Diffstat (limited to 'sandboxlib/linux_user_chroot.py')
-rw-r--r-- | sandboxlib/linux_user_chroot.py | 34 |
1 files changed, 13 insertions, 21 deletions
diff --git a/sandboxlib/linux_user_chroot.py b/sandboxlib/linux_user_chroot.py
index 3397a1a..4b88e50 100644
--- a/sandboxlib/linux_user_chroot.py
+++ b/sandboxlib/linux_user_chroot.py
@@ -27,10 +27,6 @@ implementation here also uses 'unshare --mount', which can only be run as
 linux-user-chroot to handle creating the new mount namespace and processing
 any extra mounts would be a useful fix.
 
-Supported mounts settings: 'undefined', 'isolated'.
-
-Supported network settings: 'undefined', 'isolated'.
-
 Much of this code is adapted from Morph, from the Baserock project, from
 code written by Joe Burmeister, Richard Maw, Lars Wirzenius and others.
 
@@ -45,11 +41,16 @@ import tempfile
 import sandboxlib
 
 
-def maximum_possible_isolation():
-    return {
-        'mounts': 'isolated',
-        'network': 'isolated',
-    }
+CAPABILITIES = {
+    'network': ['isolated', 'undefined'],
+    'mounts': ['isolated', 'undefined'],
+    'writable_paths': ['all', 'any'],
+}
+
+
+def degrade_config_for_capabilities(in_config, warn=True):
+    # This backend has the most features, right now!
+    return in_config
 
 
 def tmpfs_for_user():
@@ -116,13 +117,9 @@ def process_mount_config(mounts, extra_mounts):
     # linux-user-chroot always calls clone(CLONE_NEWNS) which creates a new
     # mount namespace. It also ensures that all mount points inside the sandbox
     # are private, by calling mount("/", MS_PRIVATE | MS_REC). So 'isolated' is
-    # the only option.
-    supported_values = ['undefined', 'isolated']
+    # the only option for 'mounts'.
 
-    assert mounts in supported_values, \
-        "'%s' is an unsupported value for 'mounts' in the " \
-        "'linux-user-chroot' backend. Supported values: %s" \
-        % (mounts, ', '.join(supported_values))
+    sandboxlib.utils.check_parameter('mounts', mounts, CAPABILITIES['mounts'])
 
     # This is only used if there are tmpfs mounts, but it's simpler to
     # create it unconditionally.
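Review bot: `degrade_config_for_capabilities(in_config, warn=True)` accepts a `warn` argument it never reads, and neither it nor `CAPABILITIES` carries any documentation, so the contract has to be guessed from the one comment. If `warn` is there for signature parity with a common backend interface, state that in a docstring, e.g. `"""Return in_config unchanged: this backend accepts every setting listed in CAPABILITIES. `warn` is accepted for interface parity only and is not used."""`. A one-line comment on `CAPABILITIES` describing it as the accepted values per setting would also help, since the module docstring lines that previously listed the supported 'mounts' and 'network' values are removed by this commit, and `writable_paths` is declared there without any visible check applying it.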
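Review bot: `sandboxlib.utils.check_parameter('mounts', ...)` is reached through the plain `import sandboxlib` visible in the earlier hunk's context; unless the package `__init__` imports `utils` (not visible here), the attribute lookup fails with AttributeError the first time a mount config is processed, and the same applies to the `network` check added in `process_network_config`. An explicit `import sandboxlib.utils` next to `import sandboxlib` would make the dependency unambiguous rather than relying on package import side effects. `process_mount_config` continues outside the hunk.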
@@ -150,12 +147,7 @@ def process_network_config(network):
     # blocked'? Or does it mean 'working, with /etc/resolv.conf correctly set
     # up'? So that's not handled yet.
 
-    supported_values = ['undefined', 'isolated']
-
-    assert network in supported_values, \
-        "'%s' is an unsupported value for 'network' in the " \
-        "'linux-user-chroot' backend. Supported values: %s" \
-        % (network, ', '.join(supported_values))
+    sandboxlib.utils.check_parameter('network', network, CAPABILITIES['network'])
 
     if network == 'isolated':
         # This is all we need to do for network isolation |