Last active
February 8, 2019 16:13
-
-
Save gdamjan/c660283e0ee71c699cb745d3b1add1c1 to your computer and use it in GitHub Desktop.
try to jail yay (and similar aur helpers)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/sh | |
| ## custom nsjail for yay | |
| BASE_JAIL=( | |
| --symlink /usr/bin:/bin | |
| --symlink /usr/lib:/lib64 | |
| --bindmount_ro /dev/null | |
| --bindmount_ro /usr | |
| --bindmount_ro /etc/passwd | |
| --bindmount_ro /etc/group | |
| --bindmount_ro /etc/ssl/certs/ca-certificates.crt | |
| --bindmount_ro /etc/resolv.conf | |
| --bindmount_ro /etc/nsswitch.conf | |
| --tmpfsmount /tmp | |
| --tmpfsmount $HOME | |
| --cwd $HOME | |
| --env HOME | |
| --quiet | |
| ) | |
| INTERACTIVE=( | |
| --env TERM | |
| --env EDITOR | |
| --skip_setsid | |
| ) | |
| SECCOMP=( | |
| # disable dmesg | |
| --seccomp_string "ERRNO(0) { syslog } DEFAULT ALLOW" | |
| ) | |
| OTHER=( | |
| --disable_proc | |
| --rlimit_as max | |
| --rlimit_fsize max | |
| --rlimit_nofile max | |
| --disable_clone_newnet | |
| ) | |
| YAY=( | |
| --bindmount_ro /etc/makepkg.conf | |
| --bindmount_ro /etc/pacman.conf | |
| --bindmount_ro /etc/pacman.d/ | |
| --bindmount_ro /var/lib/pacman | |
| --bindmount_ro ~/.config/yay/ | |
| --bindmount ~/.cache/yay/ | |
| ) | |
| nsjail "${BASE_JAIL[@]}" "${INTERACTIVE[@]}" "${SECCOMP[@]}" "${OTHER[@]}" "${YAY[@]}" -- /usr/bin/bash | |
| #nsjail "${BASE_JAIL[@]}" "${SECCOMP[@]}" "${OTHER[@]}" "${YAY[@]}" -- /usr/bin/yay "$@" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment