From 088b6f1b9a06087ca5d63ff907c489f2e7ef97d2 Mon Sep 17 00:00:00 2001 From: Colin Date: Mon, 12 Feb 2024 10:37:26 +0000 Subject: [PATCH] sane-sandboxed: load profiles via $NIX_PROFILES env var --- modules/programs/sane-sandboxed | 10 +++++++++- modules/programs/sane-sandboxed.nix | 3 --- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/modules/programs/sane-sandboxed b/modules/programs/sane-sandboxed index 19633bd1..fc9d54bc 100644 --- a/modules/programs/sane-sandboxed +++ b/modules/programs/sane-sandboxed @@ -1,6 +1,6 @@ #!@runtimeShell@ -profileDirs=(@profileDirs@) +profileDirs=() isDebug= isDisable= @@ -56,6 +56,13 @@ tryLoadProfileByName() { fi } +initDefaultProfileDirs() { + # NIX_PROFILES is a space-separated array of /run/current-system/sw, ... + for d in $NIX_PROFILES; do + profileDirs+=("$d/share/sane-sandboxed/profiles") + done +} + # convert e.g. `file:///Local%20Users/foo.mp3` to `file:///Local Users/foo.mp3` urldecode() { # source: @@ -521,6 +528,7 @@ ingestForBackend() { ## TOPLEVEL EXECUTION # no code evaluated before this point should be dependent on user args / environment. +initDefaultProfileDirs parseArgsAndEnvironment "$@" # variables meant to be inherited diff --git a/modules/programs/sane-sandboxed.nix b/modules/programs/sane-sandboxed.nix index 330388fd..39478db3 100644 --- a/modules/programs/sane-sandboxed.nix +++ b/modules/programs/sane-sandboxed.nix @@ -14,9 +14,6 @@ let inherit bubblewrap firejail libcap runtimeShell; landlockSandboxer = landlock-sandboxer; firejailProfileDirs = "/run/current-system/sw/etc/firejail /etc/firejail ${firejail}/etc/firejail"; - # /run might be unavailable inside a container, so to support nested containers - # fallback to a profile dir adjacent to the sane-sandboxed binary - profileDirs = "/run/current-system/sw/${profileDir} @out@/${profileDir}"; }; self = stdenv.mkDerivation { pname = "sane-sandboxed";
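Review bot: With `profileDirs=()` the script no longer has any profile directory pinned at build time, so when `NIX_PROFILES` is unset or empty the search list stays empty. That covers a scrubbed service environment and the nested-container case described in the comment this commit removes from sane-sandboxed.nix. What the script does when no profile is found is outside this hunk; it should fail closed rather than launch the program without a policy. Consider keeping the store-path entry as a last fallback, i.e. keep the `@profileDirs@` substitution but reduce its value to `@out@/${profileDir}`.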
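Review bot: initDefaultProfileDirs builds the sandbox profile search path from `$NIX_PROFILES`, which the caller's environment controls, so whoever sets that variable now chooses where sandbox policy is read from; the old list was fixed at build time. The variable commonly includes per-user profile paths, so it is worth confirming in tryLoadProfileByName (outside this hunk) that a profile found in a less trusted directory cannot override or loosen one shipped in the system profile. Separately, the unquoted `for d in $NIX_PROFILES` performs pathname expansion as well as word splitting, and leaves `d` as a global. Splitting with `read -ra` into a local array and skipping non-absolute entries avoids both, as sketched below.

```shell
initDefaultProfileDirs() {
  # NIX_PROFILES comes from the caller's environment: split on whitespace only
  # (no globbing) and accept absolute paths only.
  local d
  local -a nixProfiles
  read -ra nixProfiles <<< "${NIX_PROFILES:-}"
  for d in "${nixProfiles[@]}"; do
    [[ "$d" == /* ]] || continue
    profileDirs+=("$d/share/sane-sandboxed/profiles")
  done
}
```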