sanebox: ensure sanebox is always on the PATH of sandboxed binaries
@@ -16,7 +16,7 @@ let
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
sane.programs.sanebox = {
|
sane.programs.sanebox = {
|
||||||
packageUnwrapped = pkgs.sanebox.override {
|
packageUnwrapped = (pkgs.sanebox.override {
|
||||||
bubblewrap = cfg.bubblewrap.package;
|
bubblewrap = cfg.bubblewrap.package;
|
||||||
passt = cfg.passt.package;
|
passt = cfg.passt.package;
|
||||||
libcap = cfg.libcap.package;
|
libcap = cfg.libcap.package;
|
||||||
@@ -25,11 +25,20 @@ in
|
|||||||
# the sandboxer may nag about one or the other wanting to be updated.
|
# the sandboxer may nag about one or the other wanting to be updated.
|
||||||
linux = config.boot.kernelPackages.kernel;
|
linux = config.boot.kernelPackages.kernel;
|
||||||
};
|
};
|
||||||
};
|
}).overrideAttrs (base: {
|
||||||
|
# create a directory which holds just the `sanebox` so that we
|
||||||
|
# can add sanebox as a dependency to binaries via `PATH=/run/current-system/libexec/sanebox` without forcing rebuild every time sanebox changes
|
||||||
|
postInstall = ''
|
||||||
|
mkdir -p $out/libexec/sanebox
|
||||||
|
ln -s $out/bin/sanebox $out/libexec/sanebox/sanebox
|
||||||
|
'';
|
||||||
|
});
|
||||||
|
|
||||||
sandbox.enable = false;
|
sandbox.enable = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environment.pathsToLink = lib.mkIf cfg.sanebox.enabled [ "/libexec/sanebox" ];
|
||||||
|
|
||||||
environment.etc = lib.mkIf cfg.sanebox.enabled {
|
environment.etc = lib.mkIf cfg.sanebox.enabled {
|
||||||
"sanebox/symlink-cache".text = lib.concatStringsSep "\n" (
|
"sanebox/symlink-cache".text = lib.concatStringsSep "\n" (
|
||||||
lib.mapAttrsToList
|
lib.mapAttrsToList
|
||||||
|
@@ -101,7 +101,7 @@ let
|
|||||||
else
|
else
|
||||||
mv "$_dir/$_name" "$_dir/.sandboxed/"
|
mv "$_dir/$_name" "$_dir/.sandboxed/"
|
||||||
fi
|
fi
|
||||||
makeBinaryWrapper ${sanebox'} "$_dir/$_name" ${lib.escapeShellArgs (lib.flatten (builtins.map (f: [ "--add-flags" f ]) extraSandboxArgs))} --add-flags "$_dir/.sandboxed/$_name"
|
makeBinaryWrapper ${sanebox'} "$_dir/$_name" --suffix PATH : /run/current-system/sw/libexec/sanebox ${lib.escapeShellArgs (lib.flatten (builtins.map (f: [ "--add-flags" f ]) extraSandboxArgs))} --add-flags "$_dir/.sandboxed/$_name"
|
||||||
}
|
}
|
||||||
|
|
||||||
crawlAndWrap() {
|
crawlAndWrap() {
|
||||||
|
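Review bot: The wrapper line in the third hunk appends `/run/current-system/sw/libexec/sanebox` with `--suffix`, so it is only a fallback: any `sanebox` found earlier on the caller's PATH runs instead of the system-profile one, and because the entry goes through `/run/current-system` the sanebox actually executed is whatever the active generation links there rather than the store path the wrapper was built against. That appears to be the intended trade-off against rebuilding every wrapper, but it should be stated next to the call, and `--prefix` is the choice if the system copy must win; whether the sandboxed child inherits this PATH entry depends on sanebox itself and is not visible here. The comment added in the second hunk also names a different directory (`/run/current-system/libexec/sanebox`) than the one `environment.pathsToLink` exposes and the wrapper uses, so I would correct it to `# can add sanebox as a dependency to binaries via \`PATH=/run/current-system/sw/libexec/sanebox\` without forcing rebuild every time sanebox changes`. The shell function containing the makeBinaryWrapper call starts before the third hunk.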