exec_borg.sh: wrapper script for sandboxing borg

2023-04-06 00:59:34 +02:00 · 2023-04-06 00:59:34 +02:00 · 0a9a5f9a71
commit 0a9a5f9a71
parent b419d2de87
1 changed files with 34 additions and 0 deletions
--- a/exec_borg.sh
+++ b/exec_borg.sh
@ -0,0 +1,34 @@
+#!/bin/bash
+
+SELF="$0"
+NAME="$1"
+shift
+
+die() {
+	echo -e $1 | sed -e 's-^-! -' >&2
+	exit 1
+}
+usage() {
+	echo "usage: $SELF PROFILE_NAME [-h] <borg command> ..." >&2
+	exit 1
+}
+
+[ "x$NAME" == "x" ] && usage
+[ -d /etc/borg/$NAME ] || die "Profile '$NAME' isn't initialized! See init.sh and README.md."
+[ $# == 0 ] && usage
+
+# do some sandboxinng
+exec systemd-run --quiet --pipe --collect --unit=temp-borg-init-sandbox.service \
+	--working-directory=/tmp \
+	-p "ConfigurationDirectory=borg/$NAME" \
+	-p "CacheDirectory=borg/$NAME" \
+	-p "ConfigurationDirectoryMode=550" \
+	-p "CacheDirectoryMode=550" \
+	-p "PrivateTmp=yes" \
+	-p "ReadOnlyDirectories=/" \
+	-p "EnvironmentFile=/etc/borg/$NAME/config.env" \
+	--setenv=BORG_PASSPHRASE_FD=0 \
+	--setenv=BORG_BASE_DIR=/tmp/ \
+	--setenv=BORG_CONFIG_DIR=/etc/borg/$NAME \
+	--setenv=BORG_CACHE_DIR=/var/cache/borg/$NAME \
+	/usr/bin/borg $@ < /etc/borg/$NAME/borg_passphrase