mat2/libmat2/subprocess.py, branch mastermat2 is a metadata removal tool, supporting a wide range of commonly used file formats, written in python3: at its core, it's a library, used by an eponymous command-line interface, as well as several file manager extensions.
http://git.dustri.org/mat2/atom?h=master2019-10-12T23:13:49ZAdd a way to disable the sandbox2019-10-12T23:13:49Zjvoisin2019-10-12T23:13:49Zurn:sha1:5f0b3beb46d09af26107fe5f80e63ddccb127a59
Due to bubblewrap's pickiness, mat2 can now be run
without a sandbox, even if bubblewrap is installed.
Mount a new tmpfs on /tmp and drop all capabilities2019-10-05T13:21:40Zmadaidan2019-09-21T13:33:49Zurn:sha1:58773088ac1ee1fff8a2f1913442d68b2726daf6
This mounts a new tmpfs on /tmp so any files residing there would be hidden
from the sandbox. Many programs store some files in there that might be useful
to an attacker. It also drops all capabilities incase it is ever run with
extra capabilities for whatever reason.
Fix bubblewrap2019-09-21T12:14:39Zjvoisin2019-09-21T12:14:39Zurn:sha1:37145531854879081fddd6019bdb9ba693210cf2
On some machines (like mine), `/proc` has to be mounted. Also, since
sandboxing with bubblewrap is best effort and assumes that an attacker doesn't
have control outside of the file to clean, it's safe to __try__ to enable some
bubblewrap features, and to silently fail otherwise.
Streamline a bit the previous commit2019-02-09T14:23:16Zjvoisin2019-02-09T14:23:16Zurn:sha1:6e63e03b86916c697e411b9f382f98a4834779ffbind mount /etc/ld.so.cache to the sandbox2019-02-09T08:49:51ZPoncho2019-02-09T08:47:40Zurn:sha1:a71488d4592cef29d6db0981cd0721250eebaff4
without /etc/ld.so.cache available in the sandbox, tests fail on gentoo with:
/usr/bin/ffmpeg: error while loading shared libraries: libstdc++.so.6:
cannot open shared object file: No such file or directory
Whenever possible, use bwrap for subprocesses2019-02-03T18:18:41Zintrigeri2019-02-03T09:43:27Zurn:sha1:e8c1bb0e3c4cae579e81ce6a4b01b829900ff922
This should closes #90