1 files changed, 52 insertions, 0 deletions

diff --git a/.config/nixpkgs/shells/nsjail/shell.nix b/.config/nixpkgs/shells/nsjail/shell.nix
new file mode 100644
index 0000000..d954588
--- /dev/null
+++ b/.config/nixpkgs/shells/nsjail/shell.nix
@@ -0,0 +1,52 @@
+let
+
+  # nix-shell -E 'import (builtins.fetchurl "$url")'
+  # https://nsjail.dev/
+
+  name = "nix-shell.nsjail";
+
+  pkgs = import (builtins.fetchTarball {
+    url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
+    sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
+  }) { };
+
+  nsjail = {
+    rootfs ? "rootfs",
+    options ? [ ],
+    path ? [ pkgs.busybox ],
+    entrypoint ? "/bin/sh"
+  }:
+  pkgs.writeShellApplication {
+    inherit name;
+    text =  ''
+    set -euxo pipefail
+    PATH=${pkgs.lib.strings.makeBinPath [ pkgs.nsjail pkgs.coreutils ]}
+    mkdir --parents '${rootfs}'
+    nsjail \
+      --chroot "$(pwd)"/'${rootfs}' \
+      ${pkgs.lib.strings.concatMapStringsSep " " (value: value) options} \
+      -- /usr/bin/env --ignore-environment ${
+        pkgs.writeScript "entrypoint-${name}" ''
+          set -eu
+          export PATH=${pkgs.lib.strings.makeBinPath path}
+          ${entrypoint}
+        ''
+      };
+  '';
+  };
+
+  jail = nsjail {
+    options = [
+      "--bindmount_ro /nix"
+      "--bindmount_ro /usr"
+      "--bindmount_ro /bin"
+    ];
+  };
+
+in pkgs.mkShell {
+  inherit name;
+  shellHook = ''
+    printf '%s\n' "${jail}/bin/${jail.name}"
+    exec "${jail}/bin/${jail.name}"
+  '';
+}