versusvoid revised this gist
Jan 5, 2025 . 1 changed file with 10 additions and 10 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -8,20 +8,20 @@ end # running as current (unprivileged?) user set args --user # running in foreground set -a args --pty # read-only file system set -a args --property=ProtectSystem=strict # read-only $HOME and /run/user/$UID ($XDG_RUNTIME_DIR) set -a args --property=ProtectHome=read-only # disable external network set -a args --property=PrivateNetwork=true # disable user's groups' privileges set -a args --property=PrivateUsers=true # separate writable /tmp set -a args --property=PrivateTmp=true # providing access to X server set -a args --property=BindReadOnlyPaths=/tmp/.X11-unix set exe $argv[1] # if command is a relative path @@ -32,7 +32,7 @@ if string match -q --regex '^[^/]+/' $exe # running isolated process in $PWD # will fail, if $PWD and $exe both in $HOME, but in different subtrees # because only $exe subtree will be mounted set -a args --same-dir end # NB: main use-case @@ -45,12 +45,12 @@ if test (string sub -l (string length $HOME/) $exe) = $HOME/ # making empty writable dir for mounting as $HOME mkdir -p $exe-home-tree set -a args "--property=BindPaths=$exe-home-tree:$HOME" # mounting read-only dir containing $exe (potentially with libraries and resources) # inside writable $HOME set dir (dirname $exe) set -a args "--property=BindReadOnlyPaths=$dir" end systemd-run $args $argv -
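Review bot: `BindReadOnlyPaths=/tmp/.X11-unix` hands the sandboxed program a full X11 client connection, and X11 has no client isolation, so the process can read keystrokes destined for other windows and inject input via XTEST regardless of ProtectSystem/ProtectHome; that caveat belongs next to the comment, e.g. `# NB: X11 has no client isolation — an X client can snoop and inject input into other windows`. A related gap: `ProtectHome=read-only` makes $XDG_RUNTIME_DIR read-only, but a read-only mount does not stop connect() on the unix sockets inside it, so the session D-Bus socket — and through it the user systemd manager, which will start an unsandboxed transient unit on request — is presumably still reachable. Unless the program needs the bus, hide it: `set -a args "--property=InaccessiblePaths=$XDG_RUNTIME_DIR/bus"`. The rendered hunk shows only the new side, so the old lines are not visible here.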
versusvoid created this gist
Jan 5, 2025 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,56 @@ #!/bin/fish if test (count $argv) -lt 1 echo run-sus-command '*proc*' >&2 exit 1 end # running as current (unprivileged?) user set args --user # running in foreground set args $args --pty # read-only file system set args $args --property=ProtectSystem=strict # read-only $HOME and /run/user/$UID ($XDG_RUNTIME_DIR) set args $args --property=ProtectHome=read-only # disable external network set args $args --property=PrivateNetwork=true # disable user's groups' privileges set args $args --property=PrivateUsers=true # separate writable /tmp set args $args --property=PrivateTmp=true # providing access to X server set args $args --property=BindReadOnlyPaths=/tmp/.X11-unix set exe $argv[1] # if command is a relative path if string match -q --regex '^[^/]+/' $exe # resolving canonical path set exe (readlink -f $PWD/$exe) # running isolated process in $PWD # will fail, if $PWD and $exe both in $HOME, but in different subtrees # because only $exe subtree will be mounted set args $args --same-dir end # NB: main use-case # if command is an executable file in $HOME if test (string sub -l (string length $HOME/) $exe) = $HOME/ if string match -q --regex ':' $exe echo Nope. Just no. >&2 exit 2 end # making empty writable dir for mounting as $HOME mkdir -p $exe-home-tree set args $args "--property=BindPaths=$exe-home-tree:$HOME" # mounting read-only dir containing $exe (potentially with libraries and resources) # inside writable $HOME set dir (dirname $exe) set args $args "--property=BindReadOnlyPaths=$dir" end systemd-run $args $argv
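Review bot: The `':'` check on `$exe` guards one BindPaths= delimiter, but systemd's property parser also splits these path lists on whitespace (quoting aside), so an executable under a directory with a space in its name would be bound to the wrong paths or rejected; widen the guard, e.g. `if string match -q --regex '[:\s]' $exe`. The final `systemd-run $args $argv` also lets a command name beginning with `-` be parsed as a systemd-run option — `systemd-run $args -- $argv` pins it as the command. Minor: `mkdir -p $exe-home-tree` reuses the same directory on every run, so the "empty writable dir" comment is only true the first time; say so if persistence across runs is intended.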