make-sandboxed: use makeWrapper proper, rather than rolling my own

i can't use the _binary_ wrapper unless i use a fully-qualified path to 'sanebox' or hide it behind something like /usr/bin/env
2024-07-03 17:54:38 +00:00
parent 631c47c9bc
commit 4839a40205
1 changed files with 22 additions and 19 deletions
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@@ -1,14 +1,16 @@
-{ lib
-, stdenv
-, buildPackages
-, file
-, gnugrep
-, runCommandLocal
-, runtimeShell
-, sanebox
-, symlinkJoin
-, writeShellScriptBin
-, writeTextFile
+{
+  lib,
+  stdenv,
+  buildPackages,
+  file,
+  gnugrep,
+  makeWrapper,
+  runCommandLocal,
+  runtimeShell,
+  sanebox,
+  symlinkJoin,
+  writeShellScriptBin,
+  writeTextFile,
 }:
 let
  fakeSaneSandboxed = writeShellScriptBin "sanebox" ''
@@ -42,7 +44,7 @@ let

  # take an existing package, which may have a `bin/` folder as well as `share/` etc,
  # and patch the `bin/` items in-place
-  sandboxBinariesInPlace = sanebox': extraSandboxArgsStr: pkgName: pkg: pkg.overrideAttrs (unwrapped: {
+  sandboxBinariesInPlace = sanebox': extraSandboxArgs: pkgName: pkg: pkg.overrideAttrs (unwrapped: {
    # disable the sandbox and inject a minimal fake sandboxer which understands that flag,
    # in order to support packages which invoke sandboxed apps in their check phase.
    # note that it's not just for packages which invoke their *own* binaries in check phase,
@@ -56,6 +58,7 @@ let
    outputs = lib.remove "lib" (unwrapped.outputs or [ "out" ]);
    nativeBuildInputs = (unwrapped.nativeBuildInputs or []) ++ [
      fakeSaneSandboxed
+      makeWrapper
    ];
    disallowedReferences = (unwrapped.disallowedReferences or []) ++ [
      # the fake sandbox gates itself behind SANEBOX_DISABLE, so if it did end up deployed
@@ -64,6 +67,10 @@ let
    ];

    postFixup = (unwrapped.postFixup or "") + ''
+      assertExecutable() {
+        # my programs refer to sanebox by name, not path, which triggers an over-eager assertion in nixpkgs (so, mask that)
+        :
+      }
      sandboxWrap() {
        local _dir="$1"
        local _name="$2"
@@ -81,9 +88,7 @@ let
        else
          mv "$_dir/$_name" "$_dir/.sandboxed/"
        fi
-        echo '#!${runtimeShell}' > "$_dir/$_name"
-        echo 'exec ${sanebox'}' ${extraSandboxArgsStr} "$_dir/.sandboxed/$_name" '"$@"' >> "$_dir/$_name"
-        chmod +x "$_dir/$_name"
+        makeShellWrapper ${sanebox'} "$_dir/$_name" --inherit-argv0 ${lib.escapeShellArgs (lib.flatten (builtins.map (f: [ "--add-flags" f ]) extraSandboxArgs))} --add-flags "$_dir/.sandboxed/$_name"
      }

      crawlAndWrap() {
@@ -309,8 +314,6 @@ let
      sanebox.meta.mainProgram
    ;

-    extraSandboxerArgsStr = lib.escapeShellArgs extraSandboxerArgs;
-
    # two ways i could wrap a package in a sandbox:
    # 1. package.overrideAttrs, with `postFixup`.
    # 2. pkgs.symlinkJoin, creating an entirely new package which calls into the inner binaries.
@@ -320,14 +323,14 @@ let
    sandboxedBy = {
      inplace = sandboxBinariesInPlace
        sanebox'
-        extraSandboxerArgsStr
+        extraSandboxerArgs
        pkgName
        (makeHookable unsandboxed);

      wrappedDerivation = let
        sandboxedBin = sandboxBinariesInPlace
          sanebox'
-          extraSandboxerArgsStr
+          extraSandboxerArgs
          pkgName
          (symlinkBinaries pkgName unsandboxed);
        sandboxedNonBin = sandboxNonBinaries pkgName unsandboxed sandboxedBin;