blob: d954588e4ff084e9de7ef8d0e0d26082549e49ce (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
let
# nix-shell -E 'import (builtins.fetchurl "$url")'
# https://nsjail.dev/
name = "nix-shell.nsjail";
pkgs = import (builtins.fetchTarball {
url = "https://releases.nixos.org/nixos/22.11/nixos-22.11.466.596a8e828c5/nixexprs.tar.xz";
sha256 = "1367bad5zz0mfm4czb6p0s0ni38f0x1ffh02z76rx4nranipqbgg";
}) { };
nsjail = {
rootfs ? "rootfs",
options ? [ ],
path ? [ pkgs.busybox ],
entrypoint ? "/bin/sh"
}:
pkgs.writeShellApplication {
inherit name;
text = ''
set -euxo pipefail
PATH=${pkgs.lib.strings.makeBinPath [ pkgs.nsjail pkgs.coreutils ]}
mkdir --parents '${rootfs}'
nsjail \
--chroot "$(pwd)"/'${rootfs}' \
${pkgs.lib.strings.concatMapStringsSep " " (value: value) options} \
-- /usr/bin/env --ignore-environment ${
pkgs.writeScript "entrypoint-${name}" ''
set -eu
export PATH=${pkgs.lib.strings.makeBinPath path}
${entrypoint}
''
};
'';
};
jail = nsjail {
options = [
"--bindmount_ro /nix"
"--bindmount_ro /usr"
"--bindmount_ro /bin"
];
};
in pkgs.mkShell {
inherit name;
shellHook = ''
printf '%s\n' "${jail}/bin/${jail.name}"
exec "${jail}/bin/${jail.name}"
'';
}
|