From 7524d87b49bed749374559329281e0754fe8bf52 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Tue, 6 Aug 2024 11:06:28 +0800
Subject: [PATCH] wrapper-manager/sandboxing/bubblewrap: update closure path mount binds

It could be done by removing the string context but it is more tedious to maintain in the long run so it would be best to have them separate.
---
 .../sandboxing/bubblewrap/filesystem.nix | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
index 8690097a..b952d105 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
@@ -173,12 +173,12 @@ let
 # TODO: There has to be a better way to get this info without relying on
 # pkgs.closureInfo builder, right?
- getClosurePaths = rootpaths:
+ getClosurePaths = rootPaths:
 let
- sharedNixPathsClosureInfo = pkgs.closureInfo { inherit rootpaths; };
+ sharedNixPathsClosureInfo = pkgs.closureInfo { inherit rootPaths; };
 closurePaths = lib.readFile "${sharedNixPathsClosureInfo}/store-paths";
 in
- lib.lists.filter (p: p != "") (lib.splitStrings "\n" closurePaths);
+ lib.lists.filter (p: p != "") (lib.splitString "\n" closurePaths);
 in
 {
 options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
@@ -198,7 +198,6 @@ in
 }
 {
- sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths;
 sandboxing.bubblewrap.filesystem =
 let
 renameNixStorePaths = path:
@@ -241,6 +240,14 @@ in
 (lib.mkIf submoduleCfg.enableSharedNixStore {
 sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
 })
+
+ (lib.mkIf (submoduleCfg.sharedNixPaths != [ ]) {
+ sandboxing.bubblewrap.extraArgs =
+ let
+ closurePaths = getClosurePaths submoduleCfg.sharedNixPaths;
+ in
+ builtins.map (p: "--ro-bind ${lib.escapeShellArg p} ${lib.escapeShellArg p}") closurePaths;
+ })
 ]);
 };
 in
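Review bot: Each element produced by the added `builtins.map` packs `--ro-bind` and both already shell-escaped paths into a single string, so the result is only correct if `extraArgs` is later spliced into the bwrap command line verbatim; if the consumer quotes each element again (for example with `lib.escapeShellArgs`), bwrap receives one malformed argument and the read-only bind for that closure path is not applied. How `extraArgs` is rendered is not visible in this hunk, so this is inferred; emitting separate list elements, `lib.concatMap (p: [ "--ro-bind" p p ]) closurePaths;`, is correct under per-element quoting, while the current form should at least carry a comment pinning the assumption, e.g. `# extraArgs is joined into the command line unquoted, hence the per-path escaping.`. The reason for bypassing `binds.ro` here (the string context attached to paths read from closureInfo, per the commit message) also deserves a one-line comment above the new `lib.mkIf`, since the sibling `enableSharedNixStore` branch directly above still uses `binds.ro` and a reader will otherwise see the two as inconsistent. The enclosing list of `lib.mkIf` entries starts outside the hunk.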