Cleanup capabilities

Samuel Aubertin
2026-03-10 16:51:17 +01:00
parent b080f06613
commit 87d1577546
10 changed files with 466 additions and 165 deletions

sloptrap

@@ -351,6 +351,7 @@ write_embedded_helper() {
cat <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
helper_pid=""
helperd_bin=${SLOPTRAP_HELPERD_BIN:-/usr/local/bin/sloptrap-helperd}
@@ -394,6 +395,7 @@ EOF
#!/usr/bin/env bash
set -euo pipefail
umask 077
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
helper_dir=${SLOPTRAP_HELPER_DIR:-/tmp/sloptrap-helper}
queue_dir="$helper_dir/queue"
@@ -482,15 +484,15 @@ release_request_dir() {
local owner_gid=$3
local path
[[ $owner_uid =~ ^[0-9]+$ && $owner_gid =~ ^[0-9]+$ ]] || return 0
for path in "$request_dir" "$request_dir/status" "$request_dir/stdout" "$request_dir/stderr"; do
[[ -e $path && ! -L $path ]] || continue
chown "$owner_uid:$owner_gid" "$path" 2>/dev/null || true
done
chmod 700 "$request_dir" 2>/dev/null || true
for path in "$request_dir/status" "$request_dir/stdout" "$request_dir/stderr"; do
[[ -e $path && ! -L $path ]] || continue
chmod 600 "$path" 2>/dev/null || true
done
for path in "$request_dir" "$request_dir/status" "$request_dir/stdout" "$request_dir/stderr"; do
[[ -e $path && ! -L $path ]] || continue
chown "$owner_uid:$owner_gid" "$path" 2>/dev/null || true
done
}
init_request_outputs() {
@@ -537,6 +539,7 @@ write_status() {
run_apt_install() {
local request_dir=$1
local apt_get_bin
has_capability "apt-install" || {
printf 'capability apt-install is not active\n' >"$request_dir/stderr"
write_status "$request_dir" 126
@@ -566,8 +569,18 @@ run_apt_install() {
return
fi
done
if apt-get update >"$request_dir/stdout" 2>"$request_dir/stderr" \
&& apt-get install -y --no-install-recommends "${packages[@]}" >>"$request_dir/stdout" 2>>"$request_dir/stderr"; then
apt_get_bin=${SLOPTRAP_APT_GET_BIN:-}
if [[ -z $apt_get_bin ]]; then
apt_get_bin=$(command -v apt-get 2>/dev/null || true)
fi
if [[ -z $apt_get_bin || ! -x $apt_get_bin ]]; then
printf 'apt-get is not available in this image\n' >"$request_dir/stderr"
write_status "$request_dir" 127
log_action "apt-install" "packages=missing-tool" 127
return
fi
if "$apt_get_bin" update >"$request_dir/stdout" 2>"$request_dir/stderr" \
&& "$apt_get_bin" install -y --no-install-recommends "${packages[@]}" >>"$request_dir/stdout" 2>>"$request_dir/stderr"; then
write_status "$request_dir" 0
log_action "apt-install" "packages=${packages[*]}" 0
return
@@ -578,6 +591,7 @@ run_apt_install() {
run_packet_capture() {
local request_dir=$1
local tcpdump_bin
has_capability "packet-capture" || {
printf 'capability packet-capture is not active\n' >"$request_dir/stderr"
write_status "$request_dir" 126
@@ -609,7 +623,17 @@ run_packet_capture() {
log_action "packet-capture" "interface=$iface stdout=invalid" 2
return
fi
local -a cmd=(tcpdump -i "$iface")
tcpdump_bin=${SLOPTRAP_TCPDUMP_BIN:-}
if [[ -z $tcpdump_bin ]]; then
tcpdump_bin=$(command -v tcpdump 2>/dev/null || true)
fi
if [[ -z $tcpdump_bin || ! -x $tcpdump_bin ]]; then
printf 'tcpdump is not available in this image\n' >"$request_dir/stderr"
write_status "$request_dir" 127
log_action "packet-capture" "interface=$iface tool=missing" 127
return
fi
local -a cmd=("$tcpdump_bin" -p -i "$iface")
if [[ -s $output_file ]]; then
local capture_path
capture_path=$(read_request_value "$output_file" || true)
@@ -704,6 +728,7 @@ EOF
cat <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
helper_dir=${SLOPTRAP_HELPER_DIR:-/tmp/sloptrap-helper}
queue_dir="$helper_dir/queue"
@@ -721,50 +746,8 @@ ensure_helper_ready() {
if [[ -w $queue_dir ]] && helper_running; then
return 0
fi
if [[ -z ${SLOPTRAP_ACTIVE_CAPABILITIES:-} ]]; then
printf 'slop-apt: capability helper is not available in this session\n' >&2
exit 1
fi
if ! command -v setpriv >/dev/null 2>&1; then
printf 'slop-apt: setpriv is required to bootstrap the capability helper\n' >&2
exit 1
fi
setpriv --reuid 0 --regid 0 --clear-groups -- env \
SLOPTRAP_HELPER_DIR="$helper_dir" \
SLOPTRAP_ACTIVE_CAPABILITIES="${SLOPTRAP_ACTIVE_CAPABILITIES:-}" \
SLOPTRAP_AUDIT_LOG="${SLOPTRAP_AUDIT_LOG:-/codex/state/capabilities.log}" \
SLOPTRAP_CAPTURE_DIR="${SLOPTRAP_CAPTURE_DIR:-/codex/state/captures}" \
SLOPTRAP_WORKDIR="${SLOPTRAP_WORKDIR:-/workspace}" \
SLOPTRAP_HOST_UID="${SLOPTRAP_HOST_UID:-$(id -u)}" \
SLOPTRAP_HOST_GID="${SLOPTRAP_HOST_GID:-$(id -g)}" \
bash -c '
set -euo pipefail
helper_dir=${SLOPTRAP_HELPER_DIR:-/tmp/sloptrap-helper}
queue_dir="$helper_dir/queue"
pidfile="$helper_dir/helperd.pid"
helper_bin=$(command -v sloptrap-helperd)
[[ -n $helper_bin ]] || exit 1
mkdir -p "$queue_dir"
chmod 711 "$helper_dir"
chmod 1733 "$queue_dir"
if [[ -r $pidfile ]]; then
pid=$(<"$pidfile")
if [[ -n $pid ]] && kill -0 "$pid" 2>/dev/null; then
exit 0
fi
fi
"$helper_bin" >/dev/null 2>&1 &
for ((i=0; i<30; i+=1)); do
if [[ -r $pidfile ]]; then
pid=$(<"$pidfile")
if [[ -n $pid ]] && kill -0 "$pid" 2>/dev/null; then
exit 0
fi
fi
sleep 0.1
done
exit 1
'
printf 'slop-apt: capability helper is unavailable; start a fresh sloptrap session with apt-install enabled\n' >&2
exit 1
}
if [[ ${1-} != "install" ]]; then
@@ -811,12 +794,14 @@ EOF
cat <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
helper_dir=${SLOPTRAP_HELPER_DIR:-/tmp/sloptrap-helper}
helper_dir=${SLOPTRAP_CAPTURE_HELPER_DIR:-/codex/state/capture-helper}
queue_dir="$helper_dir/queue"
default_output=${SLOPTRAP_CAPTURE_DIR:-/codex/state/captures}
workspace_root=${SLOPTRAP_WORKDIR:-/workspace}
pidfile="$helper_dir/helperd.pid"
packet_capture_enabled=${SLOPTRAP_PACKET_CAPTURE_ENABLED:-0}
mkdir -p "$default_output"
helper_running() {
@@ -828,53 +813,15 @@ helper_running() {
}
ensure_helper_ready() {
if [[ $packet_capture_enabled != "1" ]]; then
printf 'slopcap: packet capture is not enabled in this session\n' >&2
exit 1
fi
if [[ -w $queue_dir ]] && helper_running; then
return 0
fi
if [[ -z ${SLOPTRAP_ACTIVE_CAPABILITIES:-} ]]; then
printf 'slopcap: capability helper is not available in this session\n' >&2
exit 1
fi
if ! command -v setpriv >/dev/null 2>&1; then
printf 'slopcap: setpriv is required to bootstrap the capability helper\n' >&2
exit 1
fi
setpriv --reuid 0 --regid 0 --clear-groups -- env \
SLOPTRAP_HELPER_DIR="$helper_dir" \
SLOPTRAP_ACTIVE_CAPABILITIES="${SLOPTRAP_ACTIVE_CAPABILITIES:-}" \
SLOPTRAP_AUDIT_LOG="${SLOPTRAP_AUDIT_LOG:-/codex/state/capabilities.log}" \
SLOPTRAP_CAPTURE_DIR="${SLOPTRAP_CAPTURE_DIR:-/codex/state/captures}" \
SLOPTRAP_WORKDIR="${SLOPTRAP_WORKDIR:-/workspace}" \
SLOPTRAP_HOST_UID="${SLOPTRAP_HOST_UID:-$(id -u)}" \
SLOPTRAP_HOST_GID="${SLOPTRAP_HOST_GID:-$(id -g)}" \
bash -c '
set -euo pipefail
helper_dir=${SLOPTRAP_HELPER_DIR:-/tmp/sloptrap-helper}
queue_dir="$helper_dir/queue"
pidfile="$helper_dir/helperd.pid"
helper_bin=$(command -v sloptrap-helperd)
[[ -n $helper_bin ]] || exit 1
mkdir -p "$queue_dir"
chmod 711 "$helper_dir"
chmod 1733 "$queue_dir"
if [[ -r $pidfile ]]; then
pid=$(<"$pidfile")
if [[ -n $pid ]] && kill -0 "$pid" 2>/dev/null; then
exit 0
fi
fi
"$helper_bin" >/dev/null 2>&1 &
for ((i=0; i<30; i+=1)); do
if [[ -r $pidfile ]]; then
pid=$(<"$pidfile")
if [[ -n $pid ]] && kill -0 "$pid" 2>/dev/null; then
exit 0
fi
fi
sleep 0.1
done
exit 1
'
printf 'slopcap: capture helper is unavailable; start a fresh sloptrap session with packet-capture enabled\n' >&2
exit 1
}
resolve_requested_path() {
@@ -1174,6 +1121,45 @@ ensure_capability_trust() {
prompt_capability_trust
}
host_network_packet_capture_active() {
$ALLOW_HOST_NETWORK && capability_list_contains "$ENABLED_CAPABILITIES" "packet-capture"
}
prompt_runtime_packet_capture_ack() {
local tty_path="/dev/tty"
printf '%s' "$PREFIX_TEXT" >"$tty_path"
printf '%b' "$COLOR_TEXT" >"$tty_path"
printf 'Warning: host networking + packet-capture is a high-trust mode.\n' >"$tty_path"
printf 'If you continue, code inside this session can capture host-network traffic, including plaintext protocols and requests to local services.\n' >"$tty_path"
printf 'It can also transmit spoofed packets into the host network namespace for the duration of this run.\n' >"$tty_path"
printf 'This is not a normal sandboxed session boundary.\n' >"$tty_path"
printf 'Continue with host-network packet capture for this run? [y/N]: ' >"$tty_path"
printf '%b' "$RESET" >"$tty_path"
local input
if ! IFS= read -r input <"$tty_path"; then
error "host-network packet capture requires an interactive terminal acknowledgement"
fi
case "${input,,}" in
y|yes)
RUNTIME_PACKET_CAPTURE_ACKNOWLEDGED=true
;;
*)
error "host-network packet capture not acknowledged"
;;
esac
}
ensure_runtime_packet_capture_ack() {
host_network_packet_capture_active || return 0
$RUNTIME_PACKET_CAPTURE_ACKNOWLEDGED && return 0
if $DRY_RUN; then
warn "host networking with packet capture would require an interactive acknowledgement at runtime"
RUNTIME_PACKET_CAPTURE_ACKNOWLEDGED=true
return 0
fi
prompt_runtime_packet_capture_ack
}
write_capability_build_stamp() {
ensure_capability_state_paths
if $DRY_RUN; then
@@ -1732,8 +1718,12 @@ EOF
declare -a CONTAINER_SHARED_OPTS=()
declare -a BASE_CONTAINER_CMD=()
declare -a CAPTURE_POD_CREATE_CMD=()
declare -a CAPTURE_HELPER_BASE_CMD=()
SLOPTRAP_IMAGE_NAME=""
SLOPTRAP_CONTAINER_NAME=""
SLOPTRAP_CAPTURE_CONTAINER_NAME=""
SLOPTRAP_POD_NAME=""
SLOPTRAP_DOCKERFILE_PATH=""
SLOPTRAP_BUILD_CONTEXT=""
SLOPTRAP_DOCKERFILE_SOURCE=""
@@ -1759,6 +1749,10 @@ SLOPTRAP_TMPFS_PATHS=""
SLOPTRAP_ROOTFS_READONLY=""
SLOPTRAP_ROOTFS_READONLY_DEFAULT=""
SLOPTRAP_RUN_AS_ROOT=false
SLOPTRAP_MAIN_ACTIVE_CAPABILITIES=""
SLOPTRAP_PACKET_CAPTURE_ENABLED=false
SLOPTRAP_CAPTURE_HELPER_DIR_CONT=""
SLOPTRAP_CAPTURE_HELPER_DIR_HOST=""
get_env_default() {
local var=$1
@@ -1821,6 +1815,87 @@ run_or_print() {
"$@"
}
append_auth_mount_arg() {
local writable=$1
local -n out=$2
local suffix=""
if [[ $CONTAINER_ENGINE == "podman" ]]; then
suffix=":Z"
if [[ $writable != true ]]; then
suffix=":Z,ro"
fi
elif [[ $writable != true ]]; then
suffix=":ro"
fi
out+=(-v "$CODEX_AUTH_FILE_HOST:$SLOPTRAP_CODEX_HOME_CONT/auth.json$suffix")
}
ensure_capability_engine_supported() {
[[ -n $REQUESTED_CAPABILITIES ]] || return 0
if [[ $CONTAINER_ENGINE != "podman" ]]; then
error "capability-enabled runs require podman; docker is not supported for capabilities"
fi
}
packet_capture_enabled() {
capability_list_contains "$ENABLED_CAPABILITIES" "packet-capture"
}
stop_packet_capture_helper() {
[[ -n $SLOPTRAP_POD_NAME ]] || return 0
if $DRY_RUN; then
print_command "$CONTAINER_ENGINE" pod rm -f "$SLOPTRAP_POD_NAME"
return 0
fi
"$CONTAINER_ENGINE" pod rm -f "$SLOPTRAP_POD_NAME" >/dev/null 2>&1 || true
}
wait_for_path() {
local path=$1
local attempts=${2:-50}
local delay=${3:-0.1}
local i
for ((i=0; i<attempts; i+=1)); do
[[ -e $path ]] && return 0
sleep "$delay"
done
return 1
}
start_packet_capture_helper() {
packet_capture_enabled || return 0
ensure_runtime_packet_capture_ack
ensure_codex_directory "$SLOPTRAP_CAPTURE_HELPER_DIR_HOST" "capture helper state"
if $DRY_RUN; then
print_command "${CAPTURE_POD_CREATE_CMD[@]}"
print_command "${CAPTURE_HELPER_BASE_CMD[@]}"
return 0
fi
stop_packet_capture_helper
"${CAPTURE_POD_CREATE_CMD[@]}" >/dev/null
if ! "${CAPTURE_HELPER_BASE_CMD[@]}" >/dev/null; then
stop_packet_capture_helper
return 1
fi
if ! wait_for_path "$SLOPTRAP_CAPTURE_HELPER_DIR_HOST/helperd.pid"; then
stop_packet_capture_helper
error "packet capture helper failed to start"
fi
}
run_runtime_container_cmd() {
local -a cmd=("$@")
start_packet_capture_helper
local status=0
if run_or_print "${cmd[@]}"; then
status=0
else
status=$?
fi
stop_packet_capture_helper
return "$status"
}
ensure_codex_directory() {
local path=$1
local label=$2
@@ -2057,7 +2132,17 @@ prepare_container_runtime() {
SLOPTRAP_IMAGE_NAME=$(sanitize_engine_name "$SLOPTRAP_IMAGE_NAME")
SLOPTRAP_CONTAINER_NAME=$(sanitize_engine_name "$SLOPTRAP_CONTAINER_NAME")
local -a network_opts=(--network "$SLOPTRAP_NETWORK_NAME" --init)
SLOPTRAP_CAPTURE_CONTAINER_NAME=$(sanitize_engine_name "${PROJECT_NAME}-sloptrap-capture")
SLOPTRAP_POD_NAME=$(sanitize_engine_name "${PROJECT_NAME}-sloptrap-pod")
SLOPTRAP_CAPTURE_HELPER_DIR_CONT="$SLOPTRAP_CODEX_HOME_CONT/state/capture-helper"
SLOPTRAP_CAPTURE_HELPER_DIR_HOST="$CODEX_STATE_HOME_HOST/state/capture-helper"
local -a network_opts=(--init)
if packet_capture_enabled; then
network_opts+=(--pod "$SLOPTRAP_POD_NAME")
else
network_opts+=(--network "$SLOPTRAP_NETWORK_NAME")
fi
local -a security_opts=(--cap-drop=ALL)
local -a capability_opts=()
if [[ -n $SLOPTRAP_SECURITY_OPTS_EXTRA ]]; then
@@ -2082,13 +2167,19 @@ prepare_container_runtime() {
done
fi
SLOPTRAP_MAIN_ACTIVE_CAPABILITIES=""
SLOPTRAP_PACKET_CAPTURE_ENABLED=false
if capability_list_contains "$ENABLED_CAPABILITIES" "apt-install"; then
SLOPTRAP_ROOTFS_READONLY=0
SLOPTRAP_RUN_AS_ROOT=true
SLOPTRAP_MAIN_ACTIVE_CAPABILITIES="apt-install"
fi
if capability_list_contains "$ENABLED_CAPABILITIES" "packet-capture"; then
capability_opts+=(--cap-add NET_RAW --cap-add NET_ADMIN)
SLOPTRAP_RUN_AS_ROOT=true
SLOPTRAP_PACKET_CAPTURE_ENABLED=true
fi
local packet_capture_flag="0"
if $SLOPTRAP_PACKET_CAPTURE_ENABLED; then
packet_capture_flag="1"
fi
security_opts+=(--security-opt no-new-privileges)
if $SLOPTRAP_RUN_AS_ROOT; then
@@ -2096,8 +2187,6 @@ prepare_container_runtime() {
--cap-add SETUID
--cap-add SETGID
--cap-add CHOWN
--cap-add DAC_OVERRIDE
--cap-add FOWNER
)
fi
@@ -2117,7 +2206,6 @@ prepare_container_runtime() {
local -a volume_opts=(
-v "$SLOPTRAP_SHARED_DIR_ABS:$SLOPTRAP_WORKDIR$SLOPTRAP_VOLUME_LABEL"
-v "$CODEX_STATE_HOME_HOST:$SLOPTRAP_CODEX_HOME_CONT$SLOPTRAP_VOLUME_LABEL"
-v "$CODEX_AUTH_FILE_HOST:$SLOPTRAP_CODEX_HOME_CONT/auth.json$SLOPTRAP_VOLUME_LABEL"
)
local -a env_args=(
@@ -2128,7 +2216,9 @@ prepare_container_runtime() {
-e "CODEX_HOME=$SLOPTRAP_CODEX_HOME_CONT"
-e "SLOPTRAP_WORKDIR=$SLOPTRAP_WORKDIR"
-e "SLOPTRAP_HELPER_DIR=/tmp/sloptrap-helper"
-e "SLOPTRAP_ACTIVE_CAPABILITIES=$ENABLED_CAPABILITIES"
-e "SLOPTRAP_ACTIVE_CAPABILITIES=$SLOPTRAP_MAIN_ACTIVE_CAPABILITIES"
-e "SLOPTRAP_PACKET_CAPTURE_ENABLED=$packet_capture_flag"
-e "SLOPTRAP_CAPTURE_HELPER_DIR=$SLOPTRAP_CAPTURE_HELPER_DIR_CONT"
-e "SLOPTRAP_CAPTURE_DIR=$SLOPTRAP_CODEX_HOME_CONT/state/captures"
-e "SLOPTRAP_AUDIT_LOG=$SLOPTRAP_CODEX_HOME_CONT/state/capabilities.log"
-e "SLOPTRAP_PREFER_CODEX_HOME=1"
@@ -2156,6 +2246,55 @@ prepare_container_runtime() {
fi
fi
CAPTURE_POD_CREATE_CMD=()
CAPTURE_HELPER_BASE_CMD=()
if $SLOPTRAP_PACKET_CAPTURE_ENABLED; then
local -a capture_env_args=(
-e "HOME=$SLOPTRAP_CODEX_HOME_CONT"
-e "XDG_CONFIG_HOME=$SLOPTRAP_CODEX_HOME_CONT/config"
-e "XDG_CACHE_HOME=$SLOPTRAP_CODEX_HOME_CONT/cache"
-e "XDG_STATE_HOME=$SLOPTRAP_CODEX_HOME_CONT/state"
-e "CODEX_HOME=$SLOPTRAP_CODEX_HOME_CONT"
-e "SLOPTRAP_WORKDIR=$SLOPTRAP_WORKDIR"
-e "SLOPTRAP_HELPER_DIR=$SLOPTRAP_CAPTURE_HELPER_DIR_CONT"
-e "SLOPTRAP_ACTIVE_CAPABILITIES=packet-capture"
-e "SLOPTRAP_CAPTURE_DIR=$SLOPTRAP_CODEX_HOME_CONT/state/captures"
-e "SLOPTRAP_AUDIT_LOG=$SLOPTRAP_CODEX_HOME_CONT/state/capabilities.log"
-e "SLOPTRAP_HOST_UID=$uid"
-e "SLOPTRAP_HOST_GID=$gid"
)
if [[ -n $user ]]; then
capture_env_args+=(-e "SLOPTRAP_HOST_USER=$user")
fi
local -a capture_user_opts=(--userns="keep-id:uid=$uid,gid=$gid")
CAPTURE_POD_CREATE_CMD=(
"$CONTAINER_ENGINE" pod create
--name "$SLOPTRAP_POD_NAME"
--network "$SLOPTRAP_NETWORK_NAME"
)
CAPTURE_HELPER_BASE_CMD=(
"$CONTAINER_ENGINE" run -d --rm
--name "$SLOPTRAP_CAPTURE_CONTAINER_NAME"
--pod "$SLOPTRAP_POD_NAME"
--cap-drop=ALL
--cap-add NET_RAW
--cap-add SETUID
--cap-add SETGID
--cap-add CHOWN
--security-opt no-new-privileges
"${resource_opts[@]}"
--read-only
"${tmpfs_opts[@]}"
"${volume_opts[@]}"
"${IGNORE_MOUNT_ARGS[@]}"
"${capture_env_args[@]}"
"${capture_user_opts[@]}"
-w "$SLOPTRAP_WORKDIR"
"$SLOPTRAP_IMAGE_NAME"
sleep infinity
)
fi
CONTAINER_SHARED_OPTS=(
"${network_opts[@]}"
"${security_opts[@]}"
@@ -2301,6 +2440,7 @@ build_if_missing() {
}
stop_container() {
stop_packet_capture_helper
if $DRY_RUN; then
print_command "$CONTAINER_ENGINE" stop "$SLOPTRAP_CONTAINER_NAME"
return 0
@@ -2343,15 +2483,17 @@ prune_sloptrap_images() {
run_codex_command() {
local -a extra_args=("$@")
local -a source_args=("$SLOPTRAP_IMAGE_NAME")
local -a auth_mount=()
ensure_codex_storage_paths
local -a cmd=("${BASE_CONTAINER_CMD[@]}" "${source_args[@]}" "codex")
append_auth_mount_arg false auth_mount
local -a cmd=("${BASE_CONTAINER_CMD[@]}" "${auth_mount[@]}" "${source_args[@]}" "codex")
if [[ ${#CODEX_ARGS_ARRAY[@]} -gt 0 ]]; then
cmd+=("${CODEX_ARGS_ARRAY[@]}")
fi
if [[ ${#extra_args[@]} -gt 0 ]]; then
cmd+=("${extra_args[@]}")
fi
run_or_print "${cmd[@]}"
run_runtime_container_cmd "${cmd[@]}"
}
run_codex() {
@@ -2366,21 +2508,25 @@ run_codex() {
run_login_target() {
ensure_codex_storage_paths
local -a source_args=("$SLOPTRAP_IMAGE_NAME")
local -a auth_mount=()
if ! $DRY_RUN; then
status_line "Login %s\n" "$SLOPTRAP_IMAGE_NAME"
fi
local -a cmd=("${BASE_CONTAINER_CMD[@]}" "${source_args[@]}" "codex" login)
run_or_print "${cmd[@]}"
append_auth_mount_arg true auth_mount
local -a cmd=("${BASE_CONTAINER_CMD[@]}" "${auth_mount[@]}" "${source_args[@]}" "codex" login)
run_runtime_container_cmd "${cmd[@]}"
}
run_shell_target() {
ensure_codex_storage_paths
local -a source_args=("$SLOPTRAP_IMAGE_NAME")
local -a auth_mount=()
if ! $DRY_RUN; then
status_line "Shell %s\n" "$SLOPTRAP_IMAGE_NAME"
fi
local -a cmd=("${BASE_CONTAINER_CMD[@]}" "${source_args[@]}" /bin/bash)
run_or_print "${cmd[@]}"
append_auth_mount_arg false auth_mount
local -a cmd=("${BASE_CONTAINER_CMD[@]}" "${auth_mount[@]}" "${source_args[@]}" /bin/bash)
run_runtime_container_cmd "${cmd[@]}"
}
run_resume_target() {
@@ -2447,6 +2593,7 @@ DRY_RUN=false
PRINT_CONFIG=false
SKIP_BUILD_BANNER=false
TRUST_CAPABILITIES=false
RUNTIME_PACKET_CAPTURE_ACKNOWLEDGED=false
while [[ $# -gt 0 ]]; do
case "$1" in
@@ -2599,6 +2746,7 @@ if [[ -n $PACKAGES_EXTRA ]]; then
validate_package_list "packages_extra" "$PACKAGES_EXTRA"
fi
CONTAINER_ENGINE="$(detect_container_engine)"
ensure_capability_engine_supported
CODEX_ARGS_ARRAY=("${DEFAULT_CODEX_ARGS[@]}")
ensure_safe_sandbox "${CODEX_ARGS_ARRAY[@]}"
CODEX_ARGS_DISPLAY=$DEFAULT_CODEX_ARGS_DISPLAY
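Review bot: In the `@@ -1821,6 +1815,87 @@` hunk, `start_packet_capture_helper` treats the mere existence of `$SLOPTRAP_CAPTURE_HELPER_DIR_HOST/helperd.pid` as proof that the sidecar is up, yet that file sits in a persistent host directory (`$CODEX_STATE_HOME_HOST/state/capture-helper`, bind-mounted into the pod through `volume_opts`) and nothing in this commit clears it before the pod is created, so a pid file left behind by an earlier run makes `wait_for_path` succeed immediately, before the new helperd is actually serving its queue. Unless helperd unlinks its own pid file on every exit path (not visible here), add `rm -f -- "$SLOPTRAP_CAPTURE_HELPER_DIR_HOST/helperd.pid"` directly after the `stop_packet_capture_helper` call and before `"${CAPTURE_POD_CREATE_CMD[@]}"`. Separately, the `return 1` taken when `CAPTURE_HELPER_BASE_CMD` fails gives the caller only a bare non-zero status plus whatever the engine wrote to stderr; replacing it with `error "packet capture helper failed to launch"` would match the handling used three lines below for the pid-file timeout.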