From 744138c227715a81b5db0883daceec8c6fd8f720 Mon Sep 17 00:00:00 2001
From: LorenzBischof <1837725+LorenzBischof@users.noreply.github.com>
Date: Sat, 15 Mar 2025 21:09:54 +0100
Subject: [PATCH 1/3] devenv: implement basic filesystem sandbox
---
devenv-core/src/config.rs | 10 +
devenv-core/src/nix_args.rs | 7 +-
devenv-nix-backend/bootstrap/bootstrapLib.nix | 2 +
devenv.yaml | 3 +
devenv/src/devenv.rs | 1 +
src/modules/landlockconfig.Cargo.lock | 1245 +++++++++++++++++
src/modules/processes.nix | 8 +-
src/modules/top-level.nix | 93 +-
tests/sandbox-readonly/.test-config.yml | 1 +
tests/sandbox-readonly/.test.sh | 14 +
tests/sandbox-readonly/devenv.nix | 6 +
tests/sandbox-readonly/devenv.yaml | 2 +
tests/sandbox/.test-config.yml | 7 +
tests/sandbox/.test.sh | 33 +
tests/sandbox/devenv.nix | 8 +
tests/sandbox/devenv.yaml | 6 +
16 files changed, 1439 insertions(+), 7 deletions(-)
create mode 100644 src/modules/landlockconfig.Cargo.lock
create mode 100644 tests/sandbox-readonly/.test-config.yml
create mode 100755 tests/sandbox-readonly/.test.sh
create mode 100644 tests/sandbox-readonly/devenv.nix
create mode 100644 tests/sandbox-readonly/devenv.yaml
create mode 100644 tests/sandbox/.test-config.yml
create mode 100755 tests/sandbox/.test.sh
create mode 100644 tests/sandbox/devenv.nix
create mode 100644 tests/sandbox/devenv.yaml
diff --git a/devenv-core/src/config.rs b/devenv-core/src/config.rs
index 8f4551dcb2..8c1f761898 100644
--- a/devenv-core/src/config.rs
+++ b/devenv-core/src/config.rs
@@ -181,6 +181,9 @@ pub struct Config {
pub backend: NixBackendType,
#[setting(nested)]
#[serde(skip_serializing_if = "Option::is_none", default)]
+ pub sandbox: Option,
+ #[setting(nested)]
+ #[serde(skip_serializing_if = "Option::is_none", default)]
pub secretspec: Option,
#[serde(skip_serializing_if = "Option::is_none", default)]
#[setting(merge = schematic::merge::replace)]
@@ -201,6 +204,13 @@ pub struct SecretspecConfig {
pub provider: Option,
}

+#[derive(schematic::Config, Clone, Debug, PartialEq, Eq, Serialize, Deserialize, JsonSchema)]
+pub struct SandboxConfig {
+ #[serde(skip_serializing_if = "is_false", default = "false_default")]
+ #[setting(default = false)]
+ pub enable: bool,
+}
+
// TODO: https://github.com/moonrepo/schematic/issues/105
pub async fn write_json_schema() -> Result<()> {
let schema = schema_for!(Config);
diff --git a/devenv-core/src/nix_args.rs b/devenv-core/src/nix_args.rs
index 975193054c..990c7b99e8 100644
--- a/devenv-core/src/nix_args.rs
+++ b/devenv-core/src/nix_args.rs
@@ -4,7 +4,7 @@
//! when assembling the devenv environment. The struct is serialized to Nix syntax
//! using the `ser_nix` crate and inserted into the flake template.

-use crate::config::{Config, NixpkgsConfig};
+use crate::config::{Config, NixpkgsConfig, SandboxConfig};
use miette::{Result, miette};
use ser_nix::NixLiteral;
use serde::Serialize;
@@ -302,6 +302,9 @@ pub struct NixArgs<'a> {
/// Whether the environment is being assembled for testing
pub devenv_istesting: bool,

+ /// Sandbox configuration
+ pub devenv_sandbox: Option<&'a SandboxConfig>,
+
/// Latest direnvrc version number available
pub devenv_direnvrc_latest_version: u8,

@@ -386,6 +389,7 @@ mod tests {
devenv_tmpdir: &tmpdir,
devenv_runtime: &runtime,
devenv_istesting: false,
+ devenv_sandbox: None,
devenv_direnvrc_latest_version: 5,
container_name,
active_profiles: &profiles,
@@ -491,6 +495,7 @@ mod tests {
devenv_tmpdir: &tmpdir,
devenv_runtime: &runtime,
devenv_istesting: false,
+ devenv_sandbox: None,
devenv_direnvrc_latest_version: 5,
container_name: None,
active_profiles: &profiles,
diff --git a/devenv-nix-backend/bootstrap/bootstrapLib.nix b/devenv-nix-backend/bootstrap/bootstrapLib.nix
index 6102a27b39..0d74c7b880 100644
--- a/devenv-nix-backend/bootstrap/bootstrapLib.nix
+++ b/devenv-nix-backend/bootstrap/bootstrapLib.nix
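Review bot: `SandboxConfig` and its `enable` field carry no doc comments, and because `write_json_schema` in the same hunk derives the schema with `schema_for!(Config)`, the new `sandbox` key will appear in the published JSON schema with no description. I would add `/// Filesystem sandbox settings (the sandbox key in devenv.yaml).` above the struct and `/// Enable the filesystem sandbox for this environment; off by default.` above `enable`. The `is_false` and `false_default` helpers named in the serde attribute are not part of the hunk, so presumably they already exist in this file; worth confirming, since a missing name would only surface at compile time.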
@@ -32,6 +32,7 @@ rec {
, devenv_tmpdir
, devenv_runtime
, devenv_istesting ? false
+ , devenv_sandbox ? null
, devenv_direnvrc_latest_version
, container_name ? null
, active_profiles ? [ ]
@@ -128,6 +129,7 @@ rec {
_module.args.pkgs = evalPkgs.appendOverlays (config.overlays or [ ]);
_module.args.secretspec = secretspec;
_module.args.devenvPrimops = primops;
+ _module.args.devenvSandbox = devenv_sandbox;
}
) (inputs.devenv.modules + /top-level.nix)
diff --git a/devenv.yaml b/devenv.yaml
index dfcb3ed4a3..e28b50d4b2 100644
--- a/devenv.yaml
+++ b/devenv.yaml
@@ -34,3 +34,6 @@ imports:
- devenv-claude-agents
- ./docs
- ./devenv-nix-backend
+
+sandbox:
+ enable: false
diff --git a/devenv/src/devenv.rs b/devenv/src/devenv.rs
index e5b0cbedcc..9cc6af0902 100644
--- a/devenv/src/devenv.rs
+++ b/devenv/src/devenv.rs
@@ -1777,6 +1777,7 @@ impl Devenv {
devenv_tmpdir: &self.devenv_tmp,
devenv_runtime: &self.devenv_runtime,
devenv_istesting: is_testing,
+ devenv_sandbox: config.sandbox.as_ref(),
devenv_direnvrc_latest_version: *DIRENVRC_VERSION,
container_name: self.container_name.as_deref(),
active_profiles: &active_profiles,
diff --git a/src/modules/landlockconfig.Cargo.lock b/src/modules/landlockconfig.Cargo.lock
new file mode 100644
index 0000000000..fd0b103164
--- /dev/null
+++ b/src/modules/landlockconfig.Cargo.lock
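Review bot: `_module.args.devenvSandbox = devenv_sandbox;` hands modules a value of three possible shapes: `null` from the `? null` default when devenv.yaml has no `sandbox` key, presumably `{ }` when `enable: false` is configured (config.rs serializes the field with `skip_serializing_if = "is_false"`, so the attribute is dropped), and `{ enable = true; }`. A consumer written as `devenvSandbox.enable` fails evaluation in the first two cases, and `devenvSandbox.enable or false` would have to be repeated at every use site. I would normalize once at this binding: `_module.args.devenvSandbox = { enable = false; } // (if devenv_sandbox == null then { } else devenv_sandbox);`. The consumers in src/modules/top-level.nix and src/modules/processes.nix appear in the diffstat but not in this chunk, so I cannot tell whether they already guard for this.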
@@ -0,0 +1,1245 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "ahash" +version = "0.8.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a15f179cd60c4584b8a8c596927aadc462e27f2ca70c04e0071964a73ba7a75" +dependencies = [ + "cfg-if", + "getrandom", + "once_cell", + "serde", + "version_check", + "zerocopy", +] + +[[package]] +name = "aho-corasick" +version = "1.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301" +dependencies = [ + "memchr", +] + +[[package]] +name = "anstream" +version = "0.6.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "43d5b281e737544384e969a5ccad3f1cdd24b48086a0fc1b2a5262a26b8f4f4a" +dependencies = [ + "anstyle", + "anstyle-parse", + "anstyle-query", + "anstyle-wincon", + "colorchoice", + "is_terminal_polyfill", + "utf8parse", +] + +[[package]] +name = "anstyle" +version = "1.0.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5192cca8006f1fd4f7237516f40fa183bb07f8fbdfedaa0036de5ea9b0b45e78" + +[[package]] +name = "anstyle-parse" +version = "0.2.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2" +dependencies = [ + "utf8parse", +] + +[[package]] +name = "anstyle-query" +version = "1.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc" +dependencies = [ + "windows-sys", +] + +[[package]] +name = "anstyle-wincon" +version = "3.0.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d" +dependencies = [ + "anstyle", + "once_cell_polyfill", + "windows-sys", +] + +[[package]] +name = 
"anyhow" +version = "1.0.101" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5f0e0fee31ef5ed1ba1316088939cea399010ed7731dba877ed44aeb407a75ea" + +[[package]] +name = "autocfg" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8" + +[[package]] +name = "base64" +version = "0.22.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" + +[[package]] +name = "bit-set" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "08807e080ed7f9d5433fa9b275196cfc35414f66a0c79d864dc51a0d825231a3" +dependencies = [ + "bit-vec", +] + +[[package]] +name = "bit-vec" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5e764a1d40d510daf35e07be9eb06e75770908c27d411ee6c92109c9840eaaf7" + +[[package]] +name = "bitflags" +version = "2.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3" + +[[package]] +name = "borrow-or-share" +version = "0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc0b364ead1874514c8c2855ab558056ebfeb775653e7ae45ff72f28f8f3166c" + +[[package]] +name = "bumpalo" +version = "3.19.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510" + +[[package]] +name = "bytecount" +version = "0.6.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "175812e0be2bccb6abe50bb8d566126198344f707e304f45c648fd8f2cc0365e" + +[[package]] +name = "cbindgen" +version = "0.28.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eadd868a2ce9ca38de7eeafdcec9c7065ef89b42b32f0839278d55f35c54d1ff" 
+dependencies = [ + "clap", + "heck 0.4.1", + "indexmap", + "log", + "proc-macro2", + "quote", + "serde", + "serde_json", + "syn", + "tempfile", + "toml", +] + +[[package]] +name = "cfg-if" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801" + +[[package]] +name = "clap" +version = "4.5.57" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6899ea499e3fb9305a65d5ebf6e3d2248c5fab291f300ad0a704fbe142eae31a" +dependencies = [ + "clap_builder", + "clap_derive", +] + +[[package]] +name = "clap_builder" +version = "4.5.57" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b12c8b680195a62a8364d16b8447b01b6c2c8f9aaf68bee653be34d4245e238" +dependencies = [ + "anstream", + "anstyle", + "clap_lex", + "strsim", +] + +[[package]] +name = "clap_derive" +version = "4.5.55" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a92793da1a46a5f2a02a6f4c46c6496b28c43638adea8306fcb0caa1634f24e5" +dependencies = [ + "heck 0.5.0", + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "clap_lex" +version = "0.7.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c3e64b0cc0439b12df2fa678eae89a1c56a529fd067a9115f7827f1fffd22b32" + +[[package]] +name = "colorchoice" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75" + +[[package]] +name = "displaydoc" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "email_address" +version = "0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"e079f19b08ca6239f47f8ba8509c11cf3ea30095831f7fed61441475edd8c449" +dependencies = [ + "serde", +] + +[[package]] +name = "enumflags2" +version = "0.7.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1027f7680c853e056ebcec683615fb6fbbc07dbaa13b4d5d9442b146ded4ecef" +dependencies = [ + "enumflags2_derive", +] + +[[package]] +name = "enumflags2_derive" +version = "0.7.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "67c78a4d8fdf9953a5c9d458f9efe940fd97a0cab0941c075a813ac594733827" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "equivalent" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" + +[[package]] +name = "errno" +version = "0.3.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" +dependencies = [ + "libc", + "windows-sys", +] + +[[package]] +name = "fancy-regex" +version = "0.14.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e24cb5a94bcae1e5408b0effca5cd7172ea3c5755049c5f3af4cd283a165298" +dependencies = [ + "bit-set", + "regex-automata", + "regex-syntax", +] + +[[package]] +name = "fastrand" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be" + +[[package]] +name = "fluent-uri" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1918b65d96df47d3591bed19c5cca17e3fa5d0707318e4b5ef2eae01764df7e5" +dependencies = [ + "borrow-or-share", + "ref-cast", + "serde", +] + +[[package]] +name = "fraction" +version = "0.15.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0f158e3ff0a1b334408dc9fb811cd99b446986f4d8b741bb08f9df1604085ae7" 
+dependencies = [ + "lazy_static", + "num", +] + +[[package]] +name = "getrandom" +version = "0.3.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd" +dependencies = [ + "cfg-if", + "libc", + "r-efi", + "wasip2", +] + +[[package]] +name = "hashbrown" +version = "0.16.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100" + +[[package]] +name = "heck" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" + +[[package]] +name = "heck" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" + +[[package]] +name = "icu_collections" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43" +dependencies = [ + "displaydoc", + "potential_utf", + "yoke", + "zerofrom", + "zerovec", +] + +[[package]] +name = "icu_locale_core" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6" +dependencies = [ + "displaydoc", + "litemap", + "tinystr", + "writeable", + "zerovec", +] + +[[package]] +name = "icu_normalizer" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599" +dependencies = [ + "icu_collections", + "icu_normalizer_data", + "icu_properties", + "icu_provider", + "smallvec", + "zerovec", +] + +[[package]] +name = "icu_normalizer_data" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a" + +[[package]] +name = "icu_properties" +version = "2.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec" +dependencies = [ + "icu_collections", + "icu_locale_core", + "icu_properties_data", + "icu_provider", + "zerotrie", + "zerovec", +] + +[[package]] +name = "icu_properties_data" +version = "2.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af" + +[[package]] +name = "icu_provider" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614" +dependencies = [ + "displaydoc", + "icu_locale_core", + "writeable", + "yoke", + "zerofrom", + "zerotrie", + "zerovec", +] + +[[package]] +name = "idna" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de" +dependencies = [ + "idna_adapter", + "smallvec", + "utf8_iter", +] + +[[package]] +name = "idna_adapter" +version = "1.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344" +dependencies = [ + "icu_normalizer", + "icu_properties", +] + +[[package]] +name = "indexmap" +version = "2.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017" +dependencies = [ + "equivalent", + "hashbrown", +] + +[[package]] +name = "is_terminal_polyfill" +version = "1.70.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695" + +[[package]] +name = "itoa" +version = "1.0.17" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2" + +[[package]] +name = "js-sys" +version = "0.3.85" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8c942ebf8e95485ca0d52d97da7c5a2c387d0e7f0ba4c35e93bfcaee045955b3" +dependencies = [ + "once_cell", + "wasm-bindgen", +] + +[[package]] +name = "jsonschema" +version = "0.30.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f1b46a0365a611fbf1d2143104dcf910aada96fafd295bab16c60b802bf6fa1d" +dependencies = [ + "ahash", + "base64", + "bytecount", + "email_address", + "fancy-regex", + "fraction", + "idna", + "itoa", + "num-cmp", + "num-traits", + "once_cell", + "percent-encoding", + "referencing", + "regex", + "regex-syntax", + "serde", + "serde_json", + "uuid-simd", +] + +[[package]] +name = "landlock" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49fefd6652c57d68aaa32544a4c0e642929725bdc1fd929367cdeb673ab81088" +dependencies = [ + "enumflags2", + "libc", + "thiserror", +] + +[[package]] +name = "landlockconfig" +version = "0.1.0" +dependencies = [ + "anyhow", + "clap", + "jsonschema", + "landlock", + "lazy_static", + "serde", + "serde_json", + "thiserror", + "toml", +] + +[[package]] +name = "landlockconfig_ffi" +version = "0.1.0" +dependencies = [ + "cbindgen", + "landlock", + "landlockconfig", + "libc", +] + +[[package]] +name = "lazy_static" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" + +[[package]] +name = "libc" +version = "0.2.180" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc" + +[[package]] +name = "linux-raw-sys" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" 
+checksum = "df1d3c3b53da64cf5760482273a98e575c651a67eec7f77df96b5b642de8f039" + +[[package]] +name = "litemap" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77" + +[[package]] +name = "lock_api" +version = "0.4.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965" +dependencies = [ + "scopeguard", +] + +[[package]] +name = "log" +version = "0.4.29" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897" + +[[package]] +name = "memchr" +version = "2.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79" + +[[package]] +name = "num" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "35bd024e8b2ff75562e5f34e7f4905839deb4b22955ef5e73d2fea1b9813cb23" +dependencies = [ + "num-bigint", + "num-complex", + "num-integer", + "num-iter", + "num-rational", + "num-traits", +] + +[[package]] +name = "num-bigint" +version = "0.4.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9" +dependencies = [ + "num-integer", + "num-traits", +] + +[[package]] +name = "num-cmp" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "63335b2e2c34fae2fb0aa2cecfd9f0832a1e24b3b32ecec612c3426d46dc8aaa" + +[[package]] +name = "num-complex" +version = "0.4.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "73f88a1307638156682bada9d7604135552957b7818057dcef22705b4d509495" +dependencies = [ + "num-traits", +] + +[[package]] +name = "num-integer" +version = "0.1.46" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f" +dependencies = [ + "num-traits", +] + +[[package]] +name = "num-iter" +version = "0.1.45" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf" +dependencies = [ + "autocfg", + "num-integer", + "num-traits", +] + +[[package]] +name = "num-rational" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f83d14da390562dca69fc84082e73e548e1ad308d24accdedd2720017cb37824" +dependencies = [ + "num-bigint", + "num-integer", + "num-traits", +] + +[[package]] +name = "num-traits" +version = "0.2.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" +dependencies = [ + "autocfg", +] + +[[package]] +name = "once_cell" +version = "1.21.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d" + +[[package]] +name = "once_cell_polyfill" +version = "1.70.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe" + +[[package]] +name = "outref" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a80800c0488c3a21695ea981a54918fbb37abf04f4d0720c453632255e2ff0e" + +[[package]] +name = "parking_lot" +version = "0.12.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a" +dependencies = [ + "lock_api", + "parking_lot_core", +] + +[[package]] +name = "parking_lot_core" +version = "0.9.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1" +dependencies = [ + "cfg-if", + "libc", + "redox_syscall", + "smallvec", + "windows-link", +] + +[[package]] +name = "percent-encoding" +version = "2.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220" + +[[package]] +name = "potential_utf" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77" +dependencies = [ + "zerovec", +] + +[[package]] +name = "proc-macro2" +version = "1.0.106" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quote" +version = "1.0.44" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "21b2ebcf727b7760c461f091f9f0f539b77b8e87f2fd88131e7f1b433b3cece4" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "r-efi" +version = "5.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f" + +[[package]] +name = "redox_syscall" +version = "0.5.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d" +dependencies = [ + "bitflags", +] + +[[package]] +name = "ref-cast" +version = "1.0.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f354300ae66f76f1c85c5f84693f0ce81d747e2c3f21a45fef496d89c960bf7d" +dependencies = [ + "ref-cast-impl", +] + +[[package]] +name = "ref-cast-impl" +version = "1.0.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da" +dependencies = [ + "proc-macro2", + 
"quote", + "syn", +] + +[[package]] +name = "referencing" +version = "0.30.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8eff4fa778b5c2a57e85c5f2fe3a709c52f0e60d23146e2151cbef5893f420e" +dependencies = [ + "ahash", + "fluent-uri", + "once_cell", + "parking_lot", + "percent-encoding", + "serde_json", +] + +[[package]] +name = "regex" +version = "1.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276" +dependencies = [ + "aho-corasick", + "memchr", + "regex-automata", + "regex-syntax", +] + +[[package]] +name = "regex-automata" +version = "0.4.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f" +dependencies = [ + "aho-corasick", + "memchr", + "regex-syntax", +] + +[[package]] +name = "regex-syntax" +version = "0.8.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c" + +[[package]] +name = "rustix" +version = "1.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "146c9e247ccc180c1f61615433868c99f3de3ae256a30a43b49f67c2d9171f34" +dependencies = [ + "bitflags", + "errno", + "libc", + "linux-raw-sys", + "windows-sys", +] + +[[package]] +name = "rustversion" +version = "1.0.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d" + +[[package]] +name = "scopeguard" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" + +[[package]] +name = "serde" +version = "1.0.228" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e" 
+dependencies = [ + "serde_core", + "serde_derive", +] + +[[package]] +name = "serde_core" +version = "1.0.228" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_derive" +version = "1.0.228" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "serde_json" +version = "1.0.149" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86" +dependencies = [ + "itoa", + "memchr", + "serde", + "serde_core", + "zmij", +] + +[[package]] +name = "serde_spanned" +version = "0.6.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bf41e0cfaf7226dca15e8197172c295a782857fcb97fad1808a166870dee75a3" +dependencies = [ + "serde", +] + +[[package]] +name = "smallvec" +version = "1.15.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03" + +[[package]] +name = "stable_deref_trait" +version = "1.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596" + +[[package]] +name = "strsim" +version = "0.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" + +[[package]] +name = "syn" +version = "2.0.114" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "synstructure" +version = "0.13.2" 
+source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "tempfile" +version = "3.24.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "655da9c7eb6305c55742045d5a8d2037996d61d8de95806335c7c86ce0f82e9c" +dependencies = [ + "fastrand", + "getrandom", + "once_cell", + "rustix", + "windows-sys", +] + +[[package]] +name = "thiserror" +version = "2.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4" +dependencies = [ + "thiserror-impl", +] + +[[package]] +name = "thiserror-impl" +version = "2.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "tinystr" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869" +dependencies = [ + "displaydoc", + "zerovec", +] + +[[package]] +name = "toml" +version = "0.8.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc1beb996b9d83529a9e75c17a1686767d148d70663143c7854d8b4a09ced362" +dependencies = [ + "serde", + "serde_spanned", + "toml_datetime", + "toml_edit", +] + +[[package]] +name = "toml_datetime" +version = "0.6.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "22cddaf88f4fbc13c51aebbf5f8eceb5c7c5a9da2ac40a13519eb5b0a0e8f11c" +dependencies = [ + "serde", +] + +[[package]] +name = "toml_edit" +version = "0.22.27" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a" +dependencies = [ + "indexmap", + 
"serde", + "serde_spanned", + "toml_datetime", + "toml_write", + "winnow", +] + +[[package]] +name = "toml_write" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801" + +[[package]] +name = "unicode-ident" +version = "1.0.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5" + +[[package]] +name = "utf8_iter" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" + +[[package]] +name = "utf8parse" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" + +[[package]] +name = "uuid" +version = "1.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ee48d38b119b0cd71fe4141b30f5ba9c7c5d9f4e7a3a8b4a674e4b6ef789976f" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + +[[package]] +name = "uuid-simd" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "23b082222b4f6619906941c17eb2297fff4c2fb96cb60164170522942a200bd8" +dependencies = [ + "outref", + "uuid", + "vsimd", +] + +[[package]] +name = "version_check" +version = "0.9.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a" + +[[package]] +name = "vsimd" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c3082ca00d5a5ef149bb8b555a72ae84c9c59f7250f013ac822ac2e49b19c64" + +[[package]] +name = "wasip2" +version = "1.0.2+wasi-0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5" +dependencies = 
[ + "wit-bindgen", +] + +[[package]] +name = "wasm-bindgen" +version = "0.2.108" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "64024a30ec1e37399cf85a7ffefebdb72205ca1c972291c51512360d90bd8566" +dependencies = [ + "cfg-if", + "once_cell", + "rustversion", + "wasm-bindgen-macro", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-macro" +version = "0.2.108" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "008b239d9c740232e71bd39e8ef6429d27097518b6b30bdf9086833bd5b6d608" +dependencies = [ + "quote", + "wasm-bindgen-macro-support", +] + +[[package]] +name = "wasm-bindgen-macro-support" +version = "0.2.108" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5256bae2d58f54820e6490f9839c49780dff84c65aeab9e772f15d5f0e913a55" +dependencies = [ + "bumpalo", + "proc-macro2", + "quote", + "syn", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-shared" +version = "0.2.108" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1f01b580c9ac74c8d8f0c0e4afb04eeef2acf145458e52c03845ee9cd23e3d12" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "windows-link" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5" + +[[package]] +name = "windows-sys" +version = "0.61.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc" +dependencies = [ + "windows-link", +] + +[[package]] +name = "winnow" +version = "0.7.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829" +dependencies = [ + "memchr", +] + +[[package]] +name = "wit-bindgen" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5" + +[[package]] +name = "writeable" +version = "0.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9" + +[[package]] +name = "yoke" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72d6e5c6afb84d73944e5cedb052c4680d5657337201555f9f2a16b7406d4954" +dependencies = [ + "stable_deref_trait", + "yoke-derive", + "zerofrom", +] + +[[package]] +name = "yoke-derive" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "synstructure", +] + +[[package]] +name = "zerocopy" +version = "0.8.39" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "db6d35d663eadb6c932438e763b262fe1a70987f9ae936e60158176d710cae4a" +dependencies = [ + "zerocopy-derive", +] + +[[package]] +name = "zerocopy-derive" +version = "0.8.39" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4122cd3169e94605190e77839c9a40d40ed048d305bfdc146e7df40ab0f3e517" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "zerofrom" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5" +dependencies = [ + "zerofrom-derive", +] + +[[package]] +name = "zerofrom-derive" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "synstructure", +] + +[[package]] +name = "zerotrie" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"2a59c17a5562d507e4b54960e8569ebee33bee890c70aa3fe7b97e85a9fd7851" +dependencies = [ + "displaydoc", + "yoke", + "zerofrom", +] + +[[package]] +name = "zerovec" +version = "0.11.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002" +dependencies = [ + "yoke", + "zerofrom", + "zerovec-derive", +] + +[[package]] +name = "zerovec-derive" +version = "0.11.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "zmij" +version = "1.0.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3ff05f8caa9038894637571ae6b9e29466c1f4f829d26c9b28f869a29cbe3445" diff --git a/src/modules/processes.nix b/src/modules/processes.nix index 3af426c578..025c779f0b 100644 --- a/src/modules/processes.nix +++ b/src/modules/processes.nix @@ -1,4 +1,4 @@ -{ config, options, lib, pkgs, ... }: +{ config, options, lib, pkgs, sandbox, ... }: let types = lib.types; @@ -252,9 +252,9 @@ in procfileScript = pkgs.writeShellScript "devenv-up" '' ${lib.optionalString config.devenv.debug "set -x"} - ${config.process.manager.before} + ${sandbox} ${config.process.manager.before} - ${config.process.manager.command} + ${sandbox} ${config.process.manager.command} backgroundPID=$! @@ -262,7 +262,7 @@ in echo "Stopping processes..." kill -TERM $backgroundPID wait $backgroundPID - ${config.process.manager.after} + ${sandbox} ${config.process.manager.after} echo "Processes stopped." } diff --git a/src/modules/top-level.nix b/src/modules/top-level.nix index 279df7c0ba..7837e041e6 100644 --- a/src/modules/top-level.nix +++ b/src/modules/top-level.nix 
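Review bot: `${sandbox} ${config.process.manager.before}` treats `before` as a single command line, but if that option is a multi-line `lines` value (and presumably empty by default), an empty value runs `sandboxer --toml … --` with no command at all and a multi-line value confines only its first line; the `after` hunk has the same shape. Writing the snippet to a script and handing that to sandboxer avoids both cases, e.g. `${sandbox} ${pkgs.writeShellScript "devenv-before" config.process.manager.before}`, and likewise for `after`. How sandboxer behaves when given no command is not visible here and is worth confirming, since a silent success would hide the problem. The stop handler that the third hunk edits starts outside the hunk.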
@@ -1,6 +1,7 @@ { config, pkgs, lib, bootstrapPkgs ? null, ... }: let types = lib.types; + # Returns a list of all the entries in a folder listEntries = path: map (name: path + "/${name}") (builtins.attrNames (builtins.readDir path)); @@ -20,6 +21,57 @@ let failedAssertions = builtins.map (x: x.message) (builtins.filter (x: !x.assertion) config.assertions); + sandboxer = pkgs.rustPlatform.buildRustPackage { + pname = "sandboxer"; + version = "0.0.1"; + src = pkgs.fetchFromGitHub { + owner = "landlock-lsm"; + repo = "landlockconfig"; + rev = "8b6b59b339181f9fa1ec6f7889564ba154c1a47d"; + hash = "sha256-4LOauaC3eTLvERp9E7HIcunzkJ7HHcLkLAmaSbisr/c="; + }; + # Upstream doesn't have a Cargo.lock file yet, so we provide one + postUnpack = '' + cp ${./landlockconfig.Cargo.lock} source/Cargo.lock + ''; + cargoLock = { + lockFile = ./landlockconfig.Cargo.lock; + }; + installPhase = '' + mkdir -p $out/bin + cp target/*/release/examples/sandboxer $out/bin/ + ''; + cargoBuildFlags = [ + "--example" + "sandboxer" + ]; + }; + sandboxer-settings = pkgs.writers.writeTOML "sandboxer.toml" { + abi = 5; + path_beneath = [ + { + allowed_access = [ "abi.read_write" ]; + parent = [ + config.devenv.root + config.devenv.runtime + config.devenv.tmpdir + "/proc" + "/tmp" + "/dev/tty" + "/dev/null" + ]; + } + { + allowed_access = [ "abi.read_execute" ]; + parent = [ + "/nix" + "/proc/stat" + ]; + } + ]; + }; + sandbox = lib.optionalString config.devenv.sandbox.enable "${sandboxer}/bin/sandboxer --toml ${sandboxer-settings} --"; + performAssertions = let formatAssertionMessage = message: 
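Review bot: The ruleset consists solely of `path_beneath` rules, so the sandbox restricts filesystem access only — Landlock's network rules (available from ABI 4) are not configured, and `/tmp` and `/proc` are granted read-write, so a confined process can still exchange data with any other process on the host. A comment on `sandboxer-settings` stating that this is filesystem-only defence in depth rather than an isolation boundary would set expectations for users of `devenv.sandbox.enable`, e.g. `# Filesystem allowlist only: no network or IPC scoping; /tmp and /proc stay shared.`. What sandboxer does on a kernel without Landlock, or with an ABI below the `abi = 5` declared here, is not visible in this hunk; if it degrades silently, enabling the sandbox yields no protection and no signal, so that behaviour deserves either a loud failure or a documented warning. The `performAssertions` binding that begins at the end of the hunk continues outside it.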
@@ -229,6 +281,24 @@ in internal = true; }; + sandbox = lib.mkOption { + type = types.submodule { + options = { + enable = lib.mkOption { + type = types.bool; + readOnly = true; + description = '' + Enable the sandbox. This option is controlled by the `sandbox.enable` setting + in devenv.yaml and cannot be overridden in devenv.nix. + ''; + }; + }; + }; + readOnly = true; + default = config._module.args.devenvSandbox or { enable = false; }; + description = "Sandbox configuration"; + }; + runtime = lib.mkOption { type = types.str; internal = true; @@ -372,9 +442,28 @@ in # On macOS, the default apple-sdk is added to stdenv via `extraBuildInputs`. # If we don't remove it from stdenv, then its setup hooks will clobber any SDK added to `packages`. isAppleSDK = pkg: builtins.match ".*apple-sdk.*" (pkg.pname or "") != null; - partitionedPkgs = builtins.partition isAppleSDK config.packages; + partitionedPkgs = builtins.partition isAppleSDK wrappedPackages; buildInputs = partitionedPkgs.right; nativeBuildInputs = partitionedPkgs.wrong; + wrappedPackages = if config.devenv.sandbox.enable then map wrapBinaries config.packages else config.packages; + wrapBinaries = + pkg: + pkgs.stdenv.mkDerivation { + name = "wrapped-${pkg.name}"; + src = [ pkg ]; + buildInputs = [ pkgs.makeWrapper ]; + + postBuild = '' + mkdir -p $out/bin + for bin in $src/bin/*; do + if [ -x "$bin" ] && [ -f "$bin" ]; then + echo "exec ${sandbox} $bin \"\$@\"" > $out/bin/$(basename $bin) + chmod +x $out/bin/$(basename $bin) + fi + done + ''; + }; + shellHook = pkgs.writeShellScriptBin "shellHook" config.enterShell; in performAssertions ( (pkgs.mkShell.override { stdenv = config.stdenv; }) ({ @@ -382,7 +471,7 @@ in inherit buildInputs nativeBuildInputs; shellHook = '' ${lib.optionalString config.devenv.debug "set -x"} - ${config.enterShell} + ${sandbox} "${shellHook}/bin/shellHook" ''; } // config.env) ); 
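Review bot: `readOnly = true` on `devenv.sandbox` does not make it non-overridable as the description claims: the module system rejects a read-only option only when it has more than one definition, and a `default` is not a definition, so a single `devenv.sandbox.enable = lib.mkForce false` in devenv.nix is, as far as the visible modules show, accepted and overrides devenv.yaml. If that guarantee matters, give the option a real definition from the module argument (a `config.devenv.sandbox = …` assignment in the module's config section) so that any user definition becomes the second one and trips the check, and keep the description's claim only once that holds. In the last hunk, `${sandbox} "${shellHook}/bin/shellHook"` runs `enterShell` as a child process even with the sandbox disabled (`${sandbox}` is then empty), so exports, aliases and functions defined there no longer reach the interactive shell — the unsandboxed branch should keep the inline `${config.enterShell}`. The wrapper written by `wrapBinaries` (whose enclosing `let` starts outside the hunk) has no interpreter line; write `echo "#!${pkgs.runtimeShell}" > $out/bin/$(basename $bin)` first and append the exec line, otherwise it only runs from callers that fall back on ENOEXEC. The `enable` description should also state that only the enter hook and the binaries from `packages` are confined; the interactive shell itself, its builtins and any host binary on PATH run unconfined.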
diff --git a/tests/sandbox-readonly/.test-config.yml b/tests/sandbox-readonly/.test-config.yml new file mode 100644 index 0000000000..13c16cea3a --- /dev/null +++ b/tests/sandbox-readonly/.test-config.yml @@ -0,0 +1 @@ +use_shell: false diff --git a/tests/sandbox-readonly/.test.sh b/tests/sandbox-readonly/.test.sh new file mode 100755 index 0000000000..3993ec29e1 --- /dev/null +++ b/tests/sandbox-readonly/.test.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env bash +set -e + +echo "=== Sandbox ReadOnly Test ===" + +# This test should FAIL during evaluation because the option is readOnly +# We expect devenv to fail with an error about trying to set a readOnly option + +if devenv info &> /dev/null; then + echo "ERROR: devenv should have failed due to readOnly option being set" + exit 1 +else + echo "✓ devenv correctly rejected attempt to override readOnly sandbox option" +fi diff --git a/tests/sandbox-readonly/devenv.nix b/tests/sandbox-readonly/devenv.nix new file mode 100644 index 0000000000..151e055f33 --- /dev/null +++ b/tests/sandbox-readonly/devenv.nix @@ -0,0 +1,6 @@ +{ pkgs, lib, config, ... }: { + # This should fail: trying to override a readOnly option + devenv.sandbox.enable = lib.mkForce false; + + packages = [ pkgs.hello ]; +} diff --git a/tests/sandbox-readonly/devenv.yaml b/tests/sandbox-readonly/devenv.yaml new file mode 100644 index 0000000000..9e1e880fbf --- /dev/null +++ b/tests/sandbox-readonly/devenv.yaml @@ -0,0 +1,2 @@ +sandbox: + enable: true diff --git a/tests/sandbox/.test-config.yml b/tests/sandbox/.test-config.yml new file mode 100644 index 0000000000..ebf64176a7 --- /dev/null +++ b/tests/sandbox/.test-config.yml @@ -0,0 +1,7 @@ +# Run test script directly (outside enterTest) but it will invoke devenv shell +use_shell: false + +# Landlock is Linux-specific +broken_systems: + - aarch64-darwin + - x86_64-darwin diff --git a/tests/sandbox/.test.sh b/tests/sandbox/.test.sh new file mode 100755 index 0000000000..8c9289594d --- /dev/null 
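Review bot: The check in `.test.sh` passes whenever `devenv info` exits non-zero for any reason (missing input, network, an unrelated evaluation error), so it cannot distinguish the intended read-only rejection from a broken setup. Capture the output and match the module-system wording: `if out=$(devenv info 2>&1); then echo "ERROR: …"; exit 1; fi` followed by `grep -q 'read-only' <<<"$out" || { echo "unexpected failure: $out"; exit 1; }`. A short comment naming the exact error the module system emits for a read-only option would also make it obvious what the test is pinning.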
+++ b/tests/sandbox/.test.sh @@ -0,0 +1,33 @@ +#!/usr/bin/env bash +set -ex + +echo "=== Sandbox Test ===" + +# Run tests inside devenv shell to get proper sandbox behavior +devenv shell -- bash -c ' + set -ex + + echo "Running inside devenv shell" + echo "DEVENV_ROOT: $DEVENV_ROOT" + echo "PWD: $(pwd)" + echo "HOME: $HOME" + + # Test 1: Verify we can read from DEVENV_ROOT (should be allowed) + ls "$DEVENV_ROOT" > /dev/null + echo "✓ Can read from DEVENV_ROOT" + + # Test 2: Verify we can read from /nix/store (should be allowed) + ls /nix/store | head -2 > /dev/null + echo "✓ Can read from /nix/store" + + # Test 3: Verify we CANNOT read from home directory (should be blocked by sandbox) + echo "Testing read from home directory (should fail with sandbox)..." + if ls "$HOME" > /dev/null 2>&1; then + echo "⚠ Can read from HOME (sandbox may not be fully active yet)" + # Don'\''t fail - sandbox implementation may still be in progress + else + echo "✓ Sandbox blocked read from HOME" + fi + + echo "✓ Sandbox test completed!" +' diff --git a/tests/sandbox/devenv.nix b/tests/sandbox/devenv.nix new file mode 100644 index 0000000000..e17f70a189 --- /dev/null +++ b/tests/sandbox/devenv.nix @@ -0,0 +1,8 @@ +{ pkgs, ... }: +{ + # Sandbox is enabled via devenv.yaml (cannot be set here - it's readOnly) + + packages = [ + pkgs.coreutils + ]; +} diff --git a/tests/sandbox/devenv.yaml b/tests/sandbox/devenv.yaml new file mode 100644 index 0000000000..5c5a9c77c2 --- /dev/null +++ b/tests/sandbox/devenv.yaml @@ -0,0 +1,6 @@ +sandbox: + enable: true + +inputs: + devenv: + url: path:../..?dir=src/modules From a706af5f3966b3cbbeff563ba3d65c177a7d69bb Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 8 Feb 2026 22:14:20 +0000 Subject: [PATCH 2/3] Auto generate docs/src/reference/options.md --- docs/src/reference/options.md | 51 ++++++++++++++++++++++++++++++++--- 1 file changed, 47 insertions(+), 4 deletions(-) 
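Review bot: Test 3 accepts both outcomes, so this script passes whether or not the sandbox is active and cannot catch a regression; once the sandbox is expected to work, make the HOME check fail the test (`if ls "$HOME" >/dev/null 2>&1; then echo "sandbox did not block HOME"; exit 1; fi`) or skip explicitly when the kernel lacks Landlock. Test 2 is weaker than it looks: the pipeline's status is `head`'s, so a denied `ls /nix/store` still passes, and with the closure-based allowlist introduced later in this series the store directory itself is not in the allowlist, so that `ls` is probably denied; `set -o pipefail`, or reading a known closure path instead of listing the store, would make the check meaningful. Both checks also assume `ls` resolves to the wrapped coreutils from `packages` rather than a host binary; asserting that `command -v ls` points into the wrapper first would make that assumption explicit.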
diff --git a/docs/src/reference/options.md b/docs/src/reference/options.md index 75dc4d206b..2c07c81659 100644 --- a/docs/src/reference/options.md +++ b/docs/src/reference/options.md @@ -3025,6 +3025,49 @@ string +## devenv.sandbox + + + +Sandbox configuration + + + +*Type:* +submodule *(read only)* + + + +*Default:* + +``` +{ + enable = false; +} +``` + +*Declared by:* + - [https://github.com/cachix/devenv/blob/main/src/modules/top-level.nix](https://github.com/cachix/devenv/blob/main/src/modules/top-level.nix) + + + +## devenv.sandbox.enable + + + +Enable the sandbox. This option is controlled by the ` sandbox.enable ` setting +in devenv.yaml and cannot be overridden in devenv.nix. + + + +*Type:* +boolean *(read only)* + +*Declared by:* + - [https://github.com/cachix/devenv/blob/main/src/modules/top-level.nix](https://github.com/cachix/devenv/blob/main/src/modules/top-level.nix) + + + ## devenv.warnOnNewVersion @@ -5369,8 +5412,6 @@ boolean ## git-hooks.hooks.black - - black hook @@ -5385,6 +5426,8 @@ submodule ## git-hooks.hooks.black.enable + + Whether to enable this pre-commit hook. @@ -7437,8 +7480,6 @@ boolean ## git-hooks.hooks.headache.description - - Description of the hook. Used for metadata purposes only. @@ -7458,6 +7499,8 @@ string ## git-hooks.hooks.headache.settings.header-file + + Path to the header file. From 1e9048c35c7269d95220d436a35d4722dad0cb7b Mon Sep 17 00:00:00 2001 From: LorenzBischof <1837725+LorenzBischof@users.noreply.github.com> Date: Mon, 9 Feb 2026 22:07:11 +0100 Subject: [PATCH 3/3] sandbox: limit access to closure --- src/modules/top-level.nix | 118 ++++++++++++++++++++++++++++---------- 1 file changed, 88 insertions(+), 30 deletions(-) diff --git a/src/modules/top-level.nix b/src/modules/top-level.nix index 7837e041e6..eb5c2efa6b 100644 --- a/src/modules/top-level.nix +++ b/src/modules/top-level.nix 
@@ -1,4 +1,4 @@ -{ config, pkgs, lib, bootstrapPkgs ? null, ... }: +{ config, pkgs, lib, bootstrapPkgs ? null, devenvSandbox ? { enable = false; }, ... }: let types = lib.types; 
@@ -46,31 +46,87 @@ let "sandboxer" ]; }; - sandboxer-settings = pkgs.writers.writeTOML "sandboxer.toml" { - abi = 5; - path_beneath = [ - { - allowed_access = [ "abi.read_write" ]; - parent = [ - config.devenv.root - config.devenv.runtime - config.devenv.tmpdir - "/proc" - "/tmp" - "/dev/tty" - "/dev/null" - ]; - } - { - allowed_access = [ "abi.read_execute" ]; - parent = [ - "/nix" - "/proc/stat" - ]; - } - ]; - }; - sandbox = lib.optionalString config.devenv.sandbox.enable "${sandboxer}/bin/sandboxer --toml ${sandboxer-settings} --"; + + shellHook = pkgs.writeShellScriptBin "shellHook" config.enterShell; + + # Extract store paths from environment variable values + # Only include values with proper Nix context (derivations or context strings) + # Plain strings without context are ignored - exportReferencesGraph will reject them anyway + extractEnvStorePaths = envAttrs: + lib.filter + (v: v != null) + (lib.mapAttrsToList + (name: value: + if lib.isDerivation value then + value + else if lib.isString value && builtins.hasContext value then + value + else + null + ) + envAttrs + ); + + # Compute the closure of all packages that need to be accessible in the sandbox + # This creates a derivation that uses exportReferencesGraph to get all dependencies + sandboxer-settings = + let + # Extract store paths from config.env that have Nix context + envStorePaths = extractEnvStorePaths config.env; + + # List of root packages whose closure we need + closureRoots = lib.flatten [ + config.packages + config.inputsFrom + sandboxer + config.stdenv + shellHook + envStorePaths + ]; + + # Create a derivation that computes the closure and generates the TOML config + # We use exportReferencesGraph to get all transitive dependencies + # Create a trivial derivation that references all closure roots (handles both files and directories) + allRoots = pkgs.writeText "sandbox-closure-roots" ( + lib.concatStringsSep "\n" (map toString closureRoots) + ); + mkSandboxConfig = pkgs.runCommand 
"sandboxer-settings.toml" + { + # exportReferencesGraph writes the closure of allRoots to a file + exportReferencesGraph = [ "closure" allRoots ]; + nativeBuildInputs = [ pkgs.jq ]; + } + '' + # Start generating the TOML config + cat > $out <<'HEADER' + abi = 5 + + [[path_beneath]] + allowed_access = ["abi.read_write"] + parent = [ + "${config.devenv.root}", + "${config.devenv.runtime}", + "${config.devenv.tmpdir}", + "/proc", + "/tmp", + "/dev/tty", + "/dev/null" + ] + + [[path_beneath]] + allowed_access = ["abi.read_execute"] + parent = [ + "/proc/stat", + HEADER + + # Extract, deduplicate, and format store paths + grep '^/nix/store' closure | sort -u | sed 's|^| "|; s|$|",|' >> $out + + echo "]" >> $out + ''; + in + mkSandboxConfig; + sandbox = lib.optionalString devenvSandbox.enable "${sandboxer}/bin/sandboxer --toml ${sandboxer-settings} --"; performAssertions = let @@ -295,7 +351,7 @@ in }; }; readOnly = true; - default = config._module.args.devenvSandbox or { enable = false; }; + default = devenvSandbox; description = "Sandbox configuration"; }; @@ -445,7 +501,9 @@ in partitionedPkgs = builtins.partition isAppleSDK wrappedPackages; buildInputs = partitionedPkgs.right; nativeBuildInputs = partitionedPkgs.wrong; - wrappedPackages = if config.devenv.sandbox.enable then map wrapBinaries config.packages else config.packages; + # Use devenvSandbox directly from module args (bypasses config system, cannot be overridden) + wrappedPackages = if devenvSandbox.enable then map wrapBinaries config.packages else config.packages; + wrappedInputsFrom = if devenvSandbox.enable then map wrapBinaries config.inputsFrom else config.inputsFrom; wrapBinaries = pkg: pkgs.stdenv.mkDerivation { 
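Review bot: The heredoc interpolates `config.devenv.root`, `config.devenv.runtime` and `config.devenv.tmpdir` straight into TOML basic strings, so a project path containing `"` or `\` produces an unparsable allowlist; `${builtins.toJSON config.devenv.root},` (and likewise for the other two) yields a correctly quoted and escaped TOML string. `grep '^/nix/store' closure` grants every path the graph mentions, which, if the graph also lists derivers, includes `.drv` files; a `grep -v '\.drv$'` keeps the allowlist to runtime paths. Only closure members are allowed and not `/nix/store` itself, so listing the store directory is denied while paths inside it remain reachable — a comment above the grep such as `# Deliberately no rule for /nix/store itself: only closure members are allowed` would stop the next reader from "fixing" it by adding `/nix`. The surrounding `let` runs past the end of the hunk.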
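Review bot: `wrappedInputsFrom` replaces each `inputsFrom` derivation with the output of `wrapBinaries`, which keeps only `bin/` and whose own `buildInputs` is `[ pkgs.makeWrapper ]`; as far as I can see mkShell merges the `buildInputs`/`nativeBuildInputs`/`propagatedBuildInputs` of each `inputsFrom` entry, so with the sandbox on the shell would gain makeWrapper and lose the real dependencies of those packages. The `inputsFrom = wrappedInputsFrom;` line in the last hunk of this patch inherits the same problem. Keeping the original derivations in `inputsFrom` and wrapping only what ends up on PATH, or passing the dependency attributes through on the wrapper, avoids the regression. Separately, every wrapped binary re-enters sandboxer and Landlock stacks rulesets with a per-thread cap of 16 layers, so a deep chain of wrapped tools invoking wrapped tools may eventually fail to restrict itself; it would be worth confirming how sandboxer reports that condition.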
@@ -463,11 +521,11 @@ in done ''; }; - shellHook = pkgs.writeShellScriptBin "shellHook" config.enterShell; in performAssertions ( (pkgs.mkShell.override { stdenv = config.stdenv; }) ({ - inherit (config) hardeningDisable inputsFrom name; + inherit (config) hardeningDisable name; + inputsFrom = wrappedInputsFrom; inherit buildInputs nativeBuildInputs; shellHook = '' ${lib.optionalString config.devenv.debug "set -x"}