sandboxed cpio example
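#!/bin/bash
#
# Run cpio inside an nsjail sandbox.
#
# Usage: <this script> [cpio arguments...]
#
# Every argument is forwarded unchanged to /bin/cpio inside the jail. The
# jail receives read-only bind mounts of the system directories, private
# tmpfs instances for /tmp and /var/tmp, read-write access to /dev/null and
# /dev/urandom, and a read-write bind mount of the directory this script is
# started from ($PWD), which is also the jail's working directory. The
# generated policy keeps the host network namespace (clone_newnet: false).
#
# Requires: nsjail (security/nsjail in OBS).
set -euo pipefail

if ! command -v nsjail >/dev/null 2>&1; then
  echo "you need nsjail (security/nsjail in OBS) for this wrapper to work" >&2
  exit 1
fi

#######################################
# Abort if a value cannot be embedded verbatim in a double-quoted string of
# the nsjail text config. HOME, PATH and PWD are interpolated unescaped into
# the config below; a '"', '\' or newline in any of them would corrupt the
# generated file and could change the mount/envar policy it describes.
# Arguments: $1 - name of the value (used in the error message)
#            $2 - the value to check
# Returns:   0 if the value is safe to embed; exits 1 otherwise
#######################################
check_config_safe() {
  local name=$1
  local value=$2
  case "$value" in
    *'"'*|*'\'*|*$'\n'*)
      printf '%s contains characters that cannot be embedded in the nsjail config: %s\n' \
        "$name" "$value" >&2
      exit 1
      ;;
  esac
}

# The directory we are started from is exposed read-write inside the jail.
PKGROOT=$PWD
check_config_safe HOME "$HOME"
check_config_safe PATH "$PATH"
check_config_safe PWD "$PKGROOT"

# we need to create a temporary config file since mounts with
# : don't work on the command line
TMPFILE=$(mktemp -t is_maintained.nsjail.XXXXXXXXXX) || exit 1
# Single quotes: TMPFILE is expanded when the trap fires, not when it is set.
trap 'rm -f -- "$TMPFILE"' EXIT

cat <<END_CONFIG > "$TMPFILE"
name: "RPM secure sandbox"
description: "This policy allows to run cpio in a secure way"
time_limit: 120
envar: "HOME=$HOME"
envar: "PATH=$PATH"
cwd: "$PWD"
#mount {
# src: "/home/mgerstner"
# dst: "/home/mgerstner"
# rw: false
# is_bind: true
#}
# Read-only views of the host system directories.
mount {
src: "/bin"
dst: "/bin"
rw: false
is_bind: true
}
mount {
src: "/lib"
dst: "/lib"
rw: false
is_bind: true
}
mount {
src: "/lib64"
dst: "/lib64"
rw: false
is_bind: true
}
mount {
src: "/usr"
dst: "/usr"
rw: false
is_bind: true
}
mount {
src: "/sbin"
dst: "/sbin"
rw: false
is_bind: true
}
# The only device nodes the jail gets, both writable.
mount {
src: "/dev/null"
dst: "/dev/null"
rw: true
is_bind: true
}
mount {
src: "/dev/urandom"
dst: "/dev/urandom"
rw: true
is_bind: true
}
# Whole host /etc is visible (read-only) inside the jail.
mount {
src: "/etc"
dst: "/etc"
rw: false
is_bind: true
}
# Private scratch space instead of the host's /tmp and /var/tmp.
mount {
dst: "/tmp"
fstype: "tmpfs"
rw: true
is_bind: false
}
mount {
dst: "/var/tmp"
fstype: "tmpfs"
rw: true
is_bind: false
}
# The caller's working directory: the only host path cpio may write to.
mount {
src: "$PKGROOT"
dst: "$PKGROOT"
rw: true
is_bind: true
}
# HARD: nsjail applies the caller's current hard limit for each resource.
rlimit_as_type: HARD
rlimit_core_type: HARD
rlimit_cpu_type: HARD
rlimit_fsize_type: HARD
rlimit_nofile_type: HARD
rlimit_nproc_type: HARD
rlimit_stack_type: HARD
# No separate network namespace: the jailed cpio keeps host network access.
clone_newnet: false
END_CONFIG

# -Q: quiet; -Mo: run the command once and exit. An array keeps the config
# path intact even if mktemp's directory contains whitespace.
nsjail_args=(-Q -Mo --config "$TMPFILE")
#exec nsjail "${nsjail_args[@]}" -- /bin/bash
#set -x
# "$@" forwards each cpio argument as one word; the unquoted form would split
# arguments containing whitespace and expand glob characters in them.
nsjail "${nsjail_args[@]}" -- /bin/cpio "$@"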