From 2da4f24e2259d41419d14565bc371d34a227b599 Mon Sep 17 00:00:00 2001 From: Michael Eden Date: Sun, 15 Sep 2019 09:29:53 -0400 Subject: fhs-userenv-bubblewrap: bind mount parts of host etc directly --- .../build-fhs-userenv-bubblewrap/default.nix | 48 +++++++++++++++++++++- .../build-fhs-userenv-bubblewrap/env.nix | 38 ----------------- 2 files changed, 46 insertions(+), 40 deletions(-) (limited to 'pkgs/build-support/build-fhs-userenv-bubblewrap') diff --git a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix index 784aa754df780..77958767c97d8 100644 --- a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix +++ b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix @@ -19,20 +19,64 @@ let chrootenv = callPackage ./chrootenv {}; + etcBindFlags = let + files = [ + # NixOS Compatibility + "static" + # Users, Groups, NSS + "passwd" + "group" + "shadow" + "hosts" + "resolv.conf" + "nsswitch.conf" + # Sudo & Su + "login.defs" + "sudoers" + "sudoers.d" + # Time + "localtime" + "zoneinfo" + # Other Core Stuff + "machine-id" + "os-release" + # PAM + "pam.d" + # Fonts + "fonts" + # ALSA + "asound.conf" + # SSL + "ssl/certs" + "pki" + ]; + in concatStringsSep " \\\n " + (map (file: "--ro-bind-try /etc/${file} /etc/${file}") files); + init = run: writeShellScriptBin "${name}-init" '' source /etc/profile exec ${run} "$@" ''; bwrap_cmd = { init_args ? "" }: '' - blacklist="/nix /dev /proc" + blacklist="/nix /dev /proc /etc" ro_mounts="" for i in ${env}/*; do path="/''${i##*/}" + if [[ $path == '/etc' ]]; then + continue + fi ro_mounts="$ro_mounts --ro-bind $i $path" blacklist="$blacklist $path" done + if [[ -d ${env}/etc ]]; then + for i in ${env}/etc/*; do + path="/''${i##*/}" + ro_mounts="$ro_mounts --ro-bind $i /etc$path" + done + fi + auto_mounts="" # loop through all directories in the root for dir in /*; do 
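Review bot: The new `files` list does not document what happens when `${env}/etc` carries an entry of the same name, and in the bwrap invocation (second hunk of this file) `${etcBindFlags}` precedes `$ro_mounts`, so the loop's `--ro-bind $i /etc$path` is mounted on top of the host bind and silently wins; an env whose packages ship an `etc/ssl` directory, for instance, would hide the host `/etc/ssl/certs` bind beneath it (whether any consumer does so is not visible here). `--ro-bind-try` likewise skips host entries that do not exist without any message, so a missing `nsswitch.conf` or `resolv.conf` only shows up as a broken name lookup inside the sandbox. A comment above `files` such as `# Host /etc entries bound read-only into the sandbox; missing ones are skipped (--ro-bind-try), and an entry of the same name in ${env}/etc is mounted later and takes precedence` would make both behaviours explicit. Binding `shadow`, `sudoers` and `sudoers.d` keeps the host file modes, so this is no wider an exposure than the previous whole-`/etc` bind at `/host-etc`, but that reasoning is worth a word next to those entries too. The body of `bwrap_cmd` continues past the end of this hunk.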
@@ -51,7 +95,7 @@ let --share-net \ --die-with-parent \ --ro-bind /nix /nix \ - --ro-bind /etc /host-etc \ + ${etcBindFlags} \ $ro_mounts \ $auto_mounts \ ${init runScript}/bin/${name}-init ${init_args} diff --git a/pkgs/build-support/build-fhs-userenv-bubblewrap/env.nix b/pkgs/build-support/build-fhs-userenv-bubblewrap/env.nix index 5e994abfd212e..08f58471bf02d 100644 --- a/pkgs/build-support/build-fhs-userenv-bubblewrap/env.nix +++ b/pkgs/build-support/build-fhs-userenv-bubblewrap/env.nix @@ -78,44 +78,6 @@ let # environment variables ln -s ${etcProfile} profile - # compatibility with NixOS - ln -s /host-etc/static static - - # symlink some NSS stuff - ln -s /host-etc/passwd passwd - ln -s /host-etc/group group - ln -s /host-etc/shadow shadow - ln -s /host-etc/hosts hosts - ln -s /host-etc/resolv.conf resolv.conf - ln -s /host-etc/nsswitch.conf nsswitch.conf - - # symlink sudo and su stuff - ln -s /host-etc/login.defs login.defs - ln -s /host-etc/sudoers sudoers - ln -s /host-etc/sudoers.d sudoers.d - - # symlink other core stuff - ln -s /host-etc/localtime localtime - ln -s /host-etc/zoneinfo zoneinfo - ln -s /host-etc/machine-id machine-id - ln -s /host-etc/os-release os-release - - # symlink PAM stuff - ln -s /host-etc/pam.d pam.d - - # symlink fonts stuff - ln -s /host-etc/fonts fonts - - # symlink ALSA stuff - ln -s /host-etc/asound.conf asound.conf - - # symlink SSL certs - mkdir -p ssl - ln -s /host-etc/ssl/certs ssl/certs - - # Fedora stores certs in another directory - ln -s /host-etc/pki pki - # symlink /etc/mtab -> /proc/mounts (compat for old userspace progs) ln -s /proc/mounts mtab ''; -- cgit 1.4.1
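Review bot: Dropping `--ro-bind /etc /host-etc` removes the `/host-etc` path from the sandbox entirely, so any host file not named in `etcBindFlags` is no longer reachable at all, and anything outside this file that still hardcodes `/host-etc` (a consumer's extra install commands, for example — inferred, not visible here) would now point at nothing. If that narrowing is intended, a short comment at this line, `# host /etc is no longer exposed wholesale; only the entries listed in etcBindFlags are bound`, records it for the next reader. The enclosing `bwrap_cmd` string starts before this hunk.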