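let

  # nix-shell -E 'import (builtins.fetchurl "$url")'
  # https://github.com/containers/bubblewrap/blob/main/demos/bubblewrap-shell.sh
  # https://manpages.debian.org/testing/bubblewrap/bwrap.1.en.html

  name = "nix-shell.bubblewrap";

  # Pinned nixpkgs release; the sha256 makes the fetched tarball
  # content-addressed, so a changed upstream archive fails evaluation
  # instead of silently changing what gets built.
  pkgs = import (builtins.fetchTarball {
    url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
    sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
  }) { };

  inherit (pkgs.lib) attrsets strings;

  # Render one bwrap option as a list of "--<flag> <value> " fragments.
  # `value` is either a string (one occurrence of the option) or a list of
  # strings (one occurrence per element), so repeatable options such as
  # --ro-bind no longer have to be spliced into a single string.
  # Values are inserted verbatim and unquoted, as before: a value containing
  # spaces becomes several bwrap arguments. Only pass values you control.
  renderOption = flag: value:
    let values = if builtins.isList value then value else [ value ];
    in map (v: "--${flag} ${v} ") values;

  # Build a shell application called `name` that execs
  # `bwrap <options...> /bin/sh`, with the options taken from `arguments`.
  # Nix attribute sets are unordered and mapAttrsToList yields keys in
  # alphabetical order, so the bwrap command line does NOT follow the order
  # the attributes are written in. bwrap applies options in command-line
  # order (a --clearenv sorted after a --setenv would wipe that variable);
  # the current option names happen to sort safely, check this when adding.
  bubblewrap = arguments@{ ... }: pkgs.writeShellApplication {
    inherit name;
    # bwrap is put on PATH by runtimeInputs rather than by an explicit PATH=
    # assignment inside the script text.
    runtimeInputs = [ pkgs.bubblewrap ];
    text = ''
      bwrap \
    '' + strings.concatStringsSep " \\\n"
      (builtins.concatLists (attrsets.mapAttrsToList renderOption arguments))
      + "/bin/sh\n";
  };

  # The sandbox: empty environment, busybox on PATH, /nix and the host's
  # /bin mounted read-only (so /bin/sh inside is the host's shell).
  # NOTE(review): no --unshare-all, --die-with-parent, --new-session, --proc
  # or --dev is passed, so the inner shell shares the host's network/pid/ipc
  # namespaces and controlling terminal, outlives a killed parent, and sees
  # no /proc or /dev. Add what the intended isolation level requires.
  jail = bubblewrap {
    clearenv = "";
    setenv = "PATH ${strings.makeBinPath [ pkgs.busybox ]}";
    ro-bind = [ "/nix /nix" "/bin /bin" ];
  };

in pkgs.mkShell {
  inherit name;
  # Print the wrapper's store path for reference, then replace the nix-shell
  # bash with the jailed shell.
  shellHook = ''
    printf '%s\n' "${jail}/bin/${jail.name}"
    exec "${jail}/bin/${jail.name}"
  '';
}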