ENH: Use $SANDBOX_RO_BIND environment variable

kernc · kernc · commit 6f74efff5668 · 2025-10-13T15:51:00.000+02:00
diff --git a/README.md b/README.md
@@ -125,6 +125,7 @@ You can run `sandbox-run bash` to spawn **interactive shell inside the sandbox**
 #### Environment variables
 
 * `BWRAP_ARGS=`– Extra arguments passed to `bwrap` process; space or line-delimited (if arguments such as paths themselves contain spaces).
+* `SANDBOX_RO_BIND=`– List of additional path glob expressions to mount read-only inside the sandbox.
 * `VERBOSE=`– Print full `exec bwrap` command line right before execution.
 
 
diff --git a/sandbox-run b/sandbox-run
@@ -34,6 +34,10 @@ format_args () {
 formatted_cmdline="$(format_args "$@")"
 warn () { echo "sandbox-run: $*" >&2; }
 
+lf='
+'
+split_args_by_lf () { printf '%s' "$1" | case "$1" in *$lf*) cat ;; *) tr ' ' '\n' ;; esac; }
+
 # RO-bind select paths
 paths='
 /etc/resolv.conf
@@ -51,14 +55,13 @@ paths='
 /usr
 '
 
-lf='
-'
-split_args_by_lf () { printf '%s' "$1" | case "$1" in *$lf*) cat ;; *) tr ' ' '\n' ;; esac; }
 # Support BWRAP_ARGS passed to the process as well as via .env file
 prev_BWRAP_ARGS="${BWRAP_ARGS:-}"
 # Init env from dotenv file
 # shellcheck disable=SC2046
 [ ! -e "$cwd/.env" ] || { . "$cwd/.env"; export $(grep -Pzo '(?m)^\w*(?==)' "$cwd/.env" | tr '\0' '\n'); }
+paths="$(split_args_by_lf "${SANDBOX_RO_BIND:-}" | tr ',' '\n')
+$paths"  # Add paths from SANDBOX_RO_BIND
 IFS="$lf"  # Split args only on newline
 # shellcheck disable=SC2046
 set -- $(split_args_by_lf "${BWRAP_ARGS:-}") $(split_args_by_lf "${prev_BWRAP_ARGS:-}") "$bin" "$@"
@@ -82,7 +85,7 @@ for var in $(env -0 |
                                         paste -z -s -d '|'))$" |
                          paste -z -s -d '|'))=" |
         grep -Ezv -e '^(_|LS_COLORS|PS1)=' |
-        grep -Ezv -e '^(BWRAP_ARGS)=' |
+        grep -Ezv -e '^(BWRAP_ARGS|SANDBOX_RO_BIND)=' |
         tr '\0' '\037'); do
     set -- --setenv "${var%%=*}" "${var#*=}" "$@"
 done
diff --git a/tests/test-ro-bind-env-var.sh b/tests/test-ro-bind-env-var.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+set -eu
+
+. "${0%/*}/_init.sh"
+
+SANDBOX_RO_BIND='/etc/shad*,/etc/motd*' \
+    sandbox-run sh -c 'test -f /etc/shadow; test -f /etc/motd'
