831c700c5d
- The `-overlay` flag runs the specified binary inside an OverlayFS, since the /nix store may be in a different mount point than the user home, this patch explicitly bind mounts it so it's available inside the overlay. - profile builder: firejail provides facilities to build a new profiles. To do so, it execute the helper binary `fbuilder`, which in turn will execute firejail back with different options. This patch makes it use the binary available in PATH instead of the one produced at compile time. The compiled firejail binary doesn't have the necessary permissions, so the firejail NixOS module wraps it in a SUID wrapper available on PATH at runtime. Signed-off-by: Roosembert Palacios <roosemberth@posteo.ch>
27 lines
587 B
Diff
27 lines
587 B
Diff
--- a/src/firejail/fs.c
|
|
+++ b/src/firejail/fs.c
|
|
@@ -1143,6 +1143,16 @@
|
|
errExit("mounting /dev");
|
|
fs_logger("whitelist /dev");
|
|
|
|
+ // mount-bind /nix
|
|
+ if (arg_debug)
|
|
+ printf("Mounting /nix\n");
|
|
+ char *nix;
|
|
+ if (asprintf(&nix, "%s/nix", oroot) == -1)
|
|
+ errExit("asprintf");
|
|
+ if (mount("/nix", nix, NULL, MS_BIND|MS_REC, NULL) < 0)
|
|
+ errExit("mounting /nix");
|
|
+ fs_logger("whitelist /nix");
|
|
+
|
|
// mount-bind run directory
|
|
if (arg_debug)
|
|
printf("Mounting /run\n");
|
|
@@ -1201,6 +1211,7 @@
|
|
free(odiff);
|
|
free(owork);
|
|
free(dev);
|
|
+ free(nix);
|
|
free(run);
|
|
free(tmp);
|
|
}
|