-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsandbox_runner.py
More file actions
63 lines (25 loc) · 1.05 KB
/
sandbox_runner.py
File metadata and controls
63 lines (25 loc) · 1.05 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
set -euo pipefail
SANDBOX_DIR=$(jq -r '.sandbox_dir' config/permissions.json)
ACTION=$1
TARGET=$2
SIMULATE=${3:-false}
if [[ ! $TARGET = $SANDBOX_DIR* ]]; then
echo "Error: Target $TARGET outside sandbox $SANDBOX_DIR" >&2
exit 1
fi
if [[ $SIMULATE == "true" ]]; then
echo "Simulate: Would $ACTION $TARGET"
exit 0
fi
case $ACTION in
read_file)
bwrap --ro-bind /usr /usr --ro-bind /lib /lib --ro-bind /lib64 /lib64 --ro-bind "$SANDBOX_DIR" /sandbox --chdir /sandbox cat "${TARGET#$SANDBOX_DIR/}"
;;
modify_file)
echo "Modified content" | bwrap --bind "$SANDBOX_DIR" /sandbox --chdir /sandbox tee "${TARGET#$SANDBOX_DIR/}" >/dev/null
;;
*)
echo "Unsupported action: $ACTION" >&2
exit 1
;;
esac