diff options
| author | Jonas Heinrich <onny@project-insanity.org> | 2022-12-10 08:58:54 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-12-10 08:58:54 +0100 |
| commit | 578dcac1a2c103f7bb9590c58265676ea1917d9c (patch) | |
| tree | cfc5646d4bd9e7a3714e1f03c017aeb223e5a494 | |
| parent | Merge pull request #205297 from r-ryantm/auto-update/discord-canary (diff) | |
| parent | nixos/firejail: remove the need for qualifications (diff) | |
| download | nixpkgs-578dcac1a2c103f7bb9590c58265676ea1917d9c.tar.gz | |
Merge pull request #203779 from Radvendii/firejail
nixos/firejail: remove the need for qualifications
| -rw-r--r-- | nixos/modules/programs/firejail.nix | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix index a98c15a04517..6f79c13d94b4 100644 --- a/nixos/modules/programs/firejail.nix +++ b/nixos/modules/programs/firejail.nix @@ -8,18 +8,21 @@ let wrappedBins = pkgs.runCommand "firejail-wrapped-binaries" { preferLocalBuild = true; allowSubstitutes = false; + # take precedence over non-firejailed versions + meta.priority = -1; } '' mkdir -p $out/bin + mkdir -p $out/share/applications ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value: let opts = if builtins.isAttrs value then value - else { executable = value; profile = null; extraArgs = []; }; + else { executable = value; desktop = null; profile = null; extraArgs = []; }; args = lib.escapeShellArgs ( opts.extraArgs ++ (optional (opts.profile != null) "--profile=${toString opts.profile}") - ); + ); in '' cat <<_EOF >$out/bin/${command} @@ -27,6 +30,11 @@ let exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@" _EOF chmod 0755 $out/bin/${command} + + ${lib.optionalString (opts.desktop != null) '' + substitute ${opts.desktop} $out/share/applications/$(basename ${opts.desktop}) \ + --replace ${opts.executable} $out/bin/${command} + ''} '') cfg.wrappedBinaries)} ''; @@ -42,6 +50,12 @@ in { description = lib.mdDoc "Executable to run sandboxed"; example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"''; }; + desktop = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mkDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable."; + example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"''; + }; profile = mkOption { type = types.nullOr types.path; default = null; @@ -71,12 +85,6 @@ in { ''; description = lib.mdDoc '' Wrap the binaries in firejail and place them in the global path. - - You will get file collisions if you put the actual application binary in - the global environment (such as by adding the application package to - `environment.systemPackages`), and applications started via - .desktop files are not wrapped if they specify the absolute path to the - binary. ''; }; }; |