From 132798be23fb6bc8ba209dba2aa810099d59b53e Mon Sep 17 00:00:00 2001
From: Colin
Date: Tue, 16 Jul 2024 07:14:29 +0000
Subject: [PATCH] sanebox: ensure sanebox is always on the PATH of sandboxed binaries
---
 hosts/common/programs/sanebox.nix | 13 +++++++++++--
 modules/programs/make-sandboxed.nix | 2 +-
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/hosts/common/programs/sanebox.nix b/hosts/common/programs/sanebox.nix
index d8a227631..f062908d8 100644
--- a/hosts/common/programs/sanebox.nix
+++ b/hosts/common/programs/sanebox.nix
@@ -16,7 +16,7 @@ let
 in
 {
 sane.programs.sanebox = {
- packageUnwrapped = pkgs.sanebox.override {
+ packageUnwrapped = (pkgs.sanebox.override {
 bubblewrap = cfg.bubblewrap.package;
 passt = cfg.passt.package;
 libcap = cfg.libcap.package;
@@ -25,11 +25,20 @@ in
 # the sandboxer may nag about one or the other wanting to be updated.
 linux = config.boot.kernelPackages.kernel;
 };
- };
+ }).overrideAttrs (base: {
+ # create a directory which holds just the `sanebox` so that we
+ # can add sanebox as a dependency to binaries via `PATH=/run/current-system/libexec/sanebox` without forcing rebuild every time sanebox changes
+ postInstall = ''
+ mkdir -p $out/libexec/sanebox
+ ln -s $out/bin/sanebox $out/libexec/sanebox/sanebox
+ '';
+ });
 sandbox.enable = false;
 };
+ environment.pathsToLink = lib.mkIf cfg.sanebox.enabled [ "/libexec/sanebox" ];
+
 environment.etc = lib.mkIf cfg.sanebox.enabled {
 "sanebox/symlink-cache".text = lib.concatStringsSep "\n" (
 lib.mapAttrsToList
diff --git a/modules/programs/make-sandboxed.nix b/modules/programs/make-sandboxed.nix
index 284f8a248..8f7956d37 100644
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
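Review bot: The `postInstall` set in the new `overrideAttrs` (second hunk of sanebox.nix) replaces whatever `postInstall` the base `sanebox` derivation defines, because the `base` argument is never used; if the package has, or later gains, its own post-install step, it is dropped without any error. Appending keeps both: `postInstall = (base.postInstall or "") + '' … '';`. The added comment also names `PATH=/run/current-system/libexec/sanebox`, whereas the wrapper in make-sandboxed.nix uses `/run/current-system/sw/libexec/sanebox`; the comment should carry the `sw/` path so the two stay in step.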
@@ -101,7 +101,7 @@ let
 else
 mv "$_dir/$_name" "$_dir/.sandboxed/"
 fi
- makeBinaryWrapper ${sanebox'} "$_dir/$_name" ${lib.escapeShellArgs (lib.flatten (builtins.map (f: [ "--add-flags" f ]) extraSandboxArgs))} --add-flags "$_dir/.sandboxed/$_name"
+ makeBinaryWrapper ${sanebox'} "$_dir/$_name" --suffix PATH : /run/current-system/sw/libexec/sanebox ${lib.escapeShellArgs (lib.flatten (builtins.map (f: [ "--add-flags" f ]) extraSandboxArgs))} --add-flags "$_dir/.sandboxed/$_name"
 }
 crawlAndWrap() {
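Review bot: The new `--suffix PATH : /run/current-system/sw/libexec/sanebox` makes any by-name lookup of `sanebox` a fallback rather than a pinned reference: inherited PATH entries are searched first, and the directory follows the current system profile, while the outer launch stays pinned to the wrapper target. That looks like the intended trade-off, but it should be stated above the line, e.g. `# sanebox on PATH is a fallback lookup (suffix): inherited PATH entries win, and it tracks the current system profile, not the pinned wrapper target`. The entry is also added unconditionally, whereas `environment.pathsToLink` in sanebox.nix is guarded by `cfg.sanebox.enabled`. Nothing in this hunk shows whether that directory is visible inside the sandbox, so that is worth confirming. The enclosing shell function starts before the hunk.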