foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-07 06:19:00 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

wrapper-manager/wraparound: migrate namespace from sandboxing

Browse Source 
This is in consideration for other wraparound modules in the future
which does not involve a sandboxing framework or something similar.
This commit is contained in:
Gabriel Arazas 2024-10-01 13:03:23 +08:00
parent dd0e007fc6
commit 9687b886a7
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
12 changed files with 64 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
modules/wrapper-manager/default.nix
View File

@ -6,6 +6,6 @@
./programs/jujutsu.nix
./nixgl.nix
./dconf.nix
./sandboxing
./wraparound
];
}

20
modules/wrapper-manager/sandboxing/boxxy.nix → modules/wrapper-manager/wraparound/boxxy.nix
View File

@ -1,7 +1,7 @@
{ lib, pkgs, config, ... }:
let
cfg = config.sandboxing.boxxy;
cfg = config.wraparound.boxxy;
boxxyRuleModule = { name, lib, ... }: {
options = {
@ -75,25 +75,25 @@ let
};
in
{
options.sandboxing.boxxy = boxxyModuleFactory { isGlobal = true; };
options.wraparound.boxxy = boxxyModuleFactory { isGlobal = true; };
options.wrappers =
let
boxxySandboxModule = { name, lib, config, pkgs, ... }:
let
submoduleCfg = config.sandboxing.boxxy;
submoduleCfg = config.wraparound.boxxy;
in
{
options.sandboxing.variant = lib.mkOption {
options.wraparound.variant = lib.mkOption {
type = with lib.types; nullOr (enum [ "boxxy" ]);
};
options.sandboxing.boxxy = boxxyModuleFactory { isGlobal = false; };
options.wraparound.boxxy = boxxyModuleFactory { isGlobal = false; };
config = lib.mkIf (config.sandboxing.variant == "boxxy") {
sandboxing.boxxy.rules = cfg.rules;
config = lib.mkIf (config.wraparound.variant == "boxxy") {
wraparound.boxxy.rules = cfg.rules;
sandboxing.boxxy.extraArgs =
wraparound.boxxy.extraArgs =
cfg.extraArgs
++ (lib.mapAttrsToList
(_: metadata:
@ -110,8 +110,8 @@ in
arg0 = lib.getExe' submoduleCfg.package "boxxy";
prependArgs = lib.mkBefore
(submoduleCfg.extraArgs
++ [ "--" config.sandboxing.wraparound.arg0 ]
++ config.sandboxing.wraparound.extraArgs);
++ [ "--" config.wraparound.subwrapper.arg0 ]
++ config.wraparound.subwrapper.extraArgs);
};
};
in

14
modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix → modules/wrapper-manager/wraparound/bubblewrap/dbus-filter.nix
View File

@ -4,7 +4,7 @@
{ config, lib, options, pkgs, ... }:
let
cfg = config.sandboxing.bubblewrap;
cfg = config.wraparound.bubblewrap;
dbusFilterType = { lib, ... }:
let
@ -56,7 +56,7 @@ let
};
in
{
options.sandboxing.bubblewrap =
options.wraparound.bubblewrap =
lib.recursiveUpdate
(bubblewrapModuleFactory { isGlobal = true; })
{
@ -126,10 +126,10 @@ in
bubblewrapModule = { config, lib, pkgs, name, ... }:
let
submoduleCfg = config.sandboxing.bubblewrap;
submoduleCfg = config.wraparound.bubblewrap;
in
{
options.sandboxing.bubblewrap =
options.wraparound.bubblewrap =
lib.recursiveUpdate
(bubblewrapModuleFactory { isGlobal = false; })
{
@ -168,15 +168,15 @@ in
};
};
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") {
sandboxing.bubblewrap.dbus.filter.extraArgs =
config = lib.mkIf (config.wraparound.variant == "bubblewrap") {
wraparound.bubblewrap.dbus.filter.extraArgs =
let
makeDbusProxyArgs = address: metadata:
[ address (builtins.toString metadata.path) ] ++ metadata.extraArgs;
in
lib.lists.flatten (lib.mapAttrsToList makeDbusProxyArgs submoduleCfg.dbus.filter.addresses);
sandboxing.bubblewrap.sharedNixPaths = [
wraparound.bubblewrap.sharedNixPaths = [
submoduleCfg.dbus.filter.package
];
};

26
modules/wrapper-manager/sandboxing/bubblewrap/default.nix → modules/wrapper-manager/wraparound/bubblewrap/default.nix
View File

@ -18,7 +18,7 @@
{ config, lib, pkgs, ... }:
let
cfg = config.sandboxing.bubblewrap;
cfg = config.wraparound.bubblewrap;
bubblewrapModuleFactory = { isGlobal ? false }: {
package = lib.mkPackageOption pkgs "bubblewrap" { } // lib.optionalAttrs isGlobal {
@ -63,26 +63,26 @@ in
./filesystem.nix
];
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
options.wraparound.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
options.wrappers =
let
bubblewrapModule = { name, config, lib, ... }:
let
submoduleCfg = config.sandboxing.bubblewrap;
submoduleCfg = config.wraparound.bubblewrap;
env' = lib.filterAttrs (n: _: !(lib.strings.hasPrefix "WRAPPER_MANAGER_BWRAP_LAUNCHER" n)) config.env;
in
{
options.sandboxing.variant = lib.mkOption {
options.wraparound.variant = lib.mkOption {
type = with lib.types; nullOr (enum [ "bubblewrap" ]);
};
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
options.wraparound.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [
config = lib.mkIf (config.wraparound.variant == "bubblewrap") (lib.mkMerge [
{
# Ordering of the arguments here matter(?).
sandboxing.bubblewrap.extraArgs =
wraparound.bubblewrap.extraArgs =
cfg.extraArgs
++ lib.mapAttrsToList
(var: metadata:
@ -98,12 +98,12 @@ in
(lib.mkIf submoduleCfg.enableNetwork {
# In case isolation is also enabled, we'll have this still
# enabled at least.
sandboxing.bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ];
wraparound.bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ];
# The most common network-related files found on most
# distributions. This should be enough in most cases. If not,
# we'll probably let the launcher handle this.
sandboxing.bubblewrap.binds.ro = [
wraparound.bubblewrap.binds.ro = [
"/etc/ssh"
"/etc/ssl"
"/etc/hosts"
@ -112,19 +112,19 @@ in
})
(lib.mkIf submoduleCfg.enableBundledCertificates {
sandboxing.bubblewrap.sharedNixPaths = [ pkgs.cacert ];
wraparound.bubblewrap.sharedNixPaths = [ pkgs.cacert ];
})
(lib.mkIf config.locale.enable {
sandboxing.bubblewrap.sharedNixPaths = [ config.locale.package ];
wraparound.bubblewrap.sharedNixPaths = [ config.locale.package ];
})
(lib.mkIf submoduleCfg.enableIsolation {
sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
wraparound.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
})
(lib.mkIf submoduleCfg.enableEnsureChildDiesWithParent {
sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--die-with-parent" ];
wraparound.bubblewrap.extraArgs = lib.mkBefore [ "--die-with-parent" ];
})
]);
};

28
modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix → modules/wrapper-manager/wraparound/bubblewrap/filesystem.nix
View File

@ -4,7 +4,7 @@
{ config, lib, pkgs, ... }:
let
cfg = config.sandboxing.bubblewrap;
cfg = config.wraparound.bubblewrap;
fileOperationsWithPerms = [
"file" "dir" "remount-ro"
@ -53,7 +53,7 @@ let
description = ''
Specify what filesystem-related operations to be done for the given
filesystem object. Only certain operations accept permissions given
from {option}`sandboxing.bubblewrap.filesystem.<name>.permissions`.
from {option}`wraparound.bubblewrap.filesystem.<name>.permissions`.
'';
default = "ro-bind-try";
example = "bind";
@ -181,24 +181,24 @@ let
lib.lists.filter (p: p != "") (lib.splitString "\n" closurePaths);
in
{
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
options.wraparound.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
options.wrappers =
let
bubblewrapModule = { config, lib, name, ... }: let
submoduleCfg = config.sandboxing.bubblewrap;
submoduleCfg = config.wraparound.bubblewrap;
in {
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
options.wraparound.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [
config = lib.mkIf (config.wraparound.variant == "bubblewrap") (lib.mkMerge [
{
sandboxing.bubblewrap.binds = cfg.binds;
sandboxing.bubblewrap.sharedNixPaths = cfg.sharedNixPaths;
sandboxing.bubblewrap.filesystem = cfg.filesystem;
wraparound.bubblewrap.binds = cfg.binds;
wraparound.bubblewrap.sharedNixPaths = cfg.sharedNixPaths;
wraparound.bubblewrap.filesystem = cfg.filesystem;
}
{
sandboxing.bubblewrap.filesystem =
wraparound.bubblewrap.filesystem =
let
renameNixStorePaths = path:
if lib.isDerivation path then path.pname else path;
@ -215,7 +215,7 @@ in
in
builtins.listToAttrs filesystemMappings;
sandboxing.bubblewrap.extraArgs =
wraparound.bubblewrap.extraArgs =
let
makeFilesystemArgs = _: metadata:
let
@ -238,11 +238,11 @@ in
}
(lib.mkIf submoduleCfg.enableSharedNixStore {
sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
wraparound.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
})
(lib.mkIf (submoduleCfg.sharedNixPaths != [ ]) {
sandboxing.bubblewrap.extraArgs =
wraparound.bubblewrap.extraArgs =
let
closurePaths = getClosurePaths submoduleCfg.sharedNixPaths;
in
@ -250,7 +250,7 @@ in
})
(lib.mkIf submoduleCfg.dbus.enable {
sandboxing.bubblewrap.dbus.filter.bwrapArgs =
wraparound.bubblewrap.dbus.filter.bwrapArgs =
let
closurePaths = getClosurePaths submoduleCfg.sharedNixPaths;
in

28
modules/wrapper-manager/sandboxing/bubblewrap/launcher.nix → modules/wrapper-manager/wraparound/bubblewrap/launcher.nix
View File

@ -6,7 +6,7 @@
{ config, lib, options, pkgs, ... }:
let
cfg = config.sandboxing.bubblewrap.launcher;
cfg = config.wraparound.bubblewrap.launcher;
bubblewrapModuleFactory = { isGlobal ? false }: {
package = lib.mkOption {
@ -31,36 +31,36 @@ let
};
in
{
options.sandboxing.bubblewrap.launcher = bubblewrapModuleFactory { isGlobal = true; };
options.wraparound.bubblewrap.launcher = bubblewrapModuleFactory { isGlobal = true; };
options.wrappers =
let
bubblewrapLauncherSubmodule = { config, lib, name, ... }: let
submoduleCfg = config.sandboxing.bubblewrap.launcher;
submoduleCfg = config.wraparound.bubblewrap.launcher;
envSuffix = word: "WRAPPER_MANAGER_BWRAP_LAUNCHER_${word}";
in {
options.sandboxing.bubblewrap.launcher = bubblewrapModuleFactory { isGlobal = false; };
options.wraparound.bubblewrap.launcher = bubblewrapModuleFactory { isGlobal = false; };
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [
config = lib.mkIf (config.wraparound.variant == "bubblewrap") (lib.mkMerge [
{
arg0 = lib.getExe' submoduleCfg.package "wrapper-manager-bubblewrap-launcher";
prependArgs = lib.mkBefore
(config.sandboxing.bubblewrap.extraArgs
++ [ "--" config.sandboxing.wraparound.arg0 ]
++ config.sandboxing.wraparound.extraArgs);
(config.wraparound.bubblewrap.extraArgs
++ [ "--" config.wraparound.subwrapper.arg0 ]
++ config.wraparound.subwrapper.extraArgs);
env = {
"${envSuffix "BWRAP"}".value = lib.getExe' config.sandboxing.bubblewrap.package "bwrap";
"${envSuffix "BWRAP"}".value = lib.getExe' config.wraparound.bubblewrap.package "bwrap";
# We're just unsetting autoconfigure since we're configuring this
# through the module system anyways and would allow the user to
# have some more control over what can be enabled.
"${envSuffix "AUTOCONFIGURE"}".value = "0";
"${envSuffix "AUTOCONFIGURE"}".value = lib.mkDefault "0";
};
}
(lib.mkIf config.sandboxing.bubblewrap.dbus.enable {
env.${envSuffix "DBUS_PROXY"}.value = lib.getExe' config.sandboxing.bubblewrap.dbus.filter.package "xdg-dbus-proxy";
env.${envSuffix "DBUS_PROXY_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.extraArgs;
env.${envSuffix "DBUS_PROXY_BWRAP_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.bwrapArgs;
(lib.mkIf config.wraparound.bubblewrap.dbus.enable {
env.${envSuffix "DBUS_PROXY"}.value = lib.getExe' config.wraparound.bubblewrap.dbus.filter.package "xdg-dbus-proxy";
env.${envSuffix "DBUS_PROXY_ARGS"}.value = lib.concatStringsSep " " config.wraparound.bubblewrap.dbus.filter.extraArgs;
env.${envSuffix "DBUS_PROXY_BWRAP_ARGS"}.value = lib.concatStringsSep " " config.wraparound.bubblewrap.dbus.filter.bwrapArgs;
})
(lib.mkIf submoduleCfg.integrations.pulseaudio.enable {

0
modules/wrapper-manager/sandboxing/bubblewrap/launcher/CHANGELOG.adoc → modules/wrapper-manager/wraparound/bubblewrap/launcher/CHANGELOG.adoc
View File

0
modules/wrapper-manager/sandboxing/bubblewrap/launcher/LICENSE → modules/wrapper-manager/wraparound/bubblewrap/launcher/LICENSE
View File

0
modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh → modules/wrapper-manager/wraparound/bubblewrap/launcher/app.sh
View File

0
modules/wrapper-manager/sandboxing/bubblewrap/launcher/meson.build → modules/wrapper-manager/wraparound/bubblewrap/launcher/meson.build
View File

0
modules/wrapper-manager/sandboxing/bubblewrap/launcher/package.nix → modules/wrapper-manager/wraparound/bubblewrap/launcher/package.nix
View File

10
modules/wrapper-manager/sandboxing/default.nix → modules/wrapper-manager/wraparound/default.nix
View File

@ -8,19 +8,19 @@
options.wrappers =
let
sandboxingType = { name, lib, config, options, ... }: {
options.sandboxing = {
wraparoundType = { name, lib, config, options, ... }: {
options.wraparound = {
variant = lib.mkOption {
type = with lib.types; nullOr (enum []);
description = ''
The sandboxing framework to be applied to the wrapper. A value of
The wraparound variant to be applied to the wrapper. A value of
`null` will essentially disable it.
'';
default = null;
example = "bubblewrap";
};
wraparound = {
subwrapper = {
arg0 = options.arg0;
extraArgs = options.appendArgs;
};
@ -28,6 +28,6 @@
};
in
lib.mkOption {
type = with lib.types; attrsOf (submodule sandboxingType);
type = with lib.types; attrsOf (submodule wraparoundType);
};
}