author | Profpatsch <mail@profpatsch.de> | 2019-12-08 02:39:44 +0100 |
---|---|---|
committer | Profpatsch <mail@profpatsch.de> | 2019-12-08 02:39:44 +0100 |
commit | 3cd2df8f8eb3a63a5e8823ca094785589d4039df (patch) | |
tree | a78895d856609a1840abd3b53e0fbcdfdd0d4e45 /pkgs/profpatsch/default.nix | |
parent | 9d88b75f6261b9b4f5d280ec081cd0e53b47f6be (diff) |
pkgs/profpatsch: add sandbox primitive
Small sandboxing utility, which unshares the filesystem via user-namespaces and can optionally bind-mount existing paths into the sandbox.
Diffstat (limited to 'pkgs/profpatsch/default.nix')
-rw-r--r-- | pkgs/profpatsch/default.nix | 12 |
1 files changed, 3 insertions, 9 deletions
diff --git a/pkgs/profpatsch/default.nix b/pkgs/profpatsch/default.nix
index c6698d7b..14666867 100644
--- a/pkgs/profpatsch/default.nix
+++ b/pkgs/profpatsch/default.nix
@@ -109,15 +109,6 @@ let
 inherit pkgs execlineb-with-builtins;
 };
- # remove everything but a few selected environment variables
- runInEmptyEnv = keepVars:
- let
- importas = pkgs.lib.concatMap (var: [ "importas" "-i" var var ]) keepVars;
- # we have to explicitely call export here, because PATH is probably empty
- export = pkgs.lib.concatMap (var: [ "${pkgs.execline}/bin/export" var ''''${${var}}'' ]) keepVars;
- in writeExeclineFns.writeExecline "empty-env" {}
- (importas ++ [ "emptyenv" ] ++ export ++ [ "${pkgs.execline}/bin/exec" "$@" ]);
-
 in rec {
 inherit (nixperiments)
@@ -174,6 +165,9 @@ in rec {
 inherit getBins;
+ inherit (import ./sandbox.nix {inherit pkgs writeExecline; })
+ sandbox runInEmptyEnv;
+
 symlink = pkgs.callPackage ./execline/symlink.nix {
 inherit runExecline;
 }; |
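Review bot: The added `inherit (import ./sandbox.nix {inherit pkgs writeExecline; }) sandbox runInEmptyEnv;` in the second hunk exports two isolation helpers with no comment, and the first hunk deletes the only in-file description of `runInEmptyEnv`. Callers choosing these from the attribute set need to know what each one guarantees, so I would put `# sandbox: unshares the filesystem via user namespaces, with optional bind-mounts of existing paths` and `# runInEmptyEnv: clears the environment except for keepVars` above the inherit. The commit message mentions only the filesystem, so the comment should also say whether network and process namespaces are left shared; sandbox.nix is not in this view, so confirm that against the implementation. Separately, the removed code reached the writer as `writeExeclineFns.writeExecline`, while the new line expects a bare `writeExecline` in scope inside `rec { … }`; that binding lies outside the hunk and is worth checking.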