nonowrap

#!/usr/bin/env bash
set -e

if [[ $# -eq 0 ]]; then
  TARGET_CMD=$SHELL
else
  TARGET_CMD=("$@")
fi
# TODO: check that TARGET_CMD is not empty and show help otherwise

# declare that we are in a special shell, so that the user sees shell prompts like:
# nonowrap.sh:peter@aenderpad>
PROMPT_NAME=$(basename "$0")
export name=$PROMPT_NAME

# TODO: two nonowraps may share the same fs because this is racy
DATE=$(date --iso-8601=seconds)
PREFIX=/tmp/bwrap-$DATE
UPPER=$PREFIX/overlayfs-upper
WORK=$PREFIX/overlayfs-work
ENV=$PREFIX/env
mkdir -p "$UPPER"
mkdir -p "$WORK"
echo "# This is the environemnt that runs with the $UPPER overlayfs." > "$ENV"
export -p >> "$ENV"

echo "$ENV"

# sudo setpriv --reuid=peter --regid=users --init-groups --inh-caps=-all -- bash --rcfile $ENV -c "$@"

# sudo mkdir -p /alt-root
# sudo mount --bind / /alt-root
# 1. create overlayfs with bwrap
# 2. share special fses and socket: the current nix profiles as read only (current-system); the nix socket (we assume the daemon to be safe); the resolv.conf needed to resolve network addresses (--dir to make sure the path is world readable)
# 2. inject envfile as envvar
# 3. undo sudo
# 4. use bash to restore env for target process (bash will start non-interactively and hence populate env from BASH_ENV)
# 5. replace bash with target process (exec), preserving argument separation
sudo bwrap \
  --overlay-src / \
  --overlay "$UPPER" "$WORK" / \
  --ro-bind /run/current-system /run/current-system \
  --bind /nix/var/nix/daemon-socket /nix/var/nix/daemon-socket \
  --dir /run/systemd/resolve \
  --ro-bind /run/systemd/resolve/stub-resolv.conf /run/systemd/resolve/stub-resolv.conf \
  --ro-bind /run/nscd /run/nscd \
  --proc /proc \
  --dev /dev \
  --tmpfs "$XDG_RUNTIME_DIR" \
  --setenv BASH_ENV "$ENV" \
  -- \
  setpriv \
  --reuid=peter \
  --regid=users \
  --init-groups \
  --inh-caps=-all \
  -- \
  bash -c 'exec "$@"' _ "${TARGET_CMD[@]}"