buildFHS - alternatives?

buildFHS …

I occasionally want to run 3rd-party applications without hassle:

tailwind
android studio
fuse

While buildFHS comes close, admin caps are missing and it still doesn’t seem to
work. buildFHSChroot also fails.

Is there any simple way to separate the security concerns from the chroot so that stuff
just works? Something like buildFHS, but without trying to be secure. It takes a lot of time to debug all the details, or to maintain both the Nix way and the other ways of doing things.

buildFHSEnv actually works; some libraries were just missing.

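# Usage: $(nix-build ./android-fhs.nix)/bin/*
#
# An FHS-style environment (bubblewrap-based buildFHSEnv) for running prebuilt
# Android tooling (Android Studio, emulator, sdkmanager) on NixOS.
#
# This is deliberately NOT a sandbox: every namespace is shared with the host
# and the full capability set is requested below. Treat it as a compatibility
# shim for foreign binaries, not as an isolation boundary.
let
  pkgs = import <nixpkgs> { };

  inherit (pkgs) lib;

  # Runtime libraries and tools the Android tooling expects to find in an FHS
  # layout. The same list is reused in `profile` to build LD_LIBRARY_PATH and
  # PKG_CONFIG_PATH, so everything added here is also visible to the dynamic
  # loader inside the env.
  env_packages = pkgs: with pkgs; [
    git
    gitRepo
    gnupg
    python2
    curl
    procps
    openssl
    gnumake
    nettools
    # For nixos < 19.03, use `androidenv.platformTools`
    # androidenv.androidPkgs_9_0.platform-tools
    jdk
    schedtool
    util-linux
    m4
    gperf
    perl
    libxml2
    zip
    unzip
    bison
    flex
    lzop
    python3

    libGL
    mesa

    # emulator
    nss nssTools nspr expat libdrm libbsd

    freetype fontconfig
    xorg.libSM
    xorg.libICE
    xorg.libX11
    xorg.libXau
    xorg.libXcomposite
    xorg.libXdamage
    xorg.libXdmcp
    xorg.libXext
    xorg.libXfixes
    xorg.libXi
    xorg.libXrandr
    xorg.libXrender
    xorg.libXtst
    xorg.libxcb
    xorg.libxkbfile
    xorg.xcbutil
    xorg.xcbutilimage
    xorg.xcbutilkeysyms
    xorg.xcbutilrenderutil
    xorg.xcbutilwm

    pulseaudio
    libpng

    ncurses5
    pkgsi686Linux.glibc
    pkgsi686Linux.zlib
    pkgsi686Linux.gcc
  ];
in
pkgs.buildFHSEnv {
  name = "androidenv";

  targetPkgs = pkgs: env_packages pkgs;

  # 32-bit libraries some prebuilt SDK binaries still link against.
  multiPkgs = pkgs: with pkgs; [
    zlib
    ncurses5
    pkgsi686Linux.glibc
    pkgsi686Linux.zlib
    pkgsi686Linux.gcc
    # pkgsi686Linux.libstdcxx
  ];

  extraBwrapArgs = [
    # NOTE: bwrap only honours --cap-add when it itself runs privileged
    # (setuid root). An unprivileged bwrap cannot grant capabilities the
    # invoking user does not already hold, so on a typical NixOS install these
    # entries are mostly inert -- which matches the "admin caps are missing"
    # symptom. Where they do take effect this is the complete capability set;
    # prune it to what the tooling actually needs once that is known.
    # (libcap resolves these names case-insensitively; the duplicate
    # CAP_SYS_ADMIN entry has been removed.)
    "--cap-add" "cap_chown"
    "--cap-add" "cap_dac_override"
    "--cap-add" "cap_dac_read_search"
    "--cap-add" "cap_fowner"
    "--cap-add" "cap_fsetid"
    "--cap-add" "cap_kill"
    "--cap-add" "cap_setgid"
    "--cap-add" "cap_setuid"
    "--cap-add" "cap_setpcap"
    "--cap-add" "cap_linux_immutable"
    "--cap-add" "cap_net_bind_service"
    "--cap-add" "cap_net_broadcast"
    "--cap-add" "cap_net_admin"
    "--cap-add" "cap_net_raw"
    "--cap-add" "cap_ipc_lock"
    "--cap-add" "cap_ipc_owner"
    "--cap-add" "cap_sys_module"
    "--cap-add" "cap_sys_rawio"
    "--cap-add" "cap_sys_chroot"
    "--cap-add" "cap_sys_ptrace"
    "--cap-add" "cap_sys_pacct"
    "--cap-add" "cap_sys_admin"
    "--cap-add" "cap_sys_boot"
    "--cap-add" "cap_sys_nice"
    "--cap-add" "cap_sys_resource"
    "--cap-add" "cap_sys_time"
    "--cap-add" "cap_sys_tty_config"
    "--cap-add" "cap_mknod"
    "--cap-add" "cap_lease"
    "--cap-add" "cap_audit_write"
    "--cap-add" "cap_audit_control"
    "--cap-add" "cap_setfcap"
    "--cap-add" "cap_mac_override"
    "--cap-add" "cap_mac_admin"
    "--cap-add" "cap_syslog"
    "--cap-add" "cap_wake_alarm"
    "--cap-add" "cap_block_suspend"
    "--cap-add" "cap_audit_read"
    "--cap-add" "cap_perfmon"
    "--cap-add" "cap_bpf"
    "--cap-add" "cap_checkpoint_restore"

    # Pass through the device nodes the emulator (KVM) and FUSE-based tools
    # use. bwrap refuses to start if either node is missing on the host;
    # switch to --dev-bind-try if the env must also work without them.
    "--dev-bind" "/dev/fuse" "/dev/fuse"
    "--dev-bind" "/dev/kvm" "/dev/kvm"
  ];

  profile = ''
    export ALLOW_NINJA_ENV=true
    export USE_CCACHE=1
    # Point the SDK tooling at the Nix-provided JDK. (Previously this value
    # carried a stray "sdkmanager install avd" fragment pasted onto the path,
    # which made ANDROID_JAVA_HOME an invalid directory.)
    export ANDROID_JAVA_HOME=${pkgs.jdk.home}
    # FHS library dirs first, then the host OpenGL drivers, then the Nix store
    # paths of every package in env_packages and the compiler runtime, so
    # unpatched foreign binaries resolve their dependencies.
    export LD_LIBRARY_PATH=/usr/lib:/usr/lib32:/run/opengl-driver/lib:/run/opengl-driver-32/lib:/lib:${lib.makeLibraryPath (env_packages pkgs)}:${pkgs.stdenv.cc.cc.lib}/lib
    export FONTCONFIG_FILE=/etc/fonts/fonts.conf
    export QT_QPA_PLATFORM_PLUGIN_PATH="${pkgs.qt5.qtbase.bin}/lib/qt-${pkgs.qt5.qtbase.version}/plugins/platforms"
    export PKG_CONFIG_PATH="${lib.makeSearchPathOutput "dev" "lib/pkgconfig" (env_packages pkgs)}"
  '';

  # The wrapper simply execs whatever command the user passes in.
  runScript = pkgs.writeShellScript "android-wrapper.sh" ''
    exec "$@"
  '';

  # Share every namespace with the host. Combined with the capability list
  # above this means the env provides no isolation at all; that is the
  # intended trade-off for "stuff just works".
  unshareUser   = false;
  unshareIpc    = false;
  unsharePid    = false;
  unshareNet    = false;
  unshareUts    = false;
  unshareCgroup = false;
  # Let background daemons started from inside the env outlive the wrapper
  # process instead of being killed when it exits.
  dieWithParent = false;
}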
# $(nix-build  ./playwright-fhs.nix)/bin/*