wrapper-manager/sandboxing/bubblewrap: fix setting of global-wide config values for individual wrappers

May cause subtle bugs especially with compound value types such as
`attrsOf` and `listOf`.
Gabriel Arazas 2024-08-05 19:32:46 +08:00
parent 73a6dba219
commit a6c8213d57
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
2 changed files with 9 additions and 22 deletions


@ -53,7 +53,6 @@ let
}; };
}; };
}; };
}; };
in in
{ {
@ -94,9 +93,7 @@ in
''; '';
}; };
policies = options.sandboxing.bubblewrap.dbus.filter.policies // { policies = options.sandboxing.bubblewrap.dbus.filter.policies;
default = cfg.dbus.filter.policies;
};
extraArgs = lib.mkOption { extraArgs = lib.mkOption {
type = with lib.types; listOf str; type = with lib.types; listOf str;
@ -108,6 +105,7 @@ in
}; };
}; };
config.policies = cfg.dbus.filter.policies;
config.extraArgs = config.extraArgs =
let let
makePolicyArgs = dbusName: policyMetadata: makePolicyArgs = dbusName: policyMetadata:
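Review bot: The added `config.policies = cfg.dbus.filter.policies;` defines the global D-Bus filter policies at normal priority inside every wrapper, so a wrapper can no longer narrow or drop a globally granted bus name just by setting its own `policies`. It would presumably need `lib.mkForce`, and two differing values for the same name may fail to merge (the option's type is not visible in these hunks). If per-wrapper tightening is meant to stay possible, `config.policies = lib.mapAttrs (_: lib.mkDefault) cfg.dbus.filter.policies;` would keep the merge while letting a wrapper's own entry win per bus name. Either way, a comment such as `# global policies are merged into every wrapper's filter, not used as a replaceable default` would help anyone auditing what a sandboxed program can reach over D-Bus. The enclosing submodule starts and ends outside the visible hunks.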


@ -177,18 +177,6 @@ let
in in
{ {
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; }; options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
config.sandboxing.bubblewrap.binds.ro = getClosurePaths cfg.sharedNixPaths;
config.sandboxing.bubblewrap.filesystem =
let
makeFilesystemMapping = operation: bind:
lib.nameValuePair bind { inherit operation; source = bind; };
filesystemMappings =
lib.lists.map (makeFilesystemMapping "ro-bind-try") cfg.binds.ro
++ lib.lists.map (makeFilesystemMapping "bind") cfg.binds.rw
++ lib.lists.map (makeFilesystemMapping "dev-bind-try") cfg.binds.dev;
in
builtins.listToAttrs filesystemMappings;
options.wrappers = options.wrappers =
let let
@ -198,6 +186,12 @@ in
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; }; options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; };
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [ config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [
{
sandboxing.bubblewrap.binds = cfg.binds;
sandboxing.bubblewrap.sharedNixPaths = cfg.sharedNixPaths;
sandboxing.bubblewrap.filesystem = cfg.filesystem;
}
{ {
sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths; sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths;
sandboxing.bubblewrap.filesystem = sandboxing.bubblewrap.filesystem =
@ -206,7 +200,7 @@ in
lib.nameValuePair bind { inherit operation; source = bind; }; lib.nameValuePair bind { inherit operation; source = bind; };
filesystemMappings = filesystemMappings =
lib.lists.map (makeFilesystemMapping "ro-bind-try") submoduleCfg.binds.ro lib.lists.map (makeFilesystemMapping "ro-bind-try") submoduleCfg.binds.ro
++ lib.lists.map (makeFilesystemMapping "bind") submoduleCfg.binds.rw ++ lib.lists.map (makeFilesystemMapping "bind-try") submoduleCfg.binds.rw
++ lib.lists.map (makeFilesystemMapping "dev-bind-try") submoduleCfg.binds.dev; ++ lib.lists.map (makeFilesystemMapping "dev-bind-try") submoduleCfg.binds.dev;
in in
builtins.listToAttrs filesystemMappings; builtins.listToAttrs filesystemMappings;
@ -231,11 +225,6 @@ in
(lib.mapAttrsToList makeFilesystemArgs submoduleCfg.filesystem); (lib.mapAttrsToList makeFilesystemArgs submoduleCfg.filesystem);
} }
{
sandboxing.bubblewrap.binds = cfg.binds;
sandboxing.bubblewrap.filesystem = cfg.filesystem;
}
(lib.mkIf submoduleCfg.enableSharedNixStore { (lib.mkIf submoduleCfg.enableSharedNixStore {
sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ]; sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ];
}) })
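Review bot: The rw entry in `filesystemMappings` appears to change from `"bind"` to `"bind-try"`, which the commit message does not mention. bubblewrap's `--bind-try` skips a source path that does not exist instead of aborting, so a wrapper whose writable path is missing now starts without that mount rather than failing visibly. If that is intended, say so next to the line with a comment such as `# bind-try: a missing rw source is skipped, not fatal`; otherwise keep `"bind"` so a misconfigured writable path is caught at launch. Separately, the new first block of the `lib.mkMerge` list passes `cfg.binds`, `cfg.sharedNixPaths` and `cfg.filesystem` into every wrapper, so a global rw or dev bind widens every sandbox; a one-line comment stating that global values are additive would make that easier to audit. The `lib.mkMerge` list continues outside the hunks.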