buildFHSUserEnvBubblewrap: expand unshare options

pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix

@@ -1,20 +1,27 @@
-{ callPackage, runCommandLocal, writeShellScriptBin, stdenv, coreutils, bubblewrap }:
+{ lib, callPackage, runCommandLocal, writeShellScriptBin, stdenv, coreutils, bubblewrap }:
-
-let buildFHSEnv = callPackage ./env.nix { }; in
 
 args @ {
-  name,
+  name
-  runScript ? "bash",
+, runScript ? "bash"
-  extraInstallCommands ? "",
+, extraInstallCommands ? ""
-  meta ? {},
+, meta ? {}
-  passthru ? {},
+, passthru ? {}
-  ...
+, unshareUser ? true
+, unshareIpc ? true
+, unsharePid ? true
+, unshareNet ? false
+, unshareUts ? true
+, unshareCgroup ? true
+, ...
 }:
 
 with builtins;
 let
+  buildFHSEnv = callPackage ./env.nix { };
+
   env = buildFHSEnv (removeAttrs args [
     "runScript" "extraInstallCommands" "meta" "passthru"
+    "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc"
   ]);
 
   chrootenv = callPackage ./chrootenv {};
@@ -92,8 +99,12 @@ let
       --dev-bind /dev /dev
       --proc /proc
       --chdir "$(pwd)"
-      --unshare-all
+      ${lib.optionalString unshareUser "--unshare-user"}
-      --share-net
+      ${lib.optionalString unshareIpc "--unshare-ipc"}
+      ${lib.optionalString unsharePid "--unshare-pid"}
+      ${lib.optionalString unshareNet "--unshare-net"}
+      ${lib.optionalString unshareUts "--unshare-uts"}
+      ${lib.optionalString unshareCgroup "--unshare-cgroup"}
       --die-with-parent
       --ro-bind /nix /nix
       ${etcBindFlags}