#!<%= cmd_paths['ruby'] %> # Automatically created by vagrant-lxc class Whitelist class << self def add(command, *args) list[command] ||= [] list[command] << args end def add_regex(regex, *args) regex_list << [regex, [args]] end def list @list ||= {} end def regex_list @regex_list ||= [] end def allowed(command) list[command] || allowed_regex(command) || [] end def allowed_regex(command) found = regex_list.find { |r| r[0] =~ command } return found[1] if found end def run!(argv) begin command, args = `which #{argv.shift}`.chomp, argv || [] check!(command, args) system "#{command} #{args.join(" ")}" exit_code = $?.to_i exit_code = 1 if exit_code == 256 exit exit_code rescue => e STDERR.puts e.message exit 1 end end private def check!(command, args) allowed(command).each do |checks| return if valid_args?(args, checks) end raise_invalid(command, args) end def valid_args?(args, checks) return false unless valid_length?(args, checks) check = nil args.each_with_index do |provided, i| check = checks[i] unless check == '**' return false unless match?(provided, check) end true end def valid_length?(args, checks) args.length == checks.length || checks.last == '**' end def match?(arg, check) check == '**' || check.is_a?(Regexp) && !!check.match(arg) || arg == check end def raise_invalid(command, args) raise "Invalid arguments for command #{command}, " << "provided args: #{args.inspect}" end end end base = "<%= lxc_base_path %>" base_path = %r{\A#{base}/.*\z} ## # Commands from provider.rb # - Check lxc is installed Whitelist.add '<%= cmd_paths['which'] %>', /\Alxc-\w+\z/ ## # Commands from driver.rb # - Container config file Whitelist.add '<%= cmd_paths['cat'] %>', base_path # - Shared folders Whitelist.add '<%= cmd_paths['mkdir'] %>', '-p', base_path # - Container config customizations and pruning Whitelist.add '<%= cmd_paths['cp'] %>', '-f', %r{/tmp/.*}, base_path Whitelist.add '<%= cmd_paths['chown'] %>', 'root:root', base_path # - Packaging Whitelist.add '<%= cmd_paths['tar'] %>', '--numeric-owner', '-cvzf', %r{/tmp/.*/rootfs.tar.gz}, '-C', base_path, './rootfs' Whitelist.add '<%= cmd_paths['chown'] %>', /\A\d+:\d+\z/, %r{\A/tmp/.*/rootfs\.tar\.gz\z} # - Private network script and commands Whitelist.add '<%= cmd_paths['ip'] %>', 'addr', 'add', /(\d+|\.)+\/24/, 'dev', /.+/ Whitelist.add '<%= cmd_paths['ip'] %>', 'link', 'set', /.+/, /(up|down)/ Whitelist.add '<%= cmd_paths['brctl'] %>', /(addbr|delbr)/, /.+/ Whitelist.add_regex %r{<%= pipework_regex %>}, '**' ## # Commands from driver/cli.rb Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-version' Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-ls' Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-info', '--name', /.*/ Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-info', '--name', /.*/, '-iH' Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-create', '-B', /.*/, '--template', /.*/, '--name', /.*/, '**' Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-create', '--version' Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-destroy', '--name', /.*/ Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-start', '-d', '--name', /.*/, '**' Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-stop', '--name', /.*/ Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-shutdown', '--name', /.*/ Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-attach', '--name', /.*/, '**' Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-attach', '-h' Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-config', 'lxc.lxcpath' Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-update-config', '-c', /.*/ ## # Commands from driver/action/remove_temporary_files.rb Whitelist.add '<%= cmd_paths['rm'] %>', '-rf', %r{\A#{base}/.*/rootfs/tmp/.*} # Watch out for stones Whitelist.run!(ARGV)