diff options
author | Michael Eden <themichaeleden@gmail.com> | 2019-02-20 10:22:17 -0500 |
---|---|---|
committer | Atemu <atemu.main@gmail.com> | 2020-08-17 08:49:24 +0200 |
commit | 2ddb43ec24d82e0d77c5f1402126dbb498ae0440 (patch) | |
tree | b5027325ae153f6063592aa76225d1023a44f2f1 /pkgs/build-support | |
parent | fafbfd2305f092b3ee2024e7b211bd6b5a5e1328 (diff) |
fhs-userenv-bubblewrap: change to using bubblewrap over chrootenv
Diffstat (limited to 'pkgs/build-support')
-rw-r--r-- | pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix | 68 | ||||
-rw-r--r-- | pkgs/build-support/build-fhs-userenv-bubblewrap/env.nix | 39 |
2 files changed, 70 insertions, 37 deletions
diff --git a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix index e7db6a75297d1..784aa754df780 100644 --- a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix +++ b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix @@ -1,36 +1,70 @@ -{ callPackage, runCommandLocal, writeScript, stdenv, coreutils }: +{ callPackage, runCommandLocal, writeShellScriptBin, stdenv, coreutils, bubblewrap }: let buildFHSEnv = callPackage ./env.nix { }; in -args@{ name, runScript ? "bash", extraInstallCommands ? "", meta ? {}, passthru ? {}, ... }: +args @ { + name, + runScript ? "bash", + extraInstallCommands ? "", + meta ? {}, + passthru ? {}, + ... +}: +with builtins; let - env = buildFHSEnv (removeAttrs args [ "runScript" "extraInstallCommands" "meta" "passthru" ]); + env = buildFHSEnv (removeAttrs args [ + "runScript" "extraInstallCommands" "meta" "passthru" + ]); chrootenv = callPackage ./chrootenv {}; - init = run: writeScript "${name}-init" '' - #! ${stdenv.shell} - for i in ${env}/* /host/*; do + init = run: writeShellScriptBin "${name}-init" '' + source /etc/profile + exec ${run} "$@" + ''; + + bwrap_cmd = { init_args ? "" }: '' + blacklist="/nix /dev /proc" + ro_mounts="" + for i in ${env}/*; do path="/''${i##*/}" - [ -e "$path" ] || ${coreutils}/bin/ln -s "$i" "$path" + ro_mounts="$ro_mounts --ro-bind $i $path" + blacklist="$blacklist $path" done - [ -d "$1" ] && [ -r "$1" ] && cd "$1" - shift + auto_mounts="" + # loop through all directories in the root + for dir in /*; do + # if it is a directory and it is not in the blacklist + if [[ -d "$dir" ]] && grep -v "$dir" <<< "$blacklist" >/dev/null; then + # add it to the mount list + auto_mounts="$auto_mounts --bind $dir $dir" + fi + done - source /etc/profile - exec ${run} "$@" + exec ${bubblewrap}/bin/bwrap \ + --dev /dev \ + --proc /proc \ + --chdir "$(pwd)" \ + --unshare-all \ + --share-net \ + --die-with-parent \ + --ro-bind /nix /nix \ + --ro-bind /etc /host-etc \ + $ro_mounts \ + $auto_mounts \ + ${init runScript}/bin/${name}-init ${init_args} ''; + bin = writeShellScriptBin name (bwrap_cmd { init_args = ''"$@"''; }); + in runCommandLocal name { inherit meta; passthru = passthru // { env = runCommandLocal "${name}-shell-env" { - shellHook = '' - exec ${chrootenv}/bin/chrootenv ${init runScript} "$(pwd)" - ''; + shellHook = bwrap_cmd {}; } '' echo >&2 "" echo >&2 "*** User chroot 'env' attributes are intended for interactive nix-shell sessions, not for building! ***" @@ -40,10 +74,6 @@ in runCommandLocal name { }; } '' mkdir -p $out/bin - cat <<EOF >$out/bin/${name} - #! ${stdenv.shell} - exec ${chrootenv}/bin/chrootenv ${init runScript} "\$(pwd)" "\$@" - EOF - chmod +x $out/bin/${name} + ln -s ${bin}/bin/${name} $out/bin/${name} ${extraInstallCommands} '' diff --git a/pkgs/build-support/build-fhs-userenv-bubblewrap/env.nix b/pkgs/build-support/build-fhs-userenv-bubblewrap/env.nix index 083e7617b5029..5e994abfd212e 100644 --- a/pkgs/build-support/build-fhs-userenv-bubblewrap/env.nix +++ b/pkgs/build-support/build-fhs-userenv-bubblewrap/env.nix @@ -79,39 +79,42 @@ let ln -s ${etcProfile} profile # compatibility with NixOS - ln -s /host/etc/static static + ln -s /host-etc/static static # symlink some NSS stuff - ln -s /host/etc/passwd passwd - ln -s /host/etc/group group - ln -s /host/etc/shadow shadow - ln -s /host/etc/hosts hosts - ln -s /host/etc/resolv.conf resolv.conf - ln -s /host/etc/nsswitch.conf nsswitch.conf + ln -s /host-etc/passwd passwd + ln -s /host-etc/group group + ln -s /host-etc/shadow shadow + ln -s /host-etc/hosts hosts + ln -s /host-etc/resolv.conf resolv.conf + ln -s /host-etc/nsswitch.conf nsswitch.conf # symlink sudo and su stuff - ln -s /host/etc/login.defs login.defs - ln -s /host/etc/sudoers sudoers - ln -s /host/etc/sudoers.d sudoers.d + ln -s /host-etc/login.defs login.defs + ln -s /host-etc/sudoers sudoers + ln -s /host-etc/sudoers.d sudoers.d # symlink other core stuff - ln -s /host/etc/localtime localtime - ln -s /host/etc/zoneinfo zoneinfo - ln -s /host/etc/machine-id machine-id - ln -s /host/etc/os-release os-release + ln -s /host-etc/localtime localtime + ln -s /host-etc/zoneinfo zoneinfo + ln -s /host-etc/machine-id machine-id + ln -s /host-etc/os-release os-release # symlink PAM stuff - ln -s /host/etc/pam.d pam.d + ln -s /host-etc/pam.d pam.d # symlink fonts stuff - ln -s /host/etc/fonts fonts + ln -s /host-etc/fonts fonts # symlink ALSA stuff - ln -s /host/etc/asound.conf asound.conf + ln -s /host-etc/asound.conf asound.conf # symlink SSL certs mkdir -p ssl - ln -s /host/etc/ssl/certs ssl/certs + ln -s /host-etc/ssl/certs ssl/certs + + # Fedora stores certs in another directory + ln -s /host-etc/pki pki # symlink /etc/mtab -> /proc/mounts (compat for old userspace progs) ln -s /proc/mounts mtab |