author | tdro <tdro@users.noreply.github.com> | 2023-07-08 20:38:52 -0400 |
---|---|---|
committer | tdro <tdro@users.noreply.github.com> | 2023-07-08 20:38:52 -0400 |
commit | 9ebbcebe53411322185d565c19bdce7810df6dc9 (patch) | |
tree | 7fa4000fd19ff001e2af866e1ce108df094a8257 | |
parent | c5378a3f71b6d53f7db9c852c43981647cb2f2ff (diff) | |
download | dotfiles-9ebbcebe53411322185d565c19bdce7810df6dc9.tar.gz dotfiles-9ebbcebe53411322185d565c19bdce7810df6dc9.tar.bz2 dotfiles-9ebbcebe53411322185d565c19bdce7810df6dc9.zip |
.config/nixpkgs/jails: Add nsjail
-rw-r--r-- | .config/nixpkgs/jails/nsjail/jail.nix | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/.config/nixpkgs/jails/nsjail/jail.nix b/.config/nixpkgs/jails/nsjail/jail.nix
new file mode 100644
index 0000000..d954588
--- /dev/null
+++ b/.config/nixpkgs/jails/nsjail/jail.nix
@@ -0,0 +1,52 @@
+let
+
+ # nix-shell -E 'import (builtins.fetchurl "$url")'
+ # https://nsjail.dev/
+
+ name = "nix-shell.nsjail";
+
+ pkgs = import (builtins.fetchTarball {
+ url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
+ sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
+ }) { };
+
+ nsjail = {
+ rootfs ? "rootfs",
+ options ? [ ],
+ path ? [ pkgs.busybox ],
+ entrypoint ? "/bin/sh"
+ }:
+ pkgs.writeShellApplication {
+ inherit name;
+ text = ''
+ set -euxo pipefail
+ PATH=${pkgs.lib.strings.makeBinPath [ pkgs.nsjail pkgs.coreutils ]}
+ mkdir --parents '${rootfs}'
+ nsjail \
+ --chroot "$(pwd)"/'${rootfs}' \
+ ${pkgs.lib.strings.concatMapStringsSep " " (value: value) options} \
+ -- /usr/bin/env --ignore-environment ${
+ pkgs.writeScript "entrypoint-${name}" ''
+ set -eu
+ export PATH=${pkgs.lib.strings.makeBinPath path}
+ ${entrypoint}
+ ''
+ };
+ '';
+ };
+
+ jail = nsjail {
+ options = [
+ "--bindmount_ro /nix"
+ "--bindmount_ro /usr"
+ "--bindmount_ro /bin"
+ ];
+ };
+
+in pkgs.mkShell {
+ inherit name;
+ shellHook = ''
+ printf '%s\n' "${jail}/bin/${jail.name}"
+ exec "${jail}/bin/${jail.name}"
+ '';
+}
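Review bot: The `rootfs` parameter is spliced into the generated script inside hand-written single quotes (`mkdir --parents '${rootfs}'` and `--chroot "$(pwd)"/'${rootfs}'`), so a value containing a quote breaks the quoting instead of being passed through; `mkdir --parents ${pkgs.lib.escapeShellArg rootfs}` and `--chroot "$(pwd)"/${pkgs.lib.escapeShellArg rootfs} \` handle any value. The `options` list is joined with a plain space and deliberately left unquoted so the shell word-splits each element, which is what makes the `"--bindmount_ro /nix"` strings work; a comment above that line (`# each option string is intentionally unquoted so "--flag value" pairs split into two argv words`) would stop a later reader from "fixing" it with escapeShellArgs. Because `mkdir --parents` succeeds on an existing directory, whatever `rootfs` already sits in the current directory becomes the writable chroot root and its contents persist between runs; if that is not intended, creating a fresh directory with `mktemp -d` would be a safer default. nsjail also applies its own default time and resource limits when none are given (a 600 s `--time_limit` among them, if I recall the defaults correctly), so a long-lived interactive shell in this jail may be terminated unexpectedly unless explicit `--time_limit`/`--rlimit_*` values are added to `options`.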