authorZane van Iperen <zane@zanevaniperen.com>2022-02-07 00:27:25 +1000
committergithub-actions[bot] <github-actions[bot]@users.noreply.github.com>2022-02-06 15:00:28 +0000
commit4083a183e8c2674794b2e17d284dc38e950abf79 (patch)
treec8bd1d42c3f4f32c64e30d50db6ed9ca21894433
parentcollectd-data: we only need collectd.src - not collectd.out (diff)
firejail: 0.9.66 -> 0.9.68 [origin/backport-158360-to-release-21.11]
Fixes #153430 (cherry picked from commit 36b1dedddd1b63d83129856ea52f0208f99c672c)
-rw-r--r--pkgs/os-specific/linux/firejail/default.nix7
-rw-r--r--pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch18
-rw-r--r--pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch8
-rw-r--r--pkgs/os-specific/linux/firejail/remove-link-check.patch48
4 files changed, 15 insertions, 66 deletions
diff --git a/pkgs/os-specific/linux/firejail/default.nix b/pkgs/os-specific/linux/firejail/default.nix
index 47fce3df5332..d43d8db49ee6 100644
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "firejail";
- version = "0.9.66";
+ version = "0.9.68";
src = fetchFromGitHub {
owner = "netblue30";
repo = "firejail";
rev = version;
- sha256 = "sha256-oKstTiGt0r4wePaZ9u1o78GZ1XWJ27aS0BdLxmfYk9Q=";
+ sha256 = "18yy1mykx7h78yj7sz729i3dlsrgi25m17m5x9gbrvsx7f87rw7j";
};
buildInputs = [ which ];
@@ -20,9 +20,6 @@ stdenv.mkDerivation rec {
# By default fbuilder hardcodes the firejail binary to the install path.
# On NixOS the firejail binary is a setuid wrapper available in $PATH.
./fbuilder-call-firejail-on-path.patch
- # Disable symlink check on /etc/hosts, see
- # https://github.com/netblue30/firejail/issues/2758#issuecomment-805174951
- ./remove-link-check.patch
];
prePatch = ''
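Review bot: Removing `./remove-link-check.patch` from the patch list restores firejail's own `is_link` checks on `/etc/hosts` (the two checks in fs_hostname.c that the deleted patch stripped), but nothing in the hunk or in the commit message beyond "Fixes #153430" records why the issue-2758 workaround can be dropped at 0.9.68, so the next bump has to rediscover it. Presumably the upstream change referenced in that issue comment is part of 0.9.68, but that is not visible here and should be confirmed. Restoring the check is the right direction — it is what stops a symlinked `/etc/hosts` from being bind-mounted from an unexpected location into the sandbox — so a one-line breadcrumb in the file is enough, e.g. `# The /etc/hosts symlink workaround (remove-link-check.patch) is no longer needed since 0.9.68, see #153430.` placed just above the closing `];`. The `patches = [` opening this list is above the hunk.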
diff --git a/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
index 6016891655b1..548bb80e7bf7 100644
--- a/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
+++ b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
@@ -1,11 +1,11 @@
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
-@@ -67,7 +67,7 @@
- errExit("asprintf");
-
- char *cmdlist[] = {
-- BINDIR "/firejail",
-+ "firejail",
- "--quiet",
- "--noprofile",
- "--caps.drop=all",
+@@ -48,7 +48,7 @@
+ // build command
+ char *cmd[len];
+ unsigned curr_len = 0;
+- cmd[curr_len++] = BINDIR "/firejail";
++ cmd[curr_len++] = "firejail";
+ cmd[curr_len++] = "--quiet";
+ cmd[curr_len++] = "--noprofile";
+ cmd[curr_len++] = "--caps.drop=all";
diff --git a/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
index 685314f90758..6493eb4fdf26 100644
--- a/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
+++ b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
@@ -1,6 +1,6 @@
---- a/src/firejail/fs.c
-+++ b/src/firejail/fs.c
-@@ -1143,6 +1143,16 @@
+--- a/src/firejail/fs_overlayfs.c
++++ b/src/firejail/fs_overlayfs.c
+@@ -327,6 +327,16 @@
errExit("mounting /dev");
fs_logger("whitelist /dev");
@@ -17,7 +17,7 @@
// mount-bind run directory
if (arg_debug)
printf("Mounting /run\n");
-@@ -1201,6 +1211,7 @@
+@@ -384,6 +394,7 @@
free(odiff);
free(owork);
free(dev);
diff --git a/pkgs/os-specific/linux/firejail/remove-link-check.patch b/pkgs/os-specific/linux/firejail/remove-link-check.patch
deleted file mode 100644
index 477df57a2411..000000000000
--- a/pkgs/os-specific/linux/firejail/remove-link-check.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From ccc726f8ec877d8cda720daa2498e43629b6dd48 Mon Sep 17 00:00:00 2001
-From: Jonas Heinrich <onny@project-insanity.org>
-Date: Sun, 19 Sep 2021 11:48:06 +0200
-Subject: [PATCH 1/2] remove hosts file link check
-
----
- src/firejail/fs_hostname.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
-index 42255070c4..97ce70f9c1 100644
---- a/src/firejail/fs_hostname.c
-+++ b/src/firejail/fs_hostname.c
-@@ -132,10 +132,6 @@ char *fs_check_hosts_file(const char *fname) {
- invalid_filename(fname);
- char *rv = expand_home(fname, cfg.homedir);
-
-- // no a link
-- if (is_link(rv))
-- goto errexit;
--
- // the user has read access to the file
- if (access(rv, R_OK))
- goto errexit;
-
-From c2c51e7ca56075e7388b4f50922b148615d1b125 Mon Sep 17 00:00:00 2001
-From: Jonas Heinrich <onny@project-insanity.org>
-Date: Sun, 19 Sep 2021 11:49:08 +0200
-Subject: [PATCH 2/2] remove hosts file link check
-
----
- src/firejail/fs_hostname.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
-index 97ce70f9c1..b228707131 100644
---- a/src/firejail/fs_hostname.c
-+++ b/src/firejail/fs_hostname.c
-@@ -154,9 +154,6 @@ void fs_mount_hosts_file(void) {
- struct stat s;
- if (stat("/etc/hosts", &s) == -1)
- goto errexit;
-- // not a link
-- if (is_link("/etc/hosts"))
-- goto errexit;
- // owned by root
- if (s.st_uid != 0)
- goto errexit;