programs: sandbox: always specify --sanebox-profile-dir instead of loading from XDG_DATA_DIRS
This commit is contained in:
parent
b649071d98
commit
530664294a
|
@ -150,30 +150,18 @@ let
|
|||
inherit allowedPaths allowedHomePaths allowedRunPaths symlinkCache;
|
||||
};
|
||||
makeSandboxedArgs = {
|
||||
};
|
||||
in
|
||||
makeSandboxed {
|
||||
inherit pkgName package;
|
||||
inherit (sandbox)
|
||||
embedSandboxer
|
||||
wrapperType
|
||||
;
|
||||
};
|
||||
in
|
||||
makeSandboxed (makeSandboxedArgs // {
|
||||
passthru = {
|
||||
inherit sandboxProfiles;
|
||||
withEmbeddedSandboxer = makeSandboxed (makeSandboxedArgs // {
|
||||
# embed the sandboxer AND a profile, whichever profile the package would have if installed by the default user.
|
||||
# useful to iterate a package's sandbox config without redeploying.
|
||||
embedSandboxer = true;
|
||||
extraSandboxerArgs = [
|
||||
"--sanebox-profile-dir" "${sandboxProfiles}/share/sanebox/profiles"
|
||||
];
|
||||
});
|
||||
withEmbeddedSandboxerOnly = makeSandboxed (makeSandboxedArgs // {
|
||||
# embed the sandboxer but no profile. useful pretty much only for testing changes within the actual sandboxer.
|
||||
embedSandboxer = true;
|
||||
});
|
||||
};
|
||||
})
|
||||
extraSandboxerArgs = [
|
||||
"--sanebox-profile-dir" "${sandboxProfiles}/share/sanebox/profiles"
|
||||
];
|
||||
}
|
||||
);
|
||||
pkgSpec = with lib; types.submodule ({ config, name, ... }: {
|
||||
options = {
|
||||
|
@ -567,18 +555,14 @@ let
|
|||
|
||||
# conditionally add to system PATH and env
|
||||
environment = lib.optionalAttrs (p.enabled && p.enableFor.system) {
|
||||
systemPackages = lib.optionals (p.package != null) (
|
||||
[ p.package ] ++ lib.optional (p.sandbox.enable && p.sandbox.method != null) (p.package.passthru.sandboxProfiles)
|
||||
);
|
||||
systemPackages = lib.optionals (p.package != null) [ p.package ];
|
||||
# sessionVariables are set by PAM, as opposed to environment.variables which goes in /etc/profile
|
||||
sessionVariables = p.env;
|
||||
};
|
||||
|
||||
# conditionally add to user(s) PATH
|
||||
users.users = lib.mapAttrs (userName: en: {
|
||||
packages = lib.optionals (p.package != null && en && p.enabled) (
|
||||
[ p.package ] ++ lib.optional (p.sandbox.enable && p.sandbox.method != null) (p.package.passthru.sandboxProfiles)
|
||||
);
|
||||
packages = lib.optionals (p.package != null && en && p.enabled) [ p.package ];
|
||||
}) p.enableFor.user;
|
||||
|
||||
# conditionally persist relevant user dirs and create files
|
||||
|
@ -672,7 +656,6 @@ in
|
|||
in lib.mkMerge [
|
||||
(take (sane-lib.mkTypedMerge take configs))
|
||||
{
|
||||
environment.pathsToLink = [ "/share/sanebox" ];
|
||||
sane.programs.sanebox.enableFor.system = true;
|
||||
# expose the pkgs -- as available to the system -- as a build target.
|
||||
system.build.pkgs = pkgs;
|
||||
|
|
Loading…
Reference in New Issue
Block a user