# Configuration file for sandboxctl(8). # # Copyright (c) 2020-2025 Kimmo Suominen # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # This configuration file provides a sample setup to build a NetBSD sandbox. 
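#

# Host identity, plus the account that post_create_hook (later in this
# file) creates inside the sandbox.  USER and SHELL keep whatever value
# they already have and only fall back to the defaults shown here.
OS="$(uname -s)"
USER="${USER:-kim}"
SHELL="${SHELL:-/bin/sh}"
HOST_ARCH="$(uname -m)"
HOST_REL="$(uname -r)"

# ARCH, REL and SANDBOX must be supplied by the caller.  They are checked
# before any path is derived from them: each one becomes a path component
# of directories that the hooks later in this file create, bind-mount,
# chroot(8) into and (for the sandbox tmp links) remove with "rm -rf".
# An empty value, or one containing "/", must therefore never reach the
# assignments below.
case "${ARCH:-}" in
'')
    shtk_cli_error "Please set the ARCH variable"
    ;;
*/*)
    shtk_cli_error "ARCH must not contain '/'"
    ;;
esac

case "${REL:-}" in
'')
    shtk_cli_error "Please set the REL variable"
    ;;
*/*)
    shtk_cli_error "REL must not contain '/'"
    ;;
esac

case "${SANDBOX:-}" in
'')
    shtk_cli_error "Please set the SANDBOX variable"
    ;;
*/*)
    shtk_cli_error "SANDBOX must not contain '/'"
    ;;
nb*-*)
    ;;
*)
    shtk_cli_error "Don't know how to setup ${SANDBOX}"
    ;;
esac

# The sandbox name's suffix decides which host architectures may run it.
# NOTE(review): this test looks at the SANDBOX name while the release
# directory and CPU below come from ARCH; nothing here checks that the
# two agree -- confirm callers always set them consistently.
case "${SANDBOX:-}" in
*-amd64)
    case "${HOST_ARCH}" in
    amd64)
        ;;
    *)
        shtk_cli_error "Cannot run amd64 under ${HOST_ARCH}"
        ;;
    esac
    ;;
*-i386)
    case "${HOST_ARCH}" in
    amd64|i386)
        ;;
    *)
        shtk_cli_error "Cannot run i386 under ${HOST_ARCH}"
        ;;
    esac
    ;;
*)
    shtk_cli_error "Don't know how to setup ${SANDBOX} under ${HOST_ARCH}"
    ;;
esac

# CPU is the value post_create_hook hands to "pkg_add -m"; only amd64 is
# renamed, every other ARCH is used as is.
case "${ARCH}" in
amd64)
    CPU=x86_64
    ;;
*)
    CPU="${ARCH}"
    ;;
esac

# NetBSD source/release tree and the host group whose numeric GID is
# reused inside the sandbox.  NBGID is the third field of the host's
# group record and is empty when the group does not exist.
NBGRP=netbsd
NBGID="$(getent group "${NBGRP}" | cut -d: -f3)"
NBROOT=/p/netbsd
NBRELS="${NBROOT}/releases"
PKGSRC="${NBROOT}/cvs/pkgsrc"

# Sandbox layout on the host.
SBBASE=/p/sandbox
SBDIST="${SBBASE}/pub/distfiles"
SBPKGS="${SBBASE}/pub/packages/${OS}/${REL}"
SBHOME="${SBBASE}/home"
SANDBOX_ROOT="${SBBASE}/chroot/${SANDBOX}"
SCRATCH=/p/scratch/sandbox
# SANDBOX_TMP is the host directory under which post_mount_hook creates
# sandbox/${SANDBOX} and bind-mounts it read-write into the sandbox.
# NOTE(review): with /tmp that path sits in a directory that is normally
# world-writable, so any local account can create it first; prefer a base
# directory that only root can write to where one is available.
#SANDBOX_TMP=/private/tmp
SANDBOX_TMP=/tmp

# Only the netbsd-release type is active; the commented-out case would
# select netbsd-native when the sandbox name is "nb" followed by the
# host's major release number.
#case "${SANDBOX}" in
#"nb${HOST_REL%%.*}")
#    SANDBOX_TYPE=netbsd-native
#    ;;
#*)
SANDBOX_TYPE=netbsd-release
#    ;;
#esac

# Sample settings for the netbsd-native sandbox type.
#NETBSD_NATIVE_RELEASEDIR="${NBRELS}/${OS}-${REL}/${ARCH}"

# Sample settings for the netbsd-release sandbox type.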
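# Pick the first release directory that exists, trying the "sandbox",
# "snapshots" and "releases" trees under NBRELS in that order.  When none
# of them exists the variable keeps the last candidate ("releases").
for reldir in sandbox snapshots releases
do
    NETBSD_RELEASE_RELEASEDIR="${NBRELS}/${reldir}/${OS}-${REL}/${ARCH}"
    if [ -d "${NETBSD_RELEASE_RELEASEDIR}" ]
    then
        break
    fi
done
NETBSD_RELEASE_SETS="base comp etc xbase xcomp xetc"

# Setup pkgsrc directories

# Copy selected host /etc files into the sandbox and regenerate its
# pkg_install.conf with PKG_PATH pointing at ${SBPKGS}/${ARCH}/All.
#
# Globals: SANDBOX_ROOT, SBPKGS, ARCH (read)
#
# NOTE(review): cp and the output redirection run outside the chroot and
# both follow a symbolic link at the destination.  If anything inside the
# sandbox is able to replace these /etc entries with links, the write
# lands wherever the link points on the host -- confirm that only trusted
# accounts can modify the sandbox's /etc.
refresh_etc()
{
    # Keep the loop variable out of the caller's scope; the hooks below
    # declare their own "i" as well.
    local i

    for i in \
        etc/mk.conf \
        etc/pkgin/repositories.conf \
        etc/pkgpath.conf \
        etc/resolv.conf \
        etc/shells
    do
        cp -p "/${i}" "${SANDBOX_ROOT}/${i}"
    done

    # The replacement text is spliced in between the two single-quoted
    # halves of the script so that the shell expands SBPKGS and ARCH.
    sed -e '
        /^#*PKG_PATH=/ c\
'"PKG_PATH=${SBPKGS}/${ARCH}/All"'
        /^PKG_PATH=/ d
    ' /etc/pkg_install.conf > "${SANDBOX_ROOT}/etc/pkg_install.conf"
}

# Run a script that lives inside the sandbox, if it exists there.
#
# Arguments: $1 - absolute path of the script as seen inside the sandbox
# Globals:   SANDBOX_ROOT, REL, ARCH (read)
# Returns:   0 when the script is absent, otherwise the status of chroot
#
# When the host's "uname -r"-"uname -m" differs from ${REL}-${ARCH} the
# script is started through /usr/pkg/sbin/kver with -r and -m (presumably
# so that it sees the sandbox's release and machine -- confirm against
# the kver documentation).
_sbconf_run_script()
{
    local script

    script="$1"
    [ -e "${SANDBOX_ROOT}${script}" ] || return 0

    case "$(uname -r)-$(uname -m)" in
    "${REL}-${ARCH}")
        chroot "${SANDBOX_ROOT}" "${script}"
        ;;
    *)
        chroot "${SANDBOX_ROOT}" \
            /usr/pkg/sbin/kver -r "${REL}" -m "${ARCH}" \
            "${script}"
        ;;
    esac
}

# Hook run after the sandbox has been created: creates the mount points,
# sets up the tmp links for the /private/tmp layout, copies the /etc
# files, creates the group and user inside the sandbox and, when the
# host release/machine differs from REL/ARCH, installs libkver.
post_create_hook()
{
    local i

    # groupadd below mirrors the host GID of NBGRP.  Without it neither
    # the group nor the user can be created correctly, so stop before
    # anything in the sandbox has been touched.
    case "${NBGID}" in
    '')
        shtk_cli_error "Group ${NBGRP} not found on the host"
        ;;
    esac

    for i in \
        /etc/pkgin \
        /home \
        /usr/obj \
        "${PKGSRC}" \
        "${SBDIST}" \
        "${SBPKGS}" \
        "${SANDBOX_TMP}"
    do
        if [ ! -d "${SANDBOX_ROOT}${i}" ]
        then
            mkdir -p "${SANDBOX_ROOT}${i}"
        fi
    done

    case "${SANDBOX_TMP}" in
    /private/tmp)
        # Replace tmp and var/tmp with links to /private/tmp/@ruid unless
        # they already are.  ":?" aborts instead of expanding to a host
        # path such as /tmp should SANDBOX_ROOT ever be empty.
        for i in tmp var/tmp
        do
            if [ "$(readlink "${SANDBOX_ROOT}/${i}")" != /private/tmp/@ruid ]
            then
                rm -rf -- "${SANDBOX_ROOT:?}/${i}"
                ln -s /private/tmp/@ruid "${SANDBOX_ROOT}/${i}"
            fi
        done
        ;;
    esac

    refresh_etc

    # NOTE(review): "-G wheel" gives USER wheel membership inside the
    # sandbox; treat that account as privileged there.
    chroot "${SANDBOX_ROOT}" groupadd -g "${NBGID}" "${NBGRP}"
    chroot "${SANDBOX_ROOT}" useradd -D -g =uid
    chroot "${SANDBOX_ROOT}" useradd -G wheel -G "${NBGRP}" -s "${SHELL}" "${USER}"

    case "$(uname -r)-$(uname -m)" in
    "${REL}-${ARCH}")
        ;;
    *)
        # This runs the sandbox's own pkg_add on the host, outside the
        # chroot, against the sandbox's libraries.  At this point the
        # tree has only just been created, so the binary is as
        # trustworthy as whatever populated SANDBOX_ROOT.
        env LD_LIBRARY_PATH="${SANDBOX_ROOT}/lib:${SANDBOX_ROOT}/usr/lib" \
            "${SANDBOX_ROOT}/usr/sbin/pkg_add" \
            -C "${SANDBOX_ROOT}/etc/pkg_install.conf" \
            -P "${SANDBOX_ROOT}" \
            -m "${CPU}" \
            libkver
        ;;
    esac
}

# Hook run after the sandbox has been mounted: bind-mounts /dev/pts,
# pkgsrc (read-only), distfiles, packages, home, the object directory and
# the tmp directory into the sandbox, refreshes the /etc files and runs
# /home/sandbox/bin/sandbox-prep inside the sandbox when it exists.
post_mount_hook()
{
    local i objs hosttmp tmpmode

    # Decide on the host-side tmp directory before mounting anything.
    case "${SANDBOX_TMP}" in
    /private/tmp)
        hosttmp="/private/tmp/sandbox/${SANDBOX}"
        tmpmode=0555
        ;;
    *)
        hosttmp="${SANDBOX_TMP}/sandbox/${SANDBOX}"
        tmpmode=1777
        # The default SANDBOX_TMP is /tmp, where any local account can
        # create "sandbox" or "sandbox/${SANDBOX}" first.  "[ -d ]"
        # follows symbolic links, so without this test a link planted
        # there would be bind-mounted read-write into the sandbox.
        # NOTE(review): this does not cover a pre-created real directory
        # owned by another account, nor a change made between this test
        # and the mount; a base directory writable only by root avoids
        # both.
        if [ -L "${SANDBOX_TMP}/sandbox" ] || [ -L "${hosttmp}" ]
        then
            shtk_cli_error "Refusing to use ${hosttmp}: symbolic link in path"
        fi
        ;;
    esac

    sandbox_bindfs -o rw "/dev/pts" "${SANDBOX_ROOT}/dev/pts"
    sandbox_bindfs -o ro "${PKGSRC}" "${SANDBOX_ROOT}${PKGSRC}"
    sandbox_bindfs -o rw "${SBDIST}" "${SANDBOX_ROOT}${SBDIST}"
    sandbox_bindfs -o rw "${SBPKGS}" "${SANDBOX_ROOT}${SBPKGS}"
    sandbox_bindfs -o rw "${SBHOME}" "${SANDBOX_ROOT}/home"

    objs="${SCRATCH}/${SANDBOX}"
    if [ ! -d "${objs}" ]
    then
        install -d -m 1777 "${objs}"
    fi
    sandbox_bindfs -o rw "${objs}" "${SANDBOX_ROOT}/usr/obj"

    if [ ! -d "${SANDBOX_TMP}" ]
    then
        install -d -m 0755 "${SANDBOX_TMP}"
    fi

    if [ ! -d "${hosttmp}" ]
    then
        install -d -m "${tmpmode}" "${hosttmp}"
    fi

    case "${SANDBOX_TMP}" in
    /private/tmp)
        sandbox_bindfs -o rw "${hosttmp}" "${SANDBOX_ROOT}/private/tmp"
        ;;
    *)
        # The same host directory backs both tmp and var/tmp.
        for i in tmp var/tmp
        do
            sandbox_bindfs -o rw "${hosttmp}" "${SANDBOX_ROOT}/${i}"
        done
        ;;
    esac

    refresh_etc

    # NOTE(review): the script comes from SBHOME, which is mounted
    # read-write at /home above, and it is started through chroot(8) on
    # every mount.  Keep home/sandbox/bin and the script owned by root
    # and not writable by the accounts that work inside the sandbox.
    _sbconf_run_script /home/sandbox/bin/sandbox-prep
}

# Hook run before the sandbox is unmounted: runs
# /home/sandbox/bin/sandbox-exit inside the sandbox when it exists.  The
# ownership note on sandbox-prep in post_mount_hook applies to this
# script in the same way.
pre_unmount_hook()
{
    _sbconf_run_script /home/sandbox/bin/sandbox-exit
}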