mirror of
https://git.sr.ht/~alexdavid/jail.nix
synced 2026-02-27 12:45:19 +02:00
No description
- Nix 52.4%
- Haskell 47.6%
Sourcehut will not populate secrets when running CI for patches, but it would be better if CI runs and passes, even if CI can't push the artifacts.
jail.nix 
Docs | Source | Issues | Patches | Matrix
A helper to make it easy and ergonomic to wrap your derivations in bubblewrap.
Getting Started
Documentation to install and get started can be found here.
Example
# flake.nix
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
  inputs.jail-nix.url = "sourcehut:~alexdavid/jail.nix";

  outputs = { nixpkgs, jail-nix, ... }: let
    pkgs = import nixpkgs { system = "x86_64-linux"; };
    jail = jail-nix.lib.init pkgs;
    untrusted-package = pkgs.writeScriptBin "untrusted" ''
      ls -la $HOME
    '';
  in {
    packages.x86_64-linux.jailed = jail "my-jail" untrusted-package (with jail.combinators; [
      # See combinators section below for more functions that can go here

      # Give program access to the network
      network

      # Allow program to create windows
      gui

      # Give program access to the GPU
      gpu

      # Give program read-only access to /var/log/journal
      (readonly "/var/log/journal")

      # Mount ~/foo to /bar in the jail as read-write
      # (noescape due to `~` — all arguments are shell escaped by default)
      (rw-bind (noescape "~/foo") "/bar")
    ]);
  };
}
Combinators
By default the jail exposes only the bare minimum of permissions. Passing combinators to the jail selectively grants more, so a program gets exactly the access you list and nothing else.
Click here for a full list of combinators and their documentation.
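As an added example (not part of the jail.nix README), one way to keep permissions minimal is to define several jail profiles for the same untrusted program and ship the narrowest one that works. It uses only the combinators shown on this page; the profile names, the `~/inbox` path and the stand-in script are constructed, and it assumes that an empty combinator list yields the default minimum jail and that `nixpkgs.lib` is reachable from the flake input.

```nix
# Added example, not from the jail.nix project: several jail profiles for one program.
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
  inputs.jail-nix.url = "sourcehut:~alexdavid/jail.nix";

  outputs = { nixpkgs, jail-nix, ... }: let
    pkgs = import nixpkgs { system = "x86_64-linux"; };
    jail = jail-nix.lib.init pkgs;
    inherit (jail.combinators) network readonly rw-bind noescape;

    # Constructed stand-in for a third-party tool you do not fully trust.
    # It probes what the jail lets it see: the home directory and the network.
    untrusted = pkgs.writeScriptBin "untrusted" ''
      echo "home:"; ls -la "$HOME"
      echo "net:";  ${pkgs.curl}/bin/curl -sS -m 5 -o /dev/null https://example.com || echo "blocked"
    '';

    # Permission profiles, least privilege first. Each list is exactly what the
    # jail exposes beyond the default minimum (assumed: [] means default only).
    profiles = {
      offline  = [ ];                            # default minimum, no network
      fetcher  = [ network ];                    # network and nothing else
      importer = [
        (readonly "/etc/ssl/certs")              # read the CA bundle only
        (rw-bind (noescape "~/inbox") "/work")   # one writable directory
      ];
    };
  in {
    # Produces packages.x86_64-linux.untrusted-offline, -fetcher and -importer,
    # so `nix run .#untrusted-offline` shows what the tightest jail permits.
    packages.x86_64-linux = nixpkgs.lib.mapAttrs'
      (name: combinators: nixpkgs.lib.nameValuePair
        "untrusted-${name}"
        (jail "untrusted-${name}" untrusted combinators))
      profiles;
  };
}
```

Start from the `offline` profile and move up only when the program demonstrably fails without the extra permission.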
Help / Comments / Suggestions
I am working on docs with examples of combinators for various common software projects, but this isn't finished yet. In the meantime, if you need help jailing software, run into issues, or have suggestions, feel free to join #jail.nix:woh.place on matrix, or open an issue.