pyrox.dev / nixpkgs
lol
fork atom

nixos/firejail: remove the need for qualifications

Taeer Bar-Yam 67d671d5 e4902f2e

options
unified split
Changed files
+16 -8
nixos
modules
programs
firejail.nix
+16 -8
nixos/modules/programs/firejail.nix 
···

       
8

       
 

       
  wrappedBins = pkgs.runCommand "firejail-wrapped-binaries"


     

       
9

       
 

       
    { preferLocalBuild = true;


     

       
10

       
 

       
      allowSubstitutes = false;


     

       

       

       
     

       

       

       
     

       
11

       
 

       
    }


     

       
12

       
 

       
    ''


     

       
13

       
 

       
      mkdir -p $out/bin


     

       

       

       
     

       
14

       
 

       
      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:


     

       
15

       
 

       
      let


     

       
16

       
 

       
        opts = if builtins.isAttrs value


     

       
17

       
 

       
        then value


     

       
18

       
-

       
        else { executable = value; profile = null; extraArgs = []; };


     

       
19

       
 

       
        args = lib.escapeShellArgs (


     

       
20

       
 

       
          opts.extraArgs


     

       
21

       
 

       
          ++ (optional (opts.profile != null) "--profile=${toString opts.profile}")


     

       
22

       
-

       
          );


     

       
23

       
 

       
      in


     

       
24

       
 

       
      ''


     

       
25

       
 

       
        cat <<_EOF >$out/bin/${command}


     
···

       
27

       
 

       
        exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"


     

       
28

       
 

       
        _EOF


     

       
29

       
 

       
        chmod 0755 $out/bin/${command}


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
30

       
 

       
      '') cfg.wrappedBinaries)}


     

       
31

       
 

       
    '';


     

       
32

       
 

       



     
···

       
42

       
 

       
            description = lib.mdDoc "Executable to run sandboxed";


     

       
43

       
 

       
            example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"'';


     

       
44

       
 

       
          };


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
45

       
 

       
          profile = mkOption {


     

       
46

       
 

       
            type = types.nullOr types.path;


     

       
47

       
 

       
            default = null;


     
···

       
71

       
 

       
      '';


     

       
72

       
 

       
      description = lib.mdDoc ''


     

       
73

       
 

       
        Wrap the binaries in firejail and place them in the global path.


     

       
74

       
-

       



     

       
75

       
-

       
        You will get file collisions if you put the actual application binary in


     

       
76

       
-

       
        the global environment (such as by adding the application package to


     

       
77

       
-

       
        `environment.systemPackages`), and applications started via


     

       
78

       
-

       
        .desktop files are not wrapped if they specify the absolute path to the


     

       
79

       
-

       
        binary.


     

       
80

       
 

       
      '';


     

       
81

       
 

       
    };


     

       
82

       
 

       
  };


     
···

       
8

       
 

       
  wrappedBins = pkgs.runCommand "firejail-wrapped-binaries"


     

       
9

       
 

       
    { preferLocalBuild = true;


     

       
10

       
 

       
      allowSubstitutes = false;


     

       
11

       
+

       
      # take precedence over non-firejailed versions


     

       
12

       
+

       
      meta.priority = -1;


     

       
13

       
 

       
    }


     

       
14

       
 

       
    ''


     

       
15

       
 

       
      mkdir -p $out/bin


     

       
16

       
+

       
      mkdir -p $out/share/applications


     

       
17

       
 

       
      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:


     

       
18

       
 

       
      let


     

       
19

       
 

       
        opts = if builtins.isAttrs value


     

       
20

       
 

       
        then value


     

       
21

       
+

       
        else { executable = value; desktop = null; profile = null; extraArgs = []; };


     

       
22

       
 

       
        args = lib.escapeShellArgs (


     

       
23

       
 

       
          opts.extraArgs


     

       
24

       
 

       
          ++ (optional (opts.profile != null) "--profile=${toString opts.profile}")


     

       
25

       
+

       
        );


     

       
26

       
 

       
      in


     

       
27

       
 

       
      ''


     

       
28

       
 

       
        cat <<_EOF >$out/bin/${command}


     
···

       
30

       
 

       
        exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"


     

       
31

       
 

       
        _EOF


     

       
32

       
 

       
        chmod 0755 $out/bin/${command}


     

       
33

       
+

       



     

       
34

       
+

       
        ${lib.optionalString (opts.desktop != null) ''


     

       
35

       
+

       
          substitute ${opts.desktop} $out/share/applications/$(basename ${opts.desktop}) \


     

       
36

       
+

       
            --replace ${opts.executable} $out/bin/${command}


     

       
37

       
+

       
        ''}


     

       
38

       
 

       
      '') cfg.wrappedBinaries)}


     

       
39

       
 

       
    '';


     

       
40

       
 

       



     
···

       
50

       
 

       
            description = lib.mdDoc "Executable to run sandboxed";


     

       
51

       
 

       
            example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"'';


     

       
52

       
 

       
          };


     

       
53

       
+

       
          desktop = mkOption {


     

       
54

       
+

       
            type = types.nullOr types.path;


     

       
55

       
+

       
            default = null;


     

       
56

       
+

       
            description = lib.mkDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";


     

       
57

       
+

       
            example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"'';


     

       
58

       
+

       
          };


     

       
59

       
 

       
          profile = mkOption {


     

       
60

       
 

       
            type = types.nullOr types.path;


     

       
61

       
 

       
            default = null;


     
···

       
85

       
 

       
      '';


     

       
86

       
 

       
      description = lib.mdDoc ''


     

       
87

       
 

       
        Wrap the binaries in firejail and place them in the global path.


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
88

       
 

       
      '';


     

       
89

       
 

       
    };


     

       
90

       
 

       
  };