buildFHSUserEnvBubblewrap: use arrays for constructing argument list
Generally a cleaner way of doing it, and it prevents issues with spaces in paths. Used to fix #97234, but #101967 already did this with a smaller scope.
This commit is contained in:
parent
a322b32e9d
commit
74c4a55e10
@ -50,7 +50,7 @@ let
|
|||||||
"ssl/certs"
|
"ssl/certs"
|
||||||
"pki"
|
"pki"
|
||||||
];
|
];
|
||||||
in concatStringsSep " \\\n "
|
in concatStringsSep "\n "
|
||||||
(map (file: "--ro-bind-try /etc/${file} /etc/${file}") files);
|
(map (file: "--ro-bind-try /etc/${file} /etc/${file}") files);
|
||||||
|
|
||||||
init = run: writeShellScriptBin "${name}-init" ''
|
init = run: writeShellScriptBin "${name}-init" ''
|
||||||
@ -59,21 +59,21 @@ let
|
|||||||
'';
|
'';
|
||||||
|
|
||||||
bwrapCmd = { initArgs ? "" }: ''
|
bwrapCmd = { initArgs ? "" }: ''
|
||||||
blacklist="/nix /dev /proc /etc"
|
blacklist=(/nix /dev /proc /etc)
|
||||||
ro_mounts=""
|
ro_mounts=()
|
||||||
for i in ${env}/*; do
|
for i in ${env}/*; do
|
||||||
path="/''${i##*/}"
|
path="/''${i##*/}"
|
||||||
if [[ $path == '/etc' ]]; then
|
if [[ $path == '/etc' ]]; then
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
ro_mounts="$ro_mounts --ro-bind $i $path"
|
ro_mounts+=(--ro-bind "$i" "$path")
|
||||||
blacklist="$blacklist $path"
|
blacklist+=("$path")
|
||||||
done
|
done
|
||||||
|
|
||||||
if [[ -d ${env}/etc ]]; then
|
if [[ -d ${env}/etc ]]; then
|
||||||
for i in ${env}/etc/*; do
|
for i in ${env}/etc/*; do
|
||||||
path="/''${i##*/}"
|
path="/''${i##*/}"
|
||||||
ro_mounts="$ro_mounts --ro-bind $i /etc$path"
|
ro_mounts+=(--ro-bind "$i" "/etc$path")
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -81,24 +81,27 @@ let
|
|||||||
# loop through all directories in the root
|
# loop through all directories in the root
|
||||||
for dir in /*; do
|
for dir in /*; do
|
||||||
# if it is a directory and it is not in the blacklist
|
# if it is a directory and it is not in the blacklist
|
||||||
if [[ -d "$dir" ]] && grep -v "$dir" <<< "$blacklist" >/dev/null; then
|
if [[ -d "$dir" ]] && [[ ! "''${blacklist[@]}" =~ "$dir" ]]; then
|
||||||
# add it to the mount list
|
# add it to the mount list
|
||||||
auto_mounts+=(--bind "$dir" "$dir")
|
auto_mounts+=(--bind "$dir" "$dir")
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
exec ${bubblewrap}/bin/bwrap \
|
cmd=(
|
||||||
--dev-bind /dev /dev \
|
${bubblewrap}/bin/bwrap
|
||||||
--proc /proc \
|
--dev-bind /dev /dev
|
||||||
--chdir "$(pwd)" \
|
--proc /proc
|
||||||
--unshare-all \
|
--chdir "$(pwd)"
|
||||||
--share-net \
|
--unshare-all
|
||||||
--die-with-parent \
|
--share-net
|
||||||
--ro-bind /nix /nix \
|
--die-with-parent
|
||||||
${etcBindFlags} \
|
--ro-bind /nix /nix
|
||||||
$ro_mounts \
|
${etcBindFlags}
|
||||||
"''${auto_mounts[@]}" \
|
"''${ro_mounts[@]}"
|
||||||
|
"''${auto_mounts[@]}"
|
||||||
${init runScript}/bin/${name}-init ${initArgs}
|
${init runScript}/bin/${name}-init ${initArgs}
|
||||||
|
)
|
||||||
|
exec "''${cmd[@]}"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
bin = writeShellScriptBin name (bwrapCmd { initArgs = ''"$@"''; });
|
bin = writeShellScriptBin name (bwrapCmd { initArgs = ''"$@"''; });
|
||||||
|
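Review bot: The blacklist test in the third hunk, `[[ ! "''${blacklist[@]}" =~ "$dir" ]]`, is a substring match on the space-joined array, so any root directory whose name is a prefix of a blacklisted entry (for example `/lib` when the env only provides `/lib64`) is silently not bound into the sandbox. The old `grep -v` had the same weakness, but since the commit's stated goal is exact path handling, the check should compare elements one by one: add `in_blacklist() { local b; for b in "''${blacklist[@]}"; do [[ $b == "$1" ]] && return 0; done; return 1; }` before the `for dir in /*` loop and change the condition to `if [[ -d "$dir" ]] && ! in_blacklist "$dir"; then`. A false match only hides a host directory, it does not expose one, so the effect is a missing mount rather than a weaker sandbox. The enclosing `bwrapCmd` string starts in the second hunk, outside this one.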