feat(net): add option -x to unshare network (#130)

* feat(net): add option -x to unshare network * feat(net): add test * feat(net): add docs and autocomplete --------- Co-authored-by: Michael Greenberg <[email protected]>
binpash · Oct 31, 2023 · b976c39 · b976c39
1 parent f4bfbd3
commit b976c39
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 4 deletions.
diff --git a/completions/try.bash b/completions/try.bash
@@ -17,7 +17,7 @@ _try() {
 
     case "${cmd}" in
         (try)
-            opts="-n -y -v -h -i -D -U summary commit explore"
+            opts="-n -y -v -h -x -i -D -U summary commit explore"
             if [[ ${cur} == -* || ${COMP_CWORD} -eq 1 ]]
             then
                 COMPREPLY=( $(compgen -W "${opts}" -- "${cur}") )

diff --git a/docs/try.1.md b/docs/try.1.md
@@ -37,6 +37,10 @@ While using *try* you can choose to commit the result to the filesystem or compl
 
 : Show a usage message (and exit).
 
+-x
+
+: Prevent network access (by unsharing the network namespace).
+
 
 ## Options
 

diff --git a/test/network.sh b/test/network.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+TRY_TOP="${TRY_TOP:-$(git rev-parse --show-toplevel --show-superproject-working-tree)}"
+TRY="$TRY_TOP/try"
+
+# Test if network works normally
+# using curl due to #131 (1.1 expands to 1.0.0.1)
+"$TRY" curl 1.1 || return 1
+
+# Test if curl fails when network is unshared
+# curl exit code 7 means Failed to connect to host.
+"$TRY" -x curl 1.1
+if [ $? -eq 7 ]
+then
+    return 0
+else
+    return 1
+fi
diff --git a/try b/try
@@ -233,7 +233,7 @@ EOF
     # --pid: create a new process namespace (needed fr procfs to work right)
     # --fork: necessary if we do --pid
     #         "Creation of a persistent PID namespace will fail if the --fork option is not also specified."
-    unshare --mount --map-root-user --user --pid --fork "$mount_and_execute"
+    unshare --mount --map-root-user --user --pid --fork $EXTRA_NS "$mount_and_execute"
     TRY_EXIT_STATUS=$?
 
     ################################################################################
@@ -476,10 +476,11 @@ error() {
 
 usage() {
     cat >&2 <<EOF
-Usage: $TRY_COMMAND [-nvhy] [-i PATTERN] [-D DIR] [-U PATH] CMD [ARG ...]
+Usage: $TRY_COMMAND [-nvhyx] [-i PATTERN] [-D DIR] [-U PATH] CMD [ARG ...]
 
   -n                don't commit or prompt for commit (overrides -y)
   -y                assume yes to all prompts (overrides -n)
+  -x                prevent network access (by unsharing the network namespace)
   -i PATTERN        ignore paths that match PATTERN on summary and commit
   -D DIR            work in DIR (implies -n)
   -U PATH           path to unionfs helper (e.g., mergerfs, unionfs-fuse)
@@ -508,7 +509,7 @@ NO_COMMIT="interactive"
 # Includes all patterns given using the `-i` flag; will be used with `grep -f`
 IGNORE_FILE="$(mktemp)"
 
-while getopts ":yvnhi:D:U:" opt
+while getopts ":yvnhxi:D:U:" opt
 do
     case "$opt" in
         (y)   NO_COMMIT="commit";;
@@ -528,6 +529,7 @@ do
               fi
               UNION_HELPER="$OPTARG"
               export UNION_HELPER;;
+        (x)   EXTRA_NS="--net";;
         (h|*) usage
               exit 0;;
     esac
-Original file line number
+Diff line change
@@ Expand Up @@
     : Show a usage message (and exit).
+    -x
+    : Prevent network access (by unsharing the network namespace).
     ## Options
@@ Expand Down @@