wrapper-manager/sandboxing/bubblewrap: fix config

This commit is contained in:
Gabriel Arazas 2024-07-27 11:44:44 +08:00
parent bf51e0dcde
commit 50e7d29620
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
3 changed files with 9 additions and 8 deletions


@ -120,7 +120,7 @@ in
bubblewrapModule = { config, lib, pkgs, name, ... }: bubblewrapModule = { config, lib, pkgs, name, ... }:
let let
submoduleCfg = config; submoduleCfg = config.sandboxing.bubblewrap;
in in
{ {
options.sandboxing.bubblewrap = options.sandboxing.bubblewrap =
@ -151,7 +151,7 @@ in
}; };
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") { config = lib.mkIf (config.sandboxing.variant == "bubblewrap") {
bubblewrap.dbus.filter.extraArgs = sandboxing.bubblewrap.dbus.filter.extraArgs =
let let
makeDbusProxyArgs = address: metadata: makeDbusProxyArgs = address: metadata:
[ address metadata.path ] ++ metadata.extraArgs; [ address metadata.path ] ++ metadata.extraArgs;


@ -121,7 +121,7 @@ in
# TODO: All of the Linux-exclusive flags could be handled by the # TODO: All of the Linux-exclusive flags could be handled by the
# launcher instead. ALSO MODULARIZE THIS CRAP! # launcher instead. ALSO MODULARIZE THIS CRAP!
# Ordering of the arguments here matter(?). # Ordering of the arguments here matter(?).
bubblewrap.extraArgs = sandboxing.bubblewrap.extraArgs =
cfg.extraArgs cfg.extraArgs
++ lib.optionals stdenv.isLinux [ ++ lib.optionals stdenv.isLinux [
"--proc" "/proc" "--proc" "/proc"
@ -138,14 +138,14 @@ in
} }
(lib.mkIf submoduleCfg.enableSharedNixStore { (lib.mkIf submoduleCfg.enableSharedNixStore {
bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ]; sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
}) })
(lib.mkIf submoduleCfg.enableNetwork { (lib.mkIf submoduleCfg.enableNetwork {
# In case isolation is also enabled, we'll have this still # In case isolation is also enabled, we'll have this still
# enabled at least. # enabled at least.
bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ]; sandboxing.bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ];
bubblewrap.binds.ro = [ sandboxing.bubblewrap.binds.ro = [
"/etc/ssh" "/etc/ssh"
"/etc/hosts" "/etc/hosts"
"/etc/resolv.conf" "/etc/resolv.conf"
@ -153,7 +153,8 @@ in
}) })
(lib.mkIf submoduleCfg.enableIsolation { (lib.mkIf submoduleCfg.enableIsolation {
bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ]; sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
})
}) })
]); ]);
}; };
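Review bot: The enableNetwork branch binds the whole `/etc/ssh` directory read-only (the `sandboxing.bubblewrap.binds.ro` list in the `-138,14 +138,14` hunk), which maps the host-key directory into every networked sandbox rather than only the client configuration. bwrap does not elevate privileges, so host private keys, which are normally root-only readable, stay unreadable to an unprivileged sandbox, but the bind is still wider than a client needs; binding `/etc/ssh/ssh_config` and `/etc/ssh/ssh_known_hosts` individually would keep the mount to what name resolution and an SSH client actually read. That hunk's header declares fourteen lines and twelve are visible here, so part of the binds list may be cut from this rendering. The `config = lib.mkIf` block these binds sit in starts outside the hunk.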


@ -77,7 +77,7 @@ in
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; }; options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") { config = lib.mkIf (config.sandboxing.variant == "bubblewrap") {
bubblewrap.extraArgs = sandboxing.bubblewrap.filesystem =
lib.lists.flatten lib.lists.flatten
(lib.mapAttrsToList (lib.mapAttrsToList
(dst: metadata: (dst: metadata: