make-sandboxed: use makeWrapper proper, rather than rolling my own

i can't use the _binary_ wrapper unless i use a fully-qualified path to 'sanebox' or hide it behind something like /usr/bin/env
2024-07-03 17:54:38 +00:00
parent 631c47c9bc
commit 4839a40205


@@ -1,14 +1,16 @@
{ lib {
, stdenv lib,
, buildPackages stdenv,
, file buildPackages,
, gnugrep file,
, runCommandLocal gnugrep,
, runtimeShell makeWrapper,
, sanebox runCommandLocal,
, symlinkJoin runtimeShell,
, writeShellScriptBin sanebox,
, writeTextFile symlinkJoin,
writeShellScriptBin,
writeTextFile,
}: }:
let let
fakeSaneSandboxed = writeShellScriptBin "sanebox" '' fakeSaneSandboxed = writeShellScriptBin "sanebox" ''
@@ -42,7 +44,7 @@ let
# take an existing package, which may have a `bin/` folder as well as `share/` etc, # take an existing package, which may have a `bin/` folder as well as `share/` etc,
# and patch the `bin/` items in-place # and patch the `bin/` items in-place
sandboxBinariesInPlace = sanebox': extraSandboxArgsStr: pkgName: pkg: pkg.overrideAttrs (unwrapped: { sandboxBinariesInPlace = sanebox': extraSandboxArgs: pkgName: pkg: pkg.overrideAttrs (unwrapped: {
# disable the sandbox and inject a minimal fake sandboxer which understands that flag, # disable the sandbox and inject a minimal fake sandboxer which understands that flag,
# in order to support packages which invoke sandboxed apps in their check phase. # in order to support packages which invoke sandboxed apps in their check phase.
# note that it's not just for packages which invoke their *own* binaries in check phase, # note that it's not just for packages which invoke their *own* binaries in check phase,
@@ -56,6 +58,7 @@ let
outputs = lib.remove "lib" (unwrapped.outputs or [ "out" ]); outputs = lib.remove "lib" (unwrapped.outputs or [ "out" ]);
nativeBuildInputs = (unwrapped.nativeBuildInputs or []) ++ [ nativeBuildInputs = (unwrapped.nativeBuildInputs or []) ++ [
fakeSaneSandboxed fakeSaneSandboxed
makeWrapper
]; ];
disallowedReferences = (unwrapped.disallowedReferences or []) ++ [ disallowedReferences = (unwrapped.disallowedReferences or []) ++ [
# the fake sandbox gates itself behind SANEBOX_DISABLE, so if it did end up deployed # the fake sandbox gates itself behind SANEBOX_DISABLE, so if it did end up deployed
@@ -64,6 +67,10 @@ let
]; ];
postFixup = (unwrapped.postFixup or "") + '' postFixup = (unwrapped.postFixup or "") + ''
assertExecutable() {
# my programs refer to sanebox by name, not path, which triggers an over-eager assertion in nixpkgs (so, mask that)
:
}
sandboxWrap() { sandboxWrap() {
local _dir="$1" local _dir="$1"
local _name="$2" local _name="$2"
@@ -81,9 +88,7 @@ let
else else
mv "$_dir/$_name" "$_dir/.sandboxed/" mv "$_dir/$_name" "$_dir/.sandboxed/"
fi fi
echo '#!${runtimeShell}' > "$_dir/$_name" makeShellWrapper ${sanebox'} "$_dir/$_name" --inherit-argv0 ${lib.escapeShellArgs (lib.flatten (builtins.map (f: [ "--add-flags" f ]) extraSandboxArgs))} --add-flags "$_dir/.sandboxed/$_name"
echo 'exec ${sanebox'}' ${extraSandboxArgsStr} "$_dir/.sandboxed/$_name" '"$@"' >> "$_dir/$_name"
chmod +x "$_dir/$_name"
} }
crawlAndWrap() { crawlAndWrap() {
@@ -309,8 +314,6 @@ let
sanebox.meta.mainProgram sanebox.meta.mainProgram
; ;
extraSandboxerArgsStr = lib.escapeShellArgs extraSandboxerArgs;
# two ways i could wrap a package in a sandbox: # two ways i could wrap a package in a sandbox:
# 1. package.overrideAttrs, with `postFixup`. # 1. package.overrideAttrs, with `postFixup`.
# 2. pkgs.symlinkJoin, creating an entirely new package which calls into the inner binaries. # 2. pkgs.symlinkJoin, creating an entirely new package which calls into the inner binaries.
@@ -320,14 +323,14 @@ let
sandboxedBy = { sandboxedBy = {
inplace = sandboxBinariesInPlace inplace = sandboxBinariesInPlace
sanebox' sanebox'
extraSandboxerArgsStr extraSandboxerArgs
pkgName pkgName
(makeHookable unsandboxed); (makeHookable unsandboxed);
wrappedDerivation = let wrappedDerivation = let
sandboxedBin = sandboxBinariesInPlace sandboxedBin = sandboxBinariesInPlace
sanebox' sanebox'
extraSandboxerArgsStr extraSandboxerArgs
pkgName pkgName
(symlinkBinaries pkgName unsandboxed); (symlinkBinaries pkgName unsandboxed);
sandboxedNonBin = sandboxNonBinaries pkgName unsandboxed sandboxedBin; sandboxedNonBin = sandboxNonBinaries pkgName unsandboxed sandboxedBin;