daklib.sandbox¶

Sandbox external commands via systemd-run –user

Functions

`build_sandbox_command`(sandbox, original_cmd)
`run`(cmd, , sandbox, *kwargs)

Classes

Sandbox([inaccessible_paths, ...])

class daklib.sandbox.Sandbox(inaccessible_paths: collections.abc.Sequence[str] | None = None, extra_inaccessible_paths: collections.abc.Sequence[str] = (), temporary_file_systems: collections.abc.Sequence[str] | None = None, extra_temporary_file_systems: collections.abc.Sequence[str] = (), read_only_paths: collections.abc.Sequence[str] | None = None, extra_read_only_paths: collections.abc.Sequence[str] = (), read_write_paths: collections.abc.Sequence[str] | None = None, extra_read_write_paths: collections.abc.Sequence[str] = (), bind_read_only_paths: collections.abc.Sequence[str] | None = None, extra_bind_read_only_paths: collections.abc.Sequence[str] = (), bind_read_write_paths: collections.abc.Sequence[str] | None = None, extra_bind_read_write_paths: collections.abc.Sequence[str] = (), restrict_address_families: collections.abc.Sequence[str] | None = (), system_call_filter: collections.abc.Sequence[str] | None = ('@system-service',))[source]¶

bind_read_only_paths: Sequence[str] | None = None¶

bind_read_write_paths: Sequence[str] | None = None¶

extra_bind_read_only_paths: Sequence[str] = ()¶

extra_bind_read_write_paths: Sequence[str] = ()¶

extra_inaccessible_paths: Sequence[str] = ()¶

extra_read_only_paths: Sequence[str] = ()¶

extra_read_write_paths: Sequence[str] = ()¶

extra_temporary_file_systems: Sequence[str] = ()¶

inaccessible_paths: Sequence[str] | None = None¶

private_devices = True¶

private_ipc = True¶

private_network = True¶

read_only_paths: Sequence[str] | None = None¶

read_write_paths: Sequence[str] | None = None¶

restrict_address_families: Sequence[str] | None = ()¶

system_call_filter: Sequence[str] | None = ('@system-service',)¶

temporary_file_systems: Sequence[str] | None = None¶

daklib.sandbox._default_sandbox() → Sandbox[source]¶

daklib.sandbox._effective(paths: Sequence[str] | None, extra_paths: Sequence[str], default_paths: Sequence[str] | None) → Sequence[str][source]¶

daklib.sandbox._run_sandboxed(sandbox: Sandbox, cmd: Sequence[str], **kwargs) → CompletedProcess[source]¶

daklib.sandbox._sandbox_enabled() → bool[source]¶

daklib.sandbox.build_sandbox_command(sandbox: Sandbox, original_cmd: Sequence[str]) → list[str][source]¶

daklib.sandbox.run(cmd: Sequence[str], *, sandbox: Sandbox, **kwargs) → CompletedProcess[source]¶