security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 25 Wiki Activity

cmd/fpkg: optional network access when invoking with nix daemon
All checks were successful
Tests / Go tests (push) Successful in 34s
Details
Nix / NixOS tests (push) Successful in 3m36s
Details

Browse Source 
This is useful for building nixGL.

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2024-12-29 18:32:44 +09:00
parent a98a176907
commit aff80b6b00
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
cmd/fpkg/install.go
View File

@ -154,7 +154,7 @@ func actionInstall(args []string) {
"rm -rf .local/state/{nix,home-manager}",
// run activation script
bundle.ActivationPackage + "/activate",
}, workDir, bundle, pathSet, dropShellActivate, cleanup)
}, false, workDir, bundle, pathSet, dropShellActivate, cleanup)
/*
Installation complete. Write metadata to block re-installs or downgrades.
@ -183,7 +183,7 @@ func actionInstall(args []string) {
cleanup()
}
func withNixDaemon(action string, command []string, workDir string, bundle *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
func withNixDaemon(action string, command []string, net bool, workDir string, bundle *bundleInfo, pathSet *appPathSet, dropShell bool, beforeFail func()) {
fortifyAppDropShell(&fst.Config{
ID: bundle.ID,
Command: []string{shell, "-lc", "rm -f /nix/var/nix/daemon-socket/socket && " +
@ -204,6 +204,7 @@ func withNixDaemon(action string, command []string, workDir string, bundle *bund
Sandbox: &fst.SandboxConfig{
Hostname: formatHostname(bundle.Name) + "-" + action,
UserNS: true, // nix sandbox requires userns
Net: net,
NoNewSession: dropShell,
Filesystem: []*fst.FilesystemConfig{
{Src: pathSet.nixPath, Dst: "/nix", Write: true, Must: true},