viber: wrap with bubblewrap to disable $HOME access

packages: add bubblewrap with overlay patches
Revert "flake: update"
2023-11-03 00:38:02 +01:00 · 2023-11-03 00:37:32 +01:00 · 2023-11-02 17:01:04 +01:00
4 changed files with 86 additions and 15 deletions
--- a/flake.lock
+++ b/flake.lock
@ -89,11 +89,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1698873617,
+        "lastModified": 1698250431,
-        "narHash": "sha256-FfGFcfbULwbK1vD+H0rslIOfmy4g8f2hXiPkQG3ZCTk=",
+        "narHash": "sha256-qs2gTeH4wpnWPO6Oi6sOhp2IhG0i0DzcnrJxIY3/CP8=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "48b0a30202516e25d9885525fbb200a045f23f26",
+        "rev": "09587fbbc6a669f7725613e044c2577dc5d43ab5",
        "type": "github"
      },
      "original": {
@ -125,11 +125,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1698611440,
+        "lastModified": 1697723726,
-        "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=",
+        "narHash": "sha256-SaTWPkI8a5xSHX/rrKzUe+/uVNy6zCGMXgoeMb7T9rg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735",
+        "rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0",
        "type": "github"
      },
      "original": {
@ -171,11 +171,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1698544399,
+        "lastModified": 1697929210,
-        "narHash": "sha256-vhRmPyEyoPkrXF2iykBsWHA05MIaOSmMRLMF7Hul6+s=",
+        "narHash": "sha256-RkQZif6QhswEwv7484mrKfIU8XmIWm+ED6llbr4IyxM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "d87c5d8c41c9b3b39592563242f3a448b5cc4bc9",
+        "rev": "fb000224952bf7749a9e8b3779104ef7ea4465c8",
        "type": "github"
      },
      "original": {
@ -273,11 +273,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1698929376,
+        "lastModified": 1697943852,
-        "narHash": "sha256-TmROaV9W6HArdTUgxLN334Kw+CradxWHw1HYM/3H6xI=",
+        "narHash": "sha256-DaBxUPaZhQ3yLCmAATshYB7qo7NwcMvSFWz9T3bjYYY=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "84d6b27dc71ac02422e192c35806d06915d2bf67",
+        "rev": "30a0ba4a20703b4bfe047fe5def1fc24978e322c",
        "type": "github"
      },
      "original": {
--- a/home/home_packages.nix
+++ b/home/home_packages.nix
@ -109,5 +109,6 @@
      inputs.nvim.packages.x86_64-linux.nvim
      (import ../packages/zapzap/default.nix {inherit pkgs;})
      (pkgs.callPackage ../packages/viber/default.nix {})
      (pkgs.callPackage ../packages/bubblewrap/default.nix {})
    ];
 }
--- a/packages/bubblewrap/default.nix
+++ b/packages/bubblewrap/default.nix
@ -0,0 +1,56 @@
 {
  lib,
  stdenv,
  fetchFromGitHub,
  docbook_xsl,
  libxslt,
  meson,
  ninja,
  pkg-config,
  bash-completion,
  libcap,
  libselinux,
 }:
 stdenv.mkDerivation rec {
  pname = "bubblewrap";
  version = "0.8.0";
  src = fetchFromGitHub {
    owner = "rhendric";
    repo = "bubblewrap";
    rev = "23ff0f875b3a0200c1796daa01173ecec7deaf88";
    hash = "sha256-EWsuAGsShaHEmLi0jUHX2bFQZkinIOsRbgB7tZSfq8E=";
  };
  postPatch = ''
    substituteInPlace tests/libtest.sh \
      --replace "/var/tmp" "$TMPDIR"
  '';
  nativeBuildInputs = [
    docbook_xsl
    libxslt
    meson
    ninja
    pkg-config
  ];
  buildInputs = [
    bash-completion
    libcap
    libselinux
  ];
  # incompatible with Nix sandbox
  doCheck = false;
  meta = with lib; {
    changelog = "https://github.com/containers/bubblewrap/releases/tag/${src.rev}";
    description = "Unprivileged sandboxing tool";
    homepage = "https://github.com/containers/bubblewrap";
    license = licenses.lgpl2Plus;
    maintainers = with maintainers; [dotlambda];
    platforms = platforms.linux;
    mainProgram = "bwrap";
  };
 }
--- a/packages/viber/default.nix
+++ b/packages/viber/default.nix
@ -3,6 +3,9 @@
  brotli,
  cups,
  curl,
  bubblewrap,
  bash,
  writeShellScriptBin,
  dbus,
  dpkg,
  expat,
@ -112,7 +115,16 @@ stdenv.mkDerivation {
    xorg.libxkbfile
  ];
-  installPhase = ''
+  installPhase = let
    viberWrap = writeShellScriptBin "viberWrap" ''
      ${bubblewrap}/bin/bwrap --bind / / \
      --dev /dev \
      --tmpfs $HOME \
      --bind  $HOME/.ViberPC/ $HOME/.ViberPC \
      --bind  $HOME/Downloads/ $HOME/Downloads \
      $@
    '';
  in ''
    dpkg-deb -x $src $out
    mkdir -p $out/bin
@ -130,7 +142,10 @@ stdenv.mkDerivation {
      --set QT_XKB_CONFIG_ROOT "${xorg.xkeyboardconfig}/share/X11/xkb" \
      --set QTCOMPOSE "${xorg.libX11.out}/share/X11/locale" \
      --set QML2_IMPORT_PATH "$out/opt/viber/qml"
-    ln -s $out/opt/viber/Viber $out/bin/viber
+
    echo "#!${bash}/bin/bash" > $out/bin/viber
    echo "${viberWrap}/bin/viberWrap $out/opt/viber/Viber" >> $out/bin/viber
    chmod +x $out/bin/viber
    mv $out/usr/share $out/share
    rm -rf $out/usr
@ -140,7 +155,6 @@ stdenv.mkDerivation {
      --replace /opt/viber/Viber $out/opt/viber/Viber \
      --replace /usr/share/ $out/share/
  '';
  dontStrip = true;
  dontPatchELF = true;
Author	SHA1	Message	Date
Asmir A	3d2d8ea274	viber: wrap with bubblewrap to disable $HOME access	2023-11-03 00:38:02 +01:00
Asmir A	70efe40a80	packages: add bubblewrap with overlay patches	2023-11-03 00:37:32 +01:00
Asmir A	4ce7d3fc89	Revert "flake: update" This reverts commit `3106fe565d`.	2023-11-02 17:01:04 +01:00