From c07c8ed1e7a15d4a4caeb41061a35edc09e95ffa Mon Sep 17 00:00:00 2001 From: "Alexander \"PapaTutuWawa" Date: Mon, 6 Sep 2021 21:15:24 +0200 Subject: [PATCH] packages: Add a sandbox wrapper --- packages/default.nix | 5 +++-- packages/sandbox.nix | 26 +++++++++++++++----------- 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/packages/default.nix b/packages/default.nix index 7cee3c0..9cbd534 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -36,13 +36,14 @@ in { superpaper = pkgs.callPackage ./applications/desktop/superpaper { system_hotkey = system_hotkey; }; - discord-system-electron-wrapped = wrapInSandbox "${discord-system-electron}/bin/discord" { + discord-system-electron-wrapped = wrapInSandbox { name = "discord"; + package = discord-system-electron; + binaryName = "discord"; mountInHome = [ ".config/discord" ]; additionalBlacklist = [ "/mnt" ]; chdirTo = "/home/$USER"; - pkg = discord-system-electron; version = "1.0.1"; copyIntoSandbox = [ "share/pixmaps" ]; desktopFileArgs = { diff --git a/packages/sandbox.nix b/packages/sandbox.nix index 10d2c2a..3acfa4d 100644 --- a/packages/sandbox.nix +++ b/packages/sandbox.nix @@ -4,12 +4,13 @@ , bubblewrap, coreutils, glibc, pkgsi686Linux }: -runScript: { +{ name +, package +, binaryName , version ? "1.0.0" -, desktopFileArgs ? {} -, pkg ? null -, copyIntoSandbox ? [] +, desktopFileArgs ? null +, copyIntoSandbox ? null , unshareUser ? true , unshareIpc ? true , unsharePid ? true 
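Review bot: In the packages/sandbox.nix argument list, `desktopFileArgs` and `copyIntoSandbox` now default to `null`, yet the later hunks still build `desktopItem` with `desktopFileArgs // { … }` and `copyIntoSandboxString` with `map … copyIntoSandbox`, both of which throw on `null` if they are ever forced. Evaluation succeeds today only because the installPhase guards keep those bindings lazy. Keeping `, copyIntoSandbox ? []` would let the map yield an empty string and make that guard unnecessary. The new required arguments also deserve a comment, for example `# package: derivation providing bin/<binaryName>; binaryName: executable started inside the sandbox`. The argument list continues outside the hunk.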
@@ -87,13 +88,14 @@ let EOF ldconfig &> /dev/null ''; - init = run: writeShellScriptBin "${name}-init" '' + init = run: writeShellScriptBin "${binaryName}-init" '' source /etc/profile ${createLdConfCache} exec ${run} "$@" ''; extraEnvString = lib.foldl (acc: val: acc + val + "\n") "" (lib.mapAttrsToList (name: value: "--setenv ${name} \"${value}\"") extraEnv); mountHome = mountInHome == []; + initStr = init "${package}/bin/${binaryName}"; bwrapCmd = { initArgs ? "" }: '' blacklist=(/nix /dev /proc /etc ${lib.optionalString (!mountHome) "/home"} ${builtins.toString additionalBlacklist}) ro_mounts=() @@ -156,7 +158,7 @@ let "''${symlinks[@]}" "''${auto_mounts[@]}" ${extraEnvString} - ${init runScript}/bin/${name}-init ${initArgs} + ${initStr}/bin/${name}-init ${initArgs} ) exec "''${cmd[@]}" ''; @@ -164,6 +166,7 @@ let desktopItem = makeDesktopItem (desktopFileArgs // { exec = "${bin}/bin/${name}"; }); + copyIntoSandboxString = lib.concatStrings (map (x: "cp -Lr ${package}/${x} $out/${x}\n") copyIntoSandbox); in stdenv.mkDerivation { pname = "${name}-sandboxed"; version = version; @@ -172,9 +175,10 @@ in stdenv.mkDerivation { dontBuild = true; installPhase = '' - mkdir -p $out/bin - ln -s ${bin}/bin/${name} $out/bin/${name} - mkdir -p $out/share/ - cp -r ${desktopItem}/share/applications $out/share - '' + (lib.concatStrings (map (x: "cp -Lr ${pkg}/${x} $out/${x}\n") copyIntoSandbox)); + mkdir -p $out/bin + ln -s ${bin}/bin/${name} $out/bin/${name} + '' + lib.strings.optionalString (!(builtins.isNull desktopFileArgs)) '' + mkdir -p $out/share/ + cp -r ${desktopItem}/share/applications $out/share + '' + lib.strings.optionalString (!(builtins.isNull copyIntoSandbox)) copyIntoSandboxString; }
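Review bot: The init script is now written as `${binaryName}-init`, but the bwrap command in the `@@ -156,7 +158,7 @@` hunk still executes `${initStr}/bin/${name}-init`, so any caller whose `name` differs from `binaryName` gets a wrapper that execs a path that does not exist. The discord call site hides this because both values are `"discord"`. The exec line should use the same identifier as the script name: `${initStr}/bin/${binaryName}-init ${initArgs}`. The `let` block starts and ends outside these hunks.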
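Review bot: `mkdir -p $out/share/` has moved inside the `desktopFileArgs` guard in installPhase, so a caller that passes `copyIntoSandbox = [ "share/pixmaps" ]` without `desktopFileArgs` runs `cp -Lr` into a parent directory that was never created, and the build fails. Creating the parent in `copyIntoSandboxString` (hunk `@@ -164,6 +166,7 @@`) makes the copy independent of the desktop item: `(x: "mkdir -p $(dirname $out/${x})\ncp -Lr ${package}/${x} $out/${x}\n")`. The entries are interpolated unquoted into the shell script, so they should remain plain relative paths without spaces or `..` components.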