From 9bc6d2311105f2b46653cb8d39bf4a4c45db1a3c Mon Sep 17 00:00:00 2001
From: benaryorg
Date: Wed, 25 Sep 2024 09:32:41 +0000
Subject: [PATCH] buildFHSEnvBubblewrap: extraPreBwrapCmds after variable initialisation

Prior to this commit it was not possible to modify e.g. the list of ignored directories at all; however, given that `buildFHSEnvBubblewrap` effectively uses a sandboxing tool (*bwrap*), I feel like this is a missed opportunity. The code in nixpkgs already covers all the knobs that are required to get *Nix* itself to run inside bubblewrap, so why not allow users to make that additional modification?

While additional `ro_mounts` and such can be *added* to the bubblewrap invocation, the already mounted directories cannot be removed, and even if shadowed by e.g. a tmpfs mount, this would still allow something inside the sandbox to potentially unmount the tmpfs and access the data.

So what this change does is move the snippet where custom code can be injected down by four lines so that users can actually modify those variables, e.g. using `ignored+=( /home /srv /mnt /boot )`.

The only cases in which this would break are:

- someone using those variable names in `extraPreBwrapCmds` already and relying on them being overwritten; I would consider that chance slim, and the fix would be easy enough
- someone using a construct like `false && \` to disable the `ignored` initialisation and effectively working around this limitation; again, the chances are slim (even though I know I'd be affected), and the fix would be easy enough (as this change makes the workaround needless anyway, so it's an improvement)

Signed-off-by: benaryorg
---
 pkgs/build-support/build-fhsenv-bubblewrap/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkgs/build-support/build-fhsenv-bubblewrap/default.nix b/pkgs/build-support/build-fhsenv-bubblewrap/default.nix
index 398a99e80e8cd..25fcabf7a408e 100644
--- a/pkgs/build-support/build-fhsenv-bubblewrap/default.nix
+++ b/pkgs/build-support/build-fhsenv-bubblewrap/default.nix @@ -125,12 +125,13 @@ let indentLines = str: concatLines (map (s: " " + s) (filter (s: s != "") (splitString "\n" str))); bwrapCmd = { initArgs ? "" }: '' - ${extraPreBwrapCmds} ignored=(/nix /dev /proc /etc ${optionalString privateTmp "/tmp"}) ro_mounts=() symlinks=() etc_ignored=() + ${extraPreBwrapCmds} + # loop through all entries of root in the fhs environment, except its /etc. for i in ${fhsenv}/*; do path="/''${i##*/}"
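Review bot: the relocated `${extraPreBwrapCmds}` line at the end of this hunk silently changes the hook's contract (anything it assigns to `ignored`, `ro_mounts`, `symlinks` or `etc_ignored` now survives instead of being clobbered by the four initialisations above it), but nothing in the diff records that for readers of the file or users of the option. Add a short comment directly above the new `+ ${extraPreBwrapCmds}` line, e.g. `# runs after the arrays above are initialised so that hooks can extend them, e.g. ignored+=(/home)`, and document the new ordering wherever `extraPreBwrapCmds` is described, since the commit message itself names two classes of existing hooks (ones reusing these variable names, ones relying on a `false && \` workaround) whose behaviour changes with this move. While there, the hook now also sits between the initialisation and the `# loop through all entries of root` comment, so a blank line after it would keep the comment attached to the loop it describes.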