wrapper-manager/sandboxing/bubblewrap: fix setting of global-wide config values for individual wrappers

May cause subtle bugs especially with compound value types such as `attrsOf` and `listOf`.
2025-01-31 04:58:01 +00:00 · 2024-08-05 19:32:46 +08:00 · 2024-08-05 19:32:46 +08:00 · a6c8213d57
commit a6c8213d57
parent 73a6dba219
2 changed files with 9 additions and 22 deletions
--- a/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
@ -53,7 +53,6 @@ let
        };
      };
    };
-
  };
 in
 {
@ -94,9 +93,7 @@ in
            '';
          };

-          policies = options.sandboxing.bubblewrap.dbus.filter.policies // {
-            default = cfg.dbus.filter.policies;
-          };
+          policies = options.sandboxing.bubblewrap.dbus.filter.policies;

          extraArgs = lib.mkOption {
            type = with lib.types; listOf str;
@ -108,6 +105,7 @@ in
          };
        };

+        config.policies = cfg.dbus.filter.policies;
        config.extraArgs =
          let
            makePolicyArgs = dbusName: policyMetadata:
--- a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
@ -177,18 +177,6 @@ let
 in
 {
  options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
-  config.sandboxing.bubblewrap.binds.ro = getClosurePaths cfg.sharedNixPaths;
-
-  config.sandboxing.bubblewrap.filesystem =
-    let
-      makeFilesystemMapping = operation: bind:
-        lib.nameValuePair bind { inherit operation; source = bind; };
-      filesystemMappings =
-        lib.lists.map (makeFilesystemMapping "ro-bind-try") cfg.binds.ro
-        ++ lib.lists.map (makeFilesystemMapping "bind") cfg.binds.rw
-        ++ lib.lists.map (makeFilesystemMapping "dev-bind-try") cfg.binds.dev;
-    in
-    builtins.listToAttrs filesystemMappings;

  options.wrappers =
    let
@ -198,6 +186,12 @@ in
        options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };

        config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [
+          {
+            sandboxing.bubblewrap.binds = cfg.binds;
+            sandboxing.bubblewrap.sharedNixPaths = cfg.sharedNixPaths;
+            sandboxing.bubblewrap.filesystem = cfg.filesystem;
+          }
+
          {
            sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths;
            sandboxing.bubblewrap.filesystem =
@ -206,7 +200,7 @@ in
                  lib.nameValuePair bind { inherit operation; source = bind; };
                filesystemMappings =
                  lib.lists.map (makeFilesystemMapping "ro-bind-try") submoduleCfg.binds.ro
-                  ++ lib.lists.map (makeFilesystemMapping "bind") submoduleCfg.binds.rw
+                  ++ lib.lists.map (makeFilesystemMapping "bind-try") submoduleCfg.binds.rw
                  ++ lib.lists.map (makeFilesystemMapping "dev-bind-try") submoduleCfg.binds.dev;
              in
              builtins.listToAttrs filesystemMappings;
@ -231,11 +225,6 @@ in
                (lib.mapAttrsToList makeFilesystemArgs submoduleCfg.filesystem);
          }

-          {
-            sandboxing.bubblewrap.binds = cfg.binds;
-            sandboxing.bubblewrap.filesystem = cfg.filesystem;
-          }
-
          (lib.mkIf submoduleCfg.enableSharedNixStore {
            sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
          })