From 36b1dedddd1b63d83129856ea52f0208f99c672c Mon Sep 17 00:00:00 2001
From: Zane van Iperen
Date: Mon, 7 Feb 2022 00:27:25 +1000
Subject: [PATCH] firejail: 0.9.66 -> 0.9.68

Fixes #153430
---
 pkgs/os-specific/linux/firejail/default.nix | 7 +--
 .../fbuilder-call-firejail-on-path.patch | 18 +++----
 .../firejail/mount-nix-dir-on-overlay.patch | 8 ++--
 .../linux/firejail/remove-link-check.patch | 48 -------------------
 4 files changed, 15 insertions(+), 66 deletions(-)
 delete mode 100644 pkgs/os-specific/linux/firejail/remove-link-check.patch

diff --git a/pkgs/os-specific/linux/firejail/default.nix b/pkgs/os-specific/linux/firejail/default.nix
index 348be830562..c3dc819b5bc 100644
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -11,13 +11,13 @@
 
 stdenv.mkDerivation rec {
 pname = "firejail";
- version = "0.9.66";
+ version = "0.9.68";
 
 src = fetchFromGitHub {
 owner = "netblue30";
 repo = "firejail";
 rev = version;
- sha256 = "sha256-oKstTiGt0r4wePaZ9u1o78GZ1XWJ27aS0BdLxmfYk9Q=";
+ sha256 = "18yy1mykx7h78yj7sz729i3dlsrgi25m17m5x9gbrvsx7f87rw7j";
 };
 
 nativeBuildInputs = [
@@ -40,9 +40,6 @@ stdenv.mkDerivation rec {
 # By default fbuilder hardcodes the firejail binary to the install path.
 # On NixOS the firejail binary is a setuid wrapper available in $PATH.
 ./fbuilder-call-firejail-on-path.patch
- # Disable symlink check on /etc/hosts, see
- # https://github.com/netblue30/firejail/issues/2758#issuecomment-805174951
- ./remove-link-check.patch
 ];
 
 prePatch = ''
diff --git a/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
index 6016891655b..548bb80e7bf 100644
--- a/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
+++ b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
@@ -1,11 +1,11 @@
 --- a/src/fbuilder/build_profile.c
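Review bot: Dropping `./remove-link-check.patch` from the patch list in the second default.nix hunk re-enables upstream's `is_link()` rejection of a symlinked `/etc/hosts` in both `fs_check_hosts_file` and `fs_mount_hosts_file` (the deleted patch file shows both checks, each ending in `goto errexit`), and on NixOS `/etc/hosts` is normally a symlink into `/etc/static`, so unless 0.9.68 itself relaxed that check the `--hosts-file` path will now fail at runtime rather than at build time. Nothing in the diff or the `Fixes #153430` line says why the patch is no longer needed, so a reader cannot tell whether this is an upstream fix or an oversight. If 0.9.68 does accept a symlinked hosts file, say so where the entry used to be, e.g. `# The /etc/hosts symlink check is gone upstream as of 0.9.68 (netblue30/firejail#2758), so remove-link-check.patch is no longer needed.`, ideally naming the upstream commit. If it does not, the patch should be rebased rather than dropped, and since firejail runs setuid-root the rebase should keep the ownership (`s.st_uid != 0`) and `access(rv, R_OK)` checks that follow the link test, applied to the resolved target, instead of simply deleting the symlink test as the old patch did.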
 +++ b/src/fbuilder/build_profile.c
-@@ -67,7 +67,7 @@
- errExit("asprintf");
- 
- char *cmdlist[] = {
-- BINDIR "/firejail",
-+ "firejail",
- "--quiet",
- "--noprofile",
- "--caps.drop=all",
+@@ -48,7 +48,7 @@
+ // build command
+ char *cmd[len];
+ unsigned curr_len = 0;
+- cmd[curr_len++] = BINDIR "/firejail";
++ cmd[curr_len++] = "firejail";
+ cmd[curr_len++] = "--quiet";
+ cmd[curr_len++] = "--noprofile";
+ cmd[curr_len++] = "--caps.drop=all";
diff --git a/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
index 685314f9075..6493eb4fdf2 100644
--- a/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
+++ b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
@@ -1,6 +1,6 @@
---- a/src/firejail/fs.c
-+++ b/src/firejail/fs.c
-@@ -1143,6 +1143,16 @@
+--- a/src/firejail/fs_overlayfs.c
++++ b/src/firejail/fs_overlayfs.c
+@@ -327,6 +327,16 @@
  errExit("mounting /dev");
  fs_logger("whitelist /dev");
  
@@ -17,7 +17,7 @@
  // mount-bind run directory
  if (arg_debug)
  printf("Mounting /run\n");
-@@ -1201,6 +1211,7 @@
+@@ -384,6 +394,7 @@
  free(odiff);
  free(owork);
  free(dev);
diff --git a/pkgs/os-specific/linux/firejail/remove-link-check.patch b/pkgs/os-specific/linux/firejail/remove-link-check.patch
deleted file mode 100644
index 477df57a241..00000000000
--- a/pkgs/os-specific/linux/firejail/remove-link-check.patch
+++ /dev/null
@@ -1,48 +0,0 @@ -From ccc726f8ec877d8cda720daa2498e43629b6dd48 Mon Sep 17 00:00:00 2001 -From: Jonas Heinrich -Date: Sun, 19 Sep 2021 11:48:06 +0200 -Subject: [PATCH 1/2] remove hosts file link check - ---- - src/firejail/fs_hostname.c | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c -index 42255070c4..97ce70f9c1 100644 ---- a/src/firejail/fs_hostname.c -+++ b/src/firejail/fs_hostname.c -@@ -132,10 +132,6 @@ char *fs_check_hosts_file(const char *fname) { - invalid_filename(fname); - char *rv = expand_home(fname, cfg.homedir); - -- // no a link -- if (is_link(rv)) -- goto errexit; -- - // the user has read access to the file - if (access(rv, R_OK)) - goto errexit; - -From c2c51e7ca56075e7388b4f50922b148615d1b125 Mon Sep 17 00:00:00 2001 -From: Jonas Heinrich -Date: Sun, 19 Sep 2021 11:49:08 +0200 -Subject: [PATCH 2/2] remove hosts file link check - ---- - src/firejail/fs_hostname.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c -index 97ce70f9c1..b228707131 100644 ---- a/src/firejail/fs_hostname.c -+++ b/src/firejail/fs_hostname.c -@@ -154,9 +154,6 @@ void fs_mount_hosts_file(void) { - struct stat s; - if (stat("/etc/hosts", &s) == -1) - goto errexit; -- // not a link -- if (is_link("/etc/hosts")) -- goto errexit; - // owned by root - if (s.st_uid != 0) - goto errexit;