nix-files/pkgs/additional/sanebox/default.nix

{ lib, stdenv
, bash
, bubblewrap
, firejail
, landlock-sandboxer
, libcap
, substituteAll
, profileDir ? "/share/sanebox/profiles"
}:

let
  sanebox = substituteAll {
    src = ./sanebox;
    inherit bash bubblewrap firejail libcap;
    landlockSandboxer = landlock-sandboxer;
    firejailProfileDirs = "/run/current-system/sw/etc/firejail /etc/firejail ${firejail}/etc/firejail";
  };
  self = stdenv.mkDerivation {
    pname = "sanebox";
    version = "0.1";

    src = sanebox;
    dontUnpack = true;

    buildPhase = ''
      runHook preBuild
      substituteAll "$src" sanebox \
        --replace-fail '@out@' "$out"
      runHook postBuild
    '';

    installPhase = ''
      runHook preInstall
      install -d "$out"
      install -d "$out/bin"
      install -m 755 sanebox $out/bin/sanebox
      runHook postInstall
    '';

    passthru = {
      inherit landlock-sandboxer;
      withProfiles = profiles: self.overrideAttrs (base: {
        inherit profiles;
        postInstall = (base.postInstall or "") + ''
          install -d $out/share/sanebox
          ln -s "${profiles}/${profileDir}" "$out/${profileDir}"
        '';
      });
    };

    meta = {
      description = ''
        helper program to run some other program in a sandbox.
        factoring this out allows:
        1. to abstract over the particular sandbox implementation (bwrap, firejail, ...).
        2. to modify sandbox settings without forcing a rebuild of the sandboxed package.
      '';
      mainProgram = "sanebox";
    };
  };
in self
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00			`{ lib, stdenv`
modules/programs: sane-sandboxed: optimize "normPath" to not invoke subshells each subshell causes like 5ms just on my laptop, which really adds up. this implementation still forks internally, but doesn't exec. runtime decreases from 150ms -> 90ms for `time librewolf --sane-sandbox-replace-cli true` 2024-02-18 12:07:19 +00:00			`, bash`
programs: allow programs to specify "sandbox.method = "bwrap"" for bubblewrap sandboxing 2024-01-23 10:44:13 +00:00			`, bubblewrap`
programs: introduce a sane-sandboxed helper not yet used, but will be soon 2024-01-23 02:29:33 +00:00			`, firejail`
sane-sandboxed: add support for landlock backend 2024-01-27 03:39:26 +00:00			`, landlock-sandboxer`
programs: landlock: restrict the capabilities of sandboxed processes 2024-01-27 09:49:51 +00:00			`, libcap`
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00			`, substituteAll`
sane-sandboxed -> sanebox 2024-05-15 01:41:40 +00:00			`, profileDir ? "/share/sanebox/profiles"`
programs: introduce a sane-sandboxed helper not yet used, but will be soon 2024-01-23 02:29:33 +00:00			`}:`

sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00			`let`
sane-sandboxed -> sanebox 2024-05-15 01:41:40 +00:00			`sanebox = substituteAll {`
			`src = ./sanebox;`
modules/programs: sane-sandboxed: optimize "normPath" to not invoke subshells each subshell causes like 5ms just on my laptop, which really adds up. this implementation still forks internally, but doesn't exec. runtime decreases from 150ms -> 90ms for `time librewolf --sane-sandbox-replace-cli true` 2024-02-18 12:07:19 +00:00			`inherit bash bubblewrap firejail libcap;`
sane-sandboxed: add support for landlock backend 2024-01-27 03:39:26 +00:00			`landlockSandboxer = landlock-sandboxer;`
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00			`firejailProfileDirs = "/run/current-system/sw/etc/firejail /etc/firejail ${firejail}/etc/firejail";`
			`};`
			`self = stdenv.mkDerivation {`
sane-sandboxed -> sanebox 2024-05-15 01:41:40 +00:00			`pname = "sanebox";`
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00			`version = "0.1";`
programs: introduce a sane-sandboxed helper not yet used, but will be soon 2024-01-23 02:29:33 +00:00
sane-sandboxed -> sanebox 2024-05-15 01:41:40 +00:00			`src = sanebox;`
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00			`dontUnpack = true;`
programs: introduce a sane-sandboxed helper not yet used, but will be soon 2024-01-23 02:29:33 +00:00
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00			`buildPhase = ''`
			`runHook preBuild`
sane-sandboxed -> sanebox 2024-05-15 01:41:40 +00:00			`substituteAll "$src" sanebox \`
nits: update `--replace` uses to `--replace-{fail,quiet}` as appropriate 2024-03-24 12:49:18 +00:00			`--replace-fail '@out@' "$out"`
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00			`runHook postBuild`
			`'';`
programs: introduce a sane-sandboxed helper not yet used, but will be soon 2024-01-23 02:29:33 +00:00
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00			`installPhase = ''`
			`runHook preInstall`
			`install -d "$out"`
			`install -d "$out/bin"`
sane-sandboxed -> sanebox 2024-05-15 01:41:40 +00:00			`install -m 755 sanebox $out/bin/sanebox`
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00			`runHook postInstall`
programs: introduce a sane-sandboxed helper not yet used, but will be soon 2024-01-23 02:29:33 +00:00			`'';`
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00
fixup landlock-sandboxer to work well for all systems downgrade lappy/desko/servo back to default linux; zfs doesn't support latest build landlock-sandboxer against the specific kernel being deployed; it's less noisy that way 2024-01-31 21:19:10 +00:00			`passthru = {`
			`inherit landlock-sandboxer;`
			`withProfiles = profiles: self.overrideAttrs (base: {`
			`inherit profiles;`
			`postInstall = (base.postInstall or "") + ''`
sane-sandboxed -> sanebox 2024-05-15 01:41:40 +00:00			`install -d $out/share/sanebox`
fixup landlock-sandboxer to work well for all systems downgrade lappy/desko/servo back to default linux; zfs doesn't support latest build landlock-sandboxer against the specific kernel being deployed; it's less noisy that way 2024-01-31 21:19:10 +00:00			`ln -s "${profiles}/${profileDir}" "$out/${profileDir}"`
			`'';`
			`});`
			`};`
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00
			`meta = {`
			`description = ''`
			`helper program to run some other program in a sandbox.`
			`factoring this out allows:`
			`1. to abstract over the particular sandbox implementation (bwrap, firejail, ...).`
			`2. to modify sandbox settings without forcing a rebuild of the sandboxed package.`
			`'';`
sane-sandboxed -> sanebox 2024-05-15 01:41:40 +00:00			`mainProgram = "sanebox";`
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00			`};`
programs: introduce a sane-sandboxed helper not yet used, but will be soon 2024-01-23 02:29:33 +00:00			`};`
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds 2024-01-23 08:01:23 +00:00			`in self`