tilpner/bubblewrapPresets.nix Secret

## bubblewrapPresets.nix
{ }:

{
  base = [
    "unshare-user"
    "unshare-ipc"
    "unshare-pid"
    "unshare-uts"
    "unshare-cgroup"
    "proc /proc"
    "dev /dev"
    "bind /tmp /tmp" # tmpfs /tmp
    "ro-bind /nix /nix"
    "ro-bind /bin /bin"
    "ro-bind /etc/static /etc/static"
    "ro-bind /etc/ssl /etc/ssl"
    "ro-bind /etc/localtime /etc/localtime"
    "ro-bind /etc/nsswitch.conf /etc/nsswitch.conf"
    "ro-bind /etc/resolv.conf /etc/resolv.conf"
    "ro-bind /var/run/nscd /var/run/nscd"
    "bind /run /run" # tmpfs /run
    "die-with-parent"
  ];

  x11 = [
    "ro-bind ~/.Xauthority ~/.Xauthority"
    "ro-bind /tmp/.X11-unix /tmp/.X11-unix"
    "ro-bind /etc/fonts /etc/fonts"
  ];

  gpu = [
    "dev-bind /dev/dri /dev/dri"
    "bind /sys /sys"
  ];

  pulse = [
    "ro-bind /etc/pulse /etc/pulse"
    "ro-bind /etc/asound.conf /etc/asound.conf"
    "bind ~/.config/pulse ~/.config/pulse"
    "bind ~/.pulse ~/.pulse"
  ];

  gtk = [
    "ro-bind ~/.config/gtk-2.0 ~/.config/gtk-2.0"
    "ro-bind ~/.config/gtk-3.0 ~/.config/gtk-3.0"
  ];
}

## makeBubblewrap.nix
{ stdenv, lib, writeScriptBin, bubblewrap, bubblewrapPresets }:
{ name ? argv, argv,
  presets ? p: [ p.base ], rules ? [],
  roBind ? [], rwBind ? [] }:

with lib;
let
  fmtArg = a: "  --${a} \\";
  mapBinds = bind: map (p: "${bind} ${p} ${p}");
  selectedPresets = presets bubblewrapPresets;
  finalRules = lib.flatten selectedPresets ++ rules
            ++ (mapBinds "ro-bind" roBind)
            ++ (mapBinds "bind" rwBind);
  args = map fmtArg finalRules;
  argsStr = concatStringsSep "\n" args;
in writeScriptBin name ''
  #!${stdenv.shell}
  exec ${bubblewrap}/bin/bwrap \
  ${argsStr}
    ${argv} "$@"
''
	{ }:

	{
	base = [
	"unshare-user"
	"unshare-ipc"
	"unshare-pid"
	"unshare-uts"
	"unshare-cgroup"
	"proc /proc"
	"dev /dev"
	"bind /tmp /tmp" # tmpfs /tmp
	"ro-bind /nix /nix"
	"ro-bind /bin /bin"
	"ro-bind /etc/static /etc/static"
	"ro-bind /etc/ssl /etc/ssl"
	"ro-bind /etc/localtime /etc/localtime"
	"ro-bind /etc/nsswitch.conf /etc/nsswitch.conf"
	"ro-bind /etc/resolv.conf /etc/resolv.conf"
	"ro-bind /var/run/nscd /var/run/nscd"
	"bind /run /run" # tmpfs /run
	"die-with-parent"
	];

	x11 = [
	"ro-bind ~/.Xauthority ~/.Xauthority"
	"ro-bind /tmp/.X11-unix /tmp/.X11-unix"
	"ro-bind /etc/fonts /etc/fonts"
	];

	gpu = [
	"dev-bind /dev/dri /dev/dri"
	"bind /sys /sys"
	];

	pulse = [
	"ro-bind /etc/pulse /etc/pulse"
	"ro-bind /etc/asound.conf /etc/asound.conf"
	"bind ~/.config/pulse ~/.config/pulse"
	"bind ~/.pulse ~/.pulse"
	];

	gtk = [
	"ro-bind ~/.config/gtk-2.0 ~/.config/gtk-2.0"
	"ro-bind ~/.config/gtk-3.0 ~/.config/gtk-3.0"
	];
	}
	{ stdenv, lib, writeScriptBin, bubblewrap, bubblewrapPresets }:
	{ name ? argv, argv,
	presets ? p: [ p.base ], rules ? [],
	roBind ? [], rwBind ? [] }:

	with lib;
	let
	fmtArg = a: " --${a} \\";
	mapBinds = bind: map (p: "${bind} ${p} ${p}");
	selectedPresets = presets bubblewrapPresets;
	finalRules = lib.flatten selectedPresets ++ rules
	++ (mapBinds "ro-bind" roBind)
	++ (mapBinds "bind" rwBind);
	args = map fmtArg finalRules;
	argsStr = concatStringsSep "\n" args;
	in writeScriptBin name ''
	#!${stdenv.shell}
	exec ${bubblewrap}/bin/bwrap \
	${argsStr}
	${argv} "$@"
	''