Merge pull request #203779 from Radvendii/firejail

nixos/firejail: remove the need for qualifications
Jonas Heinrich 2022-12-10 08:58:54 +01:00 committed by GitHub
commit 578dcac1a2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -8,18 +8,21 @@ let
wrappedBins = pkgs.runCommand "firejail-wrapped-binaries"
{ preferLocalBuild = true;
allowSubstitutes = false;
# take precedence over non-firejailed versions
meta.priority = -1;
}
''
mkdir -p $out/bin
mkdir -p $out/share/applications
${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:
let
opts = if builtins.isAttrs value
then value
else { executable = value; profile = null; extraArgs = []; };
else { executable = value; desktop = null; profile = null; extraArgs = []; };
args = lib.escapeShellArgs (
opts.extraArgs
++ (optional (opts.profile != null) "--profile=${toString opts.profile}")
);
);
in
''
cat <<_EOF >$out/bin/${command}
@ -27,6 +30,11 @@ let
exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"
_EOF
chmod 0755 $out/bin/${command}
${lib.optionalString (opts.desktop != null) ''
substitute ${opts.desktop} $out/share/applications/$(basename ${opts.desktop}) \
--replace ${opts.executable} $out/bin/${command}
''}
'') cfg.wrappedBinaries)}
'';
@ -42,6 +50,12 @@ in {
description = lib.mdDoc "Executable to run sandboxed";
example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"'';
};
desktop = mkOption {
type = types.nullOr types.path;
default = null;
description = lib.mkDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";
example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"'';
};
profile = mkOption {
type = types.nullOr types.path;
default = null;
@ -71,12 +85,6 @@ in {
'';
description = lib.mdDoc ''
Wrap the binaries in firejail and place them in the global path.
You will get file collisions if you put the actual application binary in
the global environment (such as by adding the application package to
`environment.systemPackages`), and applications started via
.desktop files are not wrapped if they specify the absolute path to the
binary.
'';
};
};
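Review bot: The new `desktop` option's description uses `lib.mkDoc` while the neighbouring `executable` and `wrappedBinaries` descriptions in the same file use `lib.mdDoc`; as far as I know nixpkgs lib has no `mkDoc`, so evaluating the module's options (e.g. for the manual) would fail on that line. The fix is the one-token change `description = lib.mdDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";`. Separately, in the `wrappedBins` hunk the `substitute ${opts.desktop} ... --replace ${opts.executable} $out/bin/${command}` step produces an unchanged copy when the pattern is not found, which leaves a .desktop entry that still launches the unsandboxed binary with no build-time indication; a `grep -q "$out/bin/${command}" "$out/share/applications/$(basename ${opts.desktop})"` after the substitution, or at least a sentence on the option documenting that the file must reference `executable` verbatim, would make that visible. The `wrappedBins` binding and the enclosing `let` begin before the first hunk, so the surrounding expression is only partly shown here.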