modules/programs: implement embedWrapper option

2024-01-29 09:13:49 +00:00 · 2024-01-29 09:13:49 +00:00 · 7b9795ea3d
commit 7b9795ea3d
parent 5f3e481fe4
2 changed files with 17 additions and 3 deletions
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -43,7 +43,7 @@ let
      in
        makeSandboxed {
          inherit pkgName package;
-          inherit (sandbox) autodetectCliPaths binMap capabilities embedProfile extraConfig method whitelistPwd wrapperType;
+          inherit (sandbox) autodetectCliPaths binMap capabilities embedProfile embedSandboxer extraConfig method whitelistPwd wrapperType;
          vpn = if net == "vpn" then vpn else null;
          allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths;
          allowedRootPaths = [
@ -237,6 +237,14 @@ let
          but it also means you can run the program without installing it: helpful for iteration.
        '';
      };
+      sandbox.embedSandboxer = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          whether the sandboxed application should reference its sandboxer by path or by name.
+          if you're setting this option you probably also want `embedProfile = true`
+        '';
+      };
      sandbox.wrapperType = mkOption {
        type = types.enum [ "inplace" "wrappedDerivation" ];
        default = "inplace";
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@ -34,9 +34,15 @@ let
    runHook postFixup
  '';
 in
-{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? false, binMap ? {}, capabilities ? [], embedProfile ? false, extraConfig ? [], whitelistPwd ? false }:
+{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? false, binMap ? {}, capabilities ? [], embedProfile ? false, embedSandboxer ? false, extraConfig ? [], whitelistPwd ? false }:
 let
-  sane-sandboxed' = sane-sandboxed.meta.mainProgram;  #< load by bin name to reduce rebuilds
+  sane-sandboxed' = if embedSandboxer then
+    # optionally hard-code the sandboxer. this forces rebuilds, but allows deep iteration w/o deploys.
+    lib.getExe sane-sandboxed
+  else
+    #v prefer to load by bin name to reduce rebuilds
+    sane-sandboxed.meta.mainProgram
+  ;

  allowPath = p: [
    "--sane-sandbox-path"