lib: Improve the sandbox derivation
This commit is contained in:
parent
a34bf2d319
commit
b63b2e0d9c
@ -41,12 +41,16 @@
|
||||
sublime-music
|
||||
anki
|
||||
gnome-podcasts
|
||||
gimp
|
||||
#psst
|
||||
|
||||
evolution
|
||||
|
||||
# Proprietary stuff (yikes)
|
||||
discord-wrapped discord-app-wrapped spotify-wrapped
|
||||
discord-wrapped #discord-app-wrapped
|
||||
spotify-wrapped
|
||||
vortex-wrapped
|
||||
zoom-vm
|
||||
];
|
||||
|
||||
ptw = {
|
||||
|
130
lib/sandbox.nix
130
lib/sandbox.nix
@ -5,38 +5,38 @@
|
||||
}:
|
||||
|
||||
{
|
||||
name
|
||||
, package
|
||||
, binaryName
|
||||
, version ? "1.0.0"
|
||||
, desktopFileArgs ? null
|
||||
, copyIntoSandbox ? null
|
||||
name # Name of the sandboxed package, e.g. "package-wrapped"
|
||||
, launchScriptName # Name of the script that will be placed in $out/bin
|
||||
, binary # The binary to execute inside the sandbox
|
||||
, extraArgs ? [] # Extra arguments to add to the argv
|
||||
, desktopFileAttributes ? {} # Arguments to apply to the desktop file
|
||||
, preDesktopFilePhase ? "" # Code to run during the install phase before building the desktop file
|
||||
, enableDesktopFile ? false # Whether to build a desktop file
|
||||
, copyIntoSandbox ? {} # Source -> destination relative to $out
|
||||
, unshareUser ? true
|
||||
, unshareIpc ? true
|
||||
, unsharePid ? true
|
||||
, unshareNet ? false
|
||||
, unshareUts ? true
|
||||
, unshareCgroup ? true
|
||||
, dieWithParent ? true
|
||||
, mountInHome ? []
|
||||
, chdirTo ? "\"$(pwd)\""
|
||||
, additionalBlacklist ? []
|
||||
, additionalMounts ? []
|
||||
, extraEnv ? {}
|
||||
, dieWithParent ? true # Should bubblewrap exit when the parents exits
|
||||
, mountInHome ? [] # Files, directories to mount inside the sandbox
|
||||
, chdirTo ? "\"$(pwd)\"" # What should be the CWD when entering the sandbox
|
||||
, additionalBlacklist ? [] # Root directories that should not be mounted
|
||||
, additionalMounts ? [] # Files, directories outside the home directory to mount inside the sandbox
|
||||
, extraEnv ? {} # Extra environment variables to set inside the sandbox
|
||||
, enableAlsa ? true # Mount ALSA files from /etc/
|
||||
, enableSudo ? true # Mount sudo files from /etc/
|
||||
, enableShells ? true # Mount shell related files from /etc/
|
||||
, enableNix ? true # Mount nix related files from /etc/
|
||||
, enableOsInfo ? true # Mount /etc/{machine-id,os-release}
|
||||
}:
|
||||
|
||||
let
|
||||
mountHome = mountInHome == [];
|
||||
|
||||
etcBindFlags = let
|
||||
files = [
|
||||
# NixOS Compatibility
|
||||
"static"
|
||||
"nix" # mainly for nixUnstable users, but also for access to nix/netrc
|
||||
# Shells
|
||||
"bashrc"
|
||||
"zshenv"
|
||||
"zshrc"
|
||||
"zinputrc"
|
||||
"zprofile"
|
||||
# Users, Groups, NSS
|
||||
"passwd"
|
||||
"group"
|
||||
@ -46,29 +46,22 @@ let
|
||||
"nsswitch.conf"
|
||||
# User profiles
|
||||
"profiles"
|
||||
# Sudo & Su
|
||||
"login.defs"
|
||||
"sudoers"
|
||||
"sudoers.d"
|
||||
# Time
|
||||
"localtime"
|
||||
"zoneinfo"
|
||||
# Other Core Stuff
|
||||
"machine-id"
|
||||
"os-release"
|
||||
# PAM
|
||||
"pam.d"
|
||||
# Fonts
|
||||
"fonts"
|
||||
# ALSA
|
||||
"alsa"
|
||||
"asound.conf"
|
||||
# SSL
|
||||
"ssl/certs"
|
||||
"pki"
|
||||
];
|
||||
in builtins.concatStringsSep "\n "
|
||||
(map (file: "--ro-bind-try /etc/${file} /etc/${file}") files);
|
||||
]
|
||||
++ (lib.optionals enableNix [ "static" "nix" ])
|
||||
++ (lib.optionals enableShells [ "bashrc" "zshenv" "zshrc" "zinputrc" "zprofile" ])
|
||||
++ (lib.optionals enableSudo [ "login.defs" "sudoers" "sudoers.d" ])
|
||||
++ (lib.optionals enableAlsa [ "alsa" "asound.conf" ])
|
||||
++ (lib.optionals enableOsInfo [ "machine-id" "os-release" ])
|
||||
# Only add SSL stuff when we have networking enabled
|
||||
++ (lib.optionals (!unshareNet) [ "ssl/certs" "pki" ]);
|
||||
in builtins.concatStringsSep "\n " (map (file: "--ro-bind-try /etc/${file} /etc/${file}") files);
|
||||
|
||||
# Create this on the fly instead of linking from /nix
|
||||
# The container might have to modify it and re-run ldconfig if there are
|
||||
@ -88,15 +81,21 @@ let
|
||||
EOF
|
||||
ldconfig &> /dev/null
|
||||
'';
|
||||
init = run: writeShellScriptBin "${binaryName}-init" ''
|
||||
sandboxInitScriptName = "${name}-wrapped-init.sh";
|
||||
sandboxInitScript = writeShellScriptBin sandboxInitScriptName ''
|
||||
source /etc/profile
|
||||
${createLdConfCache}
|
||||
exec ${run} "$@"
|
||||
exec ${binary} "$@"
|
||||
'';
|
||||
|
||||
|
||||
sandboxScriptName = "${name}-wrapped.sh";
|
||||
sandboxScript = let
|
||||
extraEnvString = lib.foldl (acc: val: acc + val + "\n") "" (lib.mapAttrsToList (name: value: "--setenv ${name} \"${value}\"") extraEnv);
|
||||
mountHome = mountInHome == [];
|
||||
initStr = init "${package}/bin/${binaryName}";
|
||||
bwrapCmd = { initArgs ? "" }: ''
|
||||
stringify = x: "\"${x}\"";
|
||||
safeAdditionalMounts = map stringify additionalMounts;
|
||||
safeMountInHome = map stringify mountInHome;
|
||||
in writeShellScriptBin sandboxScriptName ''
|
||||
blacklist=(/nix /dev /proc /etc ${lib.optionalString (!mountHome) "/home"} ${builtins.toString additionalBlacklist})
|
||||
ro_mounts=()
|
||||
symlinks=()
|
||||
@ -112,13 +111,13 @@ let
|
||||
done
|
||||
|
||||
if [[ "${lib.optionalString (!mountHome) "1"}" = "1" ]]; then
|
||||
for entry in ${builtins.toString mountInHome}; do
|
||||
for entry in ${builtins.toString safeMountInHome}; do
|
||||
auto_mounts+=(--bind "/home/$USER/$entry" "/home/$USER/$entry")
|
||||
done
|
||||
fi
|
||||
|
||||
if [[ ! -z "${builtins.toString additionalMounts}" ]]; then
|
||||
for entry in ${builtins.toString additionalMounts}; do
|
||||
for entry in ${builtins.toString safeAdditionalMounts}; do
|
||||
auto_mounts+=(--bind "$entry" "$entry")
|
||||
done
|
||||
fi
|
||||
@ -158,27 +157,40 @@ let
|
||||
"''${symlinks[@]}"
|
||||
"''${auto_mounts[@]}"
|
||||
${extraEnvString}
|
||||
${initStr}/bin/${name}-init ${initArgs}
|
||||
${sandboxInitScript}/bin/${sandboxInitScriptName}
|
||||
)
|
||||
exec "''${cmd[@]}"
|
||||
exec "''${cmd[@]}" $@
|
||||
'';
|
||||
bin = writeShellScriptBin name (bwrapCmd { initArgs = ''"$@"''; });
|
||||
desktopItem = makeDesktopItem (desktopFileArgs // {
|
||||
exec = "${bin}/bin/${name}";
|
||||
});
|
||||
copyIntoSandboxString = lib.concatStrings (map (x: "cp -Lr ${package}/${x} $out/${x}\n") copyIntoSandbox);
|
||||
in stdenv.mkDerivation {
|
||||
pname = "${name}-sandboxed";
|
||||
version = version;
|
||||
pname = name;
|
||||
version = "1.0.0";
|
||||
|
||||
unpackPhase = ":";
|
||||
dontBuild = true;
|
||||
|
||||
installPhase = ''
|
||||
installPhase = let
|
||||
desktopFilePhase = let
|
||||
desktopFile = makeDesktopItem (desktopFileAttributes // {
|
||||
exec = "${sandboxScript}/bin/${sandboxScriptName}";
|
||||
});
|
||||
in ''
|
||||
cp -r ${desktopFile}/share/applications $out/share
|
||||
'';
|
||||
copyIntoSandboxPhase = let
|
||||
attrs = builtins.attrNames copyIntoSandbox;
|
||||
cps = map (x: "cp -Lr ${x} $out/${copyIntoSandbox."${x}"}\n") attrs;
|
||||
in lib.concatStrings cps;
|
||||
in ''
|
||||
mkdir -p $out/bin
|
||||
ln -s ${bin}/bin/${name} $out/bin/${name}
|
||||
'' + lib.strings.optionalString (!(builtins.isNull desktopFileArgs)) ''
|
||||
mkdir -p $out/share/
|
||||
cp -r ${desktopItem}/share/applications $out/share
|
||||
'' + lib.strings.optionalString (!(builtins.isNull copyIntoSandbox)) copyIntoSandboxString;
|
||||
ln -s ${sandboxScript}/bin/${sandboxScriptName} $out/bin/${launchScriptName}
|
||||
|
||||
|
||||
# Generate the desktop file, if enabled
|
||||
${lib.optionalString enableDesktopFile "mkdir -p $out/share"}
|
||||
${lib.optionalString enableDesktopFile preDesktopFilePhase}
|
||||
${lib.optionalString enableDesktopFile desktopFilePhase}
|
||||
|
||||
# Copy extra files if they are specified
|
||||
${lib.optionalString (copyIntoSandbox != {}) copyIntoSandboxPhase}
|
||||
'';
|
||||
}
|
||||
|
@ -3,27 +3,7 @@ final: prev:
|
||||
let
|
||||
wrapInSandbox = prev.callPackage ../lib/sandbox.nix {};
|
||||
in {
|
||||
discord-wrapped = wrapInSandbox {
|
||||
name = "discord";
|
||||
package = prev.discord;
|
||||
#package = discord-system-electron;
|
||||
binaryName = "discord";
|
||||
mountInHome = [ ".config/discord" ".config/BetterDiscord" ];
|
||||
additionalBlacklist = [ "/mnt" ];
|
||||
chdirTo = "/home/$USER";
|
||||
|
||||
version = "1.0.1";
|
||||
copyIntoSandbox = [ "share/pixmaps" ];
|
||||
desktopFileArgs = {
|
||||
name = "discord-wrapped";
|
||||
#exec = "discord";
|
||||
icon = "discord";
|
||||
desktopName = "Discord (wrapped)";
|
||||
genericName = "Instant Messenger";
|
||||
categories = [ "Network" "InstantMessaging" ];
|
||||
};
|
||||
};
|
||||
|
||||
/*
|
||||
discord-app-wrapped = wrapInSandbox {
|
||||
name = "discord-app";
|
||||
package = prev.discord-app;
|
||||
@ -50,48 +30,135 @@ in {
|
||||
mountInHome = [ ".local/share/minecraft" ".minecraft" ];
|
||||
additionalBlacklist = [ "/mnt" ];
|
||||
chdirTo = "/home/$USER";
|
||||
};
|
||||
};*/
|
||||
|
||||
steam-wrapped = wrapInSandbox {
|
||||
name = "steam";
|
||||
package = prev.steam;
|
||||
binaryName = "steam";
|
||||
name = "steam-wrapped";
|
||||
binary = "${prev.steam}/bin/steam";
|
||||
launchScriptName = "steam";
|
||||
mountInHome = [ ".steam" ".local/share/Steam" ];
|
||||
additionalBlacklist = [ "/mnt" ];
|
||||
additionalMounts = [ "/mnt/Storage/Games/SteamLibrary" ];
|
||||
chdirTo = "/home/$USER";
|
||||
extraEnv = {
|
||||
DRI_PRIME = "1";
|
||||
};
|
||||
|
||||
copyIntoSandbox = [ "/share" ];
|
||||
preDesktopFilePhase = ''
|
||||
cp -Lr ${prev.steam}/share/icons $out/share/icons
|
||||
'';
|
||||
desktopFileAttributes = {
|
||||
name = "steam-wrapped";
|
||||
icon = "steam";
|
||||
desktopName = "Steam (wrapped)";
|
||||
};
|
||||
|
||||
android-studio-wrapped = wrapInSandbox {
|
||||
name = "android-studio";
|
||||
package = prev.android-studio;
|
||||
binaryName = "android-studio";
|
||||
additionalBlacklist = [ "/mnt" ];
|
||||
mountInHome = [ "Development/Personal/Android" ".android" ];
|
||||
chdirTo = "/home/$USER";
|
||||
enableDesktopFile = true;
|
||||
};
|
||||
|
||||
spotify-wrapped = wrapInSandbox {
|
||||
name = "spotify";
|
||||
package = prev.spotify;
|
||||
binaryName = "spotify";
|
||||
name = "spotify-wrapped";
|
||||
launchScriptName = "spotify";
|
||||
binary = "${prev.spotify}/bin/spotify";
|
||||
additionalBlacklist = [ "/mnt" ];
|
||||
mountInHome = [ ".config/spotify" ];
|
||||
chdirTo = "/home/$USER";
|
||||
|
||||
preDesktopFilePhase = ''
|
||||
cp -Lr ${prev.spotify}/share/icons $out/share/icons
|
||||
'';
|
||||
desktopFileAttributes = {
|
||||
name = "spotify-wrapped";
|
||||
icon = "spotify";
|
||||
desktopName = "Spotify (wrapped)";
|
||||
};
|
||||
enableDesktopFile = true;
|
||||
};
|
||||
|
||||
lutris-free-wrapped = wrapInSandbox {
|
||||
name = "lutris-free";
|
||||
package = prev.lutris-free;
|
||||
binaryName = "lutris";
|
||||
name = "lutris-free-wrapped";
|
||||
launchScriptName = "lutris";
|
||||
binary = "${prev.lutris-free}/bin/lutris";
|
||||
additionalBlacklist = [ "/mnt" ];
|
||||
additionalMounts = [ "/mnt/Storage/Games/UPlay" ];
|
||||
mountInHome = [ ".local/share/lutris" ".config/lutris" ];
|
||||
additionalMounts = [ "/mnt/Storage/Games/" ];
|
||||
mountInHome = [ ".local/share/lutris" ".config/lutris" "Games" ];
|
||||
chdirTo = "/home/$USER";
|
||||
|
||||
preDesktopFilePhase = ''
|
||||
mkdir -p $out/share/
|
||||
cp -Lr ${prev.lutris-free}/share/icons $out/share/icons/
|
||||
'';
|
||||
desktopFileAttributes = {
|
||||
name = "lutris-wrapped";
|
||||
icon = "lutris";
|
||||
desktopName = "Lutris (wrapped)";
|
||||
};
|
||||
enableDesktopFile = true;
|
||||
};
|
||||
|
||||
discord-wrapped = let
|
||||
discordPkg = prev.discord;
|
||||
in wrapInSandbox {
|
||||
name = "discord-wrapped";
|
||||
launchScriptName = "discord";
|
||||
binary = "${discordPkg}/bin/discord";
|
||||
mountInHome = [ ".config/discord" ".config/BetterDiscord" ];
|
||||
additionalBlacklist = [ "/mnt" ];
|
||||
chdirTo = "/home/$USER";
|
||||
|
||||
preDesktopFilePhase = ''
|
||||
mkdir -p $out/share/icons
|
||||
cp -L ${discordPkg}/share/pixmaps/discord.png $out/share/icons/discord.png
|
||||
'';
|
||||
desktopFileAttributes = {
|
||||
name = "discord-wrapped";
|
||||
#exec = "discord";
|
||||
icon = "discord";
|
||||
desktopName = "Discord (wrapped)";
|
||||
genericName = "Instant Messenger";
|
||||
#categories = [ "Network" "InstantMessaging" ];
|
||||
};
|
||||
enableDesktopFile = true;
|
||||
};
|
||||
|
||||
vortex-wrapped = let
|
||||
# The path to the wine prefix Vortex is installed in
|
||||
prefixPath = "/mnt/Storage/Games/NewVortex";
|
||||
|
||||
vortexStartScript = prev.writeShellScriptBin "start-vortex.sh" ''
|
||||
WINEARCH=win64 \
|
||||
WINEPREFIX=${prefixPath} \
|
||||
${prev.wineWowPackages.staging}/bin/wine "C:\Program Files\Black Tree Gaming Ltd\Vortex\Vortex.exe"
|
||||
'';
|
||||
vortexIcon = builtins.fetchurl {
|
||||
url = "https://www.nexusmods.com/bootstrap/images/vortex/vortex-logomark.svg";
|
||||
sha256 = "0237wbbyvgapmmjsq5xab0izzaciqjx1si163r75wa2g7xvz4s22";
|
||||
};
|
||||
in wrapInSandbox {
|
||||
name = "vortex-wrapped";
|
||||
launchScriptName = "vortex";
|
||||
binary = "${vortexStartScript}/bin/start-vortex.sh";
|
||||
|
||||
chdirTo = "/mnt/Storage/Games/";
|
||||
additionalBlacklist = [ "/mnt" ];
|
||||
additionalMounts = [
|
||||
# Wine prefix
|
||||
"/mnt/Storage/Games/NewVortex"
|
||||
# Mod cache
|
||||
"/mnt/Storage/Vortex Mods"
|
||||
# Only access Skyrim: SE
|
||||
"/mnt/Storage/Games/SteamLibrary/SteamLibrary/steamapps/common/Skyrim\ Special\ Edition/"
|
||||
];
|
||||
mountInHome = [
|
||||
# Mod downloads
|
||||
"Downloads/Skyrim Mods"
|
||||
];
|
||||
|
||||
preDesktopFilePhase = ''
|
||||
mkdir -p $out/share/icons
|
||||
cp ${vortexIcon} $out/share/icons/vortex.svg
|
||||
'';
|
||||
desktopFileAttributes = {
|
||||
name = "vortex-wrapped";
|
||||
icon = "vortex";
|
||||
desktopName = "Vortex Mod Manager (wrapped)";
|
||||
};
|
||||
enableDesktopFile = true;
|
||||
};
|
||||
}
|
||||
|
@ -66,4 +66,6 @@ in {
|
||||
discord-app = prev.callPackage applications/networking/instant-messengers/discord-app {
|
||||
chromium = prev.ungoogled-chromium;
|
||||
};
|
||||
|
||||
zoom-vm = prev.callPackage scripts/zoom-vm {};
|
||||
}
|
||||
|
46
packages/scripts/zoom-vm/default.nix
Normal file
46
packages/scripts/zoom-vm/default.nix
Normal file
@ -0,0 +1,46 @@
|
||||
{
|
||||
stdenv, lib
|
||||
, makeDesktopItem, writeShellScriptBin
|
||||
, virt-manager, libvirt, notify-desktop
|
||||
}:
|
||||
|
||||
let
|
||||
zoomVmScript = writeShellScriptBin "start-zoom-vm.sh" ''
|
||||
${notify-desktop}/bin/notify-desktop "Zoom VM" "Starting VM..."
|
||||
output=$(/run/wrappers/bin/pkexec virsh start zoom 2>&1)
|
||||
if [[ ! "$?" = "0" ]]; then
|
||||
${notify-desktop}/bin/notify-desktop -u critical "Zoom VM" "$output"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
${virt-manager}/bin/virt-manager --connect qemu:///system --show-domain-console zoom
|
||||
'';
|
||||
zoomIcon = builtins.fetchurl {
|
||||
url = "https://dl.flathub.org/repo/appstream/x86_64/icons/128x128/us.zoom.Zoom.png";
|
||||
sha256 = "0d94vhjna2196s4wnq0vkga345ad5lpb7b5qp6cymwf1hnpg9lyh";
|
||||
};
|
||||
in stdenv.mkDerivation rec {
|
||||
pname = "zoom-vm";
|
||||
version = "1.0.0";
|
||||
|
||||
unpackPhase = ":";
|
||||
dontBuild = true;
|
||||
|
||||
desktopItem = makeDesktopItem {
|
||||
name = "zoom-vm";
|
||||
desktopName = "Zoom (VM)";
|
||||
exec = "start-zoom-vm";
|
||||
icon = "us.zoom.Zoom";
|
||||
};
|
||||
|
||||
installPhase = ''
|
||||
# Install the script
|
||||
mkdir -p $out/bin
|
||||
cp ${zoomVmScript}/bin/start-zoom-vm.sh $out/bin/start-zoom-vm
|
||||
|
||||
# Install the desktop file
|
||||
mkdir -p $out/share/icons
|
||||
cp ${zoomIcon} $out/share/icons/us.zoom.Zoom.png
|
||||
cp -r ${desktopItem}/share/applications $out/share
|
||||
'';
|
||||
}
|
Loading…
Reference in New Issue
Block a user