From 0f1895c5d2bd43d57c04f8a31b94054f8fda280e Mon Sep 17 00:00:00 2001
From: Ivan Malison <IvanMalison@gmail.com>
Date: Mon, 30 Dec 2024 20:11:59 -0700
Subject: [PATCH] [NixOS] Add overlay to log all runc invocations

---
 nixos/overlay.nix | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/nixos/overlay.nix b/nixos/overlay.nix
index 7e5b1e7d..b21d44d7 100644
--- a/nixos/overlay.nix
+++ b/nixos/overlay.nix
@@ -1,5 +1,46 @@
 final: prev:
 {
+  runc = final.stdenv.mkDerivation {
+    pname = "runc-with-logging";
+    version = builtins.getAttr "version" prev.runc or "unknown";
+
+    # No sources; we're only wrapping
+    src = null;
+    dontUnpack = true;
+    dontPatchShell = true;
+    dontBuild = true;
+    dontConfigure = true;
+
+    nativeBuildInputs = [];
+    buildInputs = [];
+
+    installPhase = ''
+      mkdir -p "$out/bin"
+
+      cat > "$out/bin/runc" <<EOF
+      #!${final.stdenv.shell}
+
+      # If we're running as root, ensure the /var/log/debug/runc directory exists
+      # with the desired permissions.
+      if [ "\$(id -u)" -eq 0 ]; then
+      mkdir -p /var/log/debug/runc
+      chown root:users /var/log/debug/runc
+      chmod 2777 /var/log/debug/runc
+      fi
+
+      # Log this invocation to /var/log/debug/runc/invocations.log
+      echo "\$(date) - runc invoked with: \$@" >> /var/log/debug/runc/invocations.log
+
+      # Hand off control to the original runc from prev.runc.
+      exec ${prev.runc}/bin/runc "\$@"
+      EOF
+
+      chmod +x "$out/bin/runc"
+    '';
+
+    # Optionally inherit original metadata
+    meta = prev.runc.meta // {};
+  };
   nvidia-container-toolkit = final.stdenv.mkDerivation {
     pname = "nvidia-container-toolkit-debug";
     version = prev.nvidia-container-toolkit.version;