#!/bin/bash
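#######################################
# Print the command-line help text.
# Globals:   none ($0 is read for the program name)
# Arguments: none
# Outputs:   the help text on stdout
# Returns:   0
#######################################
usage() {
  # Every flag in the getopts string is listed, including -c and -e: -c
  # writes sandbox changes back to the host, so users need to see it here.
  cat <<EOF
Usage: $0 [OPTIONS]... [COMMAND]

Sandboxes
 -n NAME name the sandbox
 -p permanent sandbox
 -m in-memory sandbox
 -d delete the named sandbox
 -l list all sandboxes
 -c commit all sandbox changes to the host system (asks first)
 -e encrypt the sandbox's writable layer (encfs)

Sandgrains
 -g GRAIN comma separated grains, or 'list' to see all

Sandpits
 -r NAME new sandpit name
 -i PIT initialise sandpit
 -v VARIENT sandpit varient to install (eg. vivid)

X-Session
 -x start an x-session
 -f start fullscreen (xephyr)

Other
 -s PATH set sandbox root directory (eg. usb stick)
 -o opens your filemanager to see the sandbox's filesystem
 -h show this help text
 COMMAND command to run instead of shell

See https://github.com/cal2195/Sandbox for more information!
EOF
}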
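#######################################
# Make sure a command is available, installing the package of the same
# name with apt-get when it is missing.
# Globals:   tmprt (read) - prefix of the apt cache whose age is checked
# Arguments: $1 - command name, also used as the package name
# Returns:   0 if the command already exists, 2 if no name was given,
#            otherwise the exit status of "apt-get install"
#######################################
checkCommand() {
  local cmd=${1:-}
  local cache="${tmprt:-}/var/cache/apt/pkgcache.bin"
  local cache_ctime now

  if [[ -z "$cmd" ]]; then
    echo "checkCommand: no command name given" >&2
    return 2
  fi
  if command -v "$cmd" >/dev/null 2>&1; then
    return 0
  fi

  # Refresh the package lists when the cache is older than a day. A cache
  # that cannot be stat'ed is treated as stale instead of producing an
  # arithmetic syntax error.
  # NOTE(review): the cache age is read under $tmprt while the update runs
  # on the host - confirm that is the intended pairing.
  now=$(date +%s)
  if ! cache_ctime=$(stat -c %Z "$cache" 2>/dev/null) ||
    ((now - cache_ctime > 24 * 60 * 60)); then
    sudo apt-get update
  fi
  sudo apt-get install "$cmd"
}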
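#######################################
# Ask for confirmation, then copy the sandbox's writable layer onto the
# system root and remove the layer. Always exits the script.
# Globals:   NAME (read), tmprw (read), SYSROOT (read)
# Arguments: none
# Outputs:   warning and result messages; the prompt is read from stdin
# Exits:     0 when declined or committed, 1 when rsync fails
#######################################
commitChanges() {
  local answer status=0

  echo "*WARNING* You are about to commit all changes from $NAME to host system!"
  read -r -p "Are you sure you want to do this? (y/N)" answer
  case "${answer:0:1}" in
    y | Y)
      # ${var:?} aborts instead of letting an empty variable turn the
      # rsync source or the rm target into "/".
      if sudo rsync -aAXvh --no-compress --progress -- "${tmprw:?}/" "${SYSROOT:?}"; then
        sudo rm -r -- "${tmprw:?}"
        echo "All changes commited!"
      else
        status=1
        echo "Error committing changes! :(" >&2
      fi
      exit "$status"
      ;;
    *)
      # Anything other than y/Y counts as "no".
      exit 0
      ;;
  esac
}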
#######################################
# Pick the unionfs binary to use.
# Globals:   UNION (written) - name of the first binary found
#            NEEDSDEPS (written) - set to true when neither is found
# Arguments: none
# Returns:   0
#######################################
checkUnionFuse() {
  local candidate

  # Try the names in order of preference and stop at the first hit.
  for candidate in unionfs unionfs-fuse; do
    if command -v "$candidate" >/dev/null 2>&1; then
      UNION="$candidate"
      return 0
    fi
  done
  NEEDSDEPS=true
}
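#######################################
# Bootstrap a new sandpit with debootstrap and prepare it for the
# invoking user.
# Globals:   SANDBOXROOT, PITDEST, SANDPIT, PITDIST, USER (all read)
# Arguments: none
# Returns:   non-zero if debootstrap is unavailable or fails, otherwise
#            the status of the last copy
#######################################
installPits() {
  local pit_root="$SANDBOXROOT/$PITDEST/$SANDPIT"

  checkCommand debootstrap || return
  # Do not chroot into a missing or half-built tree.
  sudo debootstrap "$PITDIST" "$pit_root" || return

  # Create the user inside the pit, then add it to the pit's sudo group
  # (the account gets root inside the pit).
  sudo chroot "$pit_root" adduser "$USER"
  sudo chroot "$pit_root" adduser "$USER" sudo

  # Copy the host's resolver and hosts files into the pit.
  sudo cp /etc/resolv.conf "$pit_root/etc/resolv.conf"
  sudo cp /etc/hosts "$pit_root/etc/hosts"
}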
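#######################################
# Apply a sandpit recipe to a freshly installed pit. Does nothing unless
# a pit is being installed and the recipe is not "base".
# Globals:   INSTALLPIT, PITFILE, SANDBOXROOT, PITDEST, SANDPIT, PITDIST
#            (all read)
# Arguments: none
# Returns:   0 when there is nothing to do; non-zero if the recipe cannot
#            be downloaded; otherwise the recipe's exit status
#######################################
configurePits() {
  local pit_root pit_url pit_script status

  if [ "$INSTALLPIT" != true ] || [ "$PITFILE" == "base" ]; then
    return 0
  fi
  pit_root="$SANDBOXROOT/$PITDEST/$SANDPIT"
  pit_url="https://github.com/cal2195/Sandbox/raw/sandpit/sandpits/$PITFILE.pit"

  sudo chroot "$pit_root" apt-get install -y software-properties-common
  # NOTE(review): the repository line uses the host's release codename,
  # not $PITDIST - confirm that is intended when the two differ.
  sudo chroot "$pit_root" add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) main universe restricted multiverse"
  sudo chroot "$pit_root" apt-get update
  checkCommand curl || return

  # SECURITY: the recipe is remote code executed on the host by /bin/bash
  # with no checksum or signature check. It is downloaded completely
  # first, and -f makes HTTP errors fail, so an error page or a truncated
  # transfer is never fed to the shell. Pinning the URL to a commit and
  # verifying a digest would bound what can run here.
  pit_script=$(mktemp) || return
  if curl -fsSL -o "$pit_script" "$pit_url"; then
    # The recipe is still read from stdin, as with the pipe it replaces.
    PITDEST="$pit_root" PITDIST="$PITDIST" /bin/bash <"$pit_script"
    status=$?
  else
    status=$?
    echo "Could not download sandpit recipe: $pit_url" >&2
  fi
  rm -f -- "$pit_script"
  return "$status"
}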
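#######################################
# Choose and create the writable (rw) and mount-point (rt) directories.
# Globals:   NAME (read; set to "rambox"/"tmpbox" when empty)
#            RAMDISK, MNTDIR (read)
#            tmprw, tmprt (written)
# Arguments: none
# Returns:   the exit status of mkdir
#######################################
setupSandboxFolders() {
  local base id_rw id_rt

  if [ "$NAME" == "" ]; then
    # Unnamed sandbox: rw and rt each get their own random parent.
    if [ "$RAMDISK" == true ]; then
      base="$MNTDIR"
      NAME="rambox"
    else
      base="/tmp"
      NAME="tmpbox"
    fi
    id_rw=$(LC_ALL=C tr -cd 'a-z0-9' </dev/urandom | head -c 8)
    id_rt=$(LC_ALL=C tr -cd 'a-z0-9' </dev/urandom | head -c 8)
    tmprw="$base/$id_rw/rw"
    tmprt="$base/$id_rt/rt"
  else
    # NOTE(review): with the default MNTDIR (/tmp/sandbox) a named sandbox
    # sits at a predictable path in a shared directory, and mkdir -p
    # accepts a directory that already exists - confirm this is acceptable
    # on multi-user hosts, since the rw layer is later mounted by root.
    tmprw="$MNTDIR/$NAME/rw"
    tmprt="$MNTDIR/$NAME/rt"
  fi

  # Quoted so names and roots containing spaces (e.g. a USB mount) work.
  mkdir -p -- "$tmprw" "$tmprt"
}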
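#######################################
# Mount the copy-on-write union at $tmprt and the system folders in it.
# Globals:   UNION, tmprw, tmprt, SYSROOT (all read)
# Arguments: none
# Returns:   1 if no unionfs binary is known, the union mount's status if
#            it fails, otherwise the status of the last bind mount
#######################################
mountSandbox() {
  if [[ -z "${UNION:-}" ]]; then
    echo "No unionfs binary found - run '$0 install' first" >&2
    return 1
  fi

  #Mount unionfs
  # SECURITY: the union is mounted with suid and dev, and the host's /dev
  # and /run are bind-mounted below, so setuid binaries, device nodes and
  # host sockets stay usable inside. This gives a copy-on-write view of
  # the filesystem; it should not be relied on to confine hostile code.
  sudo "$UNION" \
    -o allow_other,default_permissions,cow,max_files=32000,use_ino,suid,dev,nonempty \
    "$tmprw=rw:$SYSROOT=ro" "$tmprt" || return

  #Mount system folders
  sudo mount -t proc proc "$tmprt/proc"
  sudo mount -t sysfs sys "$tmprt/sys"
  sudo mount --rbind /dev "$tmprt/dev"
  sudo mount --rbind /run "$tmprt/run"
  #sudo mount --rbind /var/run/dbus $tmprt/var/run/dbus
}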
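#######################################
# Append a line to a file through sudo unless the file already has it.
# Arguments: $1 - file path, $2 - line (matched as a fixed string)
#######################################
_appendLineOnce() {
  local file=$1 line=$2

  sudo grep -q -F -- "$line" "$file" ||
    printf '%s\n' "$line" | sudo tee -a "$file" >/dev/null
}

#######################################
# Set the sandbox prompt and DISPLAY inside the mounted sandbox.
# Globals:   NAME, NEWDISPLAY, tmprt, HOME (read); PSSAND (written)
# Arguments: none
# Outputs:   appends to $tmprt/etc/environment and $tmprt/$HOME/.bashrc
#######################################
configureSandbox() {
  local reset target

  #Change PS1 prompt & set DISPLAY
  reset=$(tput sgr0)
  PSSAND="\"(sandbox) \[\033[38;5;118m\]\u\[${reset}\]\[\033[38;5;124m\]@$NAME\[${reset}\]\[\033[38;5;15m\]:\[${reset}\]\[\033[38;5;6m\][\w]\[${reset}\]\[\033[38;5;6m\]>\[${reset}\]\[\033[38;5;15m\] \[${reset}\]\""

  # Paths are quoted so a sandbox root containing spaces still works.
  for target in "$tmprt/etc/environment" "$tmprt/$HOME/.bashrc"; do
    _appendLineOnce "$target" "DISPLAY=${NEWDISPLAY}"
    _appendLineOnce "$target" "PS1=$PSSAND"
  done
}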
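#######################################
# Install each requested sand grain inside the sandbox.
# Globals:   GRAINS (read) - comma separated grain names
#            tmprt (read)  - sandbox mount point
# Arguments: none
# Returns:   0 when GRAINS is empty; non-zero if no temp file can be made
#######################################
installSandgrains() {
  local cache_ctime now grain grain_url grain_script
  local -a grains=()

  if [ "$GRAINS" == "" ]; then
    return 0
  fi

  # Refresh package lists when the sandbox's apt cache is older than a
  # day; an unreadable cache counts as stale.
  now=$(date +%s)
  if ! cache_ctime=$(stat -c %Z "$tmprt/var/cache/apt/pkgcache.bin" 2>/dev/null) ||
    ((now - cache_ctime > 24 * 60 * 60)); then
    sudo chroot "$tmprt" apt-get update
  fi
  sudo chroot "$tmprt" apt-get install -y curl

  # Split on commas and whitespace without pathname expansion.
  read -r -a grains <<<"${GRAINS//,/ }"

  grain_script=$(mktemp) || return
  for grain in "${grains[@]}"; do
    #Install each grain
    grain_url="https://github.com/cal2195/Sandbox/raw/master/sandgrains/$grain.grain"
    # SECURITY: a grain is remote code run as root inside the chroot with
    # no checksum or signature check. It is fetched completely first, and
    # -f makes HTTP errors fail, so an error page or partial download is
    # never executed. Pinning to a commit and verifying a digest would
    # bound what can run here.
    if sudo chroot "$tmprt" curl -fsSL "$grain_url" >"$grain_script"; then
      sudo chroot "$tmprt" /bin/bash <"$grain_script"
    else
      echo "Could not download sand grain: $grain" >&2
    fi
  done
  rm -f -- "$grain_script"
}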
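#######################################
# Start an X session inside the sandbox: directly with startx on a tty,
# otherwise nested in Xephyr.
# Globals:   tmprt, USER, USINGPIT, XEPHYR, DISPLAY (all read)
# Arguments: none
# Returns:   1 if Xephyr is needed but missing, otherwise the status of
#            the session command
#######################################
startXSession() {
  # The glob is expanded by a shell inside the sandbox, so it matches the
  # sandbox's view of /tmp/.X11-unix and not the caller's.
  sudo chroot "$tmprt" /bin/sh -c 'rm -r /tmp/.X11-unix/*'
  sudo chroot "$tmprt" su - "$USER" -c "sudo rm .Xauthority*"

  if [[ "$(tty)" == *"tty"* ]]; then
    sudo chroot "$tmprt" su - "$USER" -c "startx -- :2"
    return
  fi

  if ! command -v Xephyr >/dev/null 2>&1; then
    echo "-x requires Xephyr installed, unless sandbox is run in a tty! try 'sudo apt-get install xserver-xephyr'" >&2
    return 1
  fi

  if [ "$USINGPIT" == true ]; then
    # XEPHYR holds a command plus its arguments, so it is split on purpose.
    # shellcheck disable=SC2086
    $XEPHYR &
    sudo chroot "$tmprt" su - "$USER" -c "./start.sh"
  else
    # NOTE(review): "xhost +" switches off access control on the host X
    # server for every client and is never reverted here. A narrower grant
    # such as "xhost +SI:localuser:$USER" looks sufficient - confirm and
    # tighten.
    xhost +
    sudo chroot "$tmprt" su - "$USER" -c "DISPLAY=$DISPLAY startx -- /usr/bin/$XEPHYR"
  fi
}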
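#Default values
# NAME, GRAINS and SANDPIT are reset so that values inherited from the
# caller's environment cannot select a sandbox, a grain list or a pit.
# REMOVEAFTER only turns false through -n, so an inherited NAME would get
# that sandbox's rw layer deleted on exit.
NAME=""
GRAINS=""
SANDPIT=""
REMOVEAFTER=true
PERMANENT=false
DELETENOW=false
LISTBOXES=false
RAMDISK=false
NEEDSDEPS=false
XSESSION=false
VIEWOVERLAY=false
NEWDISPLAY=$DISPLAY
SANDBOXROOT="$HOME/.sandbox"
MNTDIR="/tmp/sandbox"
SYSROOT="/"
COMMITCHANGES=false
ENCRYPT=false

#Default Debootstrap
USINGPIT=false
INSTALLPIT=false
PITFILE="base"
PITDIST="$(lsb_release -sc)"
PITDEST=".pits"

#Commands
# NOTE(review): -ac turns off access control on the nested X server, so
# any local client that can reach display :1 may connect - confirm this
# is intended.
XEPHYR="Xephyr -ac -resizeable :1"

#Check for unionfs-fuse
checkUnionFuse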
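#Parse commands
# The leading ":" puts getopts in silent mode: an unknown flag arrives as
# "?" and a flag missing its argument as ":", both with the flag letter in
# OPTARG. Both end the script with status 2.
while getopts ":n:hdlpmg:xor:i:v:s:fce" opt; do
  case "$opt" in
    n)
      NAME=$OPTARG
      # A named sandbox is kept after exit.
      REMOVEAFTER=false
      ;;
    d)
      DELETENOW=true
      ;;
    p)
      PERMANENT=true
      ;;
    m)
      RAMDISK=true
      echo "Warning - using ram disk. Make sure you know what you're doing!"
      ;;
    l)
      LISTBOXES=true
      ;;
    r)
      USINGPIT=true
      SANDPIT=$OPTARG
      ;;
    i)
      if [ "$OPTARG" == "list" ]; then
        checkCommand curl
        echo "Getting list of sandpits..."
        # -f: fail on an HTTP error instead of printing the error page.
        curl -fsSL "https://github.com/cal2195/Sandbox/raw/sandpit/sandpits/pits.txt"
        exit
      fi
      INSTALLPIT=true
      PITFILE=$OPTARG
      ;;
    s)
      SANDBOXROOT=$OPTARG
      ;;
    v)
      PITDIST=$OPTARG
      ;;
    e)
      ENCRYPT=true
      ;;
    g)
      if [ "$OPTARG" == "list" ]; then
        checkCommand curl
        echo "Getting list of sand grains..."
        curl -fsSL "https://github.com/cal2195/Sandbox/raw/master/sandgrains/grains.txt"
        exit
      fi
      GRAINS=$OPTARG
      ;;
    o)
      VIEWOVERLAY=true
      ;;
    x)
      XSESSION=true
      ;;
    f)
      XEPHYR="Xephyr -ac -fullscreen :1"
      ;;
    c)
      COMMITCHANGES=true
      ;;
    :)
      # Without this arm a trailing "-n" (or -g/-r/-i/-v/-s) with no value
      # would be ignored silently.
      echo "Option -$OPTARG requires an argument" >&2
      usage >&2
      exit 2
      ;;
    \?)
      echo "Invalid flag: -$OPTARG" >&2
      usage >&2
      exit 2
      ;;
    h)
      usage
      exit 0
      ;;
  esac
done
# Drop the parsed options; what remains is the optional COMMAND.
shift $((OPTIND - 1))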
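#Check for Permanent
if [ "$PERMANENT" == true ]; then
  MNTDIR=$SANDBOXROOT
fi

#Check if using pits
if [ "$USINGPIT" == true ]; then
  if [ "$INSTALLPIT" == true ]; then
    installPits
  elif [ ! -d "$SANDBOXROOT/$PITDEST/$SANDPIT" ]; then
    # The pit name comes from -r (SANDPIT), not from the sandbox name.
    echo "No sandpit named $SANDPIT exist! Try using -i to install one!" >&2
    exit 1
  fi
  SYSROOT="$SANDBOXROOT/$PITDEST/$SANDPIT"
fi

#Delete if required
if [ "$DELETENOW" == true ]; then
  # Without a name the path below would collapse to "$MNTDIR//rw".
  if [ "$NAME" == "" ]; then
    echo "-d needs a sandbox name (use -n NAME)" >&2
    exit 1
  fi
  if [ "$RAMDISK" == true ]; then
    MNTDIR="/tmp/ram/sandbox"
  fi
  sudo rm -r -- "${MNTDIR:?}/$NAME/rw" || exit 1
  echo "Sandbox deleted!"
  exit
fi

#List sandboxes
if [ "$LISTBOXES" == true ]; then
  echo "Sandboxes:"
  ls -- "$MNTDIR"
  exit
fi

#Mount and Use Ram Disk
if [ "$RAMDISK" == true ]; then
  mkdir -p /tmp/ram/sandbox
  # Reuse a tmpfs that is already mounted: a fresh one on top would hide
  # the in-memory sandboxes created earlier.
  if ! mountpoint -q /tmp/ram/sandbox; then
    sudo mount -t tmpfs tmpfs /tmp/ram/sandbox
  fi
  MNTDIR="/tmp/ram/sandbox"
fi

#Check if they want to view files
if [ "$VIEWOVERLAY" == true ]; then
  xdg-open "$MNTDIR/$NAME/rt"
  exit
fi

#Update NEWDISPLAY
if [ "$XSESSION" == true ]; then
  # :2 when started from a tty (startx), :1 for the nested Xephyr server.
  if [[ "$(tty)" == *"tty"* ]]; then
    NEWDISPLAY=:2
  else
    NEWDISPLAY=:1
  fi
fi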
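#Install dependencies & sandbox
if [ "$1" == "install" ]; then
  echo "Installing..."
  if [ "$NEEDSDEPS" == true ]; then
    checkCommand unionfs-fuse
  fi
  # ${0##*/} keeps only the file name, so the copy also works when the
  # script was started through an absolute or nested path.
  if sudo cp -- "$0" "/usr/local/bin/${0##*/}"; then
    echo "Installed!"
    exit 0
  fi
  echo "Install failed!" >&2
  exit 1
elif [ "$1" == "update" ]; then
  checkCommand curl
  echo "Updating..."
  # SECURITY: this replaces the running script with whatever the master
  # branch serves, with no checksum or signature check. The file is
  # downloaded to a temp file first, and -f makes HTTP errors fail, so a
  # failed or empty download no longer overwrites the script. Pinning to a
  # release and verifying a digest would be the stronger fix.
  update_tmp=$(mktemp) || exit 1
  if curl -fsSL -o "$update_tmp" "https://github.com/cal2195/Sandbox/raw/master/sandbox" &&
    [ -s "$update_tmp" ] &&
    sudo cp -- "$update_tmp" "$0"; then
    echo "Update Successful!"
    update_status=0
  else
    echo "Update failed - $0 left unchanged" >&2
    update_status=1
  fi
  rm -f -- "$update_tmp"
  exit "$update_status"
else
  #Determine sandbox type
  setupSandboxFolders

  if [ "$COMMITCHANGES" == true ]; then
    commitChanges
  fi

  if [ "$ENCRYPT" == true ]; then
    checkCommand encfs
    # Ciphertext lives beside the rw layer in "<rw>.e"; the plaintext view
    # is mounted on the rw directory itself.
    mkdir -p -- "$tmprw.e"
    sudo encfs "$tmprw.e" "$tmprw"
  fi

  #Let's get going!
  mountSandbox
  configureSandbox

  #Initialise with any sand grains
  installSandgrains

  #Setup any sandpits
  configurePits

  #Check if xsession
  if [ "$XSESSION" == true ]; then
    startXSession
  else
    #And we're away! :D
    if [ "$#" -eq 0 ]; then
      sudo chroot "$tmprt" su - "$USER"
    else
      # su -c takes one string; "$@" would hand every word after the first
      # to su as separate arguments.
      sudo chroot "$tmprt" su - "$USER" -c "$*"
    fi
  fi

  #Clean up after exit
  # NOTE(review): no umount appears in this script, so the union, the
  # proc/sys/dev/run mounts and any encfs mount stay in place after exit -
  # confirm whether teardown is expected here.
  if [ "$REMOVEAFTER" == true ]; then
    # ${tmprw:?} aborts rather than run "rm -r" on an empty path.
    sudo rm -r -- "${tmprw:?}"
    echo "Sandbox deleted!"
  else
    echo "Sandbox not deleted - reattach using the name: $NAME"
  fi
fi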