modules/programs: make-sandboxed: lift profile creation logic out to the toplevel

2024-02-12 11:52:33 +00:00 · 2024-02-12 11:52:33 +00:00 · 3e0b0a0f02
commit 3e0b0a0f02
parent 2ee34e9af3
2 changed files with 28 additions and 22 deletions
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -38,20 +38,17 @@ let
      package
    else
      let
+        makeProfile = pkgs.callPackage ./make-sandbox-profile.nix { };
        makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.sandboxHelper; };
        vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
-      in
-        makeSandboxed {
-          inherit pkgName package;
+        profilePkg = makeProfile {
+          inherit pkgName;
          inherit (sandbox)
            autodetectCliPaths
-            binMap
            capabilities
-            embedSandboxer
            extraConfig
            method
            whitelistPwd
-            wrapperType
          ;
          netDev = if sandbox.net == "vpn" then
            vpn.bridgeDevice
@ -78,6 +75,19 @@ let
            "/run/secrets/home"  #< TODO: this could be restricted per-app based on the HOME paths they need
            "/usr/bin/env"
          ] ++ sandbox.extraPaths;
+        };
+      in
+        makeSandboxed {
+          inherit pkgName package;
+          inherit (sandbox)
+            binMap
+            embedSandboxer
+            wrapperType
+          ;
+          # extraSandboxerArgs = lib.optionals sandbox.embedProfile [
+          #   "--sane-sandbox-profile-dir" "${profilePkg}/share/sane-sandboxed/profiles"
+          # ];
+          passthru.sandboxProfiles = profilePkg;
        }
  );
  pkgSpec = with lib; types.submodule ({ config, name, ... }: {
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@ -196,9 +196,9 @@ let
    '');

  # take the nearly-final sandboxed package, with binaries and and else, and
-  # populate passthru attributes the caller expects, like `sandboxProfiles` and `checkSandboxed`.
-  fixupMetaAndPassthru = pkgName: pkg: sandboxProfiles: extraPassthru: pkg.overrideAttrs (finalAttrs: prevAttrs: let
-    final = fixupMetaAndPassthru pkgName pkg sandboxProfiles extraPassthru;
+  # populate passthru attributes the caller expects, like `checkSandboxed`.
+  fixupMetaAndPassthru = pkgName: pkg: extraPassthru: pkg.overrideAttrs (finalAttrs: prevAttrs: let
+    final = fixupMetaAndPassthru pkgName pkg extraPassthru;
    nonBin = (prevAttrs.passthru or {}).sandboxedNonBin or {};
  in {
    meta = (prevAttrs.meta or {}) // {
@ -206,7 +206,6 @@ let
      priority = ((prevAttrs.meta or {}).priority or 0) - 1;
    };
    passthru = (prevAttrs.passthru or {}) // extraPassthru // {
-      inherit sandboxProfiles;
      checkSandboxed = runCommand "${pkgName}-check-sandboxed" {} ''
        set -e
        # invoke each binary in a way only the sandbox wrapper will recognize,
@ -230,7 +229,7 @@ let
    };
  });

-  make-sandboxed = { pkgName, package, method, wrapperType, netDev ? null, dns ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? null, binMap ? {}, capabilities ? [], embedProfile ? false, embedSandboxer ? false, extraConfig ? [], whitelistPwd ? false }@args:
+  make-sandboxed = { pkgName, package, wrapperType, binMap ? {}, embedSandboxer ? false, extraSandboxerArgs ? [], passthru ? {} }@args:
  let
    unsandboxed = package;
    sane-sandboxed' = if embedSandboxer then
@ -241,12 +240,7 @@ let
      sane-sandboxed.meta.mainProgram
    ;

-    sandboxProfilesPkg = callPackage ./make-sandbox-profile.nix { } {
-      inherit pkgName method netDev dns allowedHomePaths allowedRootPaths autodetectCliPaths capabilities whitelistPwd extraConfig;
-    };
-    sandboxProfileDir = "${sandboxProfilesPkg}/share/sane-sandboxed/profiles";
-
-    maybeEmbedProfilesDir = lib.optionalString embedProfile ''"--sane-sandbox-profile-dir" "${sandboxProfileDir}"'';
+    extraSandboxerArgsStr = lib.escapeShellArgs extraSandboxerArgs;

    # two ways i could wrap a package in a sandbox:
    # 1. package.overrideAttrs, with `postFixup`.
@ -258,7 +252,7 @@ let
      inplace = sandboxBinariesInPlace
        binMap
        sane-sandboxed'
-        maybeEmbedProfilesDir
+        extraSandboxerArgsStr
        pkgName
        (makeHookable unsandboxed);

@ -266,7 +260,7 @@ let
        sandboxedBin = sandboxBinariesInPlace
          binMap
          sane-sandboxed'
-          maybeEmbedProfilesDir
+          extraSandboxerArgsStr
          pkgName
          (symlinkBinaries pkgName unsandboxed);
        sandboxedNonBin = sandboxNonBinaries pkgName unsandboxed sandboxedBin;
@ -278,9 +272,11 @@ let
    };
    packageWrapped = sandboxedBy."${wrapperType}";
  in
-    fixupMetaAndPassthru pkgName packageWrapped sandboxProfilesPkg {
+    fixupMetaAndPassthru pkgName packageWrapped (passthru // {
+      # allow the user to build this package, but sandboxed in a different manner.
+      # e.g. `<pkg>.sandboxedBy.inplace`.
      inherit sandboxedBy;
-      withEmbeddedSandboxer = make-sandboxed (args // { embedSandboxer = true; embedProfile = true; });
-    }
+      withEmbeddedSandboxer = make-sandboxed (args // { embedSandboxer = true; });
+    })
  ;
 in make-sandboxed