modules/programs: implement embedWrapper
option
This commit is contained in:
parent
5f3e481fe4
commit
7b9795ea3d
|
@ -43,7 +43,7 @@ let
|
|||
in
|
||||
makeSandboxed {
|
||||
inherit pkgName package;
|
||||
inherit (sandbox) autodetectCliPaths binMap capabilities embedProfile extraConfig method whitelistPwd wrapperType;
|
||||
inherit (sandbox) autodetectCliPaths binMap capabilities embedProfile embedSandboxer extraConfig method whitelistPwd wrapperType;
|
||||
vpn = if net == "vpn" then vpn else null;
|
||||
allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths;
|
||||
allowedRootPaths = [
|
||||
|
@ -237,6 +237,14 @@ let
|
|||
but it also means you can run the program without installing it: helpful for iteration.
|
||||
'';
|
||||
};
|
||||
sandbox.embedSandboxer = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
whether the sandboxed application should reference its sandboxer by path or by name.
|
||||
if you're setting this option you probably also want `embedProfile = true`
|
||||
'';
|
||||
};
|
||||
sandbox.wrapperType = mkOption {
|
||||
type = types.enum [ "inplace" "wrappedDerivation" ];
|
||||
default = "inplace";
|
||||
|
|
|
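Review bot: The `description` added for `sandbox.embedSandboxer` in this hunk says the sandboxer is referenced "by path or by name" but does not say which boolean value selects which, or what each costs; from the other hunk in this commit (the one changing `sane-sandboxed'`), `true` hard-codes the sandboxer's store path via `lib.getExe`, so every sandboxed package rebuilds when the sandboxer changes, while `false` references it by `meta.mainProgram`, i.e. a bare binary name resolved from the wrapper's runtime PATH. Suggest spelling that out, e.g. `true: embed the sandboxer's store path in the wrapper (rebuilds every sandboxed package when the sandboxer changes); false: reference it by binary name, resolved through PATH at run time.` The commit title says `embedWrapper` while the option declared here is `embedSandboxer`; presumably the title is the one that is stale. The enclosing options attribute set starts and ends outside this hunk.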
@ -34,9 +34,15 @@ let
|
|||
runHook postFixup
|
||||
'';
|
||||
in
|
||||
{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? false, binMap ? {}, capabilities ? [], embedProfile ? false, extraConfig ? [], whitelistPwd ? false }:
|
||||
{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? false, binMap ? {}, capabilities ? [], embedProfile ? false, embedSandboxer ? false, extraConfig ? [], whitelistPwd ? false }:
|
||||
let
|
||||
sane-sandboxed' = sane-sandboxed.meta.mainProgram; #< load by bin name to reduce rebuilds
|
||||
sane-sandboxed' = if embedSandboxer then
|
||||
# optionally hard-code the sandboxer. this forces rebuilds, but allows deep iteration w/o deploys.
|
||||
lib.getExe sane-sandboxed
|
||||
else
|
||||
#v prefer to load by bin name to reduce rebuilds
|
||||
sane-sandboxed.meta.mainProgram
|
||||
;
|
||||
|
||||
allowPath = p: [
|
||||
"--sane-sandbox-path"
|
||||
|
|
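Review bot: The `#v prefer to load by bin name to reduce rebuilds` comment on the new `else` branch should also record the trust consequence of that choice: with `embedSandboxer = false` the wrapper invokes the sandboxer as the bare name `sane-sandboxed.meta.mainProgram`, so which binary actually runs is decided by the PATH of whatever launches the wrapper rather than fixed at build time, whereas the `then` branch pins the exact store path via `lib.getExe`. A comment such as `# by-name lookup: the sandboxer that runs is whichever the launching environment's PATH resolves; embedSandboxer = true pins the store path instead` makes that trade-off visible to whoever later flips the default. It is also worth confirming that `lib` is in scope in this file's argument set, since only `sane-sandboxed` is visibly bound in the hunk. The `let` block this sits in continues past the hunk.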