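/* Helpers for building the lisp S-expressions (SBPL) used by the Apple sandbox.

   Every helper returns one `(allow ...)` or `(deny ...)` form as a string:

     lib.sandbox.allowFileRead [ "/usr/bin/file" ];
     # => "(allow file-read* (literal \"/usr/bin/file\"))"

     lib.sandbox.allowFileRead {
       literal = [ "/usr/bin/file" ];
       subpath = [ "/usr/lib/system" ];
     }
     # => "(allow file-read* (literal \"/usr/bin/file\") (subpath \"/usr/lib/system\"))"

   Paths are emitted as quoted SBPL string literals.  A backslash or double
   quote inside a path is escaped, so a path can never terminate the literal
   and inject further tokens (extra rules) into the generated profile.

   Only Nix builtins are used, so this file has no dependency on the rest of
   lib and can be imported on its own.
*/
let

  # Quote `s` as an SBPL string literal.  Backslash and double quote are the
  # two characters that would end or corrupt the literal; both are replaced
  # in a single pass so nothing is escaped twice.
  quote = s:
    "\"" + builtins.replaceStrings [ "\\" "\"" ] [ "\\\\" "\\\"" ] s + "\"";

  # Join `tokens` into one parenthesised form: [ "a" "b" ] => "(a b)".
  sexp = tokens: "(" + builtins.concatStringsSep " " tokens + ")";

  # One `(<kind> "<path>")` filter form per path, as a list of strings.
  pathFilters = kind: paths: map (p: sexp [ kind (quote p) ]) paths;

  # Turn the `files` argument of the *File* helpers into a list of filter
  # forms.  Accepted shapes: a single path string, a list of paths (all
  # emitted as `literal`), or an attribute set with optional `literal` and
  # `subpath` lists.  Any other value falls into the attribute-set branch.
  fileFilters = files:
    if builtins.isList files then
      pathFilters "literal" files
    else if builtins.isString files then
      pathFilters "literal" [ files ]
    else
      pathFilters "literal" (files.literal or [])
      ++ pathFilters "subpath" (files.subpath or []);

  # Render `act` followed by the filters for `files` and hand the result to
  # `f`, an action renderer made by `genActions`.  Joining a token list (rather
  # than interpolating a possibly empty string) means an empty `files` yields
  # "(allow file-read*)" with no trailing space.
  applyToFiles = f: act: files:
    f (builtins.concatStringsSep " " ([ act ] ++ fileFilters files));

  # Generate the family of helpers for one SBPL action (`allow` or `deny`):
  #   <action>                  feature: "(<action> <feature>)"
  #   <action>File              files:   "(<action> file* <filters>)"
  #   <action>FileRead          files:   "(<action> file-read* <filters>)"
  #   <action>FileReadMetadata  files:   "(<action> file-read-metadata <filters>)"
  #   <action>DirectoryList     same renderer as <action>FileReadMetadata
  #   <action>FileWrite         files:   "(<action> file-write* <filters>)"
  #   <action>FileWriteMetadata files:   "(<action> file-write-metadata <filters>)"
  genActions = actionName:
    let
      action = feature: sexp [ actionName feature ];
      withFiles = applyToFiles action;
    in {
      "${actionName}" = action;
      "${actionName}File" = withFiles "file*";
      "${actionName}FileRead" = withFiles "file-read*";
      "${actionName}FileReadMetadata" = withFiles "file-read-metadata";
      "${actionName}DirectoryList" = withFiles "file-read-metadata";
      "${actionName}FileWrite" = withFiles "file-write*";
      "${actionName}FileWriteMetadata" = withFiles "file-write-metadata";
    };

in

genActions "allow" // genActions "deny" // {
  # Reference another profile: `(import "<derivation>")` followed by a newline.
  # `derivation` is interpolated as-is (a derivation becomes its store path),
  # so it is not quoted through `quote`; store paths contain no quote or
  # backslash characters.
  importProfile = derivation: ''
    (import "${derivation}")
  '';
}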