From f30a439bcd6aa97fac0f99cdd94381ae025aa64d Mon Sep 17 00:00:00 2001 From: Ophestra Date: Fri, 16 May 2025 04:38:08 +0900 Subject: [PATCH] nix: improve common usability Signed-off-by: Ophestra --- cmd/fpkg/test/configuration.nix | 4 ++- nixos.nix | 6 ++-- options.nix | 62 +++++++++++++++++++++++++++------ test/configuration.nix | 32 ++++++++++++----- test/sandbox/case/default.nix | 7 +++- test/sandbox/case/device.nix | 3 ++ test/sandbox/case/mapuid.nix | 3 ++ test/sandbox/case/preset.nix | 1 + test/sandbox/case/tty.nix | 3 ++ test/sandbox/configuration.nix | 11 +++++- 10 files changed, 107 insertions(+), 25 deletions(-) diff --git a/cmd/fpkg/test/configuration.nix b/cmd/fpkg/test/configuration.nix index 6940a28..2608fed 100644 --- a/cmd/fpkg/test/configuration.nix +++ b/cmd/fpkg/test/configuration.nix @@ -55,6 +55,8 @@ stateDir = "/var/lib/fortify"; users.alice = 0; - home-manager = _: _: { home.stateVersion = "23.05"; }; + extraHomeConfig = { + home.stateVersion = "23.05"; + }; }; } diff --git a/nixos.nix b/nixos.nix index 49d41f3..12b283a 100644 --- a/nixos.nix +++ b/nixos.nix @@ -146,7 +146,6 @@ in ] ++ optionals app.nix [ (mustBind "/nix/var") - (bind "/var/db/nix-channels") ] ++ optionals isGraphical [ (devBind "/dev/dri") @@ -156,6 +155,7 @@ in (devBind "/dev/nvidia-uvm-tools") (devBind "/dev/nvidia0") ] + ++ optionals app.useCommonPaths cfg.commonPaths ++ app.extraPaths; auto_etc = true; cover = [ "/var/run/nscd" ]; @@ -225,13 +225,13 @@ in # aid 0 is reserved imap1 (aid: app: { ${getsubname fid aid} = mkMerge [ - (cfg.home-manager (getsubname fid aid) (getsubuid fid aid)) + cfg.extraHomeConfig app.extraConfig { home.packages = app.packages; } ]; }) cfg.apps )) - { ${getsubname fid 0} = cfg.home-manager (getsubname fid 0) (getsubuid fid 0); } + { ${getsubname fid 0} = cfg.extraHomeConfig; } acc ] ) privPackages cfg.users; diff --git a/options.nix b/options.nix index 8af00c5..c8747f2 100644 --- a/options.nix +++ b/options.nix 
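Review bot: The new `++ optionals app.useCommonPaths cfg.commonPaths` line splices the shared list in ahead of `app.extraPaths`, so an app that lists the same `dst` in its own extraPaths ends up with two entries for one mount point, and nothing here says which one takes effect — presumably the consumer of this list decides, which is worth stating. Because `useCommonPaths` defaults to true in options.nix this is opt-out: every declared app receives the common paths unless it sets `useCommonPaths = false`, and a reader of nixos.nix cannot see that default. I would add `# commonPaths is opt-out per app (useCommonPaths defaults to true) and is listed before extraPaths; duplicates of a dst are left to the consumer to resolve` above the new line. The enclosing list starts and ends outside the hunk.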
@@ -3,6 +3,38 @@ packages: let inherit (lib) types mkOption mkEnableOption; + + mountPoint = + let + inherit (types) + str + submodule + nullOr + listOf + ; + in + listOf (submodule { + options = { + dst = mkOption { + type = nullOr str; + default = null; + description = '' + Mount point in container, same as src if null. + ''; + }; + + src = mkOption { + type = str; + description = '' + Host filesystem path to make available to the container. + ''; + }; + + write = mkEnableOption "mounting path as writable"; + dev = mkEnableOption "use of device files"; + require = mkEnableOption "start failure if the bind mount cannot be established for any reason"; + }; + }); in { @@ -33,14 +65,10 @@ in ''; }; - home-manager = mkOption { - type = - let - inherit (types) functionTo attrsOf anything; - in - functionTo (functionTo (attrsOf anything)); + extraHomeConfig = mkOption { + type = types.anything; description = '' - Target user shared home-manager configuration. + Extra home-manager configuration to merge with all target users. ''; }; @@ -189,11 +217,15 @@ in ''; }; + useCommonPaths = mkEnableOption "common extra paths" // { + default = true; + }; + extraPaths = mkOption { - type = listOf anything; + type = mountPoint; default = [ ]; description = '' - Extra paths to make available to the sandbox. + Extra paths to make available to the container. ''; }; @@ -242,7 +274,17 @@ in }; }); default = [ ]; - description = "Declarative fortify apps."; + description = '' + Declaratively configured fortify apps. + ''; + }; + + commonPaths = mkOption { + type = mountPoint; + default = [ ]; + description = '' + Common extra paths to make available to the container. + ''; }; stateDir = mkOption { diff --git a/test/configuration.nix b/test/configuration.nix index 8afe0ca..6b3090c 100644 --- a/test/configuration.nix +++ b/test/configuration.nix 
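Review bot: `src` in the new `mountPoint` submodule is a plain `types.str`, so a relative path, an empty string or a trailing-space typo passes module evaluation and is only noticed, if at all, when the bind is attempted — and since `require` is a `mkEnableOption` defaulting to off, a bind that cannot be established is presumably skipped rather than failing the start, leaving the app running without the path it was meant to have. Tightening the type to `types.strMatching "^/.*"` rejects non-absolute values at evaluation time; failing that, the `src` description should say the path must be absolute. The descriptions should also state the safe defaults explicitly, e.g. for `write`: `Whether to mount the path writable; the default is read-only.`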
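Review bot: `useCommonPaths` is opt-out (`default = true`), but the generated description reads only "Whether to enable common extra paths." and never names the `commonPaths` option it pulls in, so a reader of the per-app options cannot tell what is mounted by default or how to turn it off; I would write `useCommonPaths = mkEnableOption "mounting every entry of commonPaths into this app's container" // { default = true; };`. The same hunk narrows `extraPaths` from `listOf anything` to the `mountPoint` submodule, which rejects any attribute other than dst/src/write/dev/require — a sound tightening, but it breaks existing configurations that carried other attributes and the commit message does not mention it, so the `extraPaths` description should spell out the accepted attributes.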
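Review bot: The description of `commonPaths` does not say that these entries are mounted into every app whose `useCommonPaths` is left at its default of true, nor that a single entry with `write = true` therefore makes one host directory writable from all of those apps at once — a shared writable directory is a channel between sandboxes that are otherwise separated, and the test configuration in this commit does exactly that with `/var/cache`. I would expand the description to: `Extra paths made available to the container of every app that does not set useCommonPaths = false. A writable entry here is shared by all such apps; keep write = false unless cross-app sharing is intended.`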
@@ -30,13 +30,9 @@ environment = { systemPackages = with pkgs; [ - # For glinfo and wayland-info: - mesa-demos - wayland-utils - # For D-Bus tests: - libnotify mako + libnotify ]; variables = { @@ -99,14 +95,21 @@ stateDir = "/var/lib/fortify"; users.alice = 0; - home-manager = _: _: { home.stateVersion = "23.05"; }; + extraHomeConfig = { + home.stateVersion = "23.05"; + }; apps = [ { name = "ne-foot"; verbose = true; share = pkgs.foot; - packages = [ pkgs.foot ]; + packages = with pkgs; [ + foot + + # For wayland-info: + wayland-utils + ]; command = "foot"; capability = { dbus = false; @@ -125,7 +128,13 @@ name = "x11-alacritty"; verbose = true; share = pkgs.alacritty; - packages = [ pkgs.alacritty ]; + packages = with pkgs; [ + # For X11 terminal emulator: + alacritty + + # For glinfo: + mesa-demos + ]; command = "alacritty"; capability = { wayland = false; @@ -139,7 +148,12 @@ verbose = true; insecureWayland = true; share = pkgs.foot; - packages = [ pkgs.foot ]; + packages = with pkgs; [ + foot + + # For wayland-info: + wayland-utils + ]; command = "foot"; capability = { dbus = false; diff --git a/test/sandbox/case/default.nix b/test/sandbox/case/default.nix index 3a8c4ec..d860b1e 100644 --- a/test/sandbox/case/default.nix +++ b/test/sandbox/case/default.nix @@ -37,7 +37,12 @@ let { name = "check-sandbox-${tc.name}"; verbose = true; - inherit (tc) tty device mapRealUid; + inherit (tc) + tty + device + mapRealUid + useCommonPaths + ; share = testProgram; packages = [ ]; path = "${testProgram}/bin/fortify-test"; diff --git a/test/sandbox/case/device.nix b/test/sandbox/case/device.nix index 389e9f7..173b3e0 100644 --- a/test/sandbox/case/device.nix +++ b/test/sandbox/case/device.nix @@ -8,6 +8,7 @@ tty = false; device = true; mapRealUid = false; + useCommonPaths = true; want = { env = [ @@ -169,6 +170,7 @@ } null; } null; run = fs "800001ed" { nscd = fs "800001ed" { } null; } null; + cache = fs "800001ed" { private = fs "800001c0" null null; } null; } null; } null; 
@@ -190,6 +192,7 @@ (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore) + (ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004") (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000004,gid=1000004") diff --git a/test/sandbox/case/mapuid.nix b/test/sandbox/case/mapuid.nix index a68d06c..21c89c2 100644 --- a/test/sandbox/case/mapuid.nix +++ b/test/sandbox/case/mapuid.nix @@ -8,6 +8,7 @@ tty = false; device = false; mapRealUid = true; + useCommonPaths = true; want = { env = [ @@ -193,6 +194,7 @@ } null; } null; run = fs "800001ed" { nscd = fs "800001ed" { } null; } null; + cache = fs "800001ed" { private = fs "800001c0" null null; } null; } null; } null; @@ -218,6 +220,7 @@ (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore) + (ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003") (ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000003,gid=1000003") diff --git a/test/sandbox/case/preset.nix b/test/sandbox/case/preset.nix index 75ca2e7..bbea0e4 100644 --- a/test/sandbox/case/preset.nix +++ b/test/sandbox/case/preset.nix 
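Review bot: Nothing in device.nix explains where the added `/var/cache` expectation comes from — neither the `ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" …` line in this hunk nor the `cache = fs "800001ed" { private = fs "800001c0" null null; } null;` line in the previous one — so a reader has to know that `commonPaths` in test/sandbox/configuration.nix binds `/var/cache` with `write = true` and that `800001c0` presumably encodes the mode of the host's `private` subdirectory. The identical pair of lines is added to mapuid.nix and tty.nix as well, so a comment such as `# from commonPaths (/var/cache, write = true) in test/sandbox/configuration.nix; absent in preset.nix (useCommonPaths = false)` at each occurrence would tie the expectation to its source. The bind is pinned as `rw` without `noexec` while the neighbouring `/etc` entry is `ro`; if that is the intended flag set for a writable shared path it is worth saying so, since the test now locks it in.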
@@ -8,6 +8,7 @@ tty = false; device = false; mapRealUid = false; + useCommonPaths = false; want = { env = [ diff --git a/test/sandbox/case/tty.nix b/test/sandbox/case/tty.nix index ab50d42..72b2c29 100644 --- a/test/sandbox/case/tty.nix +++ b/test/sandbox/case/tty.nix @@ -8,6 +8,7 @@ tty = true; device = false; mapRealUid = false; + useCommonPaths = true; want = { env = [ @@ -194,6 +195,7 @@ } null; } null; run = fs "800001ed" { nscd = fs "800001ed" { } null; } null; + cache = fs "800001ed" { private = fs "800001c0" null null; } null; } null; } null; @@ -220,6 +222,7 @@ (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore) + (ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002") (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000002,gid=1000002") diff --git a/test/sandbox/configuration.nix b/test/sandbox/configuration.nix index dc96d64..903b99a 100644 --- a/test/sandbox/configuration.nix +++ b/test/sandbox/configuration.nix @@ -65,7 +65,16 @@ in stateDir = "/var/lib/fortify"; users.alice = 0; - home-manager = _: _: { home.stateVersion = "23.05"; }; + extraHomeConfig = { + home.stateVersion = "23.05"; + }; + + commonPaths = [ + { + src = "/var/cache"; + write = true; + } + ]; apps = with testCases; [ preset