sane-sandboxed: split out into an actual package
@@ -95,6 +95,7 @@
|
|||||||
./rofi
|
./rofi
|
||||||
./s6-rc.nix
|
./s6-rc.nix
|
||||||
./sane-input-handler
|
./sane-input-handler
|
||||||
|
./sane-sandboxed.nix
|
||||||
./sane-screenshot.nix
|
./sane-screenshot.nix
|
||||||
./sane-scripts.nix
|
./sane-scripts.nix
|
||||||
./schlock.nix
|
./schlock.nix
|
||||||
|
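--- a/hosts/common/programs/sane-sandboxed.nix
+++ b/hosts/common/programs/sane-sandboxed.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+let
+cfg = config.sane.programs;
+in
+{
+sane.programs.sane-sandboxed = {
+packageUnwrapped = pkgs.sane-sandboxed.override {
+bubblewrap = cfg.bubblewrap.package;
+firejail = cfg.firejail.package;
+landlock-sandboxer = pkgs.landlock-sandboxer.override {
+# not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version,
+# the sandboxer may nag about one or the other wanting to be updated.
+linux = config.boot.kernelPackages.kernel;
+};
+};
+
+sandbox.enable = false;
+};
+}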
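Review bot: `sandbox.enable = false;` at the end of the new `sane.programs.sane-sandboxed` attrset has no comment, and it is the one setting in this file that a later reader might turn on while tightening policy. Presumably it is off because this package is the sandbox launcher itself and cannot be wrapped by itself. If that is the reason, record it in place, e.g. `# sane-sandboxed is the sandbox launcher; it cannot be wrapped by itself`. A short header comment noting that `bubblewrap` and `firejail` are deliberately taken from `cfg.*.package` rather than from `pkgs` would also help, since that choice decides which backend binaries every sandboxed program ends up running.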
@@ -41,7 +41,7 @@ let
|
|||||||
else
|
else
|
||||||
let
|
let
|
||||||
makeProfile = pkgs.callPackage ./make-sandbox-profile.nix { };
|
makeProfile = pkgs.callPackage ./make-sandbox-profile.nix { };
|
||||||
makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.sandboxHelper; };
|
makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.programs.sane-sandboxed.package; };
|
||||||
|
|
||||||
# removeStorePaths: [ str ] -> [ str ], but remove store paths, because nix evals aren't allowed to contain any (for purity reasons?)
|
# removeStorePaths: [ str ] -> [ str ], but remove store paths, because nix evals aren't allowed to contain any (for purity reasons?)
|
||||||
removeStorePaths = paths: lib.filter (p: !(lib.hasPrefix "/nix/store" p)) paths;
|
removeStorePaths = paths: lib.filter (p: !(lib.hasPrefix "/nix/store" p)) paths;
|
||||||
@@ -610,22 +610,6 @@ in
|
|||||||
set to 0 to get the fastest, but most restrictive build.
|
set to 0 to get the fastest, but most restrictive build.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
sane.sandboxHelper = mkOption {
|
|
||||||
type = types.package;
|
|
||||||
default = pkgs.callPackage ./sane-sandboxed.nix {
|
|
||||||
bubblewrap = cfg.bubblewrap.package;
|
|
||||||
firejail = cfg.firejail.package;
|
|
||||||
landlock-sandboxer = pkgs.landlock-sandboxer.override {
|
|
||||||
# not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version,
|
|
||||||
# the sandboxer may nag about one or the other wanting to be updated.
|
|
||||||
linux = config.boot.kernelPackages.kernel;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
description = ''
|
|
||||||
`sane-sandbox` package.
|
|
||||||
exposed to facilitate debugging, e.g. `nix build '.#hostConfigs.desko.sane.sandboxHelper'`
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
sane.strictSandboxing = mkOption {
|
sane.strictSandboxing = mkOption {
|
||||||
type = types.enum [ false "warn" "assert" ];
|
type = types.enum [ false "warn" "assert" ];
|
||||||
default = "warn";
|
default = "warn";
|
||||||
@@ -651,7 +635,7 @@ in
|
|||||||
(take (sane-lib.mkTypedMerge take configs))
|
(take (sane-lib.mkTypedMerge take configs))
|
||||||
{
|
{
|
||||||
environment.pathsToLink = [ "/share/sane-sandboxed" ];
|
environment.pathsToLink = [ "/share/sane-sandboxed" ];
|
||||||
environment.systemPackages = [ config.sane.sandboxHelper ];
|
sane.programs.sane-sandboxed.enableFor.system = true;
|
||||||
# expose the pkgs -- as available to the system -- as a build target.
|
# expose the pkgs -- as available to the system -- as a build target.
|
||||||
system.build.pkgs = pkgs;
|
system.build.pkgs = pkgs;
|
||||||
}
|
}
|
||||||
|
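Review bot: The `makeSandboxed` line in the first hunk now takes `config.sane.programs.sane-sandboxed.package`, so the helper that wraps every program is itself produced by the programs machinery it serves. That appears to be well-defined only because another file (hosts/common/programs/sane-sandboxed.nix in this commit) sets `sandbox.enable = false;` for it. If that entry were missing or flipped, evaluation would presumably recurse or fail far from the cause. Consider reading `config.sane.programs.sane-sandboxed.packageUnwrapped` here, if the two are meant to be identical, or guarding the dependency with an assertion that `sandbox.enable` is false for this program. The removed `sane.sandboxHelper` description also documented a debug build target, so a comment giving the replacement attribute path would keep that workflow discoverable.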
@@ -58,6 +58,7 @@ let
|
|||||||
rtl8723cs-firmware = callPackage ./additional/rtl8723cs-firmware { };
|
rtl8723cs-firmware = callPackage ./additional/rtl8723cs-firmware { };
|
||||||
rtl8723cs-wowlan = callPackage ./additional/rtl8723cs-wowlan { };
|
rtl8723cs-wowlan = callPackage ./additional/rtl8723cs-wowlan { };
|
||||||
sane-open-desktop = callPackage ./additional/sane-open-desktop { };
|
sane-open-desktop = callPackage ./additional/sane-open-desktop { };
|
||||||
|
sane-sandboxed = callPackage ./additional/sane-sandboxed { };
|
||||||
sane-screenshot = callPackage ./additional/sane-screenshot { };
|
sane-screenshot = callPackage ./additional/sane-screenshot { };
|
||||||
sane-scripts = lib.recurseIntoAttrs (callPackage ./additional/sane-scripts { });
|
sane-scripts = lib.recurseIntoAttrs (callPackage ./additional/sane-scripts { });
|
||||||
sane-weather = callPackage ./additional/sane-weather { };
|
sane-weather = callPackage ./additional/sane-weather { };
|
||||||
|