diff options
| author | Jeff Huffman <tejing@tejing.com> | 2023-12-09 00:29:32 -0500 |
|---|---|---|
| committer | Jonathan Ringer <jonringer@users.noreply.github.com> | 2023-12-13 23:33:05 -0800 |
| commit | 195248b6c101f3d58002d5c7e15be38231780786 (patch) | |
| tree | 51fdbf4c680d5e01e5076d7fa6280a000d746146 /pkgs/build-support/build-fhsenv-bubblewrap | |
| parent | 452b8162ecc995793d906cde424b652fa3dd1314 (diff) | |
buildFHSEnv, steam: isolate steam's /tmp from host
Works around steam's misbehavior: https://github.com/ValveSoftware/steam-for-linux/issues/9121
Diffstat (limited to 'pkgs/build-support/build-fhsenv-bubblewrap')
| -rw-r--r-- | pkgs/build-support/build-fhsenv-bubblewrap/default.nix | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/pkgs/build-support/build-fhsenv-bubblewrap/default.nix b/pkgs/build-support/build-fhsenv-bubblewrap/default.nix index ba28c68c3de3d..b6b5f13bba978 100644 --- a/pkgs/build-support/build-fhsenv-bubblewrap/default.nix +++ b/pkgs/build-support/build-fhsenv-bubblewrap/default.nix @@ -16,6 +16,7 @@ , extraInstallCommands ? "" , meta ? {} , passthru ? {} +, extraPreBwrapCmds ? "" , extraBwrapArgs ? [] , unshareUser ? false , unshareIpc ? false @@ -23,6 +24,7 @@ , unshareNet ? false , unshareUts ? false , unshareCgroup ? false +, privateTmp ? false , dieWithParent ? true , ... } @ args: @@ -38,8 +40,8 @@ let buildFHSEnv = callPackage ./buildFHSEnv.nix { }; fhsenv = buildFHSEnv (removeAttrs (args // { inherit name; }) [ - "runScript" "extraInstallCommands" "meta" "passthru" "extraBwrapArgs" "dieWithParent" - "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc" + "runScript" "extraInstallCommands" "meta" "passthru" "extraPreBwrapCmds" "extraBwrapArgs" "dieWithParent" + "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc" "privateTmp" "pname" "version" ]); @@ -116,7 +118,8 @@ let indentLines = str: lib.concatLines (map (s: " " + s) (filter (s: s != "") (lib.splitString "\n" str))); bwrapCmd = { initArgs ? "" }: '' - ignored=(/nix /dev /proc /etc) + ${extraPreBwrapCmds} + ignored=(/nix /dev /proc /etc ${lib.optionalString privateTmp "/tmp"}) ro_mounts=() symlinks=() etc_ignored=() @@ -191,6 +194,7 @@ let ${lib.optionalString dieWithParent "--die-with-parent"} --ro-bind /nix /nix --ro-bind /etc /.host-etc + ${lib.optionalString privateTmp "--tmpfs /tmp"} # Our glibc will look for the cache in its own path in `/nix/store`. # As such, we need a cache to exist there, because pressure-vessel # depends on the existence of an ld cache. However, adding one |