authortdro <tdro@users.noreply.github.com>2023-10-07 17:13:38 -0400
committertdro <tdro@users.noreply.github.com>2023-10-07 17:13:38 -0400
commit165a600f9acde441938c1cbc7041ae27813db928 (patch)
tree6587498f28438ad5b21c37525ff857eb08af2ed8 /.config/nixpkgs/shells
parent9965c30eddf0835ef3eecd6bb6c744f1ff9f7c53 (diff)
downloaddotfiles-165a600f9acde441938c1cbc7041ae27813db928.tar.gz
dotfiles-165a600f9acde441938c1cbc7041ae27813db928.tar.bz2
dotfiles-165a600f9acde441938c1cbc7041ae27813db928.zip
.config/nixpkgs/jails -> .config/nixpkgs/shells
Diffstat (limited to '.config/nixpkgs/shells')
-rw-r--r--.config/nixpkgs/shells/bubblewrap/shell.nix36
-rw-r--r--.config/nixpkgs/shells/firejail/shell.nix48
-rw-r--r--.config/nixpkgs/shells/nsjail/shell.nix52
-rw-r--r--.config/nixpkgs/shells/proot/shell.nix52
4 files changed, 188 insertions, 0 deletions
diff --git a/.config/nixpkgs/shells/bubblewrap/shell.nix b/.config/nixpkgs/shells/bubblewrap/shell.nix
new file mode 100644
index 0000000..aee8a8b
--- /dev/null
+++ b/.config/nixpkgs/shells/bubblewrap/shell.nix
@@ -0,0 +1,36 @@
+let
+
+ # nix-shell -E 'import (builtins.fetchurl "$url")'
+ # https://github.com/containers/bubblewrap/blob/main/demos/bubblewrap-shell.sh
+ # https://manpages.debian.org/testing/bubblewrap/bwrap.1.en.html
+
+ name = "nix-shell.bubblewrap";
+
+ pkgs = import (builtins.fetchTarball {
+ url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
+ sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
+ }) { };
+
+ bubblewrap = arguments@{ ... }: pkgs.writeShellApplication {
+ inherit name;
+ text = ''
+ PATH=${pkgs.lib.strings.makeBinPath [ pkgs.bubblewrap ]}
+ bwrap \
+ '' + pkgs.lib.strings.concatStringsSep " \\\n"
+ (pkgs.lib.attrsets.mapAttrsToList (argument: value: "--${argument} ${value} ")
+ arguments) + "/bin/sh\n";
+ };
+
+ jail = bubblewrap {
+ clearenv = "";
+ setenv = "PATH ${pkgs.lib.strings.makeBinPath [ pkgs.busybox ]}";
+ ro-bind = "/nix /nix" + " --ro-bind /bin /bin";
+ };
+
+in pkgs.mkShell {
+ inherit name;
+ shellHook = ''
+ printf '%s\n' "${jail}/bin/${jail.name}"
+ exec "${jail}/bin/${jail.name}"
+ '';
+}
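Review bot: The bwrap command assembled on L45-L48 only remaps the filesystem; the `jail` attrset (L51-L55) passes no `--unshare-*` flag, so as far as the visible flags go the sandboxed `/bin/sh` still shares the host's pid, network and ipc namespaces and its controlling terminal, and gets no `/proc` or `/dev` at all (the demo script linked on L31 does add these, if I recall it correctly). Adding `unshare-all = ""; die-with-parent = ""; new-session = "";` to `jail`, plus `proc = "/proc"; dev = "/dev";`, brings it in line with that demo. Note also that `mapAttrsToList` walks attrsets in sorted key order, so `--clearenv` precedes `--setenv` only because "c" sorts before "s", and the `ro-bind = "/nix /nix" + " --ro-bind /bin /bin"` trick shows the encoding cannot express a repeated flag; a list of argument strings, as the nsjail variant in this commit uses, keeps the order explicit and allows repeats.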
diff --git a/.config/nixpkgs/shells/firejail/shell.nix b/.config/nixpkgs/shells/firejail/shell.nix
new file mode 100644
index 0000000..4f5e5e1
--- /dev/null
+++ b/.config/nixpkgs/shells/firejail/shell.nix
@@ -0,0 +1,48 @@
+let
+
+ # nix-shell -E 'import (builtins.fetchurl "$url")'
+ # https://www.man7.org/linux/man-pages/man1/Firejail.1.html
+
+ name = "nix-shell.firejail";
+
+ pkgs = import (builtins.fetchTarball {
+ url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
+ sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
+ }) { };
+
+ firejail = {
+ rootfs ? "rootfs",
+ options ? [ ],
+ path ? [ pkgs.busybox ],
+ entrypoint ? "/bin/sh"
+ }:
+ pkgs.writeShellApplication {
+ inherit name;
+ text = ''
+ set -euxo pipefail
+ PATH=${pkgs.lib.strings.makeBinPath [ pkgs.firejail pkgs.coreutils ]}
+ mkdir --parents '${rootfs}'
+ firejail \
+ --chroot '${rootfs}' \
+ ${pkgs.lib.strings.concatMapStringsSep " " (value: value) options} \
+ -- /usr/bin/env --ignore-environment ${
+ pkgs.writeScript "entrypoint-${name}" ''
+ set -eu
+ export PATH=${pkgs.lib.strings.makeBinPath path}
+ ${entrypoint}
+ ''
+ };
+ '';
+ };
+
+ jail = firejail {
+ options = [ ];
+ };
+
+in pkgs.mkShell {
+ inherit name;
+ shellHook = ''
+ printf '%s\n' "${jail}/bin/${jail.name}"
+ exec "${jail}/bin/${jail.name}"
+ '';
+}
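Review bot: With `options = [ ]` (L108) the chroot target on L95 is the empty directory created on L93 and nothing binds `/nix` into it, so neither `/usr/bin/env` nor the store path of the entrypoint script written on L98 exists inside the sandbox; the nsjail and proot variants in this commit bind `/nix`, `/usr` and `/bin` for exactly this reason. Firejail is also setuid-root and, as far as I recall, recent versions refuse `--chroot` into a directory not owned by root, so a user-created `rootfs` under the caller's cwd is likely rejected outright; unlike L149 the path is relative as well, which relies on firejail resolving it against that cwd. At minimum use `--chroot "$(pwd)"/'${rootfs}' \` to match the nsjail shell, and add a comment above `mkdir --parents` recording that the rootfs must be root-owned and already populated (or that `/nix` must be made visible inside it) before this shell is usable.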
diff --git a/.config/nixpkgs/shells/nsjail/shell.nix b/.config/nixpkgs/shells/nsjail/shell.nix
new file mode 100644
index 0000000..d954588
--- /dev/null
+++ b/.config/nixpkgs/shells/nsjail/shell.nix
@@ -0,0 +1,52 @@
+let
+
+ # nix-shell -E 'import (builtins.fetchurl "$url")'
+ # https://nsjail.dev/
+
+ name = "nix-shell.nsjail";
+
+ pkgs = import (builtins.fetchTarball {
+ url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
+ sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
+ }) { };
+
+ nsjail = {
+ rootfs ? "rootfs",
+ options ? [ ],
+ path ? [ pkgs.busybox ],
+ entrypoint ? "/bin/sh"
+ }:
+ pkgs.writeShellApplication {
+ inherit name;
+ text = ''
+ set -euxo pipefail
+ PATH=${pkgs.lib.strings.makeBinPath [ pkgs.nsjail pkgs.coreutils ]}
+ mkdir --parents '${rootfs}'
+ nsjail \
+ --chroot "$(pwd)"/'${rootfs}' \
+ ${pkgs.lib.strings.concatMapStringsSep " " (value: value) options} \
+ -- /usr/bin/env --ignore-environment ${
+ pkgs.writeScript "entrypoint-${name}" ''
+ set -eu
+ export PATH=${pkgs.lib.strings.makeBinPath path}
+ ${entrypoint}
+ ''
+ };
+ '';
+ };
+
+ jail = nsjail {
+ options = [
+ "--bindmount_ro /nix"
+ "--bindmount_ro /usr"
+ "--bindmount_ro /bin"
+ ];
+ };
+
+in pkgs.mkShell {
+ inherit name;
+ shellHook = ''
+ printf '%s\n' "${jail}/bin/${jail.name}"
+ exec "${jail}/bin/${jail.name}"
+ '';
+}
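Review bot: The nsjail invocation on L148-L151 sets no `--time_limit`, and nsjail's default (600 seconds, per its `--help`, if memory serves) kills the jail after ten minutes, which is surprising for an interactive shell; adding `"--time_limit 0"` to `options` (L162) disables it deliberately, and the default `--rlimit_as`/`--rlimit_fsize` deserve the same decision if builds are expected inside. Separately, each `options` entry carries flag and value in one string (`"--bindmount_ro /nix"`) that is only split because the `${...}` on L150 is unquoted, so a path containing whitespace would break, and `concatMapStringsSep " " (value: value)` is just `concatStringsSep " "`. Also `--bindmount_ro /nix` exposes the whole host store rather than the closure of `path`; fine for a dev shell, but worth a comment such as `# entire host /nix is visible read-only, not just this shell's closure`.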
diff --git a/.config/nixpkgs/shells/proot/shell.nix b/.config/nixpkgs/shells/proot/shell.nix
new file mode 100644
index 0000000..46ed76f
--- /dev/null
+++ b/.config/nixpkgs/shells/proot/shell.nix
@@ -0,0 +1,52 @@
+let
+
+ # nix-shell -E 'import (builtins.fetchurl "$url")'
+ # https://manpages.ubuntu.com/manpages/trusty/man1/proot.1.html
+
+ name = "nix-shell.proot";
+
+ pkgs = import (builtins.fetchTarball {
+ url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
+ sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
+ }) { };
+
+ proot = {
+ rootfs ? "rootfs",
+ binds ? [ ],
+ options ? [ ],
+ path ? [ pkgs.busybox ],
+ entrypoint ? "/bin/sh"
+ }:
+ pkgs.writeShellApplication {
+ inherit name;
+ text = ''
+ set -euxo pipefail
+ PATH=${pkgs.lib.strings.makeBinPath [ pkgs.proot pkgs.coreutils ]}
+ mkdir --parents '${rootfs}'
+ proot \
+ --rootfs='${rootfs}' \
+ ${pkgs.lib.strings.concatMapStringsSep " " (option: "--bind=${option}") binds} \
+ ${pkgs.lib.strings.concatMapStringsSep " " (value: value) options} \
+ /usr/bin/env --ignore-environment ${
+ pkgs.writeScript "entrypoint-${name}" ''
+ set -eu
+ export HISTFILE=/dev/null
+ export PATH=${pkgs.lib.strings.makeBinPath path}
+ ${entrypoint}
+ ''
+ };
+ '';
+ };
+
+ jail = proot {
+ binds = [ "/nix" "/usr" "/bin" ];
+ options = [ "--cwd=/" "--verbose=0" ];
+ };
+
+in pkgs.mkShell {
+ inherit name;
+ shellHook = ''
+ printf '%s\n' "${jail}/bin/${jail.name}"
+ exec "${jail}/bin/${jail.name}"
+ '';
+}
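Review bot: proot is a ptrace-based path rewriter, not a kernel-enforced sandbox: it rewrites paths in syscalls but does not filter syscalls, drop privileges or isolate the network, and nothing on L207-L211 changes that, so calling the result `jail` (L222) and shipping it beside the bubblewrap and nsjail shells oversells its isolation. A comment above `proot = {` such as `# proot only rewrites paths via ptrace; this is a convenience chroot for building and testing, not a security boundary — use the bubblewrap or nsjail shell for untrusted code` would set expectations. Also `export HISTFILE=/dev/null` (L214) assumes `/dev` is visible inside the rootfs, but `binds` (L223) lists only `/nix`, `/usr` and `/bin` and proot, as far as I recall, binds `/dev` by default only under `-R`; add `"/dev"` to `binds` or confirm with `ls /dev` inside the shell that the redirect actually lands on the null device.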