~fgaz/nix-bubblewrap

Nix - bubblewrap integration

Ellis Kesterton via public-inbox

1 year, 6 months ago
1 year, 8 months ago

#nix-bubblewrap


#Why

In a typical Linux system, bubblewrap is run like this:

bwrap --ro-bind /usr /usr --proc /proc --dev /dev --unshare-pid bash

With Nix, one would have to replace /usr with /nix/store. But the store is world-readable and shared by every user and every build on the machine, so all kinds of things you may not want an attacker to see can end up in it. Binding individual store paths instead is also a pain, since a program needs its whole runtime closure, not just its own store path. This script automates that process. Additional flags that add permissions in a NixOS-specific way (e.g. taking /run/opengl-driver and /etc/ssl into account) are provided.

#Installation

Both a traditional default.nix and a flake are provided. Install with:

$ nix-env -f . -i

or:

$ nix profile install .

#Usage

nix-bwrap [OPTIONS] COMMAND ...

Run nix-bwrap -help to list the available options.

Examples:

$ nix-shell -p hello --run "nix-bwrap hello"
Hello, world!
$ nix-shell -p tree --run "nix-bwrap tree -L 3 /"
/
`-- nix
    `-- store
        |-- 0ldsqvqp3y1bn6852ymksfa2kfkr3dkb-tree-1.8.0
        |-- 563528481rvhc5kxwipjmg6rqrl95mdx-glibc-2.33-56
        |-- qbdsd82q5fyr0v31cvfxda0n0h7jh03g-libunistring-0.9.10
        `-- scz4zbxirykss3hh5iahgl39wk9wpaps-libidn2-2.3.2

6 directories, 0 files

#Wrapping

In lib.nix (the lib output of the flake) there are wrapper functions that create wrapped versions of existing packages; the options are the same flags nix-bwrap takes on the command line. For example:

with import ./lib.nix {};
wrapPackage {
  package = (import <nixpkgs> {}).firefox;
  options = [
    "-x11"
    "-gpu"
    "-net"
    "-pulse"
  ];
}

#Troubleshooting

You may want to add a realpath call to resolve layers of symlink indirection that won't exist inside the sandbox, such as /run/current-system/sw/bin/ for packages installed through /etc/nixos/configuration.nix. Only the program's store closure is bound, so the symlink target exists in the sandbox while the symlink itself does not:

$ nix-bwrap -x11 -gpu -net firefox
bwrap: execvp /run/current-system/sw/bin/firefox: No such file or directory
$ nix-bwrap -x11 -gpu -net $(realpath $(which firefox)) https://example.org
[firefox starts...]

This is not done automatically because it would break executables that dispatch on argv[0], such as coreutils and busybox: after realpath, argv[0] becomes the store path instead of the name the program was called by.
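The closure-binding approach from the Why section, combined with the realpath and argv[0] problem described here, as an added example in POSIX shell that is not part of nix-bubblewrap. It assumes nix-store and bwrap are on PATH and that the installed bubblewrap supports the --argv0 option; the function names are my own. The closure is resolved with nix-store -qR and every path in it is read-only bound, while anything that does not look like a store path is refused so a bad lookup can never turn into a bind of /etc or $HOME; the executable is resolved with realpath for bwrap's benefit, but the original name is kept as argv[0].

```shell
#!/bin/sh
# Added example, not nix-bubblewrap's own code: sandbox a Nix-installed
# program by binding only its runtime closure, resolving the symlink
# indirection of /run/current-system/sw/bin, and keeping argv[0] intact.
# Assumes `nix-store` and `bwrap` on PATH, and a bwrap with --argv0.

# Print the runtime closure of a store path, one path per line.
closure_of() {
    nix-store -qR "$1"
}

# Read store paths from stdin and emit bwrap arguments, one per line:
# a read-only bind per closure path plus a minimal baseline. Anything that
# is not /nix/store/<32-char hash>-<name> is rejected, so a stray line can
# never become a bind of /etc, $HOME or another sensitive location.
bwrap_args_from_closure() {
    printf '%s\n' --proc /proc --dev /dev --unshare-all --die-with-parent
    n=0
    while IFS= read -r p; do
        case "$p" in
            '') ;;
            # 32 question marks: the length of a Nix store hash
            /nix/store/????????????????????????????????-*)
                printf '%s\n' --ro-bind "$p" "$p"
                n=$((n + 1)) ;;
            *)
                printf 'refusing to bind non-store path: %s\n' "$p" >&2
                return 1 ;;
        esac
    done
    [ "$n" -gt 0 ] || return 1   # an empty closure means the lookup failed
}

# Resolve COMMAND to its store path (following /run/current-system/sw/bin
# and similar symlinks, which do not exist inside the sandbox) while keeping
# the original name as argv[0], so busybox-style multi-call binaries still
# dispatch correctly.
run_sandboxed() {
    name=$1; shift
    exe=$(realpath "$(command -v "$name")") || return 1
    args=$(closure_of "$exe" | bwrap_args_from_closure) || return 1
    # Store paths never contain whitespace, so word-splitting $args is safe.
    # shellcheck disable=SC2086
    exec bwrap $args --argv0 "$name" "$exe" "$@"
}
```

Usage is `run_sandboxed firefox https://example.org`. The baseline uses --unshare-all, so the network is off by default exactly as with nix-bwrap's -net flag absent; resources such as /run/opengl-driver or /etc/ssl would be added as further --ro-bind arguments in the same way.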

#Missing -gpu

The following messages may indicate the application requires the -gpu flag:

  • Can't find icudtl.dat

#Missing -x11

The following messages may indicate the application requires the -x11 flag:

  • Missing X server or $DISPLAY

#Contributing

You can send patches to my public-inbox mailing list or to any of the contacts listed at fgaz.me/about. Or you can send a pull request to the GitHub mirror.

Issues are tracked at https://todo.sr.ht/~fgaz/nix-bubblewrap

#Alternatives

Using writeReferencesToFile or closureInfo from nixpkgs, the same can be made to work entirely within Nix, without an external program such as this one. Why does this tool exist then? Because when writeReferencesToFile is used only at build time, wrappers for programs that need access to resources such as /etc/ssl would need access to the same expressions as the NixOS system, and that becomes troublesome for user environments and shells. With nix-bwrap there are no such problems, at a small runtime cost: the closure is computed when the program is launched instead of when it is built.