buildFHS …
I occasionally want to run 3rd-party applications without hassle:
tailwind
android studio
fuse
While buildFHS comes close, admin caps are missing and it still doesn't seem to
work. buildFHSChroot also fails.
Is there any simple way to separate the security concerns from the chroot so that stuff
just works? Something like buildFHS but without trying to be secure. It takes a lot of time to debug all the details, or to maintain both the Nix way and the other ways of doing things.
buildFHSEnv actually works. Some libraries were missing.
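# $(nix-build ./android-fhs.nix)/bin/*
#
# FHS environment for running Android SDK / Android Studio tooling.
#
# NOTE(review): this environment intentionally turns off every namespace
# isolation buildFHSEnv/bubblewrap offers (all `unshare*` = false) and asks
# for the complete capability set, so it provides no confinement at all.
# Treat anything launched inside it as running with the invoking user's full
# privileges.  Whether `--cap-add` grants host capabilities or only
# capabilities inside a fresh user namespace depends on how bwrap is installed
# (setuid vs. unprivileged) — confirm against the bwrap build on the host.
let
  pkgs = import <nixpkgs> { };
  inherit (pkgs) lib;

  # Packages placed into the FHS tree.  Called by buildFHSEnv with its own
  # package set (`targetPkgs`), and reused below with the outer `pkgs` to
  # derive LD_LIBRARY_PATH and PKG_CONFIG_PATH in `profile`.
  env_packages = pkgs: with pkgs; [
    git
    gitRepo
    gnupg
    python2
    curl
    procps
    openssl
    gnumake
    nettools
    # For nixos < 19.03, use `androidenv.platformTools`
    # androidenv.androidPkgs_9_0.platform-tools
    jdk
    schedtool
    util-linux
    m4
    gperf
    perl
    libxml2
    zip
    unzip
    bison
    flex
    lzop
    python3
    libGL
    mesa
    # emulator
    nss nssTools nspr expat libdrm libbsd
    freetype fontconfig
    xorg.libSM
    xorg.libICE
    xorg.libX11
    xorg.libXau
    xorg.libXcomposite
    xorg.libXdamage
    xorg.libXdmcp
    xorg.libXext
    xorg.libXfixes
    xorg.libXi
    xorg.libXrandr
    xorg.libXrender
    xorg.libXtst
    xorg.libxcb
    xorg.libxkbfile
    xorg.xcbutil
    xorg.xcbutilimage
    xorg.xcbutilkeysyms
    xorg.xcbutilrenderutil
    xorg.xcbutilwm
    pulseaudio
    libpng
    ncurses5
    pkgsi686Linux.glibc
    pkgsi686Linux.zlib
    pkgsi686Linux.gcc
  ];
in
pkgs.buildFHSEnv {
  name = "androidenv";

  targetPkgs = pkgs: env_packages pkgs;

  # 32-bit side of the FHS tree (needed by parts of the SDK tooling).
  multiPkgs = pkgs: with pkgs; [
    zlib
    ncurses5
    pkgsi686Linux.glibc
    pkgsi686Linux.zlib
    pkgsi686Linux.gcc
    # pkgsi686Linux.libstdcxx
  ];

  # Passed straight through to bwrap.  The capability list below is the
  # full set; cap names are matched case-insensitively by libcap, so the
  # former uppercase `CAP_SYS_ADMIN` entry was a duplicate of `cap_sys_admin`
  # and has been dropped.  `--dev-bind` exposes the host's /dev/fuse and
  # /dev/kvm devices directly to the environment.
  extraBwrapArgs = [
    "--cap-add" "cap_chown"
    "--cap-add" "cap_dac_override"
    "--cap-add" "cap_dac_read_search"
    "--cap-add" "cap_fowner"
    "--cap-add" "cap_fsetid"
    "--cap-add" "cap_kill"
    "--cap-add" "cap_setgid"
    "--cap-add" "cap_setuid"
    "--cap-add" "cap_setpcap"
    "--cap-add" "cap_linux_immutable"
    "--cap-add" "cap_net_bind_service"
    "--cap-add" "cap_net_broadcast"
    "--cap-add" "cap_net_admin"
    "--cap-add" "cap_net_raw"
    "--cap-add" "cap_ipc_lock"
    "--cap-add" "cap_ipc_owner"
    "--cap-add" "cap_sys_module"
    "--cap-add" "cap_sys_rawio"
    "--cap-add" "cap_sys_chroot"
    "--cap-add" "cap_sys_ptrace"
    "--cap-add" "cap_sys_pacct"
    "--cap-add" "cap_sys_admin"
    "--cap-add" "cap_sys_boot"
    "--cap-add" "cap_sys_nice"
    "--cap-add" "cap_sys_resource"
    "--cap-add" "cap_sys_time"
    "--cap-add" "cap_sys_tty_config"
    "--cap-add" "cap_mknod"
    "--cap-add" "cap_lease"
    "--cap-add" "cap_audit_write"
    "--cap-add" "cap_audit_control"
    "--cap-add" "cap_setfcap"
    "--cap-add" "cap_mac_override"
    "--cap-add" "cap_mac_admin"
    "--cap-add" "cap_syslog"
    "--cap-add" "cap_wake_alarm"
    "--cap-add" "cap_block_suspend"
    "--cap-add" "cap_audit_read"
    "--cap-add" "cap_perfmon"
    "--cap-add" "cap_bpf"
    "--cap-add" "cap_checkpoint_restore"
    "--dev-bind" "/dev/fuse" "/dev/fuse"
    "--dev-bind" "/dev/kvm" "/dev/kvm"
  ];

  # Shell snippet sourced before `runScript`.  Every variable exported here
  # is inherited by all processes started in the environment.
  profile = ''
    export ALLOW_NINJA_ENV=true
    export USE_CCACHE=1
    # Fixed: the previous line had a stray "sdkmanager install avd" fused onto
    # the end of the assignment, so ANDROID_JAVA_HOME pointed at a
    # non-existent "...sdkmanager" path.
    export ANDROID_JAVA_HOME=${pkgs.jdk.home}
    export LD_LIBRARY_PATH=/usr/lib:/usr/lib32
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/run/opengl-driver/lib:/run/opengl-driver-32/lib:/lib:${lib.makeLibraryPath (env_packages pkgs)}:${pkgs.stdenv.cc.cc.lib}/lib
    export FONTCONFIG_FILE=/etc/fonts/fonts.conf
    export QT_QPA_PLATFORM_PLUGIN_PATH="${pkgs.qt5.qtbase.bin}/lib/qt-${pkgs.qt5.qtbase.version}/plugins/platforms";
    export PKG_CONFIG_PATH="${lib.makeSearchPathOutput "dev" "lib/pkgconfig" (env_packages pkgs)}";
  '';

  # The wrapper simply execs whatever command line it was given.
  runScript = pkgs.writeShellScript "android-wrapper.sh" ''
    exec "$@"
  '';

  # Share every namespace with the invoking user: no user, IPC, PID, network,
  # UTS or cgroup separation from the host.
  unshareUser = false;
  unshareIpc = false;
  unsharePid = false;
  unshareNet = false;
  unshareUts = false;
  unshareCgroup = false;

  # Background processes started inside the environment (e.g. a daemon or
  # emulator) are allowed to outlive the wrapper shell.  (The comment this
  # replaced referred to `insync start`, which is unrelated to this env.)
  dieWithParent = false;
}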
# $(nix-build ./playwright-fhs.nix)/bin/*