programs: sandbox: always specify --sanebox-profile-dir instead of loading from XDG_DATA_DIRS

2024-05-15 08:54:16 +00:00 · 2024-05-15 08:54:16 +00:00 · 530664294a
commit 530664294a
parent b649071d98
1 changed files with 9 additions and 26 deletions
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -150,30 +150,18 @@ let
          inherit allowedPaths allowedHomePaths allowedRunPaths symlinkCache;
        };
        makeSandboxedArgs = {
+        };
+      in
+        makeSandboxed {
          inherit pkgName package;
          inherit (sandbox)
            embedSandboxer
            wrapperType
          ;
-        };
-      in
-        makeSandboxed (makeSandboxedArgs // {
-          passthru = {
-            inherit sandboxProfiles;
-            withEmbeddedSandboxer = makeSandboxed (makeSandboxedArgs // {
-              # embed the sandboxer AND a profile, whichever profile the package would have if installed by the default user.
-              # useful to iterate a package's sandbox config without redeploying.
-              embedSandboxer = true;
-              extraSandboxerArgs = [
-                "--sanebox-profile-dir" "${sandboxProfiles}/share/sanebox/profiles"
-              ];
-            });
-            withEmbeddedSandboxerOnly = makeSandboxed (makeSandboxedArgs // {
-              # embed the sandboxer but no profile. useful pretty much only for testing changes within the actual sandboxer.
-              embedSandboxer = true;
-            });
-          };
-        })
+          extraSandboxerArgs = [
+            "--sanebox-profile-dir" "${sandboxProfiles}/share/sanebox/profiles"
+          ];
+        }
  );
  pkgSpec = with lib; types.submodule ({ config, name, ... }: {
    options = {
@ -567,18 +555,14 @@ let

    # conditionally add to system PATH and env
    environment = lib.optionalAttrs (p.enabled && p.enableFor.system) {
-      systemPackages = lib.optionals (p.package != null) (
-        [ p.package ] ++ lib.optional (p.sandbox.enable && p.sandbox.method != null) (p.package.passthru.sandboxProfiles)
-      );
+      systemPackages = lib.optionals (p.package != null) [ p.package ];
      # sessionVariables are set by PAM, as opposed to environment.variables which goes in /etc/profile
      sessionVariables = p.env;
    };

    # conditionally add to user(s) PATH
    users.users = lib.mapAttrs (userName: en: {
-      packages = lib.optionals (p.package != null && en && p.enabled) (
-        [ p.package ] ++ lib.optional (p.sandbox.enable && p.sandbox.method != null) (p.package.passthru.sandboxProfiles)
-      );
+      packages = lib.optionals (p.package != null && en && p.enabled) [ p.package ];
    }) p.enableFor.user;

    # conditionally persist relevant user dirs and create files
@ -672,7 +656,6 @@ in
    in lib.mkMerge [
      (take (sane-lib.mkTypedMerge take configs))
      {
-        environment.pathsToLink = [ "/share/sanebox" ];
        sane.programs.sanebox.enableFor.system = true;
        # expose the pkgs -- as available to the system -- as a build target.
        system.build.pkgs = pkgs;