fhs-userenv-bubblewrap: bind mount parts of host etc directly

2019-09-15 09:29:53 -04:00 · 2019-09-15 09:29:53 -04:00 · 2da4f24e22
commit 2da4f24e22
parent 2ddb43ec24
2 changed files with 46 additions and 40 deletions
--- a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
+++ b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
@ -19,20 +19,64 @@ let

  chrootenv = callPackage ./chrootenv {};

+  etcBindFlags = let
+    files = [
+      # NixOS Compatibility
+      "static"
+      # Users, Groups, NSS
+      "passwd"
+      "group"
+      "shadow"
+      "hosts"
+      "resolv.conf"
+      "nsswitch.conf"
+      # Sudo & Su
+      "login.defs"
+      "sudoers"
+      "sudoers.d"
+      # Time
+      "localtime"
+      "zoneinfo"
+      # Other Core Stuff
+      "machine-id"
+      "os-release"
+      # PAM
+      "pam.d"
+      # Fonts
+      "fonts"
+      # ALSA
+      "asound.conf"
+      # SSL
+      "ssl/certs"
+      "pki"
+    ];
+  in concatStringsSep " \\\n  "
+  (map (file: "--ro-bind-try /etc/${file} /etc/${file}") files);
+
  init = run: writeShellScriptBin "${name}-init" ''
    source /etc/profile
    exec ${run} "$@"
  '';

  bwrap_cmd = { init_args ? "" }: ''
-    blacklist="/nix /dev /proc"
+    blacklist="/nix /dev /proc /etc"
    ro_mounts=""
    for i in ${env}/*; do
      path="/''${i##*/}"
+      if [[ $path == '/etc' ]]; then
+        continue
+      fi
      ro_mounts="$ro_mounts --ro-bind $i $path"
      blacklist="$blacklist $path"
    done

+    if [[ -d ${env}/etc ]]; then
+      for i in ${env}/etc/*; do
+        path="/''${i##*/}"
+        ro_mounts="$ro_mounts --ro-bind $i /etc$path"
+      done
+    fi
+
    auto_mounts=""
    # loop through all directories in the root
    for dir in /*; do
@ -51,7 +95,7 @@ let
      --share-net \
      --die-with-parent \
      --ro-bind /nix /nix \
-      --ro-bind /etc /host-etc \
+      ${etcBindFlags} \
      $ro_mounts \
      $auto_mounts \
      ${init runScript}/bin/${name}-init ${init_args}
--- a/pkgs/build-support/build-fhs-userenv-bubblewrap/env.nix
+++ b/pkgs/build-support/build-fhs-userenv-bubblewrap/env.nix
@ -78,44 +78,6 @@ let
      # environment variables
      ln -s ${etcProfile} profile

-      # compatibility with NixOS
-      ln -s /host-etc/static static
-
-      # symlink some NSS stuff
-      ln -s /host-etc/passwd passwd
-      ln -s /host-etc/group group
-      ln -s /host-etc/shadow shadow
-      ln -s /host-etc/hosts hosts
-      ln -s /host-etc/resolv.conf resolv.conf
-      ln -s /host-etc/nsswitch.conf nsswitch.conf
-
-      # symlink sudo and su stuff
-      ln -s /host-etc/login.defs login.defs
-      ln -s /host-etc/sudoers sudoers
-      ln -s /host-etc/sudoers.d sudoers.d
-
-      # symlink other core stuff
-      ln -s /host-etc/localtime localtime
-      ln -s /host-etc/zoneinfo zoneinfo
-      ln -s /host-etc/machine-id machine-id
-      ln -s /host-etc/os-release os-release
-
-      # symlink PAM stuff
-      ln -s /host-etc/pam.d pam.d
-
-      # symlink fonts stuff
-      ln -s /host-etc/fonts fonts
-
-      # symlink ALSA stuff
-      ln -s /host-etc/asound.conf asound.conf
-
-      # symlink SSL certs
-      mkdir -p ssl
-      ln -s /host-etc/ssl/certs ssl/certs
-
-      # Fedora stores certs in another directory
-      ln -s /host-etc/pki pki
-
      # symlink /etc/mtab -> /proc/mounts (compat for old userspace progs)
      ln -s /proc/mounts mtab
    '';