sandbox: start sandbox in a pseudoterminal
This commit is contained in:
Bo Anderson
parent
a1e34bdd10
commit
0f900edfa2
@ -2,6 +2,8 @@
|
|||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
require "erb"
|
require "erb"
|
||||||
|
require "io/console"
|
||||||
|
require "pty"
|
||||||
require "tempfile"
|
require "tempfile"
|
||||||
|
|
||||||
# Helper class for running a sub-process inside of a sandboxed environment.
|
# Helper class for running a sub-process inside of a sandboxed environment.
|
||||||
@ -95,12 +97,26 @@ class Sandbox
|
|||||||
seatbelt.close
|
seatbelt.close
|
||||||
@start = Time.now
|
@start = Time.now
|
||||||
|
|
||||||
|
$stdin.raw!
|
||||||
|
stdin_thread = T.let(nil, T.nilable(Thread))
|
||||||
|
|
||||||
begin
|
begin
|
||||||
T.unsafe(self).safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args
|
command = [SANDBOX_EXEC, "-f", seatbelt.path, *args]
|
||||||
|
T.unsafe(PTY).spawn(*command) do |r, w, pid|
|
||||||
|
w.winsize = $stdout.winsize
|
||||||
|
trap(:WINCH) { w.winsize = $stdout.winsize }
|
||||||
|
stdin_thread = Thread.new { IO.copy_stream($stdin, w) }
|
||||||
|
r.each_char { |c| print(c) }
|
||||||
|
Process.wait(pid)
|
||||||
|
end
|
||||||
|
raise ErrorDuringExecution.new(command, status: $CHILD_STATUS) unless $CHILD_STATUS.success?
|
||||||
rescue
|
rescue
|
||||||
@failed = true
|
@failed = true
|
||||||
raise
|
raise
|
||||||
ensure
|
ensure
|
||||||
|
stdin_thread&.kill
|
||||||
|
$stdin.cooked!
|
||||||
|
|
||||||
seatbelt.unlink
|
seatbelt.unlink
|
||||||
sleep 0.1 # wait for a bit to let syslog catch up the latest events.
|
sleep 0.1 # wait for a bit to let syslog catch up the latest events.
|
||||||
syslog_args = [
|
syslog_args = [
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user