Mount root as tmpfs, allow real rw in home directory only

Kristóf Tóth 2020-05-23 01:14:50 +02:00
parent 69fac8189a
commit 9d41b2bae2


@ -5,20 +5,19 @@ HERE="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
JAIL_HOME=/home/proton JAIL_HOME=/home/proton
BIN="${BIN:-entrypoint.sh}" BIN="${BIN:-entrypoint.sh}"
if [[ -z "${ROOTFS:-}" ]]; then if [[ -z "${BRIDGE_HOME:-}" ]]; then
echo "Please set the ROOTFS envvar!" echo "Please set the BRIDGE_HOME envvar!"
exit 1 exit 1
else else
ROOTFS="$(realpath "${ROOTFS}")" BRIDGE_HOME="$(realpath "${BRIDGE_HOME}")"
fi fi
rm -rf "${ROOTFS}/dev/fd"
nsjail -Mo \ nsjail -Mo \
--disable_clone_newnet \ --disable_clone_newnet \
--chroot "${ROOTFS}" --rw \
--cwd "${JAIL_HOME}" \ --cwd "${JAIL_HOME}" \
--tmpfsmount / \
--tmpfsmount /tmp --tmpfsmount /run \ --tmpfsmount /tmp --tmpfsmount /run \
--bindmount "${BRIDGE_HOME}:${JAIL_HOME}" \
--symlink /proc/self/fd:/dev/fd \ --symlink /proc/self/fd:/dev/fd \
--bindmount_ro "${HERE}/entrypoint.sh:${JAIL_HOME}/entrypoint.sh" \ --bindmount_ro "${HERE}/entrypoint.sh:${JAIL_HOME}/entrypoint.sh" \
--bindmount_ro "${HERE}/gpg-keygen-params.txt:${JAIL_HOME}/gpg-keygen-params.txt" \ --bindmount_ro "${HERE}/gpg-keygen-params.txt:${JAIL_HOME}/gpg-keygen-params.txt" \