sanebox: load the link cache from a static /etc path instead of via CLI args
This commit is contained in:
parent
348837ff4a
commit
b4229ecb1e
|
@ -1,6 +1,18 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, lib, pkgs, sane-lib, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.sane.programs;
|
cfg = config.sane.programs;
|
||||||
|
# create an AttrSet[String -> String]
|
||||||
|
# which maps symlink path -> symlink content
|
||||||
|
# for every symlink known to nix
|
||||||
|
fsSymlinksAsAttrs = lib.concatMapAttrs
|
||||||
|
(path: value: lib.optionalAttrs
|
||||||
|
((value.symlink or null) != null)
|
||||||
|
{
|
||||||
|
"${path}" = value.symlink.target;
|
||||||
|
}
|
||||||
|
)
|
||||||
|
config.sane.fs
|
||||||
|
;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sane.programs.sanebox = {
|
sane.programs.sanebox = {
|
||||||
|
@ -16,4 +28,40 @@ in
|
||||||
|
|
||||||
sandbox.enable = false;
|
sandbox.enable = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environment.etc = lib.mkIf cfg.sanebox.enabled {
|
||||||
|
"sanebox/symlink-cache".text = lib.concatStringsSep "\n" (
|
||||||
|
lib.mapAttrsToList
|
||||||
|
(k: v: "${k}\t${v}")
|
||||||
|
({
|
||||||
|
"/bin/sh" = config.environment.binsh;
|
||||||
|
"${builtins.unsafeDiscardStringContext config.environment.binsh}" = "bash";
|
||||||
|
"/usr/bin/env" = config.environment.usrbinenv;
|
||||||
|
"${builtins.unsafeDiscardStringContext config.environment.usrbinenv}" = "coreutils";
|
||||||
|
|
||||||
|
# "/run/current-system" = "${config.system.build.toplevel}";
|
||||||
|
# XXX: /run/current-system symlink can't be cached without forcing regular mass rebuilds:
|
||||||
|
# mount it as if it were a directory instead.
|
||||||
|
"/run/current-system" = "";
|
||||||
|
} // lib.optionalAttrs config.hardware.opengl.enable {
|
||||||
|
"/run/opengl-driver" = let
|
||||||
|
gl = config.hardware.opengl;
|
||||||
|
# from: <repo:nixos/nixpkgs:nixos/modules/hardware/opengl.nix>
|
||||||
|
package = pkgs.buildEnv {
|
||||||
|
name = "opengl-drivers";
|
||||||
|
paths = [ gl.package ] ++ gl.extraPackages;
|
||||||
|
};
|
||||||
|
in "${package}";
|
||||||
|
} // lib.optionalAttrs (config.hardware.opengl.enable && config.hardware.opengl.driSupport32Bit) {
|
||||||
|
"/run/opengl-driver-32" = let
|
||||||
|
gl = config.hardware.opengl;
|
||||||
|
# from: <repo:nixos/nixpkgs:nixos/modules/hardware/opengl.nix>
|
||||||
|
package = pkgs.buildEnv {
|
||||||
|
name = "opengl-drivers-32bit";
|
||||||
|
paths = [ gl.package32 ] ++ gl.extraPackages32;
|
||||||
|
};
|
||||||
|
in "${package}";
|
||||||
|
} // fsSymlinksAsAttrs)
|
||||||
|
);
|
||||||
|
};
|
||||||
}
|
}
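Review bot: The cache format written at `"sanebox/symlink-cache".text` is a bare `"${k}\t${v}"` per line with no escaping, so a symlink path or target that itself contains a tab or newline cannot be parsed unambiguously by the consumer, and `"/run/current-system" = ""` relies on the reader accepting a line that ends in the separator with an empty target. Both constraints deserve a comment next to the `environment.etc` entry, e.g. `# format: one "<symlink>\t<target>" per line; an empty target means "treat as a plain directory"; paths and targets must not contain tabs or newlines`, and a `lib.assertMsg` over the keys and values would turn that assumption into a build-time failure instead of a runtime misparse. Note also that `fsSymlinksAsAttrs` is merged last with `//`, so any `config.sane.fs` symlink whose path collides with one of the hand-written entries (`/bin/sh`, `/run/opengl-driver`, …) silently wins; state that precedence in a comment or reverse the merge order if the hand-written values are meant to be authoritative. `sane-lib` is added to the module arguments but does not appear in either shown hunk; unless the unchanged lines between them use it, it can be dropped.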
|
||||||
|
|
|
@ -43,24 +43,6 @@ let
|
||||||
makeSandboxArgs = pkgs.callPackage ./make-sandbox-args.nix { };
|
makeSandboxArgs = pkgs.callPackage ./make-sandbox-args.nix { };
|
||||||
makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sanebox = config.sane.programs.sanebox.package; };
|
makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sanebox = config.sane.programs.sanebox.package; };
|
||||||
|
|
||||||
# derefSymlinks: [ str ] -> [ str ]: for each path which is a symlink (or a child of a symlink'd dir), dereference one layer of symlink. else, return the path unchanged.
|
|
||||||
derefSymlinks = paths: builtins.map (fs-lib.derefSymlink config.sane.fs) paths;
|
|
||||||
# given some paths, walk all of these and keep only the paths/ancestors which are symlinks
|
|
||||||
keepOnlySymlinks = paths: lib.filter
|
|
||||||
(p: ((config.sane.fs."${builtins.unsafeDiscardStringContext p}" or {}).symlink or null) != null)
|
|
||||||
(lib.concatMap (p: path-lib.walk "/" p) paths)
|
|
||||||
;
|
|
||||||
# expandSymlinksOnce: [ str ] -> [ str ]
|
|
||||||
# dereference all the paths once, union with the original path set, and then filter out everything that's not a symlink.
|
|
||||||
expandSymlinksOnce = paths: keepOnlySymlinks (lib.unique (paths ++ derefSymlinks paths));
|
|
||||||
symlinksClosure = paths: lib.converge expandSymlinksOnce paths;
|
|
||||||
|
|
||||||
# symlinkToAttrs: [ str ] -> Attrs such that `attrs."${symlink}" = symlinkTarget`.
|
|
||||||
symlinksToAttrs = paths: lib.genAttrs
|
|
||||||
paths
|
|
||||||
(p: config.sane.fs."${p}".symlink.target)
|
|
||||||
;
|
|
||||||
|
|
||||||
vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
|
vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
|
||||||
|
|
||||||
allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths;
|
allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths;
|
||||||
|
@ -98,37 +80,6 @@ let
|
||||||
userPathsClosure = lib.flatten (
|
userPathsClosure = lib.flatten (
|
||||||
builtins.map additionalPathsForUser (builtins.attrValues config.users.users)
|
builtins.map additionalPathsForUser (builtins.attrValues config.users.users)
|
||||||
);
|
);
|
||||||
symlinkCache = {
|
|
||||||
"/bin/sh" = config.environment.binsh;
|
|
||||||
"${builtins.unsafeDiscardStringContext config.environment.binsh}" = "bash";
|
|
||||||
"/usr/bin/env" = config.environment.usrbinenv;
|
|
||||||
"${builtins.unsafeDiscardStringContext config.environment.usrbinenv}" = "coreutils";
|
|
||||||
|
|
||||||
# "/run/current-system" = "${config.system.build.toplevel}";
|
|
||||||
# XXX: /run/current-system symlink can't be cached without forcing regular mass rebuilds:
|
|
||||||
# mount it as if it were a directory instead.
|
|
||||||
"/run/current-system" = "";
|
|
||||||
} // lib.optionalAttrs config.hardware.opengl.enable {
|
|
||||||
"/run/opengl-driver" = let
|
|
||||||
gl = config.hardware.opengl;
|
|
||||||
# from: <repo:nixos/nixpkgs:nixos/modules/hardware/opengl.nix>
|
|
||||||
package = pkgs.buildEnv {
|
|
||||||
name = "opengl-drivers";
|
|
||||||
paths = [ gl.package ] ++ gl.extraPackages;
|
|
||||||
};
|
|
||||||
in "${package}";
|
|
||||||
} // lib.optionalAttrs (config.hardware.opengl.enable && config.hardware.opengl.driSupport32Bit) {
|
|
||||||
"/run/opengl-driver-32" = let
|
|
||||||
gl = config.hardware.opengl;
|
|
||||||
# from: <repo:nixos/nixpkgs:nixos/modules/hardware/opengl.nix>
|
|
||||||
package = pkgs.buildEnv {
|
|
||||||
name = "opengl-drivers-32bit";
|
|
||||||
paths = [ gl.package32 ] ++ gl.extraPackages32;
|
|
||||||
};
|
|
||||||
in "${package}";
|
|
||||||
} // (
|
|
||||||
symlinksToAttrs (symlinksClosure (allowedPaths ++ userPathsClosure))
|
|
||||||
);
|
|
||||||
|
|
||||||
sandboxArgs = makeSandboxArgs {
|
sandboxArgs = makeSandboxArgs {
|
||||||
inherit (sandbox)
|
inherit (sandbox)
|
||||||
|
@ -146,7 +97,7 @@ let
|
||||||
vpn.dns
|
vpn.dns
|
||||||
else
|
else
|
||||||
null;
|
null;
|
||||||
inherit allowedPaths allowedHomePaths allowedRunPaths symlinkCache;
|
inherit allowedPaths allowedHomePaths allowedRunPaths;
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
makeSandboxed {
|
makeSandboxed {
|
||||||
|
|
|
@ -804,6 +804,16 @@ noneGetCli() {
|
||||||
|
|
||||||
## ARGUMENT POST-PROCESSING
|
## ARGUMENT POST-PROCESSING
|
||||||
|
|
||||||
|
loadLinkCache() {
|
||||||
|
# readarray -t: reads some file into an array; each line becomes one element
|
||||||
|
readarray -t _linkCacheArray < /etc/sanebox/symlink-cache
|
||||||
|
for link in "${_linkCacheArray[@]}"; do
|
||||||
|
local from="${link%%\t*}"
|
||||||
|
local to="${link##*\t}"
|
||||||
|
linkCache["$from"]="$to"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
### autodetect: if one of the CLI args looks like a path, that could be an input or output file
|
### autodetect: if one of the CLI args looks like a path, that could be an input or output file
|
||||||
# so allow access to it.
|
# so allow access to it.
|
||||||
maybeAutodetectPaths() {
|
maybeAutodetectPaths() {
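Review bot: The tab separator is never matched in `loadLinkCache`: inside a bash pattern `\t` is an escaped literal `t`, so `"${link%%\t*}"` truncates `from` at the first `t` in the line (for a store-path target that is the `t` of `/nix/store/...`) and `"${link##*\t}"` keeps only what follows the last `t`, instead of splitting on the tab the Nix side emits with `"${k}\t${v}"`. Use an ANSI-C quoted tab: `local from="${link%%$'\t'*}"` and `local to="${link##*$'\t'}"`. `readarray -t _linkCacheArray < /etc/sanebox/symlink-cache` fails with a redirection error when the file is absent (a host where `sane.programs.sanebox` is not enabled, or the script run outside NixOS) rather than yielding an empty cache; a guard such as `[ -r /etc/sanebox/symlink-cache ] || return 0`, or at least a comment stating the file is required, would make the new dependency explicit. The loop variable `link` is not declared `local` and leaks into the caller's scope, and `linkCache` is only indexed here, so it presumably relies on a `declare -A linkCache` elsewhere in the script that this hunk does not show.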
|
||||||
|
@ -927,6 +937,7 @@ export SANEBOX_PREPEND="$SANEBOX_PREPEND"
|
||||||
export SANEBOX_APPEND="$SANEBOX_APPEND"
|
export SANEBOX_APPEND="$SANEBOX_APPEND"
|
||||||
|
|
||||||
if [ -z "$isDisable" ]; then
|
if [ -z "$isDisable" ]; then
|
||||||
|
loadLinkCache
|
||||||
# method-specific setup could add additional paths that need binding, so do that before canonicalization
|
# method-specific setup could add additional paths that need binding, so do that before canonicalization
|
||||||
"$method"Setup
|
"$method"Setup
|
||||||
maybeAutodetectPaths
|
maybeAutodetectPaths
|
||||||
|
|