genpac 0.1.0

Sandbox for Gentoo ebuild development using bubblewrap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

// Copyright (C) 2023 Gokul Das B
// SPDX-License-Identifier: GPL-3.0-or-later
//! Bubblwrap interface
//!
//! This module interfaces the sandbox configuration system with the bubblwrap module, with
//! appropriate vaules of capabilities, environment variables, etc.

use crate::bubblewrap::{launch, HasNeither};
use crate::global::ChrootVerified;
use crate::GlobalsFinal;
use anyhow::Result as AResult;
use std::path::PathBuf;

pub(super) struct BWParams {
    pub(super) chroot: ChrootVerified,
    pub(super) tmpfs_size: usize,
    pub(super) command: String,
    pub(super) mounts: Vec<(PathBuf, PathBuf)>,
}

impl BWParams {
    pub(super) fn dispatch(self, globals: &GlobalsFinal) -> AResult<()> {
        let tag = format!("{}", self.chroot);
        let mut args = HasNeither::new()
            .namespace(&NSCONF)
            .capabilities(&CAPABS)
            .usercfg(&USRCONF)
            .sysmounts(&SYSMOUNTS)
            .add_var("GENPAC", &tag)
            .tmpfs(self.tmpfs_size)
            .resolve()
            .chroot(&self.chroot)
            .command(&self.command);
        for (src, dest) in &self.mounts {
            args = args.add_mount(src, dest);
        }
        let args = args.build();

        launch(args, globals)?;
        Ok(())
    }
}

const NSCONF: [&str; 3] = ["--unshare-all", "--unshare-user", "--share-net"];
const USRCONF: [&str; 4] = ["--uid", "0", "--gid", "0"];
const SYSMOUNTS: [&str; 8] = [
    "--dev", "/dev", "--proc", "/proc", "--perms", "1777", "--tmpfs", "/dev/shm",
];

/// Capabilities to add to superuser inside the chroot
///
/// Refer the following:
/// - `capablilites(7)`
/// - `user_namespaces(7)`
/// - `bwrap(1)`
///
/// The following capabilities are used:
/// - `CAP_SYS_ADMIN`: For nested user namespace for build sandbox. REVIEW: Very broad permissions
/// - `CAP_NET_ADMIN`: Used to configure loopback interface
/// - `CAP_CHOWN`: Needed by portage to change ownership of repos
/// - `CAP_FOWNER`: Needed by portage to change permissions on log file
/// - `CAP_DAC_OVERRIDE`: Used by portage for accessing log file, etc (UID: 250/portage)
/// - `CAP_SETUID`: Used by portage
/// - `CAP_SETGID`: Used by portage
/// - `CAP_SETFCAP`: Needed by portage to setcap on installed packages
const CAPABS: [&str; 8] = [
    "CAP_SYS_ADMIN",
    "CAP_NET_ADMIN",
    "CAP_CHOWN",
    "CAP_FOWNER",
    "CAP_DAC_OVERRIDE",
    "CAP_SETUID",
    "CAP_SETGID",
    "CAP_SETFCAP",
];