modules/programs: make-sandboxed: lift profile creation logic out to the toplevel
parent
2ee34e9af3
commit
3e0b0a0f02
|
@ -38,20 +38,17 @@ let
|
|||
package
|
||||
else
|
||||
let
|
||||
makeProfile = pkgs.callPackage ./make-sandbox-profile.nix { };
|
||||
makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.sandboxHelper; };
|
||||
vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
|
||||
in
|
||||
makeSandboxed {
|
||||
inherit pkgName package;
|
||||
profilePkg = makeProfile {
|
||||
inherit pkgName;
|
||||
inherit (sandbox)
|
||||
autodetectCliPaths
|
||||
binMap
|
||||
capabilities
|
||||
embedSandboxer
|
||||
extraConfig
|
||||
method
|
||||
whitelistPwd
|
||||
wrapperType
|
||||
;
|
||||
netDev = if sandbox.net == "vpn" then
|
||||
vpn.bridgeDevice
|
||||
|
@ -78,6 +75,19 @@ let
|
|||
"/run/secrets/home" #< TODO: this could be restricted per-app based on the HOME paths they need
|
||||
"/usr/bin/env"
|
||||
] ++ sandbox.extraPaths;
|
||||
};
|
||||
in
|
||||
makeSandboxed {
|
||||
inherit pkgName package;
|
||||
inherit (sandbox)
|
||||
binMap
|
||||
embedSandboxer
|
||||
wrapperType
|
||||
;
|
||||
# extraSandboxerArgs = lib.optionals sandbox.embedProfile [
|
||||
# "--sane-sandbox-profile-dir" "${profilePkg}/share/sane-sandboxed/profiles"
|
||||
# ];
|
||||
passthru.sandboxProfiles = profilePkg;
|
||||
}
|
||||
);
|
||||
pkgSpec = with lib; types.submodule ({ config, name, ... }: {
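Review bot: The `extraSandboxerArgs` block in the new `makeSandboxed { … }` call is commented out, so nothing on this page passes `--sane-sandbox-profile-dir` to the wrapper any more; the profile is reachable only as `passthru.sandboxProfiles`. The same loss shows in the later `@ -278,9 +272,11 @` hunk, where `withEmbeddedSandboxer` drops `embedProfile = true` and sets only `embedSandboxer = true`, so that variant no longer carries its own profile. How the sandbox helper behaves when it cannot locate a profile is not visible here; if it can fall back to running the program unconfined, this refactor weakens the sandbox. Either restore the argument, `extraSandboxerArgs = lib.optionals sandbox.embedProfile [ "--sane-sandbox-profile-dir" "${profilePkg}/share/sane-sandboxed/profiles" ];`, or replace the dead comment with one stating where the profile is expected to be found at runtime. The enclosing `let` and function begin outside the hunk.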
|
||||
|
|
|
@ -196,9 +196,9 @@ let
|
|||
'');
|
||||
|
||||
# take the nearly-final sandboxed package, with binaries and and else, and
|
||||
# populate passthru attributes the caller expects, like `sandboxProfiles` and `checkSandboxed`.
|
||||
fixupMetaAndPassthru = pkgName: pkg: sandboxProfiles: extraPassthru: pkg.overrideAttrs (finalAttrs: prevAttrs: let
|
||||
final = fixupMetaAndPassthru pkgName pkg sandboxProfiles extraPassthru;
|
||||
# populate passthru attributes the caller expects, like `checkSandboxed`.
|
||||
fixupMetaAndPassthru = pkgName: pkg: extraPassthru: pkg.overrideAttrs (finalAttrs: prevAttrs: let
|
||||
final = fixupMetaAndPassthru pkgName pkg extraPassthru;
|
||||
nonBin = (prevAttrs.passthru or {}).sandboxedNonBin or {};
|
||||
in {
|
||||
meta = (prevAttrs.meta or {}) // {
|
||||
|
@ -206,7 +206,6 @@ let
|
|||
priority = ((prevAttrs.meta or {}).priority or 0) - 1;
|
||||
};
|
||||
passthru = (prevAttrs.passthru or {}) // extraPassthru // {
|
||||
inherit sandboxProfiles;
|
||||
checkSandboxed = runCommand "${pkgName}-check-sandboxed" {} ''
|
||||
set -e
|
||||
# invoke each binary in a way only the sandbox wrapper will recognize,
|
||||
|
@ -230,7 +229,7 @@ let
|
|||
};
|
||||
});
|
||||
|
||||
make-sandboxed = { pkgName, package, method, wrapperType, netDev ? null, dns ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? null, binMap ? {}, capabilities ? [], embedProfile ? false, embedSandboxer ? false, extraConfig ? [], whitelistPwd ? false }@args:
|
||||
make-sandboxed = { pkgName, package, wrapperType, binMap ? {}, embedSandboxer ? false, extraSandboxerArgs ? [], passthru ? {} }@args:
|
||||
let
|
||||
unsandboxed = package;
|
||||
sane-sandboxed' = if embedSandboxer then
|
||||
|
@ -241,12 +240,7 @@ let
|
|||
sane-sandboxed.meta.mainProgram
|
||||
;
|
||||
|
||||
sandboxProfilesPkg = callPackage ./make-sandbox-profile.nix { } {
|
||||
inherit pkgName method netDev dns allowedHomePaths allowedRootPaths autodetectCliPaths capabilities whitelistPwd extraConfig;
|
||||
};
|
||||
sandboxProfileDir = "${sandboxProfilesPkg}/share/sane-sandboxed/profiles";
|
||||
|
||||
maybeEmbedProfilesDir = lib.optionalString embedProfile ''"--sane-sandbox-profile-dir" "${sandboxProfileDir}"'';
|
||||
extraSandboxerArgsStr = lib.escapeShellArgs extraSandboxerArgs;
|
||||
|
||||
# two ways i could wrap a package in a sandbox:
|
||||
# 1. package.overrideAttrs, with `postFixup`.
|
||||
|
@ -258,7 +252,7 @@ let
|
|||
inplace = sandboxBinariesInPlace
|
||||
binMap
|
||||
sane-sandboxed'
|
||||
maybeEmbedProfilesDir
|
||||
extraSandboxerArgsStr
|
||||
pkgName
|
||||
(makeHookable unsandboxed);
|
||||
|
||||
|
@ -266,7 +260,7 @@ let
|
|||
sandboxedBin = sandboxBinariesInPlace
|
||||
binMap
|
||||
sane-sandboxed'
|
||||
maybeEmbedProfilesDir
|
||||
extraSandboxerArgsStr
|
||||
pkgName
|
||||
(symlinkBinaries pkgName unsandboxed);
|
||||
sandboxedNonBin = sandboxNonBinaries pkgName unsandboxed sandboxedBin;
|
||||
|
@ -278,9 +272,11 @@ let
|
|||
};
|
||||
packageWrapped = sandboxedBy."${wrapperType}";
|
||||
in
|
||||
fixupMetaAndPassthru pkgName packageWrapped sandboxProfilesPkg {
|
||||
fixupMetaAndPassthru pkgName packageWrapped (passthru // {
|
||||
# allow the user to build this package, but sandboxed in a different manner.
|
||||
# e.g. `<pkg>.sandboxedBy.inplace`.
|
||||
inherit sandboxedBy;
|
||||
withEmbeddedSandboxer = make-sandboxed (args // { embedSandboxer = true; embedProfile = true; });
|
||||
}
|
||||
withEmbeddedSandboxer = make-sandboxed (args // { embedSandboxer = true; });
|
||||
})
|
||||
;
|
||||
in make-sandboxed
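Review bot: The two arguments added to `make-sandboxed`, `extraSandboxerArgs` and `passthru`, are undocumented and their handling is easy to misread. A comment above the signature should say that `extraSandboxerArgs` is a list of strings that `lib.escapeShellArgs` turns into one escaped string passed to `sandboxBinariesInPlace`. It should also say that `passthru` is merged underneath `sandboxedBy`, `withEmbeddedSandboxer` and `checkSandboxed`, so a caller cannot replace those three. Something like `# extraSandboxerArgs: extra CLI args for the sandbox wrapper (list of strings); escaped here, so pass them unquoted` would do. How `sandboxBinariesInPlace` splices that string into the wrapper is outside the hunks shown, so confirm it lands in a shell context where the quoting from `escapeShellArgs` is honoured.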
|
||||
|
|