From 1b706b5ae3514082f4d64eb5718a9f73bcdd46bd Mon Sep 17 00:00:00 2001 From: Profpatsch Date: Tue, 9 Feb 2021 21:50:21 +0100 Subject: feat(users/Profpatsch/lib): add runInEmptyEnv Small helper that empties out the environment, except for the given list of variables. Change-Id: I5e265496aaa5c248136318aa1c6cd91a67d3f028 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2506 Tested-by: BuildkiteCI Reviewed-by: Profpatsch --- users/Profpatsch/lib.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'users') diff --git a/users/Profpatsch/lib.nix b/users/Profpatsch/lib.nix index 05d931b841e5..9dd3cd481d7e 100644 --- a/users/Profpatsch/lib.nix +++ b/users/Profpatsch/lib.nix @@ -25,11 +25,22 @@ let "fdmove" "-c" "1" "2" bins.printenv "$1" "$@" ]; + # remove everything but a few selected environment variables + runInEmptyEnv = keepVars: + let + importas = pkgs.lib.concatMap (var: [ "importas" "-i" var var ]) keepVars; + # we have to explicitely call export here, because PATH is probably empty + export = pkgs.lib.concatMap (var: [ "${pkgs.execline}/bin/export" var ''''${${var}}'' ]) keepVars; + in depot.nix.writeExecline "empty-env" {} + (importas ++ [ "emptyenv" ] ++ export ++ [ "${pkgs.execline}/bin/exec" "$@" ]); + + in { inherit debugExec eprintf eprint-stdin eprintenv + runInEmptyEnv ; } -- cgit 1.4.1
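Review bot: The kept values are re-exported by passing them as arguments (`"${pkgs.execline}/bin/export" var ''''${${var}}''`), which after `importas` substitution puts each kept variable's value into the argv of the rest of the chain (`emptyenv`, `export`, `exec`); on a default Linux `/proc` that argv is readable by other local users via `ps` or `/proc/<pid>/cmdline`, so this helper should not be used to preserve secret-bearing variables, and that caveat is not mentioned anywhere in the hunk. A comment above `runInEmptyEnv` along the lines of `# NOTE: kept values travel through argv (visible in /proc/<pid>/cmdline until exec) — do not keep secrets this way` would make the trade-off explicit. `importas -i` also insists that every entry of `keepVars` is defined in the caller's environment and aborts with a non-zero status otherwise, rather than silently dropping the missing variable; that is a reasonable choice but worth documenting with `# -i: abort (rather than export an empty value) if a requested variable is unset`. As a point of style, `importas` and `emptyenv` are looked up by name while `export` and `exec` use absolute store paths; since the comment already argues that `PATH` cannot be relied on, using `${pkgs.execline}/bin/importas` and `${pkgs.execline}/bin/emptyenv` too would make the script self-contained, and the comment typo `explicitely` should read `explicitly`.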