foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-02-07 12:19:07 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

wrapper-manager/sandboxing/bubblewrap: add destination to filesystem submodule

Browse Source
This commit is contained in:
Gabriel Arazas 2024-08-06 11:04:34 +08:00
parent f58675d0f9
commit c127b79eb1
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
1 changed files with 30 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
View File

@ -7,7 +7,7 @@ let
cfg = config.sandboxing.bubblewrap; cfg = config.sandboxing.bubblewrap;
fileOperationsWithPerms = [ fileOperationsWithPerms = [
"file" "dir" "file" "dir" "remount-ro"
"bind-data" "ro-bind-data" "bind-data" "ro-bind-data"
]; ];
fileOperationsWithoutPerms = [ fileOperationsWithoutPerms = [
@ -28,8 +28,17 @@ let
example = lib.literalExpression "./files/example.file"; example = lib.literalExpression "./files/example.file";
}; };
destination = lib.mkOption {
type = lib.types.str;
description = ''
The source of the path to be copied from.
'';
default = name;
example = lib.literalExpression "./files/example.file";
};
permissions = lib.mkOption { permissions = lib.mkOption {
type = with lib.types; nullOr (strMatch "[0-7]{0,4}"); type = with lib.types; nullOr (strMatching "[0-7]{0,4}");
description = '' description = ''
The permissions of the node in octal. If the value is `null`, it The permissions of the node in octal. If the value is `null`, it
will be handled by Bubblewrap executable. For more details for each will be handled by Bubblewrap executable. For more details for each
@ -53,6 +62,8 @@ let
lock = lib.mkEnableOption "locking the file"; lock = lib.mkEnableOption "locking the file";
}; };
}; };
bindsType = with lib.types; listOf (oneOf [ str package ]);
in { in {
enableSharedNixStore = lib.mkEnableOption null // { enableSharedNixStore = lib.mkEnableOption null // {
default = if isGlobal then true else cfg.enableSharedNixStore; default = if isGlobal then true else cfg.enableSharedNixStore;
@ -80,7 +91,7 @@ let
binds = { binds = {
ro = lib.mkOption { ro = lib.mkOption {
type = with lib.types; listOf str; type = bindsType;
default = [ ]; default = [ ];
description = description =
if isGlobal if isGlobal
@ -98,7 +109,7 @@ let
}; };
rw = lib.mkOption { rw = lib.mkOption {
type = with lib.types; listOf str; type = bindsType;
default = [ ]; default = [ ];
description = description =
if isGlobal if isGlobal
@ -112,7 +123,7 @@ let
}; };
dev = lib.mkOption { dev = lib.mkOption {
type = with lib.types; listOf str; type = bindsType;
default = [ ]; default = [ ];
description = description =
if isGlobal if isGlobal
@ -190,8 +201,14 @@ in
sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths; sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths;
sandboxing.bubblewrap.filesystem = sandboxing.bubblewrap.filesystem =
let let
renameNixStorePaths = path:
if lib.isDerivation path then path.pname else path;
makeFilesystemMapping = operation: bind: makeFilesystemMapping = operation: bind:
lib.nameValuePair bind { inherit operation; source = bind; }; lib.nameValuePair (renameNixStorePaths bind) {
inherit operation;
source = builtins.toString bind;
destination = builtins.toString bind;
};
filesystemMappings = filesystemMappings =
lib.lists.map (makeFilesystemMapping "ro-bind-try") submoduleCfg.binds.ro lib.lists.map (makeFilesystemMapping "ro-bind-try") submoduleCfg.binds.ro
++ lib.lists.map (makeFilesystemMapping "bind-try") submoduleCfg.binds.rw ++ lib.lists.map (makeFilesystemMapping "bind-try") submoduleCfg.binds.rw
@ -201,22 +218,24 @@ in
sandboxing.bubblewrap.extraArgs = sandboxing.bubblewrap.extraArgs =
let let
makeFilesystemArgs = dst: metadata: makeFilesystemArgs = _: metadata:
let let
src = metadata.source; src = lib.escapeShellArg metadata.source;
dst = lib.escapeShellArg metadata.destination;
hasPermissions = metadata.permissions != null; hasPermissions = metadata.permissions != null;
isValidOperationWithPerms = lib.elem metadata.operation fileOperationsWithPerms; isValidOperationWithPerms = lib.elem metadata.operation fileOperationsWithPerms;
in in
# Take note of the ordering here such as `--perms` requiring
# to be before the file operation flags.
lib.optionals (hasPermissions && isValidOperationWithPerms) [ "--perms ${metadata.permissions}" ] lib.optionals (hasPermissions && isValidOperationWithPerms) [ "--perms ${metadata.permissions}" ]
++ ( ++ (
if metadata.operation == "dir" if lib.elem metadata.operation [ "dir" "remount-ro" ]
then [ "--${metadata.operation} ${dst}" ] then [ "--${metadata.operation} ${dst}" ]
else [ "--${metadata.operation} ${src} ${dst}" ] else [ "--${metadata.operation} ${src} ${dst}" ]
) )
++ lib.optionals metadata.lock [ "--lock-file ${dst}" ]; ++ lib.optionals metadata.lock [ "--lock-file ${dst}" ];
in in
lib.lists.flatten lib.lists.flatten (lib.mapAttrsToList makeFilesystemArgs submoduleCfg.filesystem);
(lib.mapAttrsToList makeFilesystemArgs submoduleCfg.filesystem);
} }
(lib.mkIf submoduleCfg.enableSharedNixStore { (lib.mkIf submoduleCfg.enableSharedNixStore {