mirror of
https://github.com/RGBCube/serenity
synced 2025-07-25 16:47:36 +00:00
Utilities+Base: Add unveil utility
This utility essentially creates a filesystem sandbox for a specified command, so it can be tested with only the unveiled paths the user specifies beforehand.
This commit is contained in:
parent
7d7127b463
commit
8e16588757
3 changed files with 68 additions and 0 deletions
29
Base/usr/share/man/man1/unveil.md
Normal file
29
Base/usr/share/man/man1/unveil.md
Normal file
|
@ -0,0 +1,29 @@
|
|||
## Name
|
||||
|
||||
unveil - unveil certain paths when running a command
|
||||
|
||||
## Synopsis
|
||||
|
||||
```**sh
|
||||
$ unveil [--path] [command...]
|
||||
```
|
||||
|
||||
## Description
|
||||
|
||||
Run a command under certain path restrictions by using [`unveil`(2)](help://man/2/unveil).
|
||||
|
||||
## Options
|
||||
|
||||
* `-u`, `--path`: Unveil a path, with the format of `permissions,path`
|
||||
|
||||
## Examples
|
||||
|
||||
Run `ls -la /sys/kernel` with restricted access to certain paths:
|
||||
```sh
|
||||
$ unveil --path=r,/etc/timezone --path=r,/usr/lib --path=r,/sys/ --path=r,/etc/passwd --path=r,/etc/group ls -la /sys/kernel
|
||||
```
|
||||
|
||||
Run `ps -ef` with restricted access to certain paths:
|
||||
```sh
|
||||
$ unveil --path=r,/etc/timezone --path=r,/usr/lib --path=r,/sys/ --path=r,/etc/passwd --path=r,/etc/group ps -ef
|
||||
```
|
|
@ -120,6 +120,7 @@ target_link_libraries(telws PRIVATE LibProtocol LibLine)
|
|||
target_link_libraries(test-fuzz PRIVATE LibGemini LibGfx LibHTTP LibIPC LibJS LibMarkdown LibRegex LibShell)
|
||||
target_link_libraries(test-imap PRIVATE LibIMAP)
|
||||
target_link_libraries(test-pthread PRIVATE LibThreading)
|
||||
target_link_libraries(unveil PRIVATE LibMain)
|
||||
target_link_libraries(unzip PRIVATE LibArchive LibCompress)
|
||||
target_link_libraries(update-cpp-test-results PRIVATE LibCpp)
|
||||
target_link_libraries(useradd PRIVATE LibCrypt)
|
||||
|
|
38
Userland/Utilities/unveil.cpp
Normal file
38
Userland/Utilities/unveil.cpp
Normal file
|
@ -0,0 +1,38 @@
|
|||
/*
|
||||
* Copyright (c) 2022, Liav A. <liavalb@hotmail.co.il>
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-2-Clause
|
||||
*/
|
||||
|
||||
#include <LibCore/ArgsParser.h>
|
||||
#include <LibCore/File.h>
|
||||
#include <LibCore/MappedFile.h>
|
||||
#include <LibCore/System.h>
|
||||
#include <LibELF/Image.h>
|
||||
#include <LibMain/Main.h>
|
||||
|
||||
ErrorOr<int> serenity_main(Main::Arguments arguments)
|
||||
{
|
||||
Vector<String> unveil_paths;
|
||||
Vector<StringView> command;
|
||||
|
||||
Core::ArgsParser args_parser;
|
||||
args_parser.set_stop_on_first_non_option(true);
|
||||
args_parser.add_option(unveil_paths, "Path to unveil [permissions,path]", "path", 'u', "");
|
||||
args_parser.add_positional_argument(command, "Command to execute", "command");
|
||||
args_parser.parse(arguments);
|
||||
|
||||
if (unveil_paths.is_empty()) {
|
||||
return Error::from_string_view("No unveil paths were specified."sv);
|
||||
}
|
||||
|
||||
for (auto& path : unveil_paths) {
|
||||
auto parts = path.split_view(',');
|
||||
if (parts.size() != 2)
|
||||
return Error::from_string_literal("Unveil path being specified is invalid.");
|
||||
TRY(Core::System::unveil_after_exec(parts[1], parts[0]));
|
||||
}
|
||||
|
||||
TRY(Core::System::exec(command[0], command, Core::System::SearchInPath::Yes));
|
||||
return 0;
|
||||
}
|
Loading…
Add table
Add a link
Reference in a new issue