From 14fdf2debdcc3db4d5eef0c2545bf5e7424f10e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 25 Dec 2024 18:33:00 +0100
Subject: [PATCH] vars/fact: isolate secret generation better from the system

---
 pkgs/clan-cli/clan_cli/facts/generate.py | 12 +++++++++---
 pkgs/clan-cli/clan_cli/vars/generate.py  | 12 +++++++++---
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/pkgs/clan-cli/clan_cli/facts/generate.py b/pkgs/clan-cli/clan_cli/facts/generate.py
index 39eaa258c..d82855623 100644
--- a/pkgs/clan-cli/clan_cli/facts/generate.py
+++ b/pkgs/clan-cli/clan_cli/facts/generate.py
@@ -46,14 +46,20 @@ def bubblewrap_cmd(generator: str, facts_dir: Path, secrets_dir: Path) -> list[s
             ],
             [
                 "bwrap",
+                "--unshare-all",
+                "--tmpfs", "/",
                 "--ro-bind", "/nix/store", "/nix/store",
-                "--tmpfs", "/usr/lib/systemd",
                 "--dev", "/dev",
+                # not allowed to bind procfs in some sandboxes
                 "--bind", str(facts_dir), str(facts_dir),
                 "--bind", str(secrets_dir), str(secrets_dir),
-                "--unshare-all",
-                "--unshare-user",
+                "--chdir", "/",
+                # Doesn't work in our CI?
+                #"--proc", "/proc",
+                #"--hostname", "facts",
+                "--bind", "/proc", "/proc",
                 "--uid", "1000",
+                "--gid", "1000",
                 "--",
                 "bash", "-c", generator
             ],
diff --git a/pkgs/clan-cli/clan_cli/vars/generate.py b/pkgs/clan-cli/clan_cli/vars/generate.py
index 7a4576637..bad8478c1 100644
--- a/pkgs/clan-cli/clan_cli/vars/generate.py
+++ b/pkgs/clan-cli/clan_cli/vars/generate.py
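Review bot: The new `"--bind", "/proc", "/proc",` line mounts the host's procfs into the sandbox instead of a fresh one, so a generator script running under `--unshare-all` can still enumerate host processes through /proc/&lt;pid&gt; (cmdline, status, mounts), which undercuts the isolation this patch is after; the identical line appears in the vars/generate.py hunk. If `--proc` really cannot be used in the nested CI sandbox, the bind should at least be read-only, `"--ro-bind", "/proc", "/proc",`, and ideally `--proc` is tried first with the host bind kept only as the fallback where mounting procfs is refused. The comment `# not allowed to bind procfs in some sandboxes` sits above the facts_dir/secrets_dir bind lines rather than above the /proc line it explains, and `# Doesn't work in our CI?` plus the two commented-out options leave the next reader guessing; replace them with one comment at the /proc line stating the actual reason, e.g. `# host procfs is bound instead of --proc: mounting a new procfs is refused inside nested sandboxes (CI)`. The enclosing list and the body of bubblewrap_cmd start above the hunk.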
@@ -88,14 +88,20 @@ def bubblewrap_cmd(generator: str, tmpdir: Path) -> list[str]:
             ],
             [
                 "bwrap",
+                "--unshare-all",
+                "--tmpfs", "/",
                 "--ro-bind", "/nix/store", "/nix/store",
                 *(["--ro-bind", str(test_store), str(test_store)] if test_store else []),
-                "--tmpfs", "/usr/lib/systemd",
                 "--dev", "/dev",
+                # not allowed to bind procfs in some sandboxes
                 "--bind", str(tmpdir), str(tmpdir),
-                "--unshare-all",
-                "--unshare-user",
+                "--chdir", "/",
+                # Doesn't work in our CI?
+                #"--proc", "/proc",
+                #"--hostname", "facts",
+                "--bind", "/proc", "/proc",
                 "--uid", "1000",
+                "--gid", "1000",
                 "--",
                 "bash", "-c", generator
             ],