From 881d2f79edb4b8fbfaedefecdeb17615e1d47f4a Mon Sep 17 00:00:00 2001 From: Colin Date: Mon, 29 Jan 2024 13:36:01 +0000 Subject: [PATCH] modules/programs: add "unchecked" passthru to aid debugging --- modules/programs/make-sandboxed.nix | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/modules/programs/make-sandboxed.nix b/modules/programs/make-sandboxed.nix index c73e772f..e7392ab2 100644 --- a/modules/programs/make-sandboxed.nix +++ b/modules/programs/make-sandboxed.nix @@ -132,19 +132,33 @@ let # TODO: it'd be nice to just symlink these instead, but then we couldn't leverage `disallowedReferences` like this. copyNonBinaries = pkgName: package: sandboxedBins: runCommand "${pkgName}-sandboxed-non-binary" { disallowedReferences = [ package ]; + # users can build this one when they get a disallowed references failure + passthru.unchecked = (copyNonBinaries pkgName package sandboxedBins).overrideAttrs (_: { + disallowedReferences = []; + }); } '' + trySubstitute() { + _outPath="$1" + _pattern="$2" + _from=$(printf "$_pattern" "${package}") + _to=$(printf "$_pattern" "${sandboxedBins}") + printf "applying known substitutions to %s" "$_outPath" + # substituteInPlace can fail on symlinks, but frequently that's fine because + # the referenced file is already safe, so don't error on failure here. + substituteInPlace "$_outPath" \ + --replace "$_from" "$_to" \ + || true + } mkdir "$out" if [ -e "${package}/share" ]; then cp -R "${package}/share" "$out/" fi # fixup a few files i understand well enough for d in $out/share/applications/*.desktop; do - substituteInPlace "$d" \ - --replace "Exec=${package}/bin/" "Exec=${sandboxedBins}/bin/" + trySubstitute "$d" "Exec=%s/bin/" done for d in $out/share/dbus-1/services/*.service; do - substituteInPlace "$d" \ - --replace "Exec=${package}/bin/" "Exec=${sandboxedBins}/bin/" + trySubstitute "$d" "Exec=%s/bin/" done '';