Colin
f10f1ee7b1
each subshell causes like 5ms just on my laptop, which really adds up. this implementation still forks internally, but doesn't exec. runtime decreases from 150ms -> 90ms for `time librewolf --sane-sandbox-replace-cli true`
62 lines
1.6 KiB
Nix
62 lines
1.6 KiB
Nix
{ lib, stdenv
|
|
, bash
|
|
, bubblewrap
|
|
, firejail
|
|
, landlock-sandboxer
|
|
, libcap
|
|
, substituteAll
|
|
, profileDir ? "/share/sane-sandboxed/profiles"
|
|
}:
|
|
|
|
let
|
|
sane-sandboxed = substituteAll {
|
|
src = ./sane-sandboxed;
|
|
inherit bash bubblewrap firejail libcap;
|
|
landlockSandboxer = landlock-sandboxer;
|
|
firejailProfileDirs = "/run/current-system/sw/etc/firejail /etc/firejail ${firejail}/etc/firejail";
|
|
};
|
|
self = stdenv.mkDerivation {
|
|
pname = "sane-sandboxed";
|
|
version = "0.1";
|
|
|
|
src = sane-sandboxed;
|
|
dontUnpack = true;
|
|
|
|
buildPhase = ''
|
|
runHook preBuild
|
|
substituteAll "$src" sane-sandboxed \
|
|
--replace '@out@' "$out"
|
|
runHook postBuild
|
|
'';
|
|
|
|
installPhase = ''
|
|
runHook preInstall
|
|
install -d "$out"
|
|
install -d "$out/bin"
|
|
install -m 755 sane-sandboxed $out/bin/sane-sandboxed
|
|
runHook postInstall
|
|
'';
|
|
|
|
passthru = {
|
|
inherit landlock-sandboxer;
|
|
withProfiles = profiles: self.overrideAttrs (base: {
|
|
inherit profiles;
|
|
postInstall = (base.postInstall or "") + ''
|
|
install -d $out/share/sane-sandboxed
|
|
ln -s "${profiles}/${profileDir}" "$out/${profileDir}"
|
|
'';
|
|
});
|
|
};
|
|
|
|
meta = {
|
|
description = ''
|
|
helper program to run some other program in a sandbox.
|
|
factoring this out allows:
|
|
1. to abstract over the particular sandbox implementation (bwrap, firejail, ...).
|
|
2. to modify sandbox settings without forcing a rebuild of the sandboxed package.
|
|
'';
|
|
mainProgram = "sane-sandboxed";
|
|
};
|
|
};
|
|
in self
|