insync: fix bwrap namespaces

- share bwrap namespaces as possible with the user

1 files changed, 36 insertions, 29 deletions

diff --git a/pkgs/applications/networking/insync/default.nix b/pkgs/applications/networking/insync/default.nix
index 282d45513ced8..4e11d9fe38634 100644
--- a/pkgs/applications/networking/insync/default.nix
+++ b/pkgs/applications/networking/insync/default.nix
@@ -1,6 +1,6 @@
 { lib
 , writeShellScript
-, buildFHSEnv
+, buildFHSEnvBubblewrap
 , stdenvNoCC
 , fetchurl
 , autoPatchelfHook
@@ -40,11 +40,12 @@ let
   };
 
   insync-pkg = stdenvNoCC.mkDerivation {
-    inherit pname version meta;
+    name = "${pname}-pkg-${version}";
+    inherit version meta;
 
     src = fetchurl {
       # Find a binary from https://www.insynchq.com/downloads/linux#ubuntu.
-      url = "https://cdn.insynchq.com/builds/linux/${pname}_${version}-lunar_amd64.deb";
+      url = "https://cdn.insynchq.com/builds/linux/insync_${version}-lunar_amd64.deb";
       sha256 = "sha256-BxTFtQ1rAsOuhKnH5vsl3zkM7WOd+vjA4LKZGxl4jk0=";
     };
 
@@ -66,7 +67,7 @@ let
     installPhase = ''
       runHook preInstall
 
-      mkdir -p $out/bin $out/lib $out/share
+      mkdir -p $out
       cp -R usr/* $out/
 
       # use system glibc
@@ -75,6 +76,9 @@ let
       # remove badly packaged plugins
       rm $out/lib/insync/PySide2/plugins/platforminputcontexts/libqtvirtualkeyboardplugin.so
 
+      # remove the unused vendor wrapper
+      rm $out/bin/insync
+
       runHook postInstall
     '';
 
@@ -82,37 +86,40 @@ let
     dontStrip = true;
   };
 
-  insync-fhsenv = buildFHSEnv {
-    name = "${pname}-${version}";
-    inherit meta;
-
-    # for including insync's xdg data dirs
-    extraOutputsToInstall = [ "share" ];
+in buildFHSEnvBubblewrap {
+  name = pname;
+  inherit meta;
 
-    targetPkgs = pkgs: with pkgs; [
-      insync-pkg
-      libudev0-shim
-    ];
+  targetPkgs = pkgs: with pkgs; [
+    insync-pkg
+    libudev0-shim
+  ];
 
-    runScript = writeShellScript "insync-wrapper.sh" ''
+  runScript = writeShellScript "insync-wrapper.sh" ''
     # QT_STYLE_OVERRIDE was used to suppress a QT warning, it should have no actual effect for this binary.
-    export QT_STYLE_OVERRIDE=Fusion
+    echo Unsetting QT_STYLE_OVERRIDE=$QT_STYLE_OVERRIDE
+    echo Unsetting QT_QPA_PLATFORMTHEME=$QT_QPA_PLATFORMTHEME
+    unset QT_STYLE_OVERRIDE
+    unset QPA_PLATFORMTHEME
+
     # xkb configuration needed: https://github.com/NixOS/nixpkgs/issues/236365
     export XKB_CONFIG_ROOT=${xkeyboard_config}/share/X11/xkb/
-    exec "${insync-pkg.outPath}/lib/insync/insync" "$@"
-    '';
+    echo XKB_CONFIG_ROOT=$XKB_CONFIG_ROOT
 
-    # "insync start" command starts a daemon.
-    dieWithParent = false;
-  };
+    # For debuging:
+    # export QT_DEBUG_PLUGINS=1
+    # find -L /usr/share -name "*insync*"
 
-in stdenvNoCC.mkDerivation {
-  inherit pname version meta;
+    exec /usr/lib/insync/insync "$@"
+    '';
 
-  dontUnpack = true;
-  installPhase = ''
-    mkdir -p $out/bin
-    ln -s ${insync-fhsenv}/bin/${insync-fhsenv.name} $out/bin/insync
-    ln -s ${insync-pkg}/share $out/share
-  '';
+  # As intended by this bubble wrap, share as much namespaces as possible with user.
+  unshareUser   = false;
+  unshareIpc    = false;
+  unsharePid    = false;
+  unshareNet    = false;
+  unshareUts    = false;
+  unshareCgroup = false;
+  # Since "insync start" command starts a daemon, this daemon should die with it.
+  dieWithParent = false;
 }