nix-required-mounts: guest and host paths may differ

2025-07-13 13:40:28 +03:00 · 2023-11-11 14:02:54 +00:00 · 2023-11-11 14:02:54 +00:00 · 5560f6a514
commit 5560f6a514
parent 7418e4fefd
5 changed files with 52 additions and 16 deletions
--- a/nixos/modules/programs/nix-required-mounts.nix
+++ b/nixos/modules/programs/nix-required-mounts.nix
@ -5,16 +5,23 @@ let
  package = pkgs.nix-required-mounts;
  overridenPackage = package.override { inherit (cfg) allowedPatterns; };

+  Mount = with lib; types.submodule {
+    options.host = mkOption { type = types.str; description = "Host path to mount"; };
+    options.guest = mkOption {
+      type = types.str;
+      description = "Location in the sandbox to mount the host path at";
+    };
+  };
  Pattern = with lib.types;
-    submodule ({ config, name, ... }: {
+    types.submodule ({ config, name, ... }: {
      options.onFeatures = lib.mkOption {
-        type = listOf str;
+        type = listOf types.str;
        description =
          "Which requiredSystemFeatures should trigger relaxation of the sandbox";
        default = [ name ];
      };
      options.paths = lib.mkOption {
-        type = listOf path;
+        type = listOf (oneOf [ path Mount ]);
        description =
          "A list of glob patterns, indicating which paths to expose to the sandbox";
      };
--- a/nixos/tests/nix-required-mounts/default.nix
+++ b/nixos/tests/nix-required-mounts/default.nix
@ -19,10 +19,19 @@ in
    programs.nix-required-mounts.enable = true;
    programs.nix-required-mounts.allowedPatterns.supported-feature = {
      onFeatures = [ "supported-feature" ];
-      paths = [ "/supported-feature-files" ];
+      paths = [
+        "/supported-feature-files"
+        {
+          host = "/usr/lib/imaginary-fhs-drivers";
+          guest = "/run/opengl-driver/lib";
+        }
+      ];
    };
    users.users.person.isNormalUser = true;
-    virtualisation.fileSystems."/supported-feature-files".fsType = "tmpfs";
+    systemd.tmpfiles.rules = [
+      "d /supported-feature-files 0755 person users -"
+      "f /usr/lib/imaginary-fhs-drivers/libcuda.so 0444 root root -"
+    ];
  };
  testScript = ''
    import shlex
--- a/nixos/tests/nix-required-mounts/test-require-feature.nix
+++ b/nixos/tests/nix-required-mounts/test-require-feature.nix
@ -4,9 +4,13 @@ pkgs.runCommandNoCC "${feature}-present"
 {
  requiredSystemFeatures = [ feature ];
 } ''
-  if [[ -e /${feature}-files ]]; then
-    touch $out
-  else
+  if [[ ! -e /${feature}-files ]]; then
    echo "The host declares ${feature} support, but doesn't expose /${feature}-files" >&2
+    exit 1
  fi
+  if [[ ! -f /run/opengl-driver/lib/libcuda.so ]] ; then
+    echo "The host declares ${feature} support, but it the hook fails to handle the hostPath != guestPath cases" >&2
+    exit 1
+  fi
+  touch $out
 ''