modules/programs: split "make-sandbox-profile" out of "make-sandboxed"

2024-02-12 11:20:40 +00:00 · 2024-02-12 11:20:40 +00:00 · 7c05d221d6
commit 7c05d221d6
parent 93012664e5
2 changed files with 58 additions and 38 deletions
--- a/modules/programs/make-sandbox-profile.nix
+++ b/modules/programs/make-sandbox-profile.nix
@ -0,0 +1,55 @@
+{ lib
+, writeTextFile }:
+
+{ pkgName
+, method
+, netDev
+, dns
+, allowedHomePaths
+, allowedRootPaths
+, autodetectCliPaths
+, capabilities
+, whitelistPwd
+, extraConfig
+}:
+let
+  allowPath = p: [
+    "--sane-sandbox-path"
+    p
+  ];
+  allowHomePath = p: [
+    "--sane-sandbox-home-path"
+    p
+  ];
+  allowPaths = paths: lib.flatten (builtins.map allowPath paths);
+  allowHomePaths = paths: lib.flatten (builtins.map allowHomePath paths);
+
+  capabilityFlags = lib.flatten (builtins.map (c: [ "--sane-sandbox-cap" c ]) capabilities);
+
+  netItems = lib.optionals (netDev != null) [
+    "--sane-sandbox-net"
+    netDev
+  ] ++ lib.optionals (dns != null) (
+    lib.flatten (builtins.map
+      (addr: [ "--sane-sandbox-dns" addr ])
+      dns
+    )
+  );
+
+  sandboxFlags = [
+    "--sane-sandbox-method" method
+  ]
+    ++ netItems
+    ++ allowPaths allowedRootPaths
+    ++ allowHomePaths allowedHomePaths
+    ++ capabilityFlags
+    ++ lib.optionals (autodetectCliPaths != null) [ "--sane-sandbox-autodetect" autodetectCliPaths ]
+    ++ lib.optionals whitelistPwd [ "--sane-sandbox-add-pwd" ]
+    ++ extraConfig;
+
+in
+  writeTextFile {
+    name = "${pkgName}-sandbox-profiles";
+    destination = "/share/sane-sandboxed/profiles/${pkgName}.profile";
+    text = builtins.concatStringsSep "\n" sandboxFlags;
+  }
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@ -1,5 +1,6 @@
 { lib
 , buildPackages
+, callPackage
 , runCommand
 , runtimeShell
 , sane-sandboxed
@ -240,44 +241,8 @@ let
      sane-sandboxed.meta.mainProgram
    ;

-    allowPath = p: [
-      "--sane-sandbox-path"
-      p
-    ];
-    allowHomePath = p: [
-      "--sane-sandbox-home-path"
-      p
-    ];
-    allowPaths = paths: lib.flatten (builtins.map allowPath paths);
-    allowHomePaths = paths: lib.flatten (builtins.map allowHomePath paths);
-
-    capabilityFlags = lib.flatten (builtins.map (c: [ "--sane-sandbox-cap" c ]) capabilities);
-
-    netItems = lib.optionals (netDev != null) [
-      "--sane-sandbox-net"
-      netDev
-    ] ++ lib.optionals (dns != null) (
-      lib.flatten (builtins.map
-        (addr: [ "--sane-sandbox-dns" addr ])
-        dns
-      )
-    );
-
-    sandboxFlags = [
-      "--sane-sandbox-method" method
-    ]
-      ++ netItems
-      ++ allowPaths allowedRootPaths
-      ++ allowHomePaths allowedHomePaths
-      ++ capabilityFlags
-      ++ lib.optionals (autodetectCliPaths != null) [ "--sane-sandbox-autodetect" autodetectCliPaths ]
-      ++ lib.optionals whitelistPwd [ "--sane-sandbox-add-pwd" ]
-      ++ extraConfig;
-
-    sandboxProfilesPkg = writeTextFile {
-      name = "${pkgName}-sandbox-profiles";
-      destination = "/share/sane-sandboxed/profiles/${pkgName}.profile";
-      text = builtins.concatStringsSep "\n" sandboxFlags;
+    sandboxProfilesPkg = callPackage ./make-sandbox-profile.nix { } {
+      inherit pkgName method netDev dns allowedHomePaths allowedRootPaths autodetectCliPaths capabilities whitelistPwd extraConfig;
    };
    sandboxProfileDir = "${sandboxProfilesPkg}/share/sane-sandboxed/profiles";