From c4de45021759e9c384485a451dfdf9c1d73f04ea Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Fri, 17 Jan 2025 22:56:16 +0900
Subject: [PATCH] nix: do not force static linking on nix

In a typical Nix or NixOS-based setup, the entire /nix/store directory is available to the sandbox.

Signed-off-by: Ophestra
---
 flake.nix | 24 ++++++++++++++++++++++--
 package.nix | 13 +++++++------
 2 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/flake.nix b/flake.nix
index 0277975..6d8e66e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -166,8 +166,28 @@
 go
 gcc
 ]
- ++ fortify.buildInputs
- ++ fortify.nativeBuildInputs;
+ # buildInputs
+ ++ (
+ with pkgsStatic;
+ [
+ musl
+ libffi
+ acl
+ wayland
+ wayland-protocols
+ ]
+ ++ (with xorg; [
+ libxcb
+ libXau
+ libXdmcp
+ ])
+ )
+ # nativeBuildInputs
+ ++ [
+ pkg-config
+ wayland-scanner
+ makeBinaryWrapper
+ ];
 };

 fhs = fhs.env;
diff --git a/package.nix b/package.nix
index 85a3859..0141dda 100644
--- a/package.nix
+++ b/package.nix
@@ -1,11 +1,16 @@
 {
 lib,
 buildGoModule,
+ makeBinaryWrapper,
 xdg-dbus-proxy,
 bubblewrap,
- pkgsStatic,
 pkg-config,
+ libffi,
+ acl,
+ wayland,
+ wayland-protocols,
 wayland-scanner,
+ xorg,
 }:

 buildGoModule rec {
@@ -27,7 +32,6 @@ buildGoModule rec {
 )
 [
 "-s -w"
- "-extldflags '-static'"
 "-X main.Fmain=${placeholder "out"}/libexec/fortify"
 "-X main.Fshim=${placeholder "out"}/libexec/fshim"
 ]
@@ -42,10 +46,7 @@ buildGoModule rec {
 GO_TEST_SKIP_ACL = 1;

 buildInputs =
- # cannot find a cleaner way to do this
- with pkgsStatic;
 [
- musl
 libffi
 acl
 wayland
@@ -60,7 +61,7 @@ buildGoModule rec {
 nativeBuildInputs = [
 pkg-config
 wayland-scanner
- pkgsStatic.makeBinaryWrapper
+ makeBinaryWrapper
 ];

 preConfigure = ''
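Review bot: The dev shell now carries a hand-copied input list that already disagrees with package.nix: it keeps `with pkgsStatic;` and `musl` while this same commit removes both from the package and drops static linking, so a build run inside the shell presumably resolves pkg-config and libraries from the static musl set while `nix build` links dynamically against the regular toolchain. The replaced `++ fortify.buildInputs ++ fortify.nativeBuildInputs` kept the two lists in sync automatically; unless there is a reason the shell can no longer reference the package attribute, restoring those two lines (or at least deleting `with pkgsStatic;` and `musl` from the copy) prevents the drift. The list expression these items belong to begins before the hunk.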
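Review bot: Removing `-extldflags '-static'` makes the binaries referenced by `main.Fmain` and `main.Fshim` depend on their library closure being resolvable at run time, and the only record of why that is acceptable is the commit message's assumption that the sandbox exposes all of /nix/store; nothing in package.nix states or checks it. Record the assumption beside the flags so the next person does not reintroduce static linking or silently break the sandbox, e.g. `# Linked dynamically on purpose: the sandbox is expected to expose /nix/store, so this package's runtime closure resolves inside it.` If the sandbox in practice only needs this package's closure rather than the whole store, binding just that closure keeps the sandbox's filesystem view minimal; that configuration lives outside this patch. The flag list these strings belong to begins outside the hunk.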