From 55eb5fd831f0ea2fffb125b9d51944314e6f07ba Mon Sep 17 00:00:00 2001
From: Gabriel Arazas <foodogsquared@foodogsquared.one>
Date: Tue, 30 Jul 2024 11:52:31 +0800
Subject: [PATCH] wrapper-manager/sandboxing: fix options to be applied
 correctly

Especially for composite values like in lists or attrsets.
---
 modules/wrapper-manager/sandboxing/boxxy.nix  | 19 +++++++----
 .../sandboxing/bubblewrap/filesystem.nix      | 33 +++++++++++--------
 2 files changed, 33 insertions(+), 19 deletions(-)

diff --git a/modules/wrapper-manager/sandboxing/boxxy.nix b/modules/wrapper-manager/sandboxing/boxxy.nix
index abcc0db8..207899ed 100644
--- a/modules/wrapper-manager/sandboxing/boxxy.nix
+++ b/modules/wrapper-manager/sandboxing/boxxy.nix
@@ -40,9 +40,11 @@ let
 
     rules = lib.mkOption {
       type = with lib.types; attrsOf (submodule boxxyRuleModule);
-      default = if isGlobal then { } else cfg.rules;
-      description = ''
+      default = { };
+      description = if isGlobal then ''
         Global set of rules to be applied per-wrapper.
+      '' else ''
+        Set of rules to be applied to the wrapper.
       '';
       example = lib.literalExpression ''
         {
@@ -58,10 +60,12 @@ let
 
     extraArgs = lib.mkOption {
       type = with lib.types; listOf str;
-      description = ''
+      description = if isGlobal then ''
+        Global list of arguments to be appended to each Boxxy-enabled wrappers.
+      '' else ''
         List of arguments to the {program}`boxxy` executable.
       '';
-      default = if isGlobal then [ ] else cfg.extraArgs;
+      default = [ ];
       example = [ "--immutable" "--daemon" ];
     };
   };
@@ -83,8 +87,11 @@ in
           options.sandboxing.boxxy = boxxyModuleFactory { isGlobal = false; };
 
           config = lib.mkIf (config.sandboxing.variant == "boxxy") {
+            sandboxing.boxxy.rules = cfg.rules;
+
             sandboxing.boxxy.extraArgs =
-              lib.mapAttrsToList
+              cfg.extraArgs
+              ++ (lib.mapAttrsToList
                 (_: metadata:
                   let
                     inherit (metadata) source destination mode;
@@ -92,7 +99,7 @@ in
                   if mode != null
                   then "--rule ${source}:${destination}:${mode}"
                   else "--rule ${source}:${destination}")
-                submoduleCfg.rules;
+                submoduleCfg.rules);
 
             arg0 = lib.getExe submoduleCfg.package;
             prependArgs = lib.mkBefore
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
index 9c27a3a9..20a8f1f0 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
@@ -69,8 +69,11 @@ let
 
     sharedNixPaths = lib.mkOption {
       type = with lib.types; listOf package;
-      default = if isGlobal then [ ] else cfg.sharedNixPaths;
-      description = ''
+      default = [ ];
+      description = if isGlobal then ''
+        A global list of store paths to be shared
+        per-Bubblewrap-enabled-wrappers.
+      '' else ''
         A list of store paths to be mounted (as read-only bind-mounts). Note
         that this also includes the listed store objects' dependencies.
       '';
@@ -84,12 +87,12 @@ let
     binds = {
       ro = lib.mkOption {
         type = with lib.types; listOf path;
-        default = if isGlobal then [ ] else cfg.binds.ro;
+        default = [ ];
         description =
           if isGlobal
           then ''
-            Global list of read-only mounts to be given to all Bubblewrap-enabled
-            wrappers.
+            Global list of read-only mounts to be given to all
+            Bubblewrap-enabled wrappers.
           ''
           else ''
             List of read-only mounts to the Bubblewrap environment.
@@ -102,7 +105,7 @@ let
 
       rw = lib.mkOption {
         type = with lib.types; listOf path;
-        default = if isGlobal then [ ] else cfg.binds.rw;
+        default = [ ];
         description =
           if isGlobal
           then ''
@@ -116,7 +119,7 @@ let
 
       dev = lib.mkOption {
         type = with lib.types; listOf path;
-        default = if isGlobal then [ ] else cfg.binds.dev;
+        default = [ ];
         description =
           if isGlobal 
           then ''
@@ -138,7 +141,7 @@ let
           Set of wrapper-specific filesystem configurations in the Bubblewrap
           environment.
         '';
-      default = if isGlobal then { } else cfg.filesystem;
+      default = { };
       example = lib.literalExpression ''
         {
           "/etc/hello" = {
@@ -197,7 +200,6 @@ in
         config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [
           {
             sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths;
-
             sandboxing.bubblewrap.filesystem =
               let
                 makeFilesystemMapping = operation: bind:
@@ -227,11 +229,16 @@ in
               in
               lib.lists.flatten
                 (lib.mapAttrsToList makeFilesystemArgs submoduleCfg.filesystem);
-            }
+          }
 
-            (lib.mkIf submoduleCfg.enableSharedNixStore {
-              sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
-            })
+          {
+            sandboxing.bubblewrap.binds = cfg.binds;
+            sandboxing.bubblewrap.filesystem = cfg.filesystem;
+          }
+
+          (lib.mkIf submoduleCfg.enableSharedNixStore {
+            sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
+          })
         ]);
       };
     in