modules/programs: add "unchecked" passthru to aid debugging

2024-01-29 13:36:01 +00:00 · 2024-01-29 13:36:01 +00:00 · 881d2f79ed
commit 881d2f79ed
parent 47abdfb831
1 changed files with 18 additions and 4 deletions
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@ -132,19 +132,33 @@ let
  # TODO: it'd be nice to just symlink these instead, but then we couldn't leverage `disallowedReferences` like this.
  copyNonBinaries = pkgName: package: sandboxedBins: runCommand "${pkgName}-sandboxed-non-binary" {
    disallowedReferences = [ package ];
+    # users can build this one when they get a disallowed references failure
+    passthru.unchecked = (copyNonBinaries pkgName package sandboxedBins).overrideAttrs (_: {
+      disallowedReferences = [];
+    });
  } ''
+    trySubstitute() {
+      _outPath="$1"
+      _pattern="$2"
+      _from=$(printf "$_pattern" "${package}")
+      _to=$(printf "$_pattern" "${sandboxedBins}")
+      printf "applying known substitutions to %s" "$_outPath"
+      # substituteInPlace can fail on symlinks, but frequently that's fine because
+      # the referenced file is already safe, so don't error on failure here.
+      substituteInPlace "$_outPath" \
+        --replace "$_from" "$_to" \
+        || true
+    }
    mkdir "$out"
    if [ -e "${package}/share" ]; then
      cp -R "${package}/share" "$out/"
    fi
    # fixup a few files i understand well enough
    for d in $out/share/applications/*.desktop; do
-      substituteInPlace "$d" \
-        --replace "Exec=${package}/bin/" "Exec=${sandboxedBins}/bin/"
+      trySubstitute "$d" "Exec=%s/bin/"
    done
    for d in $out/share/dbus-1/services/*.service; do
-      substituteInPlace "$d" \
-        --replace "Exec=${package}/bin/" "Exec=${sandboxedBins}/bin/"
+      trySubstitute "$d" "Exec=%s/bin/"
    done
  '';