diff options
author | Nikolay Amiantov <ab@fmap.me> | 2016-06-05 04:44:06 +0300 |
---|---|---|
committer | Nikolay Amiantov <ab@fmap.me> | 2016-06-07 04:06:35 +0300 |
commit | 74107a7867aa0c55c9d823726f80f9fb6cf3251c (patch) | |
tree | 5cac2890e379d3be9affbb5243feaf836ec971cd /pkgs/build-support/build-fhs-userenv/default.nix | |
parent | 38ba56863435c5f791083a638f06eda7da876265 (diff) | |
download | nixpkgs-74107a7867aa0c55c9d823726f80f9fb6cf3251c.tar nixpkgs-74107a7867aa0c55c9d823726f80f9fb6cf3251c.tar.gz nixpkgs-74107a7867aa0c55c9d823726f80f9fb6cf3251c.tar.bz2 nixpkgs-74107a7867aa0c55c9d823726f80f9fb6cf3251c.tar.lz nixpkgs-74107a7867aa0c55c9d823726f80f9fb6cf3251c.tar.xz nixpkgs-74107a7867aa0c55c9d823726f80f9fb6cf3251c.tar.zst nixpkgs-74107a7867aa0c55c9d823726f80f9fb6cf3251c.zip |
buildFHSEnv: refactor and simplify, drop buildFHSChrootEnv
This takes another approach at binding FHS directory structure. We now bind-mount all the root filesystem to directory "/host" in the target tree. From that we symlink all the directories into the tree if they do not already exist in FHS structure. This probably makes `CHROOTENV_EXTRA_BINDS` unnecessary -- its main usecase was to add bound directories from the host to the sandbox, and we not just symlink all of them. I plan to get some feedback on its usage and maybe deprecate it. This also drops old `buildFHSChrootEnv` infrastructure. The main problem with it is it's very difficult to unmount a recursive-bound directory when mount is not sandboxed. This problem is a bug even without these changes -- if you have for example `/home/alice` mounted to somewhere, you wouldn't see it in `buildFHSChrootEnv` now. With the new directory structure, it's impossible to use regular bind at all. After some tackling with this I realized that the fix would be brittle and dangerous (if you don't unmount everything clearly and proceed to removing the temporary directory, bye-bye fs!). It also probably doesn't worth it because I haven't heard that someone actually uses it for a long time, and `buildFHSUserEnv` should cover most cases while being much more maintainable and safe for the end-user.
Diffstat (limited to 'pkgs/build-support/build-fhs-userenv/default.nix')
-rw-r--r-- | pkgs/build-support/build-fhs-userenv/default.nix | 31 |
1 files changed, 16 insertions, 15 deletions
diff --git a/pkgs/build-support/build-fhs-userenv/default.nix b/pkgs/build-support/build-fhs-userenv/default.nix index 94c72e29a22..233db39788b 100644 --- a/pkgs/build-support/build-fhs-userenv/default.nix +++ b/pkgs/build-support/build-fhs-userenv/default.nix @@ -1,28 +1,29 @@ -{ runCommand, lib, writeText, writeScriptBin, stdenv, ruby } : -{ env, runScript ? "bash", extraBindMounts ? [], extraInstallCommands ? "", meta ? {}, passthru ? {} } : +{ callPackage, runCommand, lib, writeScript, stdenv, coreutils, ruby }: + +let buildFHSEnv = callPackage ./env.nix { }; in + +args@{ name, runScript ? "bash", extraBindMounts ? [], extraInstallCommands ? "", meta ? {}, passthru ? {}, ... }: let - name = env.pname; + env = buildFHSEnv (removeAttrs args [ "runScript" "extraBindMounts" "extraInstallCommands" "meta" "passthru" ]); # Sandboxing script - chroot-user = writeScriptBin "chroot-user" '' + chroot-user = writeScript "chroot-user" '' #! ${ruby}/bin/ruby ${builtins.readFile ./chroot-user.rb} ''; - init = run: writeText "${name}-init" '' - source /etc/profile - - # Make /tmp directory - mkdir -m 1777 /tmp - - # Expose sockets in /tmp - for i in /host-tmp/.*-unix; do - ln -s "$i" "/tmp/$(basename "$i")" + init = run: writeScript "${name}-init" '' + #! ${stdenv.shell} + for i in ${env}/* /host/*; do + path="/''${i##*/}" + [ -e "$path" ] || ${coreutils}/bin/ln -s "$i" "$path" done [ -d "$1" ] && [ -r "$1" ] && cd "$1" shift + + source /etc/profile exec ${run} "$@" ''; @@ -32,7 +33,7 @@ in runCommand name { env = runCommand "${name}-shell-env" { shellHook = '' export CHROOTENV_EXTRA_BINDS="${lib.concatStringsSep ":" extraBindMounts}:$CHROOTENV_EXTRA_BINDS" - exec ${chroot-user}/bin/chroot-user ${env} bash ${init "bash"} "$(pwd)" + exec ${chroot-user} ${init "bash"} "$(pwd)" ''; } '' echo >&2 "" @@ -46,7 +47,7 @@ in runCommand name { cat <<EOF >$out/bin/${name} #! ${stdenv.shell} export CHROOTENV_EXTRA_BINDS="${lib.concatStringsSep ":" extraBindMounts}:\$CHROOTENV_EXTRA_BINDS" - exec ${chroot-user}/bin/chroot-user ${env} bash ${init runScript} "\$(pwd)" "\$@" + exec ${chroot-user} ${init runScript} "\$(pwd)" "\$@" EOF chmod +x $out/bin/${name} ${extraInstallCommands} |