From 32627a64b95c2294f38810b17bb22081f36e017e Mon Sep 17 00:00:00 2001 From: alexhulbert Date: Wed, 27 May 2026 13:45:22 -0400 Subject: [PATCH 1/2] Prevent host PATH from leaking into nix build env --- flake.nix | 59 +++++++++++++++++++++++++++++++++---------------------- 1 file changed, 36 insertions(+), 23 deletions(-) diff --git a/flake.nix b/flake.nix index c1f4c0cf..d3a46887 100644 --- a/flake.nix +++ b/flake.nix @@ -51,30 +51,43 @@ }; mkosi = system: let pkgsForSystem = import nixpkgs {inherit system;}; + mkosiTools = with pkgsForSystem; [ + apt + dpkg + gnupg + debootstrap + dosfstools + e2fsprogs + mtools + gptfdisk + util-linux + zstd + which + qemu-utils + parted + jq + reprepro + systemd + bash + coreutils + findutils + gnused + gnugrep + gnutar + gzip + xz + curl + git + patch + ncurses + ]; + mkosiToolsEnv = pkgsForSystem.buildEnv { + name = "mkosi-tools"; + paths = mkosiTools; + }; mkosi-unwrapped = (pkgsForSystem.mkosi.override { - extraDeps = with pkgsForSystem; - [ - apt - dpkg - gnupg - debootstrap - squashfsTools - dosfstools - e2fsprogs - mtools - mustache-go - cryptsetup - gptfdisk - util-linux - zstd - which - qemu-utils - parted - unzip - jq - ] - ++ [reprepro]; + extraDeps = mkosiTools; }).overrideAttrs (old: { src = pkgsForSystem.fetchFromGitHub { owner = "systemd"; @@ -102,7 +115,7 @@ --map-auto --map-root-user \ --setuid=0 --setgid=0 \ -- \ - env PATH="$PATH" \ + env PATH="${mkosiToolsEnv}/bin" \ ${mkosi-unwrapped}/bin/mkosi "$@" ''; in { From ad33949f87d94275bf8853e1a1c02cc8bb49dd59 Mon Sep 17 00:00:00 2001 From: alexhulbert Date: Thu, 28 May 2026 13:21:01 -0400 Subject: [PATCH 2/2] Prevent mkosi from automatically adding /usr/sbin and /usr/bin back into env --- flake.nix | 3 +++ mkosi.profiles/gcp/mkosi.postoutput | 8 +------- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/flake.nix b/flake.nix index d3a46887..b5533853 100644 --- a/flake.nix +++ b/flake.nix 
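Review bot: The new `mkosiTools` list silently drops `cryptsetup`, `squashfsTools`, `mustache-go` and `unzip` that the old `extraDeps` carried, and since the wrapper no longer inherits the host PATH nothing can fill that gap at build time. If mkosi or any profile still invokes them (LUKS or dm-verity setup, squashfs partitions), the build now stops with a bare command-not-found instead of quietly picking up a host binary, which is the right failure mode but a regression the commit message does not mention. If the omission is deliberate, a one-line comment on the list, `# intentionally omits cryptsetup/squashfsTools/unzip/mustache-go: no profile needs them`, keeps the next maintainer from re-adding them blindly; otherwise they should be restored.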
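Review bot: `env PATH="${mkosiToolsEnv}/bin"` pins PATH but still forwards every other host variable through `unshare`, so the build is not yet insulated from the host: `LD_PRELOAD`, `LD_LIBRARY_PATH`, `PYTHONPATH`, proxy and `GIT_*`/`NIX_*` settings all reach mkosi and the tools it spawns. If the intent of the patch is a hermetic build environment, the usual shape is an explicit allowlist, `env -i PATH="${mkosiToolsEnv}/bin" HOME="$HOME" TMPDIR="${TMPDIR:-/tmp}" ...`; mkosi may legitimately read some variables (caching, proxies), so the allowlist should be derived from what the profiles actually need rather than guessed. The `unshare` invocation this line belongs to starts before the hunk.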
@@ -105,6 +105,9 @@ ${fd} -i '*/run.py' --hunks=x1-2 ${builtins.elemAt old.patches 0} ${fd} --hunks=x1 ${builtins.elemAt old.patches 1} } | patch -p1 + + # Don't add /usr/bin and /usr/sbin to the PATH, only use /nix + sed -i -E '\#^\s+"/usr/(bin|sbin)",$#d' mkosi/run.py ''; }); in diff --git a/mkosi.profiles/gcp/mkosi.postoutput b/mkosi.profiles/gcp/mkosi.postoutput index c59f38e6..a7f9ba48 100755 --- a/mkosi.profiles/gcp/mkosi.postoutput +++ b/mkosi.profiles/gcp/mkosi.postoutput @@ -21,13 +21,7 @@ cp mkosi.profiles/gcp/repart.d/00-uki.conf "${REPART_TMPDIR}/00-uki.conf" echo "SizeMinBytes=${ESP_BYTES}" >> "${REPART_TMPDIR}/00-uki.conf" echo "SizeMaxBytes=${ESP_BYTES}" >> "${REPART_TMPDIR}/00-uki.conf" -# -# - default systemd-repart (in /usr/bin) is "systemd 252 (252.39-1~deb12u2)" -# - the one from nix (/nix/store/*-systemd-*/bin) is newer ("systemd 258 (258.3)" a.t.m.) -# - to use "--copy-source" CLI option we need a newer one -# - this hack ensures systemd-repart resolves to the nix one -# -PATH="${PATH#/usr/bin:/usr/sbin:}" systemd-repart \ +systemd-repart \ --empty=create \ --size=${DISK_GIB}G \ --definitions="${REPART_TMPDIR}" \
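Review bot: The `sed -i -E '\#^\s+"/usr/(bin|sbin)",$#d' mkosi/run.py` deletion exits 0 even when it matches nothing, so a future `src` bump that reformats or relocates that PATH list in `mkosi/run.py` would silently bring the `/usr/bin`/`/usr/sbin` fallback back — the exact hole this patch closes. A post-check makes it fail closed: `grep -qE '"/usr/(bin|sbin)",' mkosi/run.py && { echo 'mkosi PATH fallback still present in run.py' >&2; exit 1; }` right after the sed. It would also help to extend the comment with the upstream function these two entries live in, so the next version bump can be rechecked quickly. The enclosing phase script starts before the hunk.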
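Review bot: Removing the `PATH="${PATH#/usr/bin:/usr/sbin:}"` hack also removes the only recorded reason the nix-provided `systemd-repart` is required here (the deleted comment: Debian 12's systemd 252 lacks `--copy-source`), and the script now depends implicitly on the wrapper's PATH set up in `flake.nix`. A one-line comment above the call keeps that contract visible: `# systemd-repart must come from the nix wrapper's PATH; the Debian 12 (systemd 252) binary lacks --copy-source`. If the script can ever run outside that wrapper, a cheap guard such as `systemd-repart --help | grep -q -- --copy-source || { echo 'systemd-repart too old for --copy-source' >&2; exit 1; }` turns a confusing unrecognized-option error into a clear one.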