wrapper-manager/sandboxing/bubblewrap: fix escaping arguments and launcher

The makeWrapper arguments are not escaped anymore for the binary wrapper that automatically does this anyways.
2025-01-31 10:58:02 +00:00 · 2024-08-12 15:34:23 +08:00 · 2024-08-12 15:34:23 +08:00 · 11e7d52350
commit 11e7d52350
parent 11e2ae7e33
3 changed files with 6 additions and 6 deletions
--- a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
@ -89,9 +89,9 @@ in
                    if metadata.action == "unset" then
                      "--unsetenv ${var}"
                    else if lib.elem metadata.action [ "prefix" "suffix" ] then
-                      "--setenv ${lib.escapeShellArg var} ${lib.escapeShellArg (lib.concatStringsSep metadata.separator metadata.value)}"
+                      "--setenv ${var} ${lib.concatStringsSep metadata.separator metadata.value}"
                    else
-                      "--setenv ${lib.escapeShellArg var} ${lib.escapeShellArg metadata.value}")
+                      "--setenv ${var} ${metadata.value}")
                  env';
            }
--- a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
@ -219,8 +219,8 @@ in
              let
                makeFilesystemArgs = _: metadata:
                  let
-                    src = lib.escapeShellArg metadata.source;
+                    src = metadata.source;
-                    dst = lib.escapeShellArg metadata.destination;
+                    dst = metadata.destination;
                    hasPermissions = metadata.permissions != null;
                    isValidOperationWithPerms = lib.elem metadata.operation fileOperationsWithPerms;
                  in
@ -246,7 +246,7 @@ in
              let
                closurePaths = getClosurePaths submoduleCfg.sharedNixPaths;
              in
-                builtins.map (p: "--ro-bind ${lib.escapeShellArg p} ${lib.escapeShellArg p}") closurePaths;
+                builtins.map (p: "--ro-bind ${p} ${p}") closurePaths;
          })
        ]);
      };
--- a/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh
@ -51,7 +51,7 @@ case "$(uname)" in
        for sysfs_dir in /sys/{block,bus,class,dev,devices}; do
            if [[ -r "$sysfs_dir" ]] && [[ -x "$sysfs_dir" ]]; then
-                additional_flags+=(--ro-bind "${sysfs_dir}")
+                additional_flags+=(--ro-bind "${sysfs_dir}" "${sysfs_dir}")
            fi
        done
        ;;