56 lines
1.3 KiB
Nix
56 lines
1.3 KiB
Nix
{ lib
|
|
, writeTextFile }:
|
|
|
|
{ pkgName
|
|
, method
|
|
, netDev
|
|
, dns
|
|
, allowedHomePaths
|
|
, allowedRootPaths
|
|
, autodetectCliPaths
|
|
, capabilities
|
|
, whitelistPwd
|
|
, extraConfig
|
|
}:
|
|
let
|
|
allowPath = p: [
|
|
"--sane-sandbox-path"
|
|
p
|
|
];
|
|
allowHomePath = p: [
|
|
"--sane-sandbox-home-path"
|
|
p
|
|
];
|
|
allowPaths = paths: lib.flatten (builtins.map allowPath paths);
|
|
allowHomePaths = paths: lib.flatten (builtins.map allowHomePath paths);
|
|
|
|
capabilityFlags = lib.flatten (builtins.map (c: [ "--sane-sandbox-cap" c ]) capabilities);
|
|
|
|
netItems = lib.optionals (netDev != null) [
|
|
"--sane-sandbox-net"
|
|
netDev
|
|
] ++ lib.optionals (dns != null) (
|
|
lib.flatten (builtins.map
|
|
(addr: [ "--sane-sandbox-dns" addr ])
|
|
dns
|
|
)
|
|
);
|
|
|
|
sandboxFlags = [
|
|
"--sane-sandbox-method" method
|
|
]
|
|
++ netItems
|
|
++ allowPaths allowedRootPaths
|
|
++ allowHomePaths allowedHomePaths
|
|
++ capabilityFlags
|
|
++ lib.optionals (autodetectCliPaths != null) [ "--sane-sandbox-autodetect" autodetectCliPaths ]
|
|
++ lib.optionals whitelistPwd [ "--sane-sandbox-add-pwd" ]
|
|
++ extraConfig;
|
|
|
|
in
|
|
writeTextFile {
|
|
name = "${pkgName}-sandbox-profiles";
|
|
destination = "/share/sane-sandboxed/profiles/${pkgName}.profile";
|
|
text = builtins.concatStringsSep "\n" sandboxFlags;
|
|
}
|