modules/programs: simplify how sandbox profiles make it into system packages
This commit is contained in:
parent
c424f7ac3b
commit
93012664e5
|
@ -430,20 +430,21 @@ let
|
||||||
system.checks = lib.optionals (p.enabled && p.sandbox.enable && p.sandbox.method != null && p.package != null) [
|
system.checks = lib.optionals (p.enabled && p.sandbox.enable && p.sandbox.method != null && p.package != null) [
|
||||||
p.package.passthru.checkSandboxed
|
p.package.passthru.checkSandboxed
|
||||||
];
|
];
|
||||||
sane.sandboxProfiles = lib.optionals (p.enabled && p.sandbox.enable && p.sandbox.method != null && p.package != null) [
|
|
||||||
p.package.passthru.sandboxProfiles
|
|
||||||
];
|
|
||||||
|
|
||||||
# conditionally add to system PATH and env
|
# conditionally add to system PATH and env
|
||||||
environment = lib.optionalAttrs (p.enabled && p.enableFor.system) {
|
environment = lib.optionalAttrs (p.enabled && p.enableFor.system) {
|
||||||
systemPackages = lib.optional (p.package != null) p.package;
|
systemPackages = lib.optionals (p.package != null) (
|
||||||
|
[ p.package ] ++ lib.optional (p.sandbox.enable && p.sandbox.method != null) p.package.passthru.sandboxProfiles
|
||||||
|
);
|
||||||
# sessionVariables are set by PAM, as opposed to environment.variables which goes in /etc/profile
|
# sessionVariables are set by PAM, as opposed to environment.variables which goes in /etc/profile
|
||||||
sessionVariables = p.env;
|
sessionVariables = p.env;
|
||||||
};
|
};
|
||||||
|
|
||||||
# conditionally add to user(s) PATH
|
# conditionally add to user(s) PATH
|
||||||
users.users = lib.mapAttrs (user: en: {
|
users.users = lib.mapAttrs (user: en: {
|
||||||
packages = lib.optional (p.package != null && en && p.enabled) p.package;
|
packages = lib.optionals (p.package != null && en && p.enabled) (
|
||||||
|
[ p.package ] ++ lib.optional (p.sandbox.enable && p.sandbox.method != null) p.package.passthru.sandboxProfiles
|
||||||
|
);
|
||||||
}) p.enableFor.user;
|
}) p.enableFor.user;
|
||||||
|
|
||||||
# conditionally persist relevant user dirs and create files
|
# conditionally persist relevant user dirs and create files
|
||||||
|
@ -529,14 +530,6 @@ in
|
||||||
exposed to facilitate debugging, e.g. `nix build '.#hostConfigs.desko.sane.sandboxHelper'`
|
exposed to facilitate debugging, e.g. `nix build '.#hostConfigs.desko.sane.sandboxHelper'`
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
sane.sandboxProfiles = mkOption {
|
|
||||||
type = types.listOf types.package;
|
|
||||||
default = [];
|
|
||||||
description = ''
|
|
||||||
packages with /share/sane-sandbox profiles indicating how to sandbox their associated package.
|
|
||||||
this is mostly an internal implementation detail.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
sane.strictSandboxing = mkOption {
|
sane.strictSandboxing = mkOption {
|
||||||
type = types.enum [ false "warn" "assert" ];
|
type = types.enum [ false "warn" "assert" ];
|
||||||
default = "warn";
|
default = "warn";
|
||||||
|
@ -553,7 +546,6 @@ in
|
||||||
environment.systemPackages = f.environment.systemPackages;
|
environment.systemPackages = f.environment.systemPackages;
|
||||||
environment.sessionVariables = f.environment.sessionVariables;
|
environment.sessionVariables = f.environment.sessionVariables;
|
||||||
users.users = f.users.users;
|
users.users = f.users.users;
|
||||||
sane.sandboxProfiles = f.sane.sandboxProfiles;
|
|
||||||
sane.users = f.sane.users;
|
sane.users = f.sane.users;
|
||||||
sops.secrets = f.sops.secrets;
|
sops.secrets = f.sops.secrets;
|
||||||
system.checks = f.system.checks;
|
system.checks = f.system.checks;
|
||||||
|
@ -563,13 +555,7 @@ in
|
||||||
(take (sane-lib.mkTypedMerge take configs))
|
(take (sane-lib.mkTypedMerge take configs))
|
||||||
{
|
{
|
||||||
environment.pathsToLink = [ "/share/sane-sandboxed" ];
|
environment.pathsToLink = [ "/share/sane-sandboxed" ];
|
||||||
environment.systemPackages = [(
|
environment.systemPackages = [ config.sane.sandboxHelper ];
|
||||||
config.sane.sandboxHelper.withProfiles
|
|
||||||
(pkgs.symlinkJoin {
|
|
||||||
name = "sane-sandbox-profiles";
|
|
||||||
paths = config.sane.sandboxProfiles;
|
|
||||||
})
|
|
||||||
)];
|
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
# expose the pkgs -- as available to the system -- as a build target.
|
# expose the pkgs -- as available to the system -- as a build target.
|
||||||
|
|
Loading…
Reference in New Issue
Block a user