diff --git a/modules/wrapper-manager/default.nix b/modules/wrapper-manager/default.nix
index 1f722aa9..39700504 100644
--- a/modules/wrapper-manager/default.nix
+++ b/modules/wrapper-manager/default.nix
@@ -6,6 +6,6 @@
     ./programs/jujutsu.nix
     ./nixgl.nix
     ./dconf.nix
-    ./sandboxing
+    ./wraparound
   ];
 }
diff --git a/modules/wrapper-manager/sandboxing/boxxy.nix b/modules/wrapper-manager/wraparound/boxxy.nix
similarity index 85%
rename from modules/wrapper-manager/sandboxing/boxxy.nix
rename to modules/wrapper-manager/wraparound/boxxy.nix
index 337ae69a..6f9a322d 100644
--- a/modules/wrapper-manager/sandboxing/boxxy.nix
+++ b/modules/wrapper-manager/wraparound/boxxy.nix
@@ -1,7 +1,7 @@
 { lib, pkgs, config, ... }:
 let
-  cfg = config.sandboxing.boxxy;
+  cfg = config.wraparound.boxxy;
   boxxyRuleModule = { name, lib, ... }: {
     options = {
@@ -75,25 +75,25 @@ let
   };
 in
 {
-  options.sandboxing.boxxy = boxxyModuleFactory { isGlobal = true; };
+  options.wraparound.boxxy = boxxyModuleFactory { isGlobal = true; };
   options.wrappers =
     let
       boxxySandboxModule = { name, lib, config, pkgs, ... }:
         let
-          submoduleCfg = config.sandboxing.boxxy;
+          submoduleCfg = config.wraparound.boxxy;
         in
         {
-          options.sandboxing.variant = lib.mkOption {
+          options.wraparound.variant = lib.mkOption {
             type = with lib.types; nullOr (enum [ "boxxy" ]);
           };
-          options.sandboxing.boxxy = boxxyModuleFactory { isGlobal = false; };
+          options.wraparound.boxxy = boxxyModuleFactory { isGlobal = false; };
-          config = lib.mkIf (config.sandboxing.variant == "boxxy") {
-            sandboxing.boxxy.rules = cfg.rules;
+          config = lib.mkIf (config.wraparound.variant == "boxxy") {
+            wraparound.boxxy.rules = cfg.rules;
-            sandboxing.boxxy.extraArgs =
+            wraparound.boxxy.extraArgs =
               cfg.extraArgs ++ (lib.mapAttrsToList (_: metadata:
@@ -110,8 +110,8 @@ in
           arg0 = lib.getExe' submoduleCfg.package "boxxy";
           prependArgs = lib.mkBefore
             (submoduleCfg.extraArgs
-            ++ [ "--" config.sandboxing.wraparound.arg0 ]
-            ++ config.sandboxing.wraparound.extraArgs);
+            ++ [ "--" config.wraparound.subwrapper.arg0 ]
+            ++ config.wraparound.subwrapper.extraArgs);
         };
       };
     in
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix b/modules/wrapper-manager/wraparound/bubblewrap/dbus-filter.nix
similarity index 94%
rename from modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
rename to modules/wrapper-manager/wraparound/bubblewrap/dbus-filter.nix
index 8ca74e60..f070ef9c 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
+++ b/modules/wrapper-manager/wraparound/bubblewrap/dbus-filter.nix
@@ -4,7 +4,7 @@
 { config, lib, options, pkgs, ... }:
 let
-  cfg = config.sandboxing.bubblewrap;
+  cfg = config.wraparound.bubblewrap;
   dbusFilterType = { lib, ... }:
     let
@@ -56,7 +56,7 @@ let
   };
 in
 {
-  options.sandboxing.bubblewrap =
+  options.wraparound.bubblewrap =
     lib.recursiveUpdate
       (bubblewrapModuleFactory { isGlobal = true; })
       {
@@ -126,10 +126,10 @@ in
       bubblewrapModule = { config, lib, pkgs, name, ... }:
         let
-          submoduleCfg = config.sandboxing.bubblewrap;
+          submoduleCfg = config.wraparound.bubblewrap;
         in
         {
-          options.sandboxing.bubblewrap =
+          options.wraparound.bubblewrap =
             lib.recursiveUpdate
               (bubblewrapModuleFactory { isGlobal = false; })
               {
@@ -168,15 +168,15 @@ in
         };
       };
-          config = lib.mkIf (config.sandboxing.variant == "bubblewrap") {
-            sandboxing.bubblewrap.dbus.filter.extraArgs =
+          config = lib.mkIf (config.wraparound.variant == "bubblewrap") {
+            wraparound.bubblewrap.dbus.filter.extraArgs =
               let
                 makeDbusProxyArgs = address: metadata: [ address (builtins.toString metadata.path) ] ++ metadata.extraArgs;
               in
               lib.lists.flatten (lib.mapAttrsToList makeDbusProxyArgs submoduleCfg.dbus.filter.addresses);
-            sandboxing.bubblewrap.sharedNixPaths = [
+            wraparound.bubblewrap.sharedNixPaths = [
              submoduleCfg.dbus.filter.package
            ];
          };
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix b/modules/wrapper-manager/wraparound/bubblewrap/default.nix
similarity index 84%
rename from modules/wrapper-manager/sandboxing/bubblewrap/default.nix
rename to modules/wrapper-manager/wraparound/bubblewrap/default.nix
index 82aaf26d..b8b6da1a 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/default.nix
+++ b/modules/wrapper-manager/wraparound/bubblewrap/default.nix
@@ -18,7 +18,7 @@
 { config, lib, pkgs, ... }:
 let
-  cfg = config.sandboxing.bubblewrap;
+  cfg = config.wraparound.bubblewrap;
   bubblewrapModuleFactory = { isGlobal ? false }: {
     package = lib.mkPackageOption pkgs "bubblewrap" { } // lib.optionalAttrs isGlobal {
@@ -63,26 +63,26 @@ in
     ./filesystem.nix
   ];
-  options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
+  options.wraparound.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
   options.wrappers =
     let
       bubblewrapModule = { name, config, lib, ... }:
         let
-          submoduleCfg = config.sandboxing.bubblewrap;
+          submoduleCfg = config.wraparound.bubblewrap;
           env' = lib.filterAttrs (n: _: !(lib.strings.hasPrefix "WRAPPER_MANAGER_BWRAP_LAUNCHER" n)) config.env;
         in
         {
-          options.sandboxing.variant = lib.mkOption {
+          options.wraparound.variant = lib.mkOption {
             type = with lib.types; nullOr (enum [ "bubblewrap" ]);
           };
-          options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
+          options.wraparound.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
-          config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [
+          config = lib.mkIf (config.wraparound.variant == "bubblewrap") (lib.mkMerge [
             {
               # Ordering of the arguments here matter(?).
-              sandboxing.bubblewrap.extraArgs =
+              wraparound.bubblewrap.extraArgs =
                 cfg.extraArgs ++ lib.mapAttrsToList (var: metadata:
@@ -98,12 +98,12 @@ in
             (lib.mkIf submoduleCfg.enableNetwork {
               # In case isolation is also enabled, we'll have this still
               # enabled at least.
-              sandboxing.bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ];
+              wraparound.bubblewrap.extraArgs = lib.mkAfter [ "--share-net" ];
               # The most common network-related files found on most
               # distributions. This should be enough in most cases. If not,
               # we'll probably let the launcher handle this.
-              sandboxing.bubblewrap.binds.ro = [
+              wraparound.bubblewrap.binds.ro = [
                 "/etc/ssh"
                 "/etc/ssl"
                 "/etc/hosts"
@@ -112,19 +112,19 @@ in
             })
             (lib.mkIf submoduleCfg.enableBundledCertificates {
-              sandboxing.bubblewrap.sharedNixPaths = [ pkgs.cacert ];
+              wraparound.bubblewrap.sharedNixPaths = [ pkgs.cacert ];
             })
             (lib.mkIf config.locale.enable {
-              sandboxing.bubblewrap.sharedNixPaths = [ config.locale.package ];
+              wraparound.bubblewrap.sharedNixPaths = [ config.locale.package ];
             })
             (lib.mkIf submoduleCfg.enableIsolation {
-              sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
+              wraparound.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
             })
             (lib.mkIf submoduleCfg.enableEnsureChildDiesWithParent {
-              sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--die-with-parent" ];
+              wraparound.bubblewrap.extraArgs = lib.mkBefore [ "--die-with-parent" ];
             })
           ]);
         };
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix b/modules/wrapper-manager/wraparound/bubblewrap/filesystem.nix
similarity index 91%
rename from modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
rename to modules/wrapper-manager/wraparound/bubblewrap/filesystem.nix
index 190a37ab..90dee7a7 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
+++ b/modules/wrapper-manager/wraparound/bubblewrap/filesystem.nix
@@ -4,7 +4,7 @@
 { config, lib, pkgs, ... }:
 let
-  cfg = config.sandboxing.bubblewrap;
+  cfg = config.wraparound.bubblewrap;
   fileOperationsWithPerms = [ "file" "dir" "remount-ro"
@@ -53,7 +53,7 @@ let
           description = ''
             Specify what filesystem-related operations to be done for the given filesystem object. Only certain operations accept permissions given
-            from {option}`sandboxing.bubblewrap.filesystem..permissions`.
+            from {option}`wraparound.bubblewrap.filesystem..permissions`.
           '';
           default = "ro-bind-try";
           example = "bind";
@@ -181,24 +181,24 @@ let
     lib.lists.filter (p: p != "") (lib.splitString "\n" closurePaths);
 in
 {
-  options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
+  options.wraparound.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
   options.wrappers =
     let
       bubblewrapModule = { config, lib, name, ... }:
         let
-          submoduleCfg = config.sandboxing.bubblewrap;
+          submoduleCfg = config.wraparound.bubblewrap;
         in
         {
-          options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
+          options.wraparound.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
-          config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [
+          config = lib.mkIf (config.wraparound.variant == "bubblewrap") (lib.mkMerge [
             {
-              sandboxing.bubblewrap.binds = cfg.binds;
-              sandboxing.bubblewrap.sharedNixPaths = cfg.sharedNixPaths;
-              sandboxing.bubblewrap.filesystem = cfg.filesystem;
+              wraparound.bubblewrap.binds = cfg.binds;
+              wraparound.bubblewrap.sharedNixPaths = cfg.sharedNixPaths;
+              wraparound.bubblewrap.filesystem = cfg.filesystem;
             }
             {
-              sandboxing.bubblewrap.filesystem =
+              wraparound.bubblewrap.filesystem =
                 let
                   renameNixStorePaths = path: if lib.isDerivation path then path.pname else path;
@@ -215,7 +215,7 @@ in
                 in
                 builtins.listToAttrs filesystemMappings;
-              sandboxing.bubblewrap.extraArgs =
+              wraparound.bubblewrap.extraArgs =
                 let
                   makeFilesystemArgs = _: metadata:
                     let
@@ -238,11 +238,11 @@ in
             }
             (lib.mkIf submoduleCfg.enableSharedNixStore {
-              sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
+              wraparound.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
             })
             (lib.mkIf (submoduleCfg.sharedNixPaths != [ ]) {
-              sandboxing.bubblewrap.extraArgs =
+              wraparound.bubblewrap.extraArgs =
                 let
                   closurePaths = getClosurePaths submoduleCfg.sharedNixPaths;
                 in
@@ -250,7 +250,7 @@ in
             })
             (lib.mkIf submoduleCfg.dbus.enable {
-              sandboxing.bubblewrap.dbus.filter.bwrapArgs =
+              wraparound.bubblewrap.dbus.filter.bwrapArgs =
                 let
                   closurePaths = getClosurePaths submoduleCfg.sharedNixPaths;
                 in
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/launcher.nix b/modules/wrapper-manager/wraparound/bubblewrap/launcher.nix
similarity index 77%
rename from modules/wrapper-manager/sandboxing/bubblewrap/launcher.nix
rename to modules/wrapper-manager/wraparound/bubblewrap/launcher.nix
index cd1270c9..b8c7b009 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/launcher.nix
+++ b/modules/wrapper-manager/wraparound/bubblewrap/launcher.nix
@@ -6,7 +6,7 @@
 { config, lib, options, pkgs, ... }:
 let
-  cfg = config.sandboxing.bubblewrap.launcher;
+  cfg = config.wraparound.bubblewrap.launcher;
   bubblewrapModuleFactory = { isGlobal ? false }: {
     package = lib.mkOption {
@@ -31,36 +31,36 @@ let
   };
 in
 {
-  options.sandboxing.bubblewrap.launcher = bubblewrapModuleFactory { isGlobal = true; };
+  options.wraparound.bubblewrap.launcher = bubblewrapModuleFactory { isGlobal = true; };
   options.wrappers =
     let
       bubblewrapLauncherSubmodule = { config, lib, name, ... }:
         let
-          submoduleCfg = config.sandboxing.bubblewrap.launcher;
+          submoduleCfg = config.wraparound.bubblewrap.launcher;
           envSuffix = word: "WRAPPER_MANAGER_BWRAP_LAUNCHER_${word}";
         in
         {
-          options.sandboxing.bubblewrap.launcher = bubblewrapModuleFactory { isGlobal = false; };
+          options.wraparound.bubblewrap.launcher = bubblewrapModuleFactory { isGlobal = false; };
-          config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [
+          config = lib.mkIf (config.wraparound.variant == "bubblewrap") (lib.mkMerge [
             {
               arg0 = lib.getExe' submoduleCfg.package "wrapper-manager-bubblewrap-launcher";
               prependArgs = lib.mkBefore
-                (config.sandboxing.bubblewrap.extraArgs
-                ++ [ "--" config.sandboxing.wraparound.arg0 ]
-                ++ config.sandboxing.wraparound.extraArgs);
+                (config.wraparound.bubblewrap.extraArgs
+                ++ [ "--" config.wraparound.subwrapper.arg0 ]
+                ++ config.wraparound.subwrapper.extraArgs);
               env = {
-                "${envSuffix "BWRAP"}".value = lib.getExe' config.sandboxing.bubblewrap.package "bwrap";
+                "${envSuffix "BWRAP"}".value = lib.getExe' config.wraparound.bubblewrap.package "bwrap";
                 # We're just unsetting autoconfigure since we're configuring this
                 # through the module system anyways and would allow the user to
                 # have some more control over what can be enabled.
-                "${envSuffix "AUTOCONFIGURE"}".value = "0";
+                "${envSuffix "AUTOCONFIGURE"}".value = lib.mkDefault "0";
               };
             }
-            (lib.mkIf config.sandboxing.bubblewrap.dbus.enable {
-              env.${envSuffix "DBUS_PROXY"}.value = lib.getExe' config.sandboxing.bubblewrap.dbus.filter.package "xdg-dbus-proxy";
-              env.${envSuffix "DBUS_PROXY_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.extraArgs;
-              env.${envSuffix "DBUS_PROXY_BWRAP_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.bwrapArgs;
+            (lib.mkIf config.wraparound.bubblewrap.dbus.enable {
+              env.${envSuffix "DBUS_PROXY"}.value = lib.getExe' config.wraparound.bubblewrap.dbus.filter.package "xdg-dbus-proxy";
+              env.${envSuffix "DBUS_PROXY_ARGS"}.value = lib.concatStringsSep " " config.wraparound.bubblewrap.dbus.filter.extraArgs;
+              env.${envSuffix "DBUS_PROXY_BWRAP_ARGS"}.value = lib.concatStringsSep " " config.wraparound.bubblewrap.dbus.filter.bwrapArgs;
             })
             (lib.mkIf submoduleCfg.integrations.pulseaudio.enable {
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/launcher/CHANGELOG.adoc b/modules/wrapper-manager/wraparound/bubblewrap/launcher/CHANGELOG.adoc
similarity index 100%
rename from modules/wrapper-manager/sandboxing/bubblewrap/launcher/CHANGELOG.adoc
rename to modules/wrapper-manager/wraparound/bubblewrap/launcher/CHANGELOG.adoc
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/launcher/LICENSE b/modules/wrapper-manager/wraparound/bubblewrap/launcher/LICENSE
similarity index 100%
rename from modules/wrapper-manager/sandboxing/bubblewrap/launcher/LICENSE
rename to modules/wrapper-manager/wraparound/bubblewrap/launcher/LICENSE
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh b/modules/wrapper-manager/wraparound/bubblewrap/launcher/app.sh
similarity index 100%
rename from modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh
rename to modules/wrapper-manager/wraparound/bubblewrap/launcher/app.sh
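Review bot: The comment directly above the `AUTOCONFIGURE` entry still says autoconfigure is being unset, but with `lib.mkDefault "0"` the value is now only a default that a wrapper definition can override, so the comment no longer describes the contract. Because `env` here is merged from several `lib.mkIf` branches (the enclosing `lib.mkMerge` list continues past the hunk), an override that re-enables launcher autoconfiguration would presumably take effect on top of the bwrap arguments derived from the module options, which is the consequence a reader deciding to flip it needs to know. I'd reword the comment to `# Autoconfigure is off by default because the sandbox is assembled from the module options; a wrapper may override this, in which case the launcher's own configuration presumably applies in addition to the arguments declared here.` If overriding is an intended feature, exposing it as an explicit option would make that intent clearer than relying on an env-var override.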
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/launcher/meson.build b/modules/wrapper-manager/wraparound/bubblewrap/launcher/meson.build
similarity index 100%
rename from modules/wrapper-manager/sandboxing/bubblewrap/launcher/meson.build
rename to modules/wrapper-manager/wraparound/bubblewrap/launcher/meson.build
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/launcher/package.nix b/modules/wrapper-manager/wraparound/bubblewrap/launcher/package.nix
similarity index 100%
rename from modules/wrapper-manager/sandboxing/bubblewrap/launcher/package.nix
rename to modules/wrapper-manager/wraparound/bubblewrap/launcher/package.nix
diff --git a/modules/wrapper-manager/sandboxing/default.nix b/modules/wrapper-manager/wraparound/default.nix
similarity index 65%
rename from modules/wrapper-manager/sandboxing/default.nix
rename to modules/wrapper-manager/wraparound/default.nix
index bed896b7..97cd2342 100644
--- a/modules/wrapper-manager/sandboxing/default.nix
+++ b/modules/wrapper-manager/wraparound/default.nix
@@ -8,19 +8,19 @@
   options.wrappers =
     let
-      sandboxingType = { name, lib, config, options, ... }: {
-        options.sandboxing = {
+      wraparoundType = { name, lib, config, options, ... }: {
+        options.wraparound = {
           variant = lib.mkOption {
             type = with lib.types; nullOr (enum []);
             description = ''
-              The sandboxing framework to be applied to the wrapper. A value of
+              The wraparound variant to be applied to the wrapper. A value of
               `null` will essentially disable it.
             '';
             default = null;
             example = "bubblewrap";
           };
-          wraparound = {
+          subwrapper = {
             arg0 = options.arg0;
             extraArgs = options.appendArgs;
           };
@@ -28,6 +28,6 @@
       };
     in
     lib.mkOption {
-      type = with lib.types; attrsOf (submodule sandboxingType);
+      type = with lib.types; attrsOf (submodule wraparoundType);
     };
 }