From 628066901e473c185da6f0aaf26ee826d2b4bd31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?No=C3=A9=20Lopez?= <noelopez@free.fr>
Date: Tue, 14 Oct 2025 22:20:42 +0200
Subject: [PATCH] glycin/sandbox: Adapt bwrap invocation to Guix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Firstly, we use @bwrap@ so that we can substitute it with an absolute
path to the bwrap binary.
Next, we change the /usr bind to be optional since there can be no
/usr in a Guix system (especially in the build daemon).
Lastly, we add /gnu/store. I don’t think this is needed, but it is the
upstream author’s wish with adding /nix/store. See also
<https://gitlab.gnome.org/GNOME/glycin/-/issues/224>.
Upstream-status: Not applicable.
---
glycin/src/sandbox.rs | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/glycin/src/sandbox.rs b/glycin/src/sandbox.rs
index 916a8f0..350ece3 100644
--- a/glycin/src/sandbox.rs
+++ b/glycin/src/sandbox.rs
@@ -271,7 +271,7 @@ impl Sandbox {
}
async fn bwrap_command(&self, seccomp_memfd: &Memfd) -> Result<Command, Error> {
- let mut command = Command::new("bwrap");
+ let mut command = Command::new("@bwrap@");
command.args([
"--unshare-all",
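Review bot: `Command::new("@bwrap@")` only works if the build-time substitution of `@bwrap@` actually happens; if that step is skipped, the literal string is looked up on `PATH` and the sandbox fails to launch with an unhelpful "No such file or directory". Consider having the package definition fail loudly when the placeholder is still present after substitution, and mention in the commit message or a code comment that the name is a placeholder. Pinning bwrap to an absolute path is otherwise an improvement over the original `PATH` lookup, since the sandbox launcher no longer depends on whatever `bwrap` the environment resolves first.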
@@ -280,7 +280,7 @@ impl Sandbox {
"--chdir",
"/",
// Make /usr available as read only
- "--ro-bind",
+ "--ro-bind-try",
"/usr",
"/usr",
// Make tmpfs dev available
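Review bot: the comment `// Make /usr available as read only` is now inaccurate for `--ro-bind-try`, which silently skips the bind when `/usr` does not exist; update it to say "if present" so a reader does not assume `/usr` is guaranteed inside the sandbox. Note also that `-try` trades a loud failure for a silent one: on a host where `/usr` is expected but missing, the loader will start and then fail later with a library-resolution error rather than a bwrap error, so it is worth stating in the commit message why the silent fallback is acceptable here (the loader's own dependencies come from the store, not `/usr`).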
@@ -294,6 +294,10 @@ impl Sandbox {
"--ro-bind-try",
"/nix/store",
"/nix/store",
+ // Add /gnu/store on systems with Guix
+ "--ro-bind-try",
+ "@storedir@",
+ "@storedir@",
// Create a fake HOME for glib to not throw warnings
"--tmpfs",
"/tmp-home",
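Review bot: the comment `// Add /gnu/store on systems with Guix` does not match the code, which binds `@storedir@` rather than a literal `/gnu/store`; say that the path is substituted at build time so the comment stays true on a Guix with a non-default store directory. The commit message's "I don't think this is needed" should be verified rather than left open: the hunk mirrors the `/nix/store` bind immediately above it, and the same reasoning applies, because a loader binary living under the store resolves its shared libraries from store paths and will not start if those paths are absent inside the sandbox. Exposing the whole store read-only is consistent with the existing `/nix/store` handling and does not widen what the sandboxed process can write.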
--
2.51.0