pkgs/profpatsch: add sandbox primitive

Small sandboxing utility, which unshares the filesystem via user-namespaces and can optionally bind-mount existing paths into the sandbox.
author: Profpatsch <mail@profpatsch.de> 2019-12-08 02:39:44 +0100
committer: Profpatsch <mail@profpatsch.de> 2019-12-08 02:39:44 +0100
commit: 3cd2df8f8eb3a63a5e8823ca094785589d4039df (patch)
tree: a78895d856609a1840abd3b53e0fbcdfdd0d4e45 /pkgs/profpatsch/default.nix
parent: 9d88b75f6261b9b4f5d280ec081cd0e53b47f6be (diff)
1 files changed, 3 insertions, 9 deletions
diff --git a/pkgs/profpatsch/default.nix b/pkgs/profpatsch/default.nix
index c6698d7b..14666867 100644
--- a/pkgs/profpatsch/default.nix
+++ b/pkgs/profpatsch/default.nix
@@ -109,15 +109,6 @@ let
     inherit pkgs execlineb-with-builtins;
   };
 
-  # remove everything but a few selected environment variables
-  runInEmptyEnv = keepVars:
-    let
-        importas = pkgs.lib.concatMap (var: [ "importas" "-i" var var ]) keepVars;
-        # we have to explicitely call export here, because PATH is probably empty
-        export = pkgs.lib.concatMap (var: [ "${pkgs.execline}/bin/export" var ''''${${var}}'' ]) keepVars;
-    in writeExeclineFns.writeExecline "empty-env" {}
-         (importas ++ [ "emptyenv" ] ++ export ++ [ "${pkgs.execline}/bin/exec" "$@" ]);
-
 
 in rec {
   inherit (nixperiments)
@@ -174,6 +165,9 @@ in rec {
 
   inherit getBins;
 
+  inherit (import ./sandbox.nix {inherit pkgs writeExecline; })
+    sandbox runInEmptyEnv;
+
   symlink = pkgs.callPackage ./execline/symlink.nix {
     inherit runExecline;
   };
author	Profpatsch <mail@profpatsch.de>	2019-12-08 02:39:44 +0100
committer	Profpatsch <mail@profpatsch.de>	2019-12-08 02:39:44 +0100
commit	3cd2df8f8eb3a63a5e8823ca094785589d4039df (patch)
tree	a78895d856609a1840abd3b53e0fbcdfdd0d4e45 /pkgs/profpatsch/default.nix
parent	9d88b75f6261b9b4f5d280ec081cd0e53b47f6be (diff)