Mount newroot read-only unless USE_OVERLAYFS is enabled

This commit is contained in:
Kron4ek 2023-06-11 00:45:29 +05:00
parent 79bbe80d21
commit 6acd7b38d3


@ -24,7 +24,7 @@ script_version="1.24.2"
# size to 0 # size to 0
init_size=40000 init_size=40000
bash_size=1339208 bash_size=1339208
script_size=36068 script_size=36878
busybox_size=1161112 busybox_size=1161112
utils_size=4101345 utils_size=4101345
@ -41,16 +41,16 @@ fi
script_name="$(basename "${script_literal}")" script_name="$(basename "${script_literal}")"
script="$(readlink -f "${script_literal}")" script="$(readlink -f "${script_literal}")"
# MD5 of the last 1 MB of the file # MD5 of the first 4 MB and the last 1 MB of the script
script_md5="$(tail -c 1000000 "${script}" | md5sum | head -c 7)" script_md5="$(head -c 4000000 "${script}" | md5sum | head -c 7)"_"$(tail -c 1000000 "${script}" | md5sum | head -c 7)"
script_id="$$" script_id="$$"
# Working directory where the utils will be extracted # Working directory where the utils will be extracted
# And where the image will be mounted # And where the image will be mounted
# The default path is /tmp/scriptname_username_scriptmd5 # The default path is /tmp/conty_username_scriptmd5
# And if /tmp is mounted with noexec, the default path # And if /tmp is mounted with noexec, the default path
# is ~/.local/share/Conty/scriptname_username_scriptmd5 # is ~/.local/share/Conty/conty_username_scriptmd5
conty_dir_name="$(basename "${script}")"_"${USER}"_"${script_md5}" conty_dir_name=conty_"${USER}"_"${script_md5}"
if [ -z "${BASE_DIR}" ]; then if [ -z "${BASE_DIR}" ]; then
export working_dir=/tmp/"${conty_dir_name}" export working_dir=/tmp/"${conty_dir_name}"
@ -725,6 +725,12 @@ run_bwrap () {
newroot_path="${mount_point}" newroot_path="${mount_point}"
fi fi
if [ "${RW_ROOT}" = 1 ]; then
bind_root=(--bind "${newroot_path}" /)
else
bind_root=(--ro-bind "${newroot_path}" /)
fi
conty_variables="BASE_DIR DISABLE_NET DISABLE_X11 HOME_DIR QUIET_MODE \ conty_variables="BASE_DIR DISABLE_NET DISABLE_X11 HOME_DIR QUIET_MODE \
SANDBOX SANDBOX_LEVEL USE_OVERLAYFS NVIDIA_HANDLER \ SANDBOX SANDBOX_LEVEL USE_OVERLAYFS NVIDIA_HANDLER \
USE_SYS_UTILS XEPHYR_SIZE CUSTOM_MNT" USE_SYS_UTILS XEPHYR_SIZE CUSTOM_MNT"
@ -736,7 +742,7 @@ run_bwrap () {
show_msg show_msg
launch_wrapper "${bwrap}" \ launch_wrapper "${bwrap}" \
--bind "${newroot_path}" / \ "${bind_root[@]}" \
--dev-bind /dev /dev \ --dev-bind /dev /dev \
--ro-bind /sys /sys \ --ro-bind /sys /sys \
--bind-try /tmp /tmp \ --bind-try /tmp /tmp \
@ -1043,6 +1049,7 @@ if [ "$(ls "${mount_point}" 2>/dev/null)" ] || launch_wrapper "${mount_command[@
if [ "${USE_OVERLAYFS}" = 1 ]; then if [ "${USE_OVERLAYFS}" = 1 ]; then
if mount_overlayfs; then if mount_overlayfs; then
show_msg "Using unionfs" show_msg "Using unionfs"
RW_ROOT=1
else else
echo "Failed to mount unionfs" echo "Failed to mount unionfs"
unset USE_OVERLAYFS unset USE_OVERLAYFS
@ -1119,7 +1126,7 @@ if [ "$(ls "${mount_point}" 2>/dev/null)" ] || launch_wrapper "${mount_command[@
export nvidia_driver_version export nvidia_driver_version
export -f nvidia_driver_handler export -f nvidia_driver_handler
DISABLE_NET=0 QUIET_MODE=1 run_bwrap --tmpfs /tmp --tmpfs /var --tmpfs /run \ DISABLE_NET=0 QUIET_MODE=1 RW_ROOT=1 run_bwrap --tmpfs /tmp --tmpfs /var --tmpfs /run \
--bind "${nvidia_drivers_dir}" "${nvidia_drivers_dir}" \ --bind "${nvidia_drivers_dir}" "${nvidia_drivers_dir}" \
bash -c nvidia_driver_handler bash -c nvidia_driver_handler
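Review bot: The new `bind_root` selection in run_bwrap reads `RW_ROOT` straight from the caller's environment, so `RW_ROOT=1 ./script` yields a writable root bind with no overlayfs at all, even though the commit title presents read-only as the behaviour unless USE_OVERLAYFS is enabled; only the two in-script assignments (after a successful mount_overlayfs, and the `RW_ROOT=1 run_bwrap` prefix in the nvidia handler) appear intended to control it. The variable is also missing from the `conty_variables` list right below the new block, so if that list is what strips Conty's own variables from the sandboxed environment (its use is outside the hunk), RW_ROOT would leak into the container while the others do not. If external control is not intended, reset it in script scope before the mount logic, e.g. `RW_ROOT=` alongside the other defaults, and add `RW_ROOT` to `conty_variables` either way; a short comment above the `if` such as `# RW_ROOT=1 is set only after mount_overlayfs succeeds or by the nvidia handler; otherwise newroot is bound read-only` would make the intent explicit. run_bwrap's body starts before and continues after this hunk.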