nix run: allow derivations to specify default run

Created on 11 May 2018 · 3 Comments · Source: NixOS/nix

It might be useful to allow derivations to specify a default run command with a "meta.run" attribute.

So currently we have:

  $ nix run nixpkgs.firefox -c firefox

If firefox had meta.run = "/bin/firefox";, you could just run:

  $ nix run nixpkgs.firefox

Obviously a small tweak but might make nix run a little more usable.

All 3 comments

The problem though is that this gives us inconsistent behaviour, since now some nix run commands will start a shell while others will start some arbitrary command.

Also, I think a run attribute is too limited. We should have a concept of a Nix app complete with sandboxing information, something like

nixApp {
  name = "blender";
  # the store path of the package being wrapped, not the whole pkgs set
  command = [ "${pkgs.blender}/bin/blender" ];
  permissions = {
    networkAccess = false;
    x11Access = true;
    roDirs = [ ];
    rwDirs = [ "~/.config/blender" "~/Blender" ];
  };
};

which would give you a sandboxed blender that only has access to a couple of directories.

Ok that definitely would be nice to have. Does this make sense to you for Nix to manage apps like this? Right now Nix gets away without having to manage anything at runtime. Is that planned to change or would you just pass those permissions to something else like firejail?
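The permission model sketched above, turned into a concrete sandbox invocation as an added example (not code from the NixOS/nix project or either commenter): it assumes the hypothetical nixApp attribute names, hands the permissions to bubblewrap's bwrap rather than firejail, and the store path and home directory are constructed placeholders.

```python
# Added example (not Nix's own code): maps the commenter's hypothetical nixApp
# permission attributes onto a bubblewrap (bwrap) command line, default-deny.
import os

# Baseline: all namespaces unshared, only the Nix store visible, read-only.
BASE_ARGS = [
    "bwrap", "--unshare-all", "--die-with-parent", "--new-session",
    "--ro-bind", "/nix/store", "/nix/store",
    "--dev", "/dev", "--proc", "/proc", "--tmpfs", "/tmp",
]


def build_sandbox_argv(app: dict, home: str = "/home/user",
                       display: str = ":0") -> list[str]:
    """Return a bwrap argv running app["command"] with only the declared
    permissions granted; anything not listed stays denied."""
    perms = app["permissions"]
    args = list(BASE_ARGS)

    def expand(path: str) -> str:
        # "~" in the declaration means the invoking user's home directory.
        return os.path.join(home, path[2:]) if path.startswith("~/") else path

    if perms.get("networkAccess", False):
        args.append("--share-net")  # re-enable only the network namespace
    for d in perms.get("roDirs", []):
        p = expand(d)
        args += ["--ro-bind", p, p]
    for d in perms.get("rwDirs", []):
        p = expand(d)
        args += ["--bind", p, p]  # writable, but nothing outside it
    if perms.get("x11Access", False):
        # X11 needs the socket directory and DISPLAY; granted only on request.
        args += ["--ro-bind", "/tmp/.X11-unix", "/tmp/.X11-unix",
                 "--setenv", "DISPLAY", display]
    return args + ["--"] + list(app["command"])


# Constructed input mirroring the comment's nixApp sketch; store path is a placeholder.
BLENDER_APP = {
    "name": "blender",
    "command": ["/nix/store/PLACEHOLDER-blender/bin/blender"],
    "permissions": {"networkAccess": False, "x11Access": True,
                    "roDirs": [], "rwDirs": ["~/.config/blender", "~/Blender"]},
}
```

Running the returned argv needs the bind sources to exist on the host; bwrap refuses to start otherwise, which is the desired failure mode for a mistyped directory.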
