diff options
Diffstat (limited to 'infra/libkookie/nixpkgs/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix')
| -rw-r--r-- | infra/libkookie/nixpkgs/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix | 43 |
1 files changed, 23 insertions, 20 deletions
diff --git a/infra/libkookie/nixpkgs/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix b/infra/libkookie/nixpkgs/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix index c7cfd27d3faa..3a3c9e932fdb 100644 --- a/infra/libkookie/nixpkgs/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix +++ b/infra/libkookie/nixpkgs/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix @@ -50,7 +50,7 @@ let "ssl/certs" "pki" ]; - in concatStringsSep " \\\n " + in concatStringsSep "\n " (map (file: "--ro-bind-try /etc/${file} /etc/${file}") files); init = run: writeShellScriptBin "${name}-init" '' @@ -59,46 +59,49 @@ let ''; bwrapCmd = { initArgs ? "" }: '' - blacklist="/nix /dev /proc /etc" - ro_mounts="" + blacklist=(/nix /dev /proc /etc) + ro_mounts=() for i in ${env}/*; do path="/''${i##*/}" if [[ $path == '/etc' ]]; then continue fi - ro_mounts="$ro_mounts --ro-bind $i $path" - blacklist="$blacklist $path" + ro_mounts+=(--ro-bind "$i" "$path") + blacklist+=("$path") done if [[ -d ${env}/etc ]]; then for i in ${env}/etc/*; do path="/''${i##*/}" - ro_mounts="$ro_mounts --ro-bind $i /etc$path" + ro_mounts+=(--ro-bind "$i" "/etc$path") done fi - auto_mounts="" + declare -a auto_mounts # loop through all directories in the root for dir in /*; do # if it is a directory and it is not in the blacklist - if [[ -d "$dir" ]] && grep -v "$dir" <<< "$blacklist" >/dev/null; then + if [[ -d "$dir" ]] && [[ ! "''${blacklist[@]}" =~ "$dir" ]]; then # add it to the mount list - auto_mounts="$auto_mounts --bind $dir $dir" + auto_mounts+=(--bind "$dir" "$dir") fi done - exec ${bubblewrap}/bin/bwrap \ - --dev-bind /dev /dev \ - --proc /proc \ - --chdir "$(pwd)" \ - --unshare-all \ - --share-net \ - --die-with-parent \ - --ro-bind /nix /nix \ - ${etcBindFlags} \ - $ro_mounts \ - $auto_mounts \ + cmd=( + ${bubblewrap}/bin/bwrap + --dev-bind /dev /dev + --proc /proc + --chdir "$(pwd)" + --unshare-all + --share-net + --die-with-parent + --ro-bind /nix /nix + ${etcBindFlags} + "''${ro_mounts[@]}" + "''${auto_mounts[@]}" ${init runScript}/bin/${name}-init ${initArgs} + ) + exec "''${cmd[@]}" ''; bin = writeShellScriptBin name (bwrapCmd { initArgs = ''"$@"''; }); |