colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

sandbox: remove unused "binMap" option

Browse Source
This commit is contained in:
Colin
2024-04-15 19:56:33 +00:00
parent 0385c09f23
commit 2eea562d1f
2 changed files with 4 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
modules/programs/default.nix
View File

@@ -107,7 +107,6 @@ let
makeSandboxedArgs = { makeSandboxedArgs = {
inherit pkgName package; inherit pkgName package;
inherit (sandbox) inherit (sandbox)
binMap
embedSandboxer embedSandboxer
wrapperType wrapperType
; ;
@@ -331,16 +330,6 @@ let
- "existingFileOrParent" => add the path if it exists and is file-like; if not, add its parent if that exists. useful for programs which create files. - "existingFileOrParent" => add the path if it exists and is file-like; if not, add its parent if that exists. useful for programs which create files.
''; '';
}; };
sandbox.binMap = mkOption {
type = types.attrsOf types.str;
default = {};
description = ''
map binName -> sandboxAs.
for example,
if the package ships `bin/mpv` and `bin/umpv`, this module might know how to sandbox `mpv` but not `umpv`.
then set `sandbox.binMap.umpv = "mpv";` to sandbox `bin/umpv` with the same rules as `bin/mpv`
'';
};
sandbox.capabilities = mkOption { sandbox.capabilities = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = [];

38
modules/programs/make-sandboxed.nix
View File

@@ -39,7 +39,7 @@ let
# take an existing package, which may have a `bin/` folder as well as `share/` etc, # take an existing package, which may have a `bin/` folder as well as `share/` etc,
# and patch the `bin/` items in-place # and patch the `bin/` items in-place
sandboxBinariesInPlace = binMap: sane-sandboxed': extraSandboxArgsStr: pkgName: pkg: pkg.overrideAttrs (unwrapped: { sandboxBinariesInPlace = sane-sandboxed': extraSandboxArgsStr: pkgName: pkg: pkg.overrideAttrs (unwrapped: {
# disable the sandbox and inject a minimal fake sandboxer which understands that flag, # disable the sandbox and inject a minimal fake sandboxer which understands that flag,
# in order to support packages which invoke sandboxed apps in their check phase. # in order to support packages which invoke sandboxed apps in their check phase.
# note that it's not just for packages which invoke their *own* binaries in check phase, # note that it's not just for packages which invoke their *own* binaries in check phase,
@@ -61,33 +61,9 @@ let
]; ];
postFixup = (unwrapped.postFixup or "") + '' postFixup = (unwrapped.postFixup or "") + ''
getProfileFromBinMap() {
case "$1" in
${builtins.concatStringsSep "\n" (lib.mapAttrsToList
(bin: profile: ''
(${bin})
echo "${profile}"
;;
'')
binMap
)}
(*)
;;
esac
}
sandboxWrap() { sandboxWrap() {
local _dir="$1" local _dir="$1"
local _name="$2" local _name="$2"
local _profileFromBinMap="$(getProfileFromBinMap $_name)"
local _profiles=("$_profileFromBinMap" "$_name" "${pkgName}" "${unwrapped.pname or ""}" "${unwrapped.name or ""}")
# filter to just the unique profiles
local _profileArgs=(${extraSandboxArgsStr})
for _profile in "''${_profiles[@]}"; do
if [ -n "$_profile" ] && ! [[ " ''${_profileArgs[@]} " =~ " $_profile " ]]; then
_profileArgs+=("--sane-sandbox-profile" "$_profile")
fi
done
# N.B.: unlike `makeWrapper`, we place the unwrapped binary in a subdirectory and *preserve its name*. # N.B.: unlike `makeWrapper`, we place the unwrapped binary in a subdirectory and *preserve its name*.
# the upside of this is that for applications which read "$0" to decide what to do (e.g. busybox, git) # the upside of this is that for applications which read "$0" to decide what to do (e.g. busybox, git)
@@ -102,12 +78,8 @@ let
else else
mv "$_dir/$_name" "$_dir/.sandboxed/" mv "$_dir/$_name" "$_dir/.sandboxed/"
fi fi
cat <<EOF >> "$_dir/$_name" echo '#!${runtimeShell}' > "$_dir/$_name"
#!${runtimeShell} echo 'exec ${sane-sandboxed'} --sane-sandbox-profile ${pkgName}' "$_dir/.sandboxed/$_name" '"$@"' >> "$_dir/$_name"
exec ${sane-sandboxed'} \
''${_profileArgs[@]} \
"$_dir/.sandboxed/$_name" "\$@"
EOF
chmod +x "$_dir/$_name" chmod +x "$_dir/$_name"
} }
@@ -295,7 +267,7 @@ let
}; };
}); });
make-sandboxed = { pkgName, package, wrapperType, binMap ? {}, embedSandboxer ? false, extraSandboxerArgs ? [], passthru ? {} }@args: make-sandboxed = { pkgName, package, wrapperType, embedSandboxer ? false, extraSandboxerArgs ? [], passthru ? {} }@args:
let let
unsandboxed = package; unsandboxed = package;
sane-sandboxed' = if embedSandboxer then sane-sandboxed' = if embedSandboxer then
@@ -316,7 +288,6 @@ let
# regardless of which one is chosen here, all other options are exposed via `passthru`. # regardless of which one is chosen here, all other options are exposed via `passthru`.
sandboxedBy = { sandboxedBy = {
inplace = sandboxBinariesInPlace inplace = sandboxBinariesInPlace
binMap
sane-sandboxed' sane-sandboxed'
extraSandboxerArgsStr extraSandboxerArgsStr
pkgName pkgName
@@ -324,7 +295,6 @@ let
wrappedDerivation = let wrappedDerivation = let
sandboxedBin = sandboxBinariesInPlace sandboxedBin = sandboxBinariesInPlace
binMap
sane-sandboxed' sane-sandboxed'
extraSandboxerArgsStr extraSandboxerArgsStr
pkgName pkgName