wrapper-manager/sandboxing/bubblewrap: fix config

2025-01-31 04:58:01 +00:00 · 2024-07-27 11:44:44 +08:00 · 2024-07-27 11:44:44 +08:00 · 50e7d29620
commit 50e7d29620
parent bf51e0dcde
3 changed files with 9 additions and 8 deletions
--- a/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
@ -120,7 +120,7 @@ in

      bubblewrapModule = { config, lib, pkgs, name, ... }:
        let
-          submoduleCfg = config;
+          submoduleCfg = config.sandboxing.bubblewrap;
        in
          {
            options.sandboxing.bubblewrap =
@ -151,7 +151,7 @@ in
                  };

                  config = lib.mkIf (config.sandboxing.variant == "bubblewrap") {
-                    bubblewrap.dbus.filter.extraArgs =
+                    sandboxing.bubblewrap.dbus.filter.extraArgs =
                      let
                        makeDbusProxyArgs = address: metadata:
                          [ address metadata.path ] ++ metadata.extraArgs;
--- a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
@ -121,7 +121,7 @@ in
              # TODO: All of the Linux-exclusive flags could be handled by the
              # launcher instead. ALSO MODULARIZE THIS CRAP!
              # Ordering of the arguments here matter(?).
-              bubblewrap.extraArgs =
+              sandboxing.bubblewrap.extraArgs =
                cfg.extraArgs
                ++ lib.optionals stdenv.isLinux [
                  "--proc" "/proc"
@ -138,14 +138,14 @@ in
            }

            (lib.mkIf submoduleCfg.enableSharedNixStore {
-              bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
+              sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
            })

            (lib.mkIf submoduleCfg.enableNetwork {
              # In case isolation is also enabled, we'll have this still
              # enabled at least.
-              bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ];
-              bubblewrap.binds.ro = [
+              sandboxing.bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ];
+              sandboxing.bubblewrap.binds.ro = [
                "/etc/ssh"
                "/etc/hosts"
                "/etc/resolv.conf"
@ -153,7 +153,8 @@ in
            })

            (lib.mkIf submoduleCfg.enableIsolation {
-              bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
+              sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
+            })
            })
          ]);
        };
--- a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
@ -77,7 +77,7 @@ in
        options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };

        config = lib.mkIf (config.sandboxing.variant == "bubblewrap") {
-          bubblewrap.extraArgs =
+          sandboxing.bubblewrap.filesystem =
            lib.lists.flatten
              (lib.mapAttrsToList
                (dst: metadata: