packages: Add a sandbox wrapper

This commit is contained in:
PapaTutuWawa 2021-09-06 21:15:24 +02:00
parent f61c62266f
commit c07c8ed1e7
2 changed files with 18 additions and 13 deletions

View File

@ -36,13 +36,14 @@ in {
superpaper = pkgs.callPackage ./applications/desktop/superpaper {
system_hotkey = system_hotkey;
};
discord-system-electron-wrapped = wrapInSandbox "${discord-system-electron}/bin/discord" {
discord-system-electron-wrapped = wrapInSandbox {
name = "discord";
package = discord-system-electron;
binaryName = "discord";
mountInHome = [ ".config/discord" ];
additionalBlacklist = [ "/mnt" ];
chdirTo = "/home/$USER";
pkg = discord-system-electron;
version = "1.0.1";
copyIntoSandbox = [ "share/pixmaps" ];
desktopFileArgs = {

View File

@ -4,12 +4,13 @@
, bubblewrap, coreutils, glibc, pkgsi686Linux
}:
runScript: {
{
name
, package
, binaryName
, version ? "1.0.0"
, desktopFileArgs ? {}
, pkg ? null
, copyIntoSandbox ? []
, desktopFileArgs ? null
, copyIntoSandbox ? null
, unshareUser ? true
, unshareIpc ? true
, unsharePid ? true
@ -87,13 +88,14 @@ let
EOF
ldconfig &> /dev/null
'';
init = run: writeShellScriptBin "${name}-init" ''
init = run: writeShellScriptBin "${binaryName}-init" ''
source /etc/profile
${createLdConfCache}
exec ${run} "$@"
'';
extraEnvString = lib.foldl (acc: val: acc + val + "\n") "" (lib.mapAttrsToList (name: value: "--setenv ${name} \"${value}\"") extraEnv);
mountHome = mountInHome == [];
initStr = init "${package}/bin/${binaryName}";
bwrapCmd = { initArgs ? "" }: ''
blacklist=(/nix /dev /proc /etc ${lib.optionalString (!mountHome) "/home"} ${builtins.toString additionalBlacklist})
ro_mounts=()
@ -156,7 +158,7 @@ let
"''${symlinks[@]}"
"''${auto_mounts[@]}"
${extraEnvString}
${init runScript}/bin/${name}-init ${initArgs}
${initStr}/bin/${name}-init ${initArgs}
)
exec "''${cmd[@]}"
'';
@ -164,6 +166,7 @@ let
desktopItem = makeDesktopItem (desktopFileArgs // {
exec = "${bin}/bin/${name}";
});
copyIntoSandboxString = lib.concatStrings (map (x: "cp -Lr ${package}/${x} $out/${x}\n") copyIntoSandbox);
in stdenv.mkDerivation {
pname = "${name}-sandboxed";
version = version;
@ -174,7 +177,8 @@ in stdenv.mkDerivation {
installPhase = ''
mkdir -p $out/bin
ln -s ${bin}/bin/${name} $out/bin/${name}
'' + lib.strings.optionalString (!(builtins.isNull desktopFileArgs)) ''
mkdir -p $out/share/
cp -r ${desktopItem}/share/applications $out/share
'' + (lib.concatStrings (map (x: "cp -Lr ${pkg}/${x} $out/${x}\n") copyIntoSandbox));
'' + lib.strings.optionalString (!(builtins.isNull copyIntoSandbox)) copyIntoSandboxString;
}