packages: Add a sandbox wrapper

This commit is contained in:
PapaTutuWawa 2021-09-06 21:15:24 +02:00
parent f61c62266f
commit c07c8ed1e7
2 changed files with 18 additions and 13 deletions

View File

@ -36,13 +36,14 @@ in {
superpaper = pkgs.callPackage ./applications/desktop/superpaper { superpaper = pkgs.callPackage ./applications/desktop/superpaper {
system_hotkey = system_hotkey; system_hotkey = system_hotkey;
}; };
discord-system-electron-wrapped = wrapInSandbox "${discord-system-electron}/bin/discord" { discord-system-electron-wrapped = wrapInSandbox {
name = "discord"; name = "discord";
package = discord-system-electron;
binaryName = "discord";
mountInHome = [ ".config/discord" ]; mountInHome = [ ".config/discord" ];
additionalBlacklist = [ "/mnt" ]; additionalBlacklist = [ "/mnt" ];
chdirTo = "/home/$USER"; chdirTo = "/home/$USER";
pkg = discord-system-electron;
version = "1.0.1"; version = "1.0.1";
copyIntoSandbox = [ "share/pixmaps" ]; copyIntoSandbox = [ "share/pixmaps" ];
desktopFileArgs = { desktopFileArgs = {

View File

@ -4,12 +4,13 @@
, bubblewrap, coreutils, glibc, pkgsi686Linux , bubblewrap, coreutils, glibc, pkgsi686Linux
}: }:
runScript: { {
name name
, package
, binaryName
, version ? "1.0.0" , version ? "1.0.0"
, desktopFileArgs ? {} , desktopFileArgs ? null
, pkg ? null , copyIntoSandbox ? null
, copyIntoSandbox ? []
, unshareUser ? true , unshareUser ? true
, unshareIpc ? true , unshareIpc ? true
, unsharePid ? true , unsharePid ? true
@ -87,13 +88,14 @@ let
EOF EOF
ldconfig &> /dev/null ldconfig &> /dev/null
''; '';
init = run: writeShellScriptBin "${name}-init" '' init = run: writeShellScriptBin "${binaryName}-init" ''
source /etc/profile source /etc/profile
${createLdConfCache} ${createLdConfCache}
exec ${run} "$@" exec ${run} "$@"
''; '';
extraEnvString = lib.foldl (acc: val: acc + val + "\n") "" (lib.mapAttrsToList (name: value: "--setenv ${name} \"${value}\"") extraEnv); extraEnvString = lib.foldl (acc: val: acc + val + "\n") "" (lib.mapAttrsToList (name: value: "--setenv ${name} \"${value}\"") extraEnv);
mountHome = mountInHome == []; mountHome = mountInHome == [];
initStr = init "${package}/bin/${binaryName}";
bwrapCmd = { initArgs ? "" }: '' bwrapCmd = { initArgs ? "" }: ''
blacklist=(/nix /dev /proc /etc ${lib.optionalString (!mountHome) "/home"} ${builtins.toString additionalBlacklist}) blacklist=(/nix /dev /proc /etc ${lib.optionalString (!mountHome) "/home"} ${builtins.toString additionalBlacklist})
ro_mounts=() ro_mounts=()
@ -156,7 +158,7 @@ let
"''${symlinks[@]}" "''${symlinks[@]}"
"''${auto_mounts[@]}" "''${auto_mounts[@]}"
${extraEnvString} ${extraEnvString}
${init runScript}/bin/${name}-init ${initArgs} ${initStr}/bin/${name}-init ${initArgs}
) )
exec "''${cmd[@]}" exec "''${cmd[@]}"
''; '';
@ -164,6 +166,7 @@ let
desktopItem = makeDesktopItem (desktopFileArgs // { desktopItem = makeDesktopItem (desktopFileArgs // {
exec = "${bin}/bin/${name}"; exec = "${bin}/bin/${name}";
}); });
copyIntoSandboxString = lib.concatStrings (map (x: "cp -Lr ${package}/${x} $out/${x}\n") copyIntoSandbox);
in stdenv.mkDerivation { in stdenv.mkDerivation {
pname = "${name}-sandboxed"; pname = "${name}-sandboxed";
version = version; version = version;
@ -172,9 +175,10 @@ in stdenv.mkDerivation {
dontBuild = true; dontBuild = true;
installPhase = '' installPhase = ''
mkdir -p $out/bin mkdir -p $out/bin
ln -s ${bin}/bin/${name} $out/bin/${name} ln -s ${bin}/bin/${name} $out/bin/${name}
mkdir -p $out/share/ '' + lib.strings.optionalString (!(builtins.isNull desktopFileArgs)) ''
cp -r ${desktopItem}/share/applications $out/share mkdir -p $out/share/
'' + (lib.concatStrings (map (x: "cp -Lr ${pkg}/${x} $out/${x}\n") copyIntoSandbox)); cp -r ${desktopItem}/share/applications $out/share
'' + lib.strings.optionalString (!(builtins.isNull copyIntoSandbox)) copyIntoSandboxString;
} }