packages: Add a sandbox wrapper
This commit is contained in:
parent
f61c62266f
commit
c07c8ed1e7
@ -36,13 +36,14 @@ in {
|
||||
superpaper = pkgs.callPackage ./applications/desktop/superpaper {
|
||||
system_hotkey = system_hotkey;
|
||||
};
|
||||
discord-system-electron-wrapped = wrapInSandbox "${discord-system-electron}/bin/discord" {
|
||||
discord-system-electron-wrapped = wrapInSandbox {
|
||||
name = "discord";
|
||||
package = discord-system-electron;
|
||||
binaryName = "discord";
|
||||
mountInHome = [ ".config/discord" ];
|
||||
additionalBlacklist = [ "/mnt" ];
|
||||
chdirTo = "/home/$USER";
|
||||
|
||||
pkg = discord-system-electron;
|
||||
version = "1.0.1";
|
||||
copyIntoSandbox = [ "share/pixmaps" ];
|
||||
desktopFileArgs = {
|
||||
|
@ -4,12 +4,13 @@
|
||||
, bubblewrap, coreutils, glibc, pkgsi686Linux
|
||||
}:
|
||||
|
||||
runScript: {
|
||||
{
|
||||
name
|
||||
, package
|
||||
, binaryName
|
||||
, version ? "1.0.0"
|
||||
, desktopFileArgs ? {}
|
||||
, pkg ? null
|
||||
, copyIntoSandbox ? []
|
||||
, desktopFileArgs ? null
|
||||
, copyIntoSandbox ? null
|
||||
, unshareUser ? true
|
||||
, unshareIpc ? true
|
||||
, unsharePid ? true
|
||||
@ -87,13 +88,14 @@ let
|
||||
EOF
|
||||
ldconfig &> /dev/null
|
||||
'';
|
||||
init = run: writeShellScriptBin "${name}-init" ''
|
||||
init = run: writeShellScriptBin "${binaryName}-init" ''
|
||||
source /etc/profile
|
||||
${createLdConfCache}
|
||||
exec ${run} "$@"
|
||||
'';
|
||||
extraEnvString = lib.foldl (acc: val: acc + val + "\n") "" (lib.mapAttrsToList (name: value: "--setenv ${name} \"${value}\"") extraEnv);
|
||||
mountHome = mountInHome == [];
|
||||
initStr = init "${package}/bin/${binaryName}";
|
||||
bwrapCmd = { initArgs ? "" }: ''
|
||||
blacklist=(/nix /dev /proc /etc ${lib.optionalString (!mountHome) "/home"} ${builtins.toString additionalBlacklist})
|
||||
ro_mounts=()
|
||||
@ -156,7 +158,7 @@ let
|
||||
"''${symlinks[@]}"
|
||||
"''${auto_mounts[@]}"
|
||||
${extraEnvString}
|
||||
${init runScript}/bin/${name}-init ${initArgs}
|
||||
${initStr}/bin/${name}-init ${initArgs}
|
||||
)
|
||||
exec "''${cmd[@]}"
|
||||
'';
|
||||
@ -164,6 +166,7 @@ let
|
||||
desktopItem = makeDesktopItem (desktopFileArgs // {
|
||||
exec = "${bin}/bin/${name}";
|
||||
});
|
||||
copyIntoSandboxString = lib.concatStrings (map (x: "cp -Lr ${package}/${x} $out/${x}\n") copyIntoSandbox);
|
||||
in stdenv.mkDerivation {
|
||||
pname = "${name}-sandboxed";
|
||||
version = version;
|
||||
@ -172,9 +175,10 @@ in stdenv.mkDerivation {
|
||||
dontBuild = true;
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin
|
||||
ln -s ${bin}/bin/${name} $out/bin/${name}
|
||||
mkdir -p $out/share/
|
||||
cp -r ${desktopItem}/share/applications $out/share
|
||||
'' + (lib.concatStrings (map (x: "cp -Lr ${pkg}/${x} $out/${x}\n") copyIntoSandbox));
|
||||
mkdir -p $out/bin
|
||||
ln -s ${bin}/bin/${name} $out/bin/${name}
|
||||
'' + lib.strings.optionalString (!(builtins.isNull desktopFileArgs)) ''
|
||||
mkdir -p $out/share/
|
||||
cp -r ${desktopItem}/share/applications $out/share
|
||||
'' + lib.strings.optionalString (!(builtins.isNull copyIntoSandbox)) copyIntoSandboxString;
|
||||
}
|
||||
|
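Review bot: The init script is now produced as `${binaryName}-init` on the writeShellScriptBin line of the `let` hunk, but bwrapCmd still execs it as `${initStr}/bin/${name}-init ${initArgs}`, so the sandbox only launches when name and binaryName happen to coincide, as they do in the discord caller; the exec line should read `${initStr}/bin/${binaryName}-init ${initArgs}`. The installPhase hunk also drops the unconditional `mkdir -p $out/share/`, so with desktopFileArgs left at its new null default the `cp -Lr ${package}/share/pixmaps $out/share/pixmaps` emitted by copyIntoSandboxString has no parent directory to copy into; creating it per entry, e.g. prefixing `mkdir -p $out/$(dirname ${x})\n` to the cp in copyIntoSandboxString, keeps the two options independent of each other. As a point of style, switching the desktopFileArgs and copyIntoSandbox defaults to null instead of `{}`/`[]` only buys the two isNull guards, since concatStrings over an empty list is already the empty string. The function's full argument set and the remainder of bwrapCmd lie outside these hunks.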