kurnevsky / nixfiles

Nix configs
GNU General Public License v3.0

Add documentation to sandbox module #1

Open maa-x opened 2 months ago

maa-x commented 2 months ago

Hiya, I found your sandbox module and believe it fits exactly with what I am after.

However, I'm struggling to add it to my system.

I've added the overlay but keep hitting the same problem where it cannot find the wrapped packages.

kurnevsky commented 2 months ago

You could try https://github.com/nixpak/nixpak - check if it fits you. For me it has a lot of missing features and sometimes does not do what I want: https://github.com/nixpak/nixpak/issues/64

Regarding my configs and docs - I guess I need to convert the whole bwrap function (which is a bit overcomplicated) to modules first. I also tried several different approaches to adding wrapped packages, but ended up just putting them into the sandboxed object - at least this doesn't break anything by default.

maa-x commented 2 months ago

I was looking at nixpak but agree with your points about it.

I've actually managed (much to my surprise) to get it working, though I can't seem to change, for example, the extensions. EDIT: Nope, just being silly.

Thank you for publishing your config, that sandbox is really well done and I'd love to see it get its own repository, you're onto something!

beh-10257 commented 1 month ago

A quick question: were you able to sandbox wine/proton/steam?

I can make bash run using

bwrap --unshare-all \
  --ro-bind /etc /etc \
  --bind /home/behe/Games/wine /home/behe/Games/wine \
  --bind /tmp/.wine-1000 /tmp/.wine-1000 \
  --ro-bind /nix /nix \
  --ro-bind /run/user/1000 /run/user/1000 \
  --clearenv \
  --ro-bind /run/current-system/sw/bin /run/current-system/sw/bin \
  --setenv PATH "$PATH" --setenv HOME "$HOME" \
  --dev /dev --dev-bind /dev/dri /dev/dri --proc /proc \
  --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \
  --ro-bind /sys/dev/char /sys/dev/char \
  --ro-bind /run/opengl-driver /run/opengl-driver \
  --setenv XDG_RUNTIME_DIR "$XDG_RUNTIME_DIR" --setenv DISPLAY "$DISPLAY" --setenv WINEPREFIX "$WINEPREFIX" \
  --new-session bash

but

bwrap --unshare-all \
  --ro-bind /etc /etc \
  --bind /home/behe/Games/wine /home/behe/Games/wine \
  --bind /tmp/.wine-1000 /tmp/.wine-1000 \
  --ro-bind /nix /nix \
  --ro-bind /run/user/1000 /run/user/1000 \
  --clearenv \
  --ro-bind /run/current-system/sw/bin /run/current-system/sw/bin \
  --setenv PATH "$PATH" --setenv HOME "$HOME" \
  --dev /dev --dev-bind /dev/dri /dev/dri --proc /proc \
  --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \
  --ro-bind /sys/dev/char /sys/dev/char \
  --ro-bind /run/opengl-driver /run/opengl-driver \
  --setenv XDG_RUNTIME_DIR "$XDG_RUNTIME_DIR" --setenv DISPLAY "$DISPLAY" --setenv WINEPREFIX "$WINEPREFIX" \
  --new-session wine explorer

will not. Also, are you exposing XDG_RUNTIME_DIR?

kurnevsky commented 1 month ago

I do not use proton/steam. But I successfully wrapped plain wine: https://github.com/kurnevsky/nixfiles/blob/966fb4b7c980688fe2158ddf0803f56df78b4e2e/modules/sandbox.nix#L669

beh-10257 commented 1 month ago

@kurnevsky I looked at your module. It outputs a bash script, right? Can you upload that bash script for wine? Just realpath $(which wine), I guess.

kurnevsky commented 1 month ago

#!/nix/store/306znyj77fv49kwnkpxmb0j2znqpa8bj-bash-5.2p26/bin/bash
set -euETo pipefail
shopt -s inherit_errexit

# Escape hatch: UNSANDBOXED=1 runs the real binary with no bwrap at all.
if [ -n "${UNSANDBOXED-}" ]
then
  echo "Running in unsandboxed mode!" >&2
  exec /nix/store/k62zdn9mxgiw2hfq3rmsg9f94j3bvlnc-wine-wow-staging-9.9/bin/wine "$@"
fi

# Create the host-side directories that are bind-mounted read-write below,
# so bwrap does not fail on a missing source path.
test ! -e ~/.cache/wine/ && mkdir -p ~/.cache/wine/
test ! -e ~/.cache/winetricks/ && mkdir -p ~/.cache/winetricks/
test ! -e ~/.config/pulse/ && mkdir -p ~/.config/pulse/

# Optional bwrap arguments are collected into arrays: an empty array expands
# to nothing, so each knob is toggled by an environment variable.
# WITH_NETWORK=1 keeps the network namespace shared with the host.
mapfile -t unshare_net < <(
  if [ -z "${WITH_NETWORK-}" ]
  then
    echo '--unshare-net'
  fi
)

# NOLOCALTIME=1 leaves /etc/localtime out of the sandbox.
mapfile -t localtime < <(
  if [ -z "${NOLOCALTIME-}" ]
  then
    echo '--ro-bind'
    echo '/etc/localtime'
    echo '/etc/localtime'
  fi
)

# RO_WHITELIST / WHITELIST / BLACKLIST are newline-separated path lists: each
# entry becomes a read-only bind, a read-write bind, or a tmpfs that hides the
# path inside the sandbox. Blank lines are dropped.
mapfile -t ro_whitelist < <(echo -n "${RO_WHITELIST-}" | grep -v '^[[:space:]]*$' | /nix/store/5zjms21vpxlkbc0qyl5pmj2sidfmzmd7-gnused-4.9/bin/sed 's/.*/--ro-bind\n&\n&/')
mapfile -t whitelist < <(echo -n "${WHITELIST-}" | grep -v '^[[:space:]]*$' | /nix/store/5zjms21vpxlkbc0qyl5pmj2sidfmzmd7-gnused-4.9/bin/sed 's/.*/--bind\n&\n&/')
mapfile -t blacklist < <(echo -n "${BLACKLIST-}" | grep -v '^[[:space:]]*$' | /nix/store/5zjms21vpxlkbc0qyl5pmj2sidfmzmd7-gnused-4.9/bin/sed 's/.*/--tmpfs\n&/')

# The X authority file, if any, is bound read-only at its host path.
mapfile -t xauthority < <(echo -n "${XAUTHORITY-}" | /nix/store/5zjms21vpxlkbc0qyl5pmj2sidfmzmd7-gnused-4.9/bin/sed 's/.*/--ro-bind\n&\n&/')

# Only the runtime closure of wine is exposed from /nix/store, one read-only
# bind per store path, rather than the whole store.
mapfile -t deps < <(/nix/store/5zjms21vpxlkbc0qyl5pmj2sidfmzmd7-gnused-4.9/bin/sed 's/.*/--ro-bind\n&\n&/' /nix/store/g9z6qrr0kvjqifrassyciapyxrdayym9-closure-info/store-paths )

# Filtered system D-Bus: xdg-dbus-proxy runs in its own minimal sandbox and
# exposes only the listed bus names on a private socket. The proxy writes a
# byte to fd 3 once it is ready, and this script blocks on the FIFO until that
# byte arrives, so wine never starts before the proxy socket exists.
FIFO_TMP=$(mktemp -u)
mkfifo "$FIFO_TMP"
exec 3<>"$FIFO_TMP"

SANDBOX_SYSTEM_BUS="$XDG_RUNTIME_DIR/sandbox-system-bus-$$"
/nix/store/kv09fs5yi6lqh7adrm1hl0hnbjq2q47d-bubblewrap-0.8.0/bin/bwrap \
  --ro-bind /nix/store /nix/store \
  --bind "$XDG_RUNTIME_DIR" "$XDG_RUNTIME_DIR" \
  --bind /run/dbus/system_bus_socket /run/dbus/system_bus_socket \
  --bind "$FIFO_TMP" "$FIFO_TMP" \
  --new-session \
  --die-with-parent \
    /nix/store/4yrxkc1cv7k8zxyihj675p1c5my8327w-xdg-dbus-proxy-0.1.5/bin/xdg-dbus-proxy --fd=3 3>"$FIFO_TMP" unix:path=/run/dbus/system_bus_socket "$SANDBOX_SYSTEM_BUS" --talk=org.freedesktop.UDisks2 --talk=org.freedesktop.NetworkManager --filter &
head -c 1 <&3 > /dev/null

rm "$FIFO_TMP"

# The application sandbox itself (the empty placeholder lines the module emits
# for disabled options are omitted here):
#  - only the wine closure from /nix/store, fresh /proc and /dev, the GPU and
#    sound devices, read-only /sys subtrees;
#  - /run replaced by a tmpfs, then the system profile and graphics drivers
#    re-exposed read-only; audio and Wayland sockets bound only if present;
#  - the wine prefix and caches read-write, the X11 socket and Xauthority;
#  - new user/ipc/uts (and, by default, net) namespaces, nested user
#    namespaces disabled, all capabilities dropped, setsid via --new-session,
#    and the filtered proxy socket mounted where the system bus is expected.
exec /nix/store/kv09fs5yi6lqh7adrm1hl0hnbjq2q47d-bubblewrap-0.8.0/bin/bwrap \
     "${deps[@]}" \
     --proc /proc \
     --dev /dev \
     --dev-bind /dev/dri /dev/dri --dev-bind /dev/snd /dev/snd \
     --ro-bind /sys/dev /sys/dev --ro-bind /sys/devices /sys/devices \
     --tmpfs /run \
     --ro-bind /run/current-system/sw /run/current-system/sw \
     --ro-bind /run/opengl-driver /run/opengl-driver \
     --ro-bind /run/opengl-driver-32 /run/opengl-driver-32 \
     --bind-try "$XDG_RUNTIME_DIR"/pulse "$XDG_RUNTIME_DIR"/pulse --bind-try "$XDG_RUNTIME_DIR"/pipewire-0 "$XDG_RUNTIME_DIR"/pipewire-0 \
     --bind-try "$XDG_RUNTIME_DIR"/"${WAYLAND_DISPLAY-wayland-0}" "$XDG_RUNTIME_DIR"/"${WAYLAND_DISPLAY-wayland-0}" \
     --ro-bind /etc/profiles/per-user/"$(whoami)" /etc/profiles/per-user/"$(whoami)" \
     --ro-bind /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt --ro-bind /etc/fonts /etc/fonts \
     "${localtime[@]}" \
     --bind /tmp/.X11-unix /tmp/.X11-unix \
     --bind "${WINEPREFIX:-$HOME/.wine/}" "${WINEPREFIX:-$HOME/.wine/}" --bind ~/.cache/wine/ ~/.cache/wine/ --bind ~/.cache/winetricks/ ~/.cache/winetricks/ --bind ~/.config/pulse/ ~/.config/pulse/ --bind ~/.cache/fontconfig ~/.cache/fontconfig \
     "${xauthority[@]}" \
     "${ro_whitelist[@]}" \
     "${whitelist[@]}" \
     "${blacklist[@]}" \
     --unsetenv MAIL \
     --setenv SHELL /run/current-system/sw/bin/bash \
     --unshare-user \
     --unshare-ipc \
     "${unshare_net[@]}" \
     --unshare-uts \
     --disable-userns \
     --new-session \
     --cap-drop ALL \
     --bind "$SANDBOX_SYSTEM_BUS" /run/dbus/system_bus_socket \
     /nix/store/k62zdn9mxgiw2hfq3rmsg9f94j3bvlnc-wine-wow-staging-9.9/bin/wine "$@"

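
As an added example (not code from this thread or from kurnevsky/nixfiles), the same environment-driven argument construction in portable POSIX sh, with a dry run so the bind list can be reviewed before anything is executed. The absolute-path check and the sample values are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from kurnevsky/nixfiles: a portable re-creation of how
# the generated wine wrapper above turns environment variables into bwrap
# arguments. Arguments are emitted one per line so paths with spaces survive.

# emit_bind FLAG LIST: for each non-blank line of LIST print FLAG and the path
# (twice for --ro-bind/--bind, once for --tmpfs). Non-absolute entries are
# skipped with a warning; that check is an addition for this example.
emit_bind() {
  printf '%s\n' "$2" | while IFS= read -r p; do
    case $p in
      /*) case $1 in
            --tmpfs) printf '%s\n' "$1" "$p" ;;
            *)       printf '%s\n' "$1" "$p" "$p" ;;
          esac ;;
      *[![:space:]]*) printf 'skipping non-absolute entry: %s\n' "$p" >&2 ;;
    esac
  done
}

# sandbox_args: the same knobs as the wrapper. WITH_NETWORK keeps the host
# network, NOLOCALTIME drops the /etc/localtime bind, RO_WHITELIST / WHITELIST /
# BLACKLIST are newline-separated path lists, XAUTHORITY is bound read-only.
sandbox_args() {
  [ -n "${WITH_NETWORK-}" ] || printf '%s\n' --unshare-net
  [ -n "${NOLOCALTIME-}" ] || printf '%s\n' --ro-bind /etc/localtime /etc/localtime
  emit_bind --ro-bind "${RO_WHITELIST-}"
  emit_bind --bind "${WHITELIST-}"
  emit_bind --tmpfs "${BLACKLIST-}"
  [ -z "${XAUTHORITY-}" ] || emit_bind --ro-bind "$XAUTHORITY"
}

# show_command: load the generated lines into positional parameters without
# bash's mapfile, then print what would be passed to bwrap. To run the sandbox
# for real, replace the two printf lines with an exec of bwrap taking "$@".
show_command() {
  set --
  while IFS= read -r a; do
    case $a in ?*) set -- "$@" "$a" ;; esac
  done <<EOF
$(sandbox_args)
EOF
  printf 'bwrap would receive %s generated argument(s):\n' "$#"
  printf '  %s\n' "$@"
}

# Dry run with constructed sample settings; no bwrap is executed.
RO_WHITELIST='/home/behe/Games/wine
relative/entry' BLACKLIST='/home/behe/.ssh' WITH_NETWORK= XAUTHORITY= show_command
```
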
beh-10257 commented 1 month ago

Thanks to you I made wine work, thanks! Can you run vkbasalt inside it though?