insync: fix bwrap namespaces

- share bwrap namespaces as possible with the user
2024-11-18 02:05:51 +03:00 · 2023-08-13 15:20:13 +03:00 · 2023-08-13 15:20:13 +03:00 · e96a0b3c8b
commit e96a0b3c8b
parent 63ad638743
1 changed files with 37 additions and 30 deletions
--- a/pkgs/applications/networking/insync/default.nix
+++ b/pkgs/applications/networking/insync/default.nix
@ -1,6 +1,6 @@
 { lib
 , writeShellScript
-, buildFHSEnv
+, buildFHSEnvBubblewrap
 , stdenvNoCC
 , fetchurl
 , autoPatchelfHook
@ -40,11 +40,12 @@ let
  };

  insync-pkg = stdenvNoCC.mkDerivation {
-    inherit pname version meta;
+    name = "${pname}-pkg-${version}";
+    inherit version meta;

    src = fetchurl {
      # Find a binary from https://www.insynchq.com/downloads/linux#ubuntu.
-      url = "https://cdn.insynchq.com/builds/linux/${pname}_${version}-lunar_amd64.deb";
+      url = "https://cdn.insynchq.com/builds/linux/insync_${version}-lunar_amd64.deb";
      sha256 = "sha256-BxTFtQ1rAsOuhKnH5vsl3zkM7WOd+vjA4LKZGxl4jk0=";
    };

@ -66,7 +67,7 @@ let
    installPhase = ''
      runHook preInstall

-      mkdir -p $out/bin $out/lib $out/share
+      mkdir -p $out
      cp -R usr/* $out/

      # use system glibc
@ -75,6 +76,9 @@ let
      # remove badly packaged plugins
      rm $out/lib/insync/PySide2/plugins/platforminputcontexts/libqtvirtualkeyboardplugin.so

+      # remove the unused vendor wrapper
+      rm $out/bin/insync
+
      runHook postInstall
    '';

@ -82,37 +86,40 @@ let
    dontStrip = true;
  };

-  insync-fhsenv = buildFHSEnv {
-    name = "${pname}-${version}";
-    inherit meta;
+in buildFHSEnvBubblewrap {
+  name = pname;
+  inherit meta;

-    # for including insync's xdg data dirs
-    extraOutputsToInstall = [ "share" ];
+  targetPkgs = pkgs: with pkgs; [
+    insync-pkg
+    libudev0-shim
+  ];

-    targetPkgs = pkgs: with pkgs; [
-      insync-pkg
-      libudev0-shim
-    ];
-
-    runScript = writeShellScript "insync-wrapper.sh" ''
+  runScript = writeShellScript "insync-wrapper.sh" ''
    # QT_STYLE_OVERRIDE was used to suppress a QT warning, it should have no actual effect for this binary.
-    export QT_STYLE_OVERRIDE=Fusion
+    echo Unsetting QT_STYLE_OVERRIDE=$QT_STYLE_OVERRIDE
+    echo Unsetting QT_QPA_PLATFORMTHEME=$QT_QPA_PLATFORMTHEME
+    unset QT_STYLE_OVERRIDE
+    unset QPA_PLATFORMTHEME
+
    # xkb configuration needed: https://github.com/NixOS/nixpkgs/issues/236365
    export XKB_CONFIG_ROOT=${xkeyboard_config}/share/X11/xkb/
-    exec "${insync-pkg.outPath}/lib/insync/insync" "$@"
+    echo XKB_CONFIG_ROOT=$XKB_CONFIG_ROOT
+
+    # For debuging:
+    # export QT_DEBUG_PLUGINS=1
+    # find -L /usr/share -name "*insync*"
+
+    exec /usr/lib/insync/insync "$@"
    '';

-    # "insync start" command starts a daemon.
-    dieWithParent = false;
-  };
-
-in stdenvNoCC.mkDerivation {
-  inherit pname version meta;
-
-  dontUnpack = true;
-  installPhase = ''
-    mkdir -p $out/bin
-    ln -s ${insync-fhsenv}/bin/${insync-fhsenv.name} $out/bin/insync
-    ln -s ${insync-pkg}/share $out/share
-  '';
+  # As intended by this bubble wrap, share as much namespaces as possible with user.
+  unshareUser   = false;
+  unshareIpc    = false;
+  unsharePid    = false;
+  unshareNet    = false;
+  unshareUts    = false;
+  unshareCgroup = false;
+  # Since "insync start" command starts a daemon, this daemon should die with it.
+  dieWithParent = false;
 }