colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

modules/programs: allow using custom mesa cache dirs, when sandboxed

Browse Source
This commit is contained in:
Colin
2024-12-15 23:31:50 +00:00
parent 2130e517fc
commit a0ade73638
2 changed files with 44 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
modules/programs/default.nix
View File

@@ -86,6 +86,7 @@ let
autodetectCliPaths autodetectCliPaths
capabilities capabilities
extraConfig extraConfig
extraEnv
keepIpc keepIpc
keepPids keepPids
tryKeepUsers tryKeepUsers
@@ -528,6 +529,28 @@ let
or `[ "/" ]` to bind all of XDG_RUNTIME_DIR. or `[ "/" ]` to bind all of XDG_RUNTIME_DIR.
''; '';
}; };
sandbox.extraEnv = mkOption {
type = types.attrsOf types.str;
default = {};
description = ''
extra environment variables which should be set when running the program in a sandboxed fashion.
certain expressions are expanded when evaluating the environment, such as:
- `$HOME`
- `$XDG_RUNTIME_DIR`
escape expansion with `$$`
'';
};
sandbox.mesaCacheDir = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
place the mesa cache in a custom directory.
generally, most GUI applications should have their mesa cache directory
persisted to disk to (1) reduce ram consumption and (2) massively improve loading speed.
'';
};
sandbox.extraConfig = mkOption { sandbox.extraConfig = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = [];
@@ -577,6 +600,10 @@ let
sandbox.whitelistDbus = lib.mkIf config.sandbox.whitelistSystemctl [ "system" ]; sandbox.whitelistDbus = lib.mkIf config.sandbox.whitelistSystemctl [ "system" ];
sandbox.extraEnv = lib.optionalAttrs (config.sandbox.mesaCacheDir != null) {
MESA_SHADER_CACHE_DIR = "$HOME/${config.sandbox.mesaCacheDir}";
};
sandbox.extraPaths = sandbox.extraPaths =
lib.optionals config.sandbox.whitelistDri [ lib.optionals config.sandbox.whitelistDri [
# /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary) # /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
@@ -678,6 +705,9 @@ let
# some packages, e.g. swaynotificationcenter, store the config under the binary name instead of the package name # some packages, e.g. swaynotificationcenter, store the config under the binary name instead of the package name
++ lib.optionals (mainProgram != null) (whitelistDir ".config/${mainProgram}") ++ lib.optionals (mainProgram != null) (whitelistDir ".config/${mainProgram}")
++ lib.optionals (mainProgram != null) (whitelistDir ".local/share/${mainProgram}") ++ lib.optionals (mainProgram != null) (whitelistDir ".local/share/${mainProgram}")
++ lib.optionals (config.sandbox.mesaCacheDir != null) [
config.sandbox.mesaCacheDir
]
; ;
}; };
}); });
@@ -720,7 +750,7 @@ let
# conditionally persist relevant user dirs and create files # conditionally persist relevant user dirs and create files
sane.users = lib.mapAttrs (user: en: lib.mkIf (en && p.enabled) { sane.users = lib.mapAttrs (user: en: lib.mkIf (en && p.enabled) {
inherit (p) persist services; inherit (p) services;
environment = lib.mapAttrs (k: v: lib.mkOverride p.mime.priority v) p.env; environment = lib.mapAttrs (k: v: lib.mkOverride p.mime.priority v) p.env;
fs = lib.mkMerge [ fs = lib.mkMerge [
p.fs p.fs
@@ -747,6 +777,14 @@ let
# p.secrets # p.secrets
# ) # )
]; ];
persist = lib.mkMerge [
p.persist
(lib.optionalAttrs (p.sandbox.mesaCacheDir != null) {
# persist the mesa cache to private storage by default;
# but allow the user to override that.
byPath."${p.sandbox.mesaCacheDir}".store = lib.mkDefault "private";
})
];
}) p.enableFor.user; }) p.enableFor.user;
# make secrets available for each user # make secrets available for each user

5
modules/programs/make-sandbox-args.nix
View File

@@ -4,6 +4,7 @@ let
autodetectCliPaths = style: [ "--bunpen-autodetect" style ]; autodetectCliPaths = style: [ "--bunpen-autodetect" style ];
capability = cap: [ "--bunpen-cap" cap ]; capability = cap: [ "--bunpen-cap" cap ];
dns = addr: [ "--bunpen-dns" addr ]; dns = addr: [ "--bunpen-dns" addr ];
env = key: value: [ "--bunpen-env" "${key}=${value}" ];
keepIpc = [ "--bunpen-keep-ipc" ]; keepIpc = [ "--bunpen-keep-ipc" ];
keepPids = [ "--bunpen-keep-pid" ]; keepPids = [ "--bunpen-keep-pid" ];
method = m: assert m == "bunpen"; method = m: assert m == "bunpen";
@@ -45,6 +46,7 @@ in
autodetectCliPaths ? false, autodetectCliPaths ? false,
capabilities ? [], capabilities ? [],
dns ? null, dns ? null,
extraEnv ? {},
keepIpc ? false, keepIpc ? false,
keepPids ? false, keepPids ? false,
tryKeepUsers ? false, tryKeepUsers ? false,
@@ -63,6 +65,8 @@ let
capabilityFlags = lib.flatten (builtins.map gen.capability capabilities); capabilityFlags = lib.flatten (builtins.map gen.capability capabilities);
envArgs = lib.flatten (lib.mapAttrsToList gen.env extraEnv);
netItems = lib.optionals (netDev != null) (gen.netDev netDev) netItems = lib.optionals (netDev != null) (gen.netDev netDev)
++ lib.optionals (netGateway != null) (gen.netGateway netGateway) ++ lib.optionals (netGateway != null) (gen.netGateway netGateway)
++ lib.optionals (dns != null) (lib.flatten (builtins.map gen.dns dns)) ++ lib.optionals (dns != null) (lib.flatten (builtins.map gen.dns dns))
@@ -74,6 +78,7 @@ in
++ allowPaths "unqualified" allowedPaths ++ allowPaths "unqualified" allowedPaths
++ allowPaths "home" allowedHomePaths ++ allowPaths "home" allowedHomePaths
++ allowPaths "run" allowedRunPaths ++ allowPaths "run" allowedRunPaths
++ envArgs
++ capabilityFlags ++ capabilityFlags
++ lib.optionals (autodetectCliPaths != null) (gen.autodetectCliPaths autodetectCliPaths) ++ lib.optionals (autodetectCliPaths != null) (gen.autodetectCliPaths autodetectCliPaths)
++ lib.optionals keepIpc gen.keepIpc ++ lib.optionals keepIpc gen.keepIpc