colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

programs: sandboxing: link /etc into sandboxed programs

Browse Source 
this is crucial for e.g. swaync, to find its resource files.
maybe a good idea to link *every* package directory which i also link
into /run/current-system.
This commit is contained in:
Colin
2024-02-27 22:25:17 +00:00
parent 7fb7f72bc0
commit 8f424dcd5a
3 changed files with 13 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
modules/programs/make-sandboxed.nix
View File

@@ -218,10 +218,15 @@ let
sandboxedWithoutFixedRefs = (runCommand "${pkgName}-sandboxed-non-binary" {} ''
set -e
mkdir "$out"
if [ -e "${unsandboxed}/share" ]; then
mkdir "$out/share"
${buildPackages.xorg.lndir}/bin/lndir "${unsandboxed}/share" "$out/share"
fi
# link in a limited subset of the directories.
# lib/ is the primary one to avoid, because of shared objects that would be unsandboxed if dlopen'd.
# all other directories are safe-ish, because they won't end up on PATH or LDPATH.
for dir in etc share; do
if [ -e "${unsandboxed}/$dir" ]; then
mkdir "$out/$dir"
${buildPackages.xorg.lndir}/bin/lndir "${unsandboxed}/$dir" "$out/$dir"
fi
done
runHook postInstall
'').overrideAttrs (_: {
# specifically for meta.priority, though it shouldn't actually matter here.