> Result<BlacklistOverlays, SandboxE
|
||||
|
||||
pub fn resolve_path_context() -> Result<PathContext, SandboxError> {
|
||||
let home = crate::require_home()?;
|
||||
let run_user = std::env::var("XDG_RUNTIME_DIR")
|
||||
.ok()
|
||||
.or_else(resolve_run_user_from_proc)
|
||||
.ok_or(SandboxError::RunUserNotFound)?;
|
||||
let run_user = crate::require_run_user()?;
|
||||
Ok(PathContext { home, run_user })
|
||||
}
|
||||
|
||||
@@ -88,17 +85,6 @@ fn is_under_tmpfs_dir(path: &Path, tmpfs_dirs: &[PathBuf]) -> bool {
|
||||
tmpfs_dirs.iter().any(|dir| path.starts_with(dir))
|
||||
}
|
||||
|
||||
fn resolve_run_user_from_proc() -> Option<String> {
|
||||
let status = fs::read_to_string("/proc/self/status").ok()?;
|
||||
for line in status.lines() {
|
||||
if let Some(rest) = line.strip_prefix("Uid:") {
|
||||
let uid = rest.split_whitespace().next()?;
|
||||
return Some(format!("/run/user/{uid}"));
|
||||
}
|
||||
}
|
||||
None
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Curated sensitive paths from firejail disable-common.inc + disable-programs.inc.
|
||||
// Goal: protect secrets, credentials, and session tokens from agentic access.
|
||||
|
||||
21
src/lib.rs
21
src/lib.rs
@@ -1,5 +1,5 @@
|
||||
mod agents;
|
||||
pub mod blacklist;
|
||||
mod blacklist;
|
||||
mod errors;
|
||||
mod preflight;
|
||||
mod sandbox;
|
||||
@@ -8,6 +8,7 @@ pub use errors::SandboxError;
|
||||
|
||||
use std::env;
|
||||
use std::ffi::OsString;
|
||||
use std::fs;
|
||||
use std::os::unix::process::CommandExt;
|
||||
use std::path::PathBuf;
|
||||
|
||||
@@ -35,6 +36,24 @@ pub fn require_home() -> Result<String, SandboxError> {
|
||||
.ok_or(SandboxError::HomeNotSet)
|
||||
}
|
||||
|
||||
pub fn require_run_user() -> Result<String, SandboxError> {
|
||||
env::var("XDG_RUNTIME_DIR")
|
||||
.ok()
|
||||
.or_else(resolve_run_user_from_proc)
|
||||
.ok_or(SandboxError::RunUserNotFound)
|
||||
}
|
||||
|
||||
fn resolve_run_user_from_proc() -> Option<String> {
|
||||
let status = fs::read_to_string("/proc/self/status").ok()?;
|
||||
for line in status.lines() {
|
||||
if let Some(rest) = line.strip_prefix("Uid:") {
|
||||
let uid = rest.split_whitespace().next()?;
|
||||
return Some(format!("/run/user/{uid}"));
|
||||
}
|
||||
}
|
||||
None
|
||||
}
|
||||
|
||||
pub fn run(config: SandboxConfig) -> Result<(), SandboxError> {
|
||||
preflight::check(&config)?;
|
||||
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
use std::fs;
|
||||
use std::process::Command;
|
||||
|
||||
use agent_sandbox::blacklist;
|
||||
use tempfile::TempDir;
|
||||
|
||||
fn sandbox(extra_args: &[&str]) -> Command {
|
||||
@@ -391,8 +390,8 @@ fn blacklist_run_dbus_socket_accessible() {
|
||||
|
||||
#[test]
|
||||
fn blacklist_runuser_is_tmpfs() {
|
||||
let ctx = blacklist::resolve_path_context().expect("failed to resolve path context");
|
||||
let script = format!("ls -A {} | grep -v '^bus$'", ctx.run_user);
|
||||
let run_user = agent_sandbox::require_run_user().expect("failed to determine XDG_RUNTIME_DIR");
|
||||
let script = format!("ls -A {} | grep -v '^bus$'", run_user);
|
||||
|
||||
let output = sandbox(&[])
|
||||
.args(["--", "bash", "-c", &script])
|
||||
@@ -403,7 +402,7 @@ fn blacklist_runuser_is_tmpfs() {
|
||||
assert!(
|
||||
stdout.is_empty(),
|
||||
"expected only 'bus' (or empty) in {}, got unexpected entries: {stdout}",
|
||||
ctx.run_user
|
||||
run_user
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user