cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

Merge pull request #203779 from Radvendii/firejail

Browse source 
nixos/firejail: remove the need for qualifications
This commit is contained in:
Jonas Heinrich 2022-12-10 08:58:54 +01:00 committed by GitHub
commit 578dcac1a2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
nixos/modules/programs/firejail.nix
View file

@ -8,18 +8,21 @@ let
wrappedBins = pkgs.runCommand "firejail-wrapped-binaries" wrappedBins = pkgs.runCommand "firejail-wrapped-binaries"
{ preferLocalBuild = true; { preferLocalBuild = true;
allowSubstitutes = false; allowSubstitutes = false;
# take precedence over non-firejailed versions
meta.priority = -1;
} }
'' ''
mkdir -p $out/bin mkdir -p $out/bin
mkdir -p $out/share/applications
${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value: ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:
let let
opts = if builtins.isAttrs value opts = if builtins.isAttrs value
then value then value
else { executable = value; profile = null; extraArgs = []; }; else { executable = value; desktop = null; profile = null; extraArgs = []; };
args = lib.escapeShellArgs ( args = lib.escapeShellArgs (
opts.extraArgs opts.extraArgs
++ (optional (opts.profile != null) "--profile=${toString opts.profile}") ++ (optional (opts.profile != null) "--profile=${toString opts.profile}")
); );
in in
'' ''
cat <<_EOF >$out/bin/${command} cat <<_EOF >$out/bin/${command}
@ -27,6 +30,11 @@ let
exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@" exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"
_EOF _EOF
chmod 0755 $out/bin/${command} chmod 0755 $out/bin/${command}
${lib.optionalString (opts.desktop != null) ''
substitute ${opts.desktop} $out/share/applications/$(basename ${opts.desktop}) \
--replace ${opts.executable} $out/bin/${command}
''}
'') cfg.wrappedBinaries)} '') cfg.wrappedBinaries)}
''; '';
@ -42,6 +50,12 @@ in {
description = lib.mdDoc "Executable to run sandboxed"; description = lib.mdDoc "Executable to run sandboxed";
example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"''; example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"'';
}; };
desktop = mkOption {
type = types.nullOr types.path;
default = null;
description = lib.mkDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";
example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"'';
};
profile = mkOption { profile = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
@ -71,12 +85,6 @@ in {
''; '';
description = lib.mdDoc '' description = lib.mdDoc ''
Wrap the binaries in firejail and place them in the global path. Wrap the binaries in firejail and place them in the global path.
You will get file collisions if you put the actual application binary in
the global environment (such as by adding the application package to
`environment.systemPackages`), and applications started via
.desktop files are not wrapped if they specify the absolute path to the
binary.
''; '';
}; };
}; };