From 028accfd58fc446cd6b9b8bcc4cbbab1bff7911e Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sun, 31 Dec 2017 17:41:55 -0200
Subject: Adds kvmx-restricted-shell
---
 kvmx | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
(limited to 'kvmx')
diff --git a/kvmx b/kvmx
index f8d1167..1c30ad6 100755
--- a/kvmx
+++ b/kvmx
@@ -1642,6 +1642,10 @@ function kvmx_version {
 # Shell
 function kvmx_shell {
+ local restricted="$1"
+ local restricted_actions=":status:start:stop:poweroff:suspend:resume:console:monitor"
+ restricted_actions="$restricted_actions:wipe:shred:app_base:version:list_image:kill:"
+
 # While a "quit" command isn't entered, read STDIN
 while read -rep "kvmx:/${USER}@${VM}> " STDIN; do
 if [ "$STDIN" == "quit" ] || [ "$STDIN" == "exit" ] || [ "$STDIN" == "bye" ]; then
@@ -1651,7 +1655,17 @@ function kvmx_shell {
 elif [[ -n "$STDIN" && "$STDIN" != "#"* ]]; then
 # If line is not empty or commented, process command
 STDIN=($STDIN)
- $APP_BASE/kvmx ${STDIN[0]} $VM ${STDIN[@]:1}
+
+ # But check first if we're in a restricted shell
+ if [ "$restricted" == "restricted" ]; then
+ if ! echo $restricted_actions | grep -q ":${STDIN[0]}:"; then
+ echo "Running in restricted shell mode."
+ echo "Allowed commands are only `echo $restricted_actions | tr ':' ' '`"
+ fi
+ else
+ # Process command
+ $APP_BASE/kvmx ${STDIN[0]} $VM ${STDIN[@]:1}
+ fi
 fi
 done
 }
-- 
cgit v1.2.3
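Review bot: The new `$1` argument and the allow-list in `kvmx_shell` are undocumented; the header above the function is still just `# Shell`. A header line such as `# $1: pass "restricted" to limit the shell to the actions listed in restricted_actions` would make the contract visible to callers. The list also deserves a comment on why `console`, `monitor`, `wipe` and `shred` are considered safe for a restricted user: if `monitor` attaches to the hypervisor monitor, as the name suggests, it is a far broader capability than `status` or `version`. That cannot be confirmed from this hunk, and the function body continues past it.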
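Review bot: In restricted mode no command is ever dispatched: the `else` that calls `$APP_BASE/kvmx` pairs with the outer `if [ "$restricted" == "restricted" ]`, so an action that passes the allow-list check falls through silently. The check also hands the typed word to `grep` as a regular expression against the colon-joined list, making it a pattern and substring test rather than an exact comparison of the action name. Folding both conditions into one test, and first constraining the word to the characters the allowed names use, leaves one deny branch and one dispatch branch. `kvmx_shell` starts above this hunk.

```shell
      STDIN=($STDIN)

      # Deny only when restricted AND the action is not an exact allow-list entry
      if [ "$restricted" == "restricted" ] && \
         [[ ! "${STDIN[0]}" =~ ^[a-z_]+$ || "$restricted_actions" != *":${STDIN[0]}:"* ]]; then
        echo "Running in restricted shell mode."
        echo "Allowed commands are only $(echo $restricted_actions | tr ':' ' ')"
      else
        # Process command (unrestricted shell, or an allowed action)
        $APP_BASE/kvmx ${STDIN[0]} $VM ${STDIN[@]:1}
      fi
```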