| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
I'm going to use the sandboxing implementation as the basis for
something else where I'm going to do additional mounts on top of the
existing ones. This is just to make it easier to find the mount target.
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When using MS_BIND the mount flags aren't actually applied, so we need
to remount the bind mount with the flags we wanted if additional flags
are desired for the mount.
I've also removed the MS_NOATIME, because this doesn't work for kernel
4.14 (returns -EPERM) and it's really not necessary to change the atime
flags for our bind mounts.
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
While the Nix store should be read-only by default, we can't guarantee
this as the Nix store could be mounted read-write (for example on
non-NixOS systems).
For paths other than store directories, I took a conservative approach
here where only /etc is mounted read-only, for all the pseudo-
filesystems such as /proc, /sys or /dev write access might still be
needed, for example to write to a hardware device exposed via /dev (eg.
a gamepad with rumble support).
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For example the store path of libGL-1.0.0 is a symlink pointing to
libglvnd-1.0.0 right now on my machine.
If we have such a symlink the sandbox would just silently skip it and
only mount the *resolved* path instead of creating the symlink leading
to the target.
Now whenever bind_mount() with the resolve argument being true is used,
we create all the symlinks leading to the target path determined by
realpath().
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since the introduction and move of a few packages to use the sandbox, we
no longer have XDG desktop entries, because the sandbox only creates
wrappers for all programs in $drv/bin.
This now also copies the XDG desktop files and replaces absolute paths
to binaries to refer to the sandboxed binaries.
I also modified the test to go through the XDG desktop file by default
so we can ensure that this works properly.
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
|
|
|
| |
In order to do integer comparisons on the Nix version, we need to
zero-pad the minor version, so that we always have two digits.
Since the change of Nix version 1.12 to 2.0 the minor version no longer
has two digits, so we get 20 instead of 112 and when compared the former
is smaller than the latter but it has to be the opposite.
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
| |
Though we're already checking the realpath() let's actually make sure
that the path begins with a slash, otherwise we'll run into a segfault
later when we try to access the second byte of path.
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We only handle XDG_DATA_HOME and XDG_CONFIG_HOME, but we've missed
XDG_CACHE_HOME. While the latter is used very rarely as it doesn't
matter a lot if it ends up within a tmpfs anyway. However if the cache
directory gets pretty large we might run out of space.
Not only do we now have proper fallbacks but this also adds tests for
all of the XDG environment variables we're using.
Signed-off-by: aszlig <aszlig@nix.build>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While we already have support for mounting plain files, this is done on
a very specific basis, mainly the .Xauthority file.
Whenever we use bind_mount() and the file is a regular file, mounting
that file will fail. So let's actually do a stat on the file and decide
whether we want to do bind_file() or bind_mount().
I've stumbled on this because one of the store paths of the run time
dependency graph was a plain file and thus the sandbox wrapper was
unable to mount it.
Signed-off-by: aszlig <aszlig@nix.build>
|
|
|
This is not only useful for packaging games, so let's make it available
from the vuizvui scope, so we can use it from other packages as well.
Signed-off-by: aszlig <aszlig@nix.build>
|
