From 2554e3ce9096c7036cbea55d78828794085734af Mon Sep 17 00:00:00 2001
From: aszlig
Date: Wed, 27 Sep 2017 19:58:21 +0200
Subject: pkgs/build-game: Add preliminary sandbox hook

This is basically to make sure various games can't write to whatever they want in the file system, so it's not a complete sandboxing solution. Currently there's a drawback in that we can't easily determine the runtime dependencies while building a particular game, so we need to recursively dig through all referenced store paths to look them up. A better solution for this would be to gather the build time reference graph prior to building so that we can limit searching for these references within only the actual build outputs instead of churning through all inputs. In addition to that, we currently mount the namespaced root file system on top of /tmp, which makes the real /tmp unavailable to us. While in theory this shouldn't be a problem, it actually turns out it is indeed a problem if the application wants to connect to the X server socket, which is at something like /tmp/.X11-unix/X0 for display :0. Apart from these drawbacks we have a working solution for simple applications (not games, because they usually require X), which now get its own chroot with only the paths accessible that are strictly necessary.

Signed-off-by: aszlig
---
 pkgs/games/build-support/build-game.nix | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
(limited to 'pkgs/games/build-support/build-game.nix')

diff --git a/pkgs/games/build-support/build-game.nix b/pkgs/games/build-support/build-game.nix
index b64f7457..e402787c 100644
--- a/pkgs/games/build-support/build-game.nix
+++ b/pkgs/games/build-support/build-game.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, file, unzip
+{ stdenv, lib, file, unzip, gcc, makeSetupHook
 , withPulseAudio ? true, libpulseaudio ? null
 , alsaLib
@@ -12,10 +12,19 @@ assert withPulseAudio -> libpulseaudio != null;
 , setSourceRoot ? ""
 , installCheckPhase ? ""
 , runtimeDependencies ? []
+, extraSandboxPaths ? [ "$XDG_DATA_HOME" "$XDG_CONFIG_HOME" ]
 , ... }@attrs:
 
-stdenv.mkDerivation ({
+let
+  sandboxHook = makeSetupHook {
+    substitutions = {
+      inherit gcc;
+      sandbox_main = ./sandbox.c;
+    };
+  } ./setup-hooks/make-sandbox.sh;
+
+in stdenv.mkDerivation ({
   buildInputs = [ stdenv.cc.cc ] ++ buildInputs;
   nativeBuildInputs = [
@@ -39,6 +48,11 @@ stdenv.mkDerivation ({
     fi
   '';
 
+  # Use ":!*!:" as delimiter as we can consider this highly unlikely to
+  # be part of a real path component and we're out of Nix territory, so
+  # the path components could contain almost anything.
+  extraSandboxPaths = lib.concatStringsSep ":!*!:" extraSandboxPaths;
+
   runtimeDependencies = let
     deps = lib.singleton alsaLib
       ++ lib.optional withPulseAudio libpulseaudio
@@ -71,5 +85,5 @@ stdenv.mkDerivation ({
   dontPatchELF = true;
 } // removeAttrs attrs [
   "buildInputs" "nativeBuildInputs" "preUnpack" "setSourceRoot"
-  "installCheckPhase" "runtimeDependencies"
+  "installCheckPhase" "runtimeDependencies" "extraSandboxPaths"
 ])
-- 
cgit 1.4.1
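Review bot: The `extraSandboxPaths` attribute built in the third hunk hands the build an environment string whose default entries are the literal shell-style names `$XDG_DATA_HOME` and `$XDG_CONFIG_HOME`, yet the comment above it documents only the delimiter, not that expansion is deferred to the sandbox hook or what an unset variable turns into. A line such as `# NOTE: the "$XDG_*" entries are not expanded by Nix but by the sandbox hook at runtime — TODO confirm the hook rejects or defaults an unset variable rather than mounting an empty path` would make that contract explicit for callers overriding the list. The chosen delimiter also contains `*`, so any unquoted use of the joined value in make-sandbox.sh (not part of this diff) would be subject to shell pathname expansion and the hook must quote it. Whether the hook applies the XDG fallback directories cannot be told from this hunk.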