wrapper-manager/sandboxing: fix options to be applied correctly

Especially for composite values such as lists or attrsets.
Gabriel Arazas 2024-07-30 11:52:31 +08:00
parent c03acceac7
commit 55eb5fd831
GPG Key ID: 62104B43D00AA360
2 changed files with 33 additions and 19 deletions


@ -40,9 +40,11 @@ let
rules = lib.mkOption { rules = lib.mkOption {
type = with lib.types; attrsOf (submodule boxxyRuleModule); type = with lib.types; attrsOf (submodule boxxyRuleModule);
default = if isGlobal then { } else cfg.rules; default = { };
description = '' description = if isGlobal then ''
Global set of rules to be applied per-wrapper. Global set of rules to be applied per-wrapper.
'' else ''
Set of rules to be applied to the wrapper.
''; '';
example = lib.literalExpression '' example = lib.literalExpression ''
{ {
@ -58,10 +60,12 @@ let
extraArgs = lib.mkOption { extraArgs = lib.mkOption {
type = with lib.types; listOf str; type = with lib.types; listOf str;
description = '' description = if isGlobal then ''
Global list of arguments to be appended to each Boxxy-enabled wrappers.
'' else ''
List of arguments to the {program}`boxxy` executable. List of arguments to the {program}`boxxy` executable.
''; '';
default = if isGlobal then [ ] else cfg.extraArgs; default = [ ];
example = [ "--immutable" "--daemon" ]; example = [ "--immutable" "--daemon" ];
}; };
}; };
@ -83,8 +87,11 @@ in
options.sandboxing.boxxy = boxxyModuleFactory { isGlobal = false; }; options.sandboxing.boxxy = boxxyModuleFactory { isGlobal = false; };
config = lib.mkIf (config.sandboxing.variant == "boxxy") { config = lib.mkIf (config.sandboxing.variant == "boxxy") {
sandboxing.boxxy.rules = cfg.rules;
sandboxing.boxxy.extraArgs = sandboxing.boxxy.extraArgs =
lib.mapAttrsToList cfg.extraArgs
++ (lib.mapAttrsToList
(_: metadata: (_: metadata:
let let
inherit (metadata) source destination mode; inherit (metadata) source destination mode;
@ -92,7 +99,7 @@ in
if mode != null if mode != null
then "--rule ${source}:${destination}:${mode}" then "--rule ${source}:${destination}:${mode}"
else "--rule ${source}:${destination}") else "--rule ${source}:${destination}")
submoduleCfg.rules; submoduleCfg.rules);
arg0 = lib.getExe submoduleCfg.package; arg0 = lib.getExe submoduleCfg.package;
prependArgs = lib.mkBefore prependArgs = lib.mkBefore
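Review bot: The new `sandboxing.boxxy.rules = cfg.rules;` in the third hunk merges the global rule set into every wrapper's `rules` at normal definition priority, so a wrapper that defines a rule under the same name as a global one will, as far as I can tell from the module semantics of `attrsOf (submodule ...)`, get a multiple-definition conflict on the rule's fields rather than an override, and neither description in the first hunk says so. I would extend the per-wrapper `rules` description with `Global rules (sandboxing.boxxy.rules) are merged into this set at the same priority; use lib.mkForce to replace a same-named global rule.`. The new global `extraArgs` description says the arguments are "appended", but `cfg.extraArgs ++ (...)` places them before the generated `--rule` arguments and the module system decides the order relative to wrapper-specific definitions, so the relative position of global and per-wrapper flags is not guaranteed; either word it as "added" or pin the order with `lib.mkBefore`/`lib.mkAfter` where a flag's position matters. The enclosing `config` attrset continues past the end of the hunk.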


@ -69,8 +69,11 @@ let
sharedNixPaths = lib.mkOption { sharedNixPaths = lib.mkOption {
type = with lib.types; listOf package; type = with lib.types; listOf package;
default = if isGlobal then [ ] else cfg.sharedNixPaths; default = [ ];
description = '' description = if isGlobal then ''
A global list of store paths to be shared
per-Bubblewrap-enabled-wrappers.
'' else ''
A list of store paths to be mounted (as read-only bind-mounts). Note A list of store paths to be mounted (as read-only bind-mounts). Note
that this also includes the listed store objects' dependencies. that this also includes the listed store objects' dependencies.
''; '';
@ -84,12 +87,12 @@ let
binds = { binds = {
ro = lib.mkOption { ro = lib.mkOption {
type = with lib.types; listOf path; type = with lib.types; listOf path;
default = if isGlobal then [ ] else cfg.binds.ro; default = [ ];
description = description =
if isGlobal if isGlobal
then '' then ''
Global list of read-only mounts to be given to all Bubblewrap-enabled Global list of read-only mounts to be given to all
wrappers. Bubblewrap-enabled wrappers.
'' ''
else '' else ''
List of read-only mounts to the Bubblewrap environment. List of read-only mounts to the Bubblewrap environment.
@ -102,7 +105,7 @@ let
rw = lib.mkOption { rw = lib.mkOption {
type = with lib.types; listOf path; type = with lib.types; listOf path;
default = if isGlobal then [ ] else cfg.binds.rw; default = [ ];
description = description =
if isGlobal if isGlobal
then '' then ''
@ -116,7 +119,7 @@ let
dev = lib.mkOption { dev = lib.mkOption {
type = with lib.types; listOf path; type = with lib.types; listOf path;
default = if isGlobal then [ ] else cfg.binds.dev; default = [ ];
description = description =
if isGlobal if isGlobal
then '' then ''
@ -138,7 +141,7 @@ let
Set of wrapper-specific filesystem configurations in the Bubblewrap Set of wrapper-specific filesystem configurations in the Bubblewrap
environment. environment.
''; '';
default = if isGlobal then { } else cfg.filesystem; default = { };
example = lib.literalExpression '' example = lib.literalExpression ''
{ {
"/etc/hello" = { "/etc/hello" = {
@ -197,7 +200,6 @@ in
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [ config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [
{ {
sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths; sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths;
sandboxing.bubblewrap.filesystem = sandboxing.bubblewrap.filesystem =
let let
makeFilesystemMapping = operation: bind: makeFilesystemMapping = operation: bind:
@ -229,6 +231,11 @@ in
(lib.mapAttrsToList makeFilesystemArgs submoduleCfg.filesystem); (lib.mapAttrsToList makeFilesystemArgs submoduleCfg.filesystem);
} }
{
sandboxing.bubblewrap.binds = cfg.binds;
sandboxing.bubblewrap.filesystem = cfg.filesystem;
}
(lib.mkIf submoduleCfg.enableSharedNixStore { (lib.mkIf submoduleCfg.enableSharedNixStore {
sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ]; sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
}) })
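Review bot: The new merge entry that sets `sandboxing.bubblewrap.binds = cfg.binds;` and `sandboxing.bubblewrap.filesystem = cfg.filesystem;` does not propagate `sharedNixPaths`, while the first hunk of this file changed that option's default from `cfg.sharedNixPaths` to `[ ]`, so globally declared shared store paths no longer appear to reach any wrapper unless a part of the diff outside this view handles it. In the `-197,7 +200,6` hunk the line `sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths;` is shown on one side only and the line counts suggest it was removed, which would also leave wrapper-specific `sharedNixPaths` unmounted and make the option a silent no-op; if that line was only moved, disregard this part. I would add `sandboxing.bubblewrap.sharedNixPaths = cfg.sharedNixPaths;` to the new block and keep the closure-based `binds.ro` definition. The `mkMerge` list runs past the end of the hunk, and this hunk itself may be cut off at the end of the page.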