Mount root as tmpfs, allow real rw in home directory only

2020-05-23 01:14:50 +02:00 · 2020-05-23 01:14:50 +02:00 · 9d41b2bae2
commit 9d41b2bae2
parent 69fac8189a
1 changed files with 5 additions and 6 deletions
--- a/isolated-protonmail-bridge.sh
+++ b/isolated-protonmail-bridge.sh
@ -5,20 +5,19 @@ HERE="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
 JAIL_HOME=/home/proton
 BIN="${BIN:-entrypoint.sh}"

-if [[ -z "${ROOTFS:-}" ]]; then
-    echo "Please set the ROOTFS envvar!"
+if [[ -z "${BRIDGE_HOME:-}" ]]; then
+    echo "Please set the BRIDGE_HOME envvar!"
    exit 1
 else
-    ROOTFS="$(realpath "${ROOTFS}")"
+    BRIDGE_HOME="$(realpath "${BRIDGE_HOME}")"
 fi

-rm -rf "${ROOTFS}/dev/fd"
-
 nsjail -Mo                                                                                     \
       --disable_clone_newnet                                                                  \
-       --chroot "${ROOTFS}" --rw                                                               \
       --cwd "${JAIL_HOME}"                                                                    \
+       --tmpfsmount /                                                                          \
       --tmpfsmount /tmp --tmpfsmount /run                                                     \
+       --bindmount "${BRIDGE_HOME}:${JAIL_HOME}"                                               \
       --symlink /proc/self/fd:/dev/fd                                                         \
       --bindmount_ro "${HERE}/entrypoint.sh:${JAIL_HOME}/entrypoint.sh"                       \
       --bindmount_ro "${HERE}/gpg-keygen-params.txt:${JAIL_HOME}/gpg-keygen-params.txt"       \