wrapper-manager/sandboxing/bubblewrap: refactor and update

2025-01-31 04:58:01 +00:00 · 2024-07-29 19:04:45 +08:00 · 2024-07-29 19:04:45 +08:00 · 0d32b27571
commit 0d32b27571
parent 5376666247
3 changed files with 13 additions and 6 deletions
--- a/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
@ -108,7 +108,7 @@ in
          };
        };

-        config.dbus.filter.extraArgs =
+        config.extraArgs =
          let
            makePolicyArgs = dbusName: policyMetadata:
              lib.optionals (policyMetadata.level != null) [ "--${policyMetadata.level}=${dbusName}" ]
--- a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
@ -97,6 +97,10 @@ in
              # In case isolation is also enabled, we'll have this still
              # enabled at least.
              sandboxing.bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ];
+
+              # The most common network-related files found on most
+              # distributions. This should be enough in most cases. If not,
+              # we'll probably let the launcher handle this.
              sandboxing.bubblewrap.binds.ro = [
                "/etc/ssh"
                "/etc/hosts"
--- a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
@ -162,18 +162,19 @@ let
      '';
    };
  };
-in
-{
-  options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };

  # TODO: There has to be a better way to get this info without relying on
  # pkgs.closureInfo builder, right?
-  config.sandboxing.bubblewrap.binds.ro =
+  getClosurePaths = rootpaths:
    let
-      sharedNixPathsClosureInfo = pkgs.closureInfo { rootpaths = cfg.sharedNixPaths; };
+      sharedNixPathsClosureInfo = pkgs.closureInfo { inherit rootpaths; };
      closurePaths = lib.readFile "${sharedNixPathsClosureInfo}/store-paths";
    in
      lib.lists.filter (p: p != "") (lib.splitStrings "\n" closurePaths);
+in
+{
+  options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
+  config.sandboxing.bubblewrap.binds.ro = getClosurePaths cfg.sharedNixPaths;

  config.sandboxing.bubblewrap.filesystem =
    let
@ -195,6 +196,8 @@ in

        config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [
          {
+            sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths;
+
            sandboxing.bubblewrap.filesystem =
              let
                makeFilesystemMapping = operation: bind: