bwrap sandbox thing

Signed-off-by: Magic_RB <magic_rb@redalder.org>
2024-11-26 01:56:13 +01:00 · 2022-09-11 01:50:32 +02:00 · 2022-09-11 01:50:32 +02:00 · edbe703a92
parent 114ce2ba6d
commit edbe703a92
1 changed files with 140 additions and 0 deletions
--- a/overlays/bwrap-x.nix
+++ b/overlays/bwrap-x.nix
@ -0,0 +1,140 @@
+# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
+#
+# SPDX-License-Identifier: LGPL-3.0-or-later
+{
+  name = "bwrap-x";
+  overlay = {}: final: prev: {
+    bwrap-factorio = final.bwrap-x {
+      pkgs = with prev; [
+        xorg.libX11
+        xorg.libXext
+        xorg.libXinerama
+        xorg.libXrandr
+        xorg.libXcursor
+        pulseaudio
+        libglvnd
+        alsa-lib
+      ];
+    };
+    bwrap-x =
+      { defaultPackages ? (with prev; [ bashInteractive coreutils-full gawk gzip gnutar gnugrep glibc.bin ])
+      , pkgs ? []
+      }:
+      with prev.lib;
+      prev.writeShellScriptBin "bwrap-x" ''
+       nixpkgs="${prev.path}"
+
+       store_paths=()
+       preload_libraries=()
+
+       for package in ${concatStringsSep " " (pkgs ++ defaultPackages)}
+       do
+         for path in $(nix path-info -r $package)
+         do
+           store_paths+=("$path")
+         done
+       done
+
+       for path in $(nix path-info -r $(for package in $EXTRA_PACKAGES ; do echo $nixpkgs#$package ; done))
+       do
+         store_paths+=("$path")
+       done
+
+       for package in ${concatStringsSep " " (pkgs ++ defaultPackages)}
+       do
+         for path in $(nix build --no-link --print-out-paths $package)
+         do
+           if [ -e "$path/lib" ]
+           then
+             preload_libraries+=("$path/lib")
+           fi
+         done
+       done
+
+
+       for path in $(nix build --no-link --print-out-paths $(for package in $EXTRA_PACKAGES ; do echo $nixpkgs#$package ; done))
+       do
+         if [ -e "$path/lib" ]
+         then
+           preload_libraries+=("$path/lib")
+         fi
+       done
+
+       if [ "$ENABLE_XORG" == "1" ]
+       then
+         for package in $(readlink /run/opengl-driver /run/opengl-driver-32)
+         do
+           for path in $(nix path-info -r $package)
+           do
+             store_paths+=("$path")
+           done
+         done
+         preload_libraries+=("/run/opengl-driver/lib" "/run/opengl-driver-32/lib")
+       fi
+
+       preload_libraries_new="$(echo "''${preload_libraries[@]}" | tr ' ' '\n' | sort | uniq | tr '\n' ' ')"
+       store_paths_new="$(echo "''${store_paths[@]}" | tr ' ' '\n' | sort | uniq | tr '\n' ' ')"
+
+       ${prev.bubblewrap}/bin/bwrap \
+         --unshare-all \
+         --ro-bind /bin/sh /bin/sh \
+         --ro-bind /usr/bin/env /usr/bin/env \
+         --ro-bind ${prev.glibc}/lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 \
+         --ro-bind /nix/store /nix/store \
+         `# $(for path in ''${store_paths_new[@]} ;` \
+         `#    do` \
+         `#    nix path-info $path -r | sed 's/\(.*\)/--ro-bind \1 \1/m' | tr '\n' ' ' ;` \
+         `#  done)` \
+         --ro-bind /bin/sh /bin/sh \
+         --setenv PATH \
+           $(for path in ''${store_paths_new[@]} ; \
+               do \
+               echo $path | sed 's~\(.*\)~\1/bin~m' | tr '\n' ':' ; \
+             done) \
+         --tmpfs /tmp \
+         --proc /proc \
+         --dev /dev \
+         \
+         \
+           $(for path in $BIND_PATHS ; \
+               do \
+               echo "--bind $path $path" ; \
+             done) \
+           $(for path in $BIND_RO_PATHS ; \
+               do \
+               echo "--ro-bind $path $path" ; \
+             done) \
+         $([ "$CWD" = "" ] && echo "--cwd $CWD") \
+         \
+         \
+         $([ "$ENABLE_PULSEAUDIO" == "1" ] && echo "${concatStringsSep " " [
+           "--dev-bind /dev/snd /dev/snd"
+           "--ro-bind /etc/group /etc/group"
+           "--bind /run/user/1000/pulse/ /run/user/1000/pulse/"
+         ]}") \
+         \
+         \
+         $([ "$ENABLE_XORG" == "1" ] && echo "${concatStringsSep " " [
+           "--bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0"
+           "--ro-bind /home/main/.Xauthority /home/main/.Xauthority"
+
+           "--bind /run/nvidia-xdriver-e0a0641b /run/nvidia-xdriver-e0a0641b"
+           "--ro-bind /run/opengl-driver-32 /run/opengl-driver-32"
+           "--ro-bind /run/opengl-driver /run/opengl-driver"
+           "--ro-bind /sys/dev/char /sys/dev/char"
+           "--dev-bind /dev/dri /dev/dri"
+           "--ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00"
+           "$(for dev in /dev/nvidia* ; do echo \"--dev-bind $dev $dev\" ; done)"
+         ]}") \
+         \
+         $([ "ENABLE_NETWORK" == "1" ] && echo "${concatStringsSep " " [
+           "--ro-bind /etc/ssl /etc/ssl"
+           "--ro-bind /etc/static/ssl /etc/static/ssl"
+           "--ro-bind /etc/resolv.conf /etc/resolv.conf"
+           "--share-net"
+         ]}") \
+         --setenv LD_LIBRARY_PATH "$(echo "''${preload_libraries_new[@]}" | tr ' ' ':')" \
+         "$@"
+      '';
+  };
+}