blob: 4177846c4336715ccc5f404c3c15549d48eb7bcf (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
{ runCommand, lib, writeText, writeScriptBin, stdenv, bash, ruby } :
{ env, runScript ? "${bash}/bin/bash", extraBindMounts ? [], extraInstallCommands ? "", importMeta ? {} } :
let
name = env.pname;
bash' = "${bash}/bin/bash";
# Sandboxing script
chroot-user = writeScriptBin "chroot-user" ''
#! ${ruby}/bin/ruby
${builtins.readFile ./chroot-user.rb}
'';
init = run: writeText "${name}-init" ''
source /etc/profile
# Make /tmp directory
mkdir -m 1777 /tmp
# Expose sockets in /tmp
for i in /host-tmp/.*-unix; do
ln -s "$i" "/tmp/$(basename "$i")"
done
[ -d "$1" ] && [ -r "$1" ] && cd "$1"
shift
exec ${run} "$@"
'';
in runCommand name {
meta = importMeta;
passthru.env =
runCommand "${name}-shell-env" {
shellHook = ''
export CHROOTENV_EXTRA_BINDS="${lib.concatStringsSep ":" extraBindMounts}:$CHROOTENV_EXTRA_BINDS"
exec ${chroot-user}/bin/chroot-user ${env} ${bash'} -l ${init bash'} "$(pwd)"
'';
} ''
echo >&2 ""
echo >&2 "*** User chroot 'env' attributes are intended for interactive nix-shell sessions, not for building! ***"
echo >&2 ""
exit 1
'';
} ''
mkdir -p $out/bin
cat <<EOF >$out/bin/${name}
#! ${stdenv.shell}
export CHROOTENV_EXTRA_BINDS="${lib.concatStringsSep ":" extraBindMounts}:\$CHROOTENV_EXTRA_BINDS"
exec ${chroot-user}/bin/chroot-user ${env} ${bash'} ${init runScript} "\$(pwd)" "\$@"
EOF
chmod +x $out/bin/${name}
${extraInstallCommands}
''
|