vagrant-lxc-ng/templates/sudoers.rb.erb

#!<%= cmd_paths['ruby'] %>
# Automatically created by vagrant-lxc

class Whitelist
  class << self
    def add(command, *args)
      list[command] ||= []
      list[command] << args
    end

    def add_regex(regex, *args)
      regex_list << [regex, [args]]
    end

    def list
      @list ||= {}
    end

    def regex_list
      @regex_list ||= []
    end

    def allowed(command)
      list[command] || allowed_regex(command) || []
    end

    def allowed_regex(command)
      found = regex_list.find { |r| r[0] =~ command }
      return found[1] if found
    end

    def run!(argv)
      begin
        command, args = `which #{argv.shift}`.chomp, argv || []
        check!(command, args)
        system "#{command} #{args.join(" ")}"

        exit_code = $?.to_i
        exit_code = 1 if exit_code == 256

        exit exit_code
      rescue => e
        STDERR.puts e.message
        exit 1
      end
    end

    private
    def check!(command, args)
      allowed(command).each do |checks|
        return if valid_args?(args, checks)
      end
      raise_invalid(command, args)
    end

    def valid_args?(args, checks)
      return false unless valid_length?(args, checks)
      check = nil
      args.each_with_index do |provided, i|
        check = checks[i] unless check == '**'
        return false unless match?(provided, check)
      end
      true
    end

    def valid_length?(args, checks)
      args.length == checks.length || checks.last == '**'
    end

    def match?(arg, check)
      check == '**' || check.is_a?(Regexp) && !!check.match(arg) || arg == check
    end

    def raise_invalid(command, args)
      raise "Invalid arguments for command #{command}, " <<
      "provided args: #{args.inspect}"
    end
  end
end

base = "<%= lxc_base_path %>"
base_path = %r{\A#{base}/.*\z}

##
# Commands from provider.rb
# - Check lxc is installed
Whitelist.add '<%= cmd_paths['which'] %>', /\Alxc-\w+\z/

##
# Commands from driver.rb
# - Container config file
Whitelist.add '<%= cmd_paths['cat'] %>', base_path
# - Shared folders
Whitelist.add '<%= cmd_paths['mkdir'] %>', '-p', base_path
# - Container config customizations and pruning
Whitelist.add '<%= cmd_paths['cp'] %>', '-f', %r{/tmp/.*}, base_path
Whitelist.add '<%= cmd_paths['chown'] %>', 'root:root', base_path
# - Packaging
Whitelist.add '<%= cmd_paths['tar'] %>', '--numeric-owner', '-cvzf', %r{/tmp/.*/rootfs.tar.gz}, '-C', base_path, './rootfs'
Whitelist.add '<%= cmd_paths['chown'] %>', /\A\d+:\d+\z/, %r{\A/tmp/.*/rootfs\.tar\.gz\z}
# - Private network script and commands
Whitelist.add '<%= cmd_paths['ip'] %>', 'addr', 'add', /(\d+|\.)+\/24/, 'dev', /.+/
Whitelist.add '<%= cmd_paths['ip'] %>', 'link', 'set', /.+/, /(up|down)/
Whitelist.add '<%= cmd_paths['brctl'] %>', /(addbr|delbr)/, /.+/
Whitelist.add_regex %r{<%= pipework_regex %>}, '**'

##
# Commands from driver/cli.rb
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-version'
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-ls'
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-info', '--name', /.*/
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-info', '--name', /.*/, '-iH'
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-create', '-B', /.*/, '--template', /.*/, '--name', /.*/, '**'
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-create', '--version'
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-destroy', '--name', /.*/
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-start', '-d', '--name', /.*/, '**'
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-stop', '--name', /.*/
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-shutdown', '--name', /.*/
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-attach', '--name', /.*/, '**'
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-attach', '-h'
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-config', 'lxc.lxcpath'

##
# Commands from driver/action/remove_temporary_files.rb
Whitelist.add '<%= cmd_paths['rm'] %>', '-rf', %r{\A#{base}/.*/rootfs/tmp/.*}

# Watch out for stones
Whitelist.run!(ARGV)