diff --git a/nixos.nix b/nixos.nix
index 2c5b5db..7186cd7 100644
--- a/nixos.nix
+++ b/nixos.nix
@@ -84,6 +84,8 @@ in
 command = if app.command == null then app.name else app.command;
 script = if app.script == null then ("exec " + command + " $@") else app.script;
 enablements = with app.capability; (if wayland then 1 else 0) + (if x11 then 2 else 0) + (if dbus then 4 else 0) + (if pulse then 8 else 0);
+ isGraphical = if app.gpu != null then app.gpu else app.capability.wayland || app.capability.x11;
+
 conf = {
 inherit (app) id;
 path = pkgs.writeScript "${app.name}-start" ''
@@ -91,6 +93,7 @@ in
 ${script}
 '';
 args = [ "${app.name}-start" ];
+
 confinement = {
 app_id = aid;
 inherit (app) groups;
@@ -108,6 +111,7 @@ in
 ;
 map_real_uid = app.mapRealUid;
 direct_wayland = app.insecureWayland;
+
 filesystem =
 let
 bind = src: { inherit src; };
@@ -135,8 +139,7 @@ in
 (mustBind "/nix/var")
 (bind "/var/db/nix-channels")
 ]
- ++ optionals (if app.gpu != null then app.gpu else app.capability.wayland || app.capability.x11) [
- (bind "/run/opengl-driver")
+ ++ optionals isGraphical [
 (devBind "/dev/dri")
 (devBind "/dev/nvidiactl")
 (devBind "/dev/nvidia-modeset")
@@ -147,7 +150,23 @@ in
 ++ app.extraPaths;
 auto_etc = true;
 cover = [ "/var/run/nscd" ];
+
+ symlink = optionals (isGraphical && config.hardware.graphics.enable) (
+ [
+ [
+ config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver"."L+".argument
+ "/run/opengl-driver"
+ ]
+ ]
+ ++ optionals (app.multiarch && config.hardware.graphics.enable32Bit) [
+ [
+ config.systemd.tmpfiles.settings.graphics-driver."/run/opengl-driver-32"."L+".argument
+ /run/opengl-driver-32
+ ]
+ ]
+ );
 };
+
 inherit enablements;
 inherit (dbusConfig) session_bus system_bus;
 };
diff --git a/test/sandbox/case/mapuid.nix b/test/sandbox/case/mapuid.nix
index c44a2ae..30969a4 100644
--- a/test/sandbox/case/mapuid.nix
+++ b/test/sandbox/case/mapuid.nix
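Review bot: In the new `symlink` list (hunk `@@ -147,7 +150,23 @@`) the second link name is the bare path literal `/run/opengl-driver-32` while the first is the string `"/run/opengl-driver"`; in Nix an unquoted absolute path is a path value, and coercing it to a string — which presumably happens when `conf` is serialized outside this hunk, e.g. via `builtins.toJSON` — copies whatever is at that path on the evaluating host into the Nix store, or aborts under pure/restricted evaluation. The line should be the plain string `"/run/opengl-driver-32"` so both entries are handled alike. Note also that both link targets are now the `L+` arguments of the host's tmpfiles rules, i.e. store paths fixed at evaluation time, so a working driver inside the sandbox depends on the store being visible there and on the evaluated configuration matching the running system, whereas the removed `(bind "/run/opengl-driver")` tracked the host's live `/run/opengl-driver`; a short comment on `symlink` stating this assumption would help the next maintainer. The enclosing `conf` attribute set begins outside the hunk.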
@@ -113,7 +113,7 @@
 proc = fs "8000016d" null null;
 run = fs "800001c0" {
 current-system = fs "8000016d" null null;
- opengl-driver = fs "8000016d" null null;
+ opengl-driver = fs "80001ff" null null;
 user = fs "800001ed" {
 "1000" = fs "800001ed" {
 bus = fs "10001fd" null null;
@@ -201,7 +201,6 @@
 (ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
 (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
 (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
- (ent ignore "/run/opengl-driver" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
 (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
 (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
diff --git a/test/sandbox/case/preset.nix b/test/sandbox/case/preset.nix
index 57ac821..5366fd4 100644
--- a/test/sandbox/case/preset.nix
+++ b/test/sandbox/case/preset.nix
@@ -113,7 +113,7 @@
 proc = fs "8000016d" null null;
 run = fs "800001c0" {
 current-system = fs "8000016d" null null;
- opengl-driver = fs "8000016d" null null;
+ opengl-driver = fs "80001ff" null null;
 user = fs "800001ed" {
 "65534" = fs "800001ed" {
 bus = fs "10001fd" null null;
@@ -201,7 +201,6 @@
 (ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
 (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
 (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
- (ent ignore "/run/opengl-driver" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
 (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
 (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000001,gid=1000001")
diff --git a/test/sandbox/case/tty.nix b/test/sandbox/case/tty.nix
index ef7e3e8..65bdc19 100644
--- a/test/sandbox/case/tty.nix
+++ b/test/sandbox/case/tty.nix
@@ -114,7 +114,7 @@
 proc = fs "8000016d" null null;
 run = fs "800001c0" {
 current-system = fs "8000016d" null null;
- opengl-driver = fs "8000016d" null null;
+ opengl-driver = fs "80001ff" null null;
 user = fs "800001ed" {
 "65534" = fs "800001ed" {
 bus = fs "10001fd" null null;
@@ -203,7 +203,6 @@
 (ent "/class" "/sys/class" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
 (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
 (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
- (ent ignore "/run/opengl-driver" "ro,nosuid,nodev,relatime" "overlay" "overlay" "rw,lowerdir=/mnt-root/nix/.ro-store,upperdir=/mnt-root/nix/.rw-store/upper,workdir=/mnt-root/nix/.rw-store/work,uuid=on")
 (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
 (ent "/etc" "/.fortify/etc" "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
 (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")