[perso/Immae/Config/Nix.git] / systems / eldiron / pub / restrict

#!/usr/bin/env bash
user="$1"
rootuser="$HOME/$user/"
mkdir -p $rootuser

orig="$SSH_ORIGINAL_COMMAND"
if [ -z "$orig" ]; then
  orig="/bin/bash -l"
fi
if [ "${orig:0:7}" = "command" ]; then
  orig="${orig:8}"
fi

case "$orig" in
rsync*)
        rrsync $HOME/$user/
        ;;
*)
        nix_store_paths() {
          nix-store -q -R \
               /run/current-system/sw \
               /etc/profiles/per-user/pub \
               /etc/ssl/certs/ca-bundle.crt \
               | while read i; do
            printf '%s--ro-bind\0'$i'\0'$i'\0' ''
          done
          if [ -e "/run/current-system/pub/$user" ]; then
            nix-store -q -R "/run/current-system/pub/$user" \
                | while read i; do
              printf '%s--ro-bind\0'$i'\0'$i'\0' ''
            done
            printf '%s--ro-bind\0/run/current-system/pub/'$user'/bin\0/bin-pub-'$user'\0' ''
          fi
        }

        set -euo pipefail
        (exec -c bwrap --ro-bind /usr /usr \
              --args 10 \
              --dir /tmp \
              --dir /var \
              --symlink ../tmp var/tmp \
              --proc /proc \
              --dev /dev \
              --ro-bind /etc/resolv.conf /etc/resolv.conf \
              --ro-bind /etc/zoneinfo /etc/zoneinfo \
              --ro-bind /etc/ssl /etc/ssl \
              --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
              --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
              --ro-bind /run/current-system/sw/bin /bin \
              --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
              --bind /var/lib/pub/$user /var/lib/pub \
              --dir /var/lib/commons \
              --ro-bind $TMUX_RESTRICT /var/lib/commons/tmux.restrict.conf \
              --chdir /var/lib/pub \
              --unshare-all \
              --share-net \
              --dir /run/user/$(id -u) \
              --setenv TERM "$TERM" \
              --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
              --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
              --setenv PS1 "$user@pub $ " \
              --setenv PATH "/bin-pub-$user:/bin:/bin-pub" \
              --setenv HOME "/var/lib/pub" \
              --file 11 /etc/passwd \
              --file 12 /etc/group \
              -- $orig) \
              10< <(nix_store_paths | sort | uniq) \
              11< <(getent passwd $UID 65534) \
              12< <(getent group $(id -g) 65534)
        ;;
esac
Commit	Line	Data
5ccc61bb IB	1	#!/usr/bin/env bash
	2	user="$1"
	3	rootuser="$HOME/$user/"
	4	mkdir -p $rootuser
	5
	6	orig="$SSH_ORIGINAL_COMMAND"
	7	if [ -z "$orig" ]; then
	8	orig="/bin/bash -l"
	9	fi
	10	if [ "${orig:0:7}" = "command" ]; then
	11	orig="${orig:8}"
	12	fi
	13
	14	case "$orig" in
	15	rsync*)
	16	rrsync $HOME/$user/
	17	;;
	18	*)
	19	nix_store_paths() {
	20	nix-store -q -R \
	21	/run/current-system/sw \
	22	/etc/profiles/per-user/pub \
43e28479	23	/etc/ssl/certs/ca-bundle.crt \
5ccc61bb	24	\| while read i; do
43e28479	25	printf '%s--ro-bind\0'$i'\0'$i'\0' ''
5ccc61bb	26	done
1a64deeb IB	27	if [ -e "/run/current-system/pub/$user" ]; then
	28	nix-store -q -R "/run/current-system/pub/$user" \
	29	\| while read i; do
	30	printf '%s--ro-bind\0'$i'\0'$i'\0' ''
	31	done
	32	printf '%s--ro-bind\0/run/current-system/pub/'$user'/bin\0/bin-pub-'$user'\0' ''
	33	fi
5ccc61bb IB	34	}
	35
	36	set -euo pipefail
	37	(exec -c bwrap --ro-bind /usr /usr \
	38	--args 10 \
	39	--dir /tmp \
	40	--dir /var \
	41	--symlink ../tmp var/tmp \
	42	--proc /proc \
	43	--dev /dev \
	44	--ro-bind /etc/resolv.conf /etc/resolv.conf \
1be1a523	45	--ro-bind /etc/zoneinfo /etc/zoneinfo \
43e28479 IB	46	--ro-bind /etc/ssl /etc/ssl \
43e28479 IB	47	--ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
5ccc61bb IB	48	--ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
	49	--ro-bind /run/current-system/sw/bin /bin \
	50	--ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
	51	--bind /var/lib/pub/$user /var/lib/pub \
7e5b0260 IB	52	--dir /var/lib/commons \
7e5b0260 IB	53	--ro-bind $TMUX_RESTRICT /var/lib/commons/tmux.restrict.conf \
5ccc61bb IB	54	--chdir /var/lib/pub \
	55	--unshare-all \
	56	--share-net \
	57	--dir /run/user/$(id -u) \
	58	--setenv TERM "$TERM" \
	59	--setenv LOCALE_ARCHIVE "/etc/locale-archive" \
	60	--setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
	61	--setenv PS1 "$user@pub $ " \
1a64deeb	62	--setenv PATH "/bin-pub-$user:/bin:/bin-pub" \
5ccc61bb IB	63	--setenv HOME "/var/lib/pub" \
	64	--file 11 /etc/passwd \
	65	--file 12 /etc/group \
	66	-- $orig) \
1a64deeb	67	10< <(nix_store_paths \| sort \| uniq) \
5ccc61bb IB	68	11< <(getent passwd $UID 65534) \
	69	12< <(getent group $(id -g) 65534)
	70	;;
	71	esac