wrapper-manager/sandboxing/bubblewrap: refactor and update

modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix

@@ -108,7 +108,7 @@ in
           };
         };
 
-        config.dbus.filter.extraArgs =
+        config.extraArgs =
           let
             makePolicyArgs = dbusName: policyMetadata:
               lib.optionals (policyMetadata.level != null) [ "--${policyMetadata.level}=${dbusName}" ]

modules/wrapper-manager/sandboxing/bubblewrap/default.nix

@@ -97,6 +97,10 @@ in
               # In case isolation is also enabled, we'll have this still
               # enabled at least.
               sandboxing.bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ];
+
+              # The most common network-related files found on most
+              # distributions. This should be enough in most cases. If not,
+              # we'll probably let the launcher handle this.
               sandboxing.bubblewrap.binds.ro = [
                 "/etc/ssh"
                 "/etc/hosts"

modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix

@@ -162,18 +162,19 @@ let
       '';
     };
   };
-in
-{
-  options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
 
   # TODO: There has to be a better way to get this info without relying on
   # pkgs.closureInfo builder, right?
-  config.sandboxing.bubblewrap.binds.ro =
+  getClosurePaths = rootpaths:
     let
-      sharedNixPathsClosureInfo = pkgs.closureInfo { rootpaths = cfg.sharedNixPaths; };
+      sharedNixPathsClosureInfo = pkgs.closureInfo { inherit rootpaths; };
       closurePaths = lib.readFile "${sharedNixPathsClosureInfo}/store-paths";
     in
       lib.lists.filter (p: p != "") (lib.splitStrings "\n" closurePaths);
+in
+{
+  options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
+  config.sandboxing.bubblewrap.binds.ro = getClosurePaths cfg.sharedNixPaths;
 
   config.sandboxing.bubblewrap.filesystem =
     let
@@ -195,6 +196,8 @@ in
 
         config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [
           {
+            sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths;
+
             sandboxing.bubblewrap.filesystem =
               let
                 makeFilesystemMapping = operation: bind: