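# Packages the `sane-sandboxed` helper script, which runs some other program
# inside a sandbox (see meta.description below).
#
# The script source (./sane-sandboxed) is templated in two steps:
#   1. the Nix-level `substituteAll` call fills in the attributes passed to it
#      (bash, bubblewrap, firejail, libcap, landlockSandboxer,
#      firejailProfileDirs);
#   2. buildPhase then fills in this package's own output path (@out@).
{ lib, stdenv
, bash
, bubblewrap
, firejail
, landlock-sandboxer
, libcap
, substituteAll
# where sandbox profiles live, relative to a package's output root.
, profileDir ? "/share/sane-sandboxed/profiles"
}:

let
  sane-sandboxed = substituteAll {
    src = ./sane-sandboxed;
    inherit bash bubblewrap firejail libcap;
    # presumably renamed because a hyphenated name cannot be used as a
    # substitution variable -- TODO confirm against the script's placeholders.
    landlockSandboxer = landlock-sandboxer;
    # Space-separated list: the running system's profiles, then /etc/firejail,
    # then the profiles shipped with the pinned firejail package.
    # NOTE(review): the first two entries are mutable paths outside the Nix
    # store, so the effective sandbox policy depends on host state rather than
    # on this derivation's closure. How the script consumes this list is not
    # visible here; confirm that the precedence is intended and that both
    # directories are writable only by root.
    firejailProfileDirs = "/run/current-system/sw/etc/firejail /etc/firejail ${firejail}/etc/firejail";
  };

  self = stdenv.mkDerivation {
    pname = "sane-sandboxed";
    version = "0.1";

    # `src` is the single pre-templated script, not an archive.
    src = sane-sandboxed;
    dontUnpack = true;

    buildPhase = ''
      runHook preBuild
      # NOTE(review): the stdenv shell function `substituteAll` appears to take
      # only an input and an output path and to substitute @out@ on its own;
      # confirm whether the explicit --replace below is honoured or redundant.
      substituteAll "$src" sane-sandboxed \
        --replace '@out@' "$out"
      runHook postBuild
    '';

    installPhase = ''
      runHook preInstall
      install -d "$out"
      install -d "$out/bin"
      install -m 755 sane-sandboxed "$out/bin/sane-sandboxed"
      runHook postInstall
    '';

    passthru = {
      inherit landlock-sandboxer;
      # Returns a variant of this package with sandbox profiles linked in.
      # `profiles` is a package providing `profileDir` in its output; that
      # directory is symlinked into this package's output at the same relative
      # path. `inherit profiles` also exposes it as a derivation attribute.
      withProfiles = profiles: self.overrideAttrs (base: {
        inherit profiles;
        postInstall = (base.postInstall or "") + ''
          # create the symlink's parent from profileDir itself, so that a
          # non-default profileDir does not leave `ln` without a parent dir.
          install -d "$(dirname "$out/${profileDir}")"
          ln -s "${profiles}/${profileDir}" "$out/${profileDir}"
        '';
      });
    };

    meta = {
      description = ''
        helper program to run some other program in a sandbox.
        factoring this out allows:
        1. to abstract over the particular sandbox implementation (bwrap, firejail, ...).
        2. to modify sandbox settings without forcing a rebuild of the sandboxed package.
      '';
      mainProgram = "sane-sandboxed";
    };
  };
in self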