wrapper-manager/sandboxing/bubblewrap: update default values

This commit is contained in:
Gabriel Arazas 2024-08-06 11:17:22 +08:00
parent c73d27dba3
commit 99b13543ae
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360


@ -68,9 +68,10 @@ in
options.wrappers = options.wrappers =
let let
bubblewrapModule = { name, config, lib, pkgs, ... }: bubblewrapModule = { name, config, lib, ... }:
let let
submoduleCfg = config.sandboxing.bubblewrap; submoduleCfg = config.sandboxing.bubblewrap;
env' = lib.filterAttrs (n: _: !(lib.strings.hasPrefix "WRAPPER_MANAGER_BWRAP_LAUNCHER" n)) config.env;
in in
{ {
options.sandboxing.variant = lib.mkOption { options.sandboxing.variant = lib.mkOption {
@ -89,10 +90,10 @@ in
if metadata.action == "unset" then if metadata.action == "unset" then
"--unsetenv ${var}" "--unsetenv ${var}"
else if lib.elem metadata.action [ "prefix" "suffix" ] then else if lib.elem metadata.action [ "prefix" "suffix" ] then
"--setenv ${var} ${lib.escapeShellArg (lib.concatStringsSep metadata.separator metadata.value)}" "--setenv ${lib.escapeShellArg var} ${lib.escapeShellArg (lib.concatStringsSep metadata.separator metadata.value)}"
else else
"--setenv ${var} ${metadata.value}") "--setenv ${lib.escapeShellArg var} ${lib.escapeShellArg metadata.value}")
config.env; env';
} }
(lib.mkIf submoduleCfg.enableNetwork { (lib.mkIf submoduleCfg.enableNetwork {
@ -105,6 +106,7 @@ in
# we'll probably let the launcher handle this. # we'll probably let the launcher handle this.
sandboxing.bubblewrap.binds.ro = [ sandboxing.bubblewrap.binds.ro = [
"/etc/ssh" "/etc/ssh"
"/etc/ssl"
"/etc/hosts" "/etc/hosts"
"/etc/resolv.conf" "/etc/resolv.conf"
]; ];
@ -114,6 +116,10 @@ in
sandboxing.bubblewrap.sharedNixPaths = [ pkgs.cacert ]; sandboxing.bubblewrap.sharedNixPaths = [ pkgs.cacert ];
}) })
(lib.mkIf config.locale.enable {
sandboxing.bubblewrap.sharedNixPaths = [ config.locale.package ];
})
(lib.mkIf submoduleCfg.enableIsolation { (lib.mkIf submoduleCfg.enableIsolation {
sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ]; sandboxing.bubblewrap.extraArgs = lib.mkBefore [ "--unshare-all" ];
}) })
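Review bot: The new `"/etc/ssl"` entry in `sandboxing.bubblewrap.binds.ro` is a directory bind, and on NixOS the files under `/etc/ssl` are commonly symlinks into `/etc/static` and the Nix store, so inside the sandbox they may resolve to nothing unless their targets are bound too; `pkgs.cacert` in `sharedNixPaths` presumably covers the store side, but whether `/etc/static` is reachable cannot be seen from this hunk, so it is worth confirming that a TLS connection from a sandboxed wrapper actually finds the CA bundle. A short comment next to the entry would record the intent, e.g. `# NOTE: /etc/ssl is mostly symlinks on NixOS; confirm they resolve in the sandbox (cacert is shared via sharedNixPaths below)`. The enclosing `lib.mkIf submoduleCfg.enableNetwork` block starts in the previous hunk. Relatedly, the `env'` filter added in the first hunk silently drops every variable whose name starts with `WRAPPER_MANAGER_BWRAP_LAUNCHER` from the `--setenv`/`--unsetenv` list, and a one-line comment there stating that launcher-internal variables are intentionally not forwarded into the sandbox would spare the next reader the guesswork.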