74107a7867
This takes another approach at binding FHS directory structure. We now bind-mount all the root filesystem to directory "/host" in the target tree. From that we symlink all the directories into the tree if they do not already exist in FHS structure. This probably makes `CHROOTENV_EXTRA_BINDS` unnecessary -- its main usecase was to add bound directories from the host to the sandbox, and we not just symlink all of them. I plan to get some feedback on its usage and maybe deprecate it. This also drops old `buildFHSChrootEnv` infrastructure. The main problem with it is it's very difficult to unmount a recursive-bound directory when mount is not sandboxed. This problem is a bug even without these changes -- if you have for example `/home/alice` mounted to somewhere, you wouldn't see it in `buildFHSChrootEnv` now. With the new directory structure, it's impossible to use regular bind at all. After some tackling with this I realized that the fix would be brittle and dangerous (if you don't unmount everything clearly and proceed to removing the temporary directory, bye-bye fs!). It also probably doesn't worth it because I haven't heard that someone actually uses it for a long time, and `buildFHSUserEnv` should cover most cases while being much more maintainable and safe for the end-user.
55 lines
1.5 KiB
Nix
55 lines
1.5 KiB
Nix
{ callPackage, runCommand, lib, writeScript, stdenv, coreutils, ruby }:
|
|
|
|
let buildFHSEnv = callPackage ./env.nix { }; in
|
|
|
|
args@{ name, runScript ? "bash", extraBindMounts ? [], extraInstallCommands ? "", meta ? {}, passthru ? {}, ... }:
|
|
|
|
let
|
|
env = buildFHSEnv (removeAttrs args [ "runScript" "extraBindMounts" "extraInstallCommands" "meta" "passthru" ]);
|
|
|
|
# Sandboxing script
|
|
chroot-user = writeScript "chroot-user" ''
|
|
#! ${ruby}/bin/ruby
|
|
${builtins.readFile ./chroot-user.rb}
|
|
'';
|
|
|
|
init = run: writeScript "${name}-init" ''
|
|
#! ${stdenv.shell}
|
|
for i in ${env}/* /host/*; do
|
|
path="/''${i##*/}"
|
|
[ -e "$path" ] || ${coreutils}/bin/ln -s "$i" "$path"
|
|
done
|
|
|
|
[ -d "$1" ] && [ -r "$1" ] && cd "$1"
|
|
shift
|
|
|
|
source /etc/profile
|
|
exec ${run} "$@"
|
|
'';
|
|
|
|
in runCommand name {
|
|
inherit meta;
|
|
passthru = passthru // {
|
|
env = runCommand "${name}-shell-env" {
|
|
shellHook = ''
|
|
export CHROOTENV_EXTRA_BINDS="${lib.concatStringsSep ":" extraBindMounts}:$CHROOTENV_EXTRA_BINDS"
|
|
exec ${chroot-user} ${init "bash"} "$(pwd)"
|
|
'';
|
|
} ''
|
|
echo >&2 ""
|
|
echo >&2 "*** User chroot 'env' attributes are intended for interactive nix-shell sessions, not for building! ***"
|
|
echo >&2 ""
|
|
exit 1
|
|
'';
|
|
};
|
|
} ''
|
|
mkdir -p $out/bin
|
|
cat <<EOF >$out/bin/${name}
|
|
#! ${stdenv.shell}
|
|
export CHROOTENV_EXTRA_BINDS="${lib.concatStringsSep ":" extraBindMounts}:\$CHROOTENV_EXTRA_BINDS"
|
|
exec ${chroot-user} ${init runScript} "\$(pwd)" "\$@"
|
|
EOF
|
|
chmod +x $out/bin/${name}
|
|
${extraInstallCommands}
|
|
''
|