From 67d671d5b7b353e3cc8261e829a0f1b933cfda8e Mon Sep 17 00:00:00 2001
From: Taeer Bar-Yam
Date: Wed, 30 Nov 2022 12:45:16 -0500
Subject: [PATCH] nixos/firejail: remove the need for qualifications

---
 nixos/modules/programs/firejail.nix | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix
index a98c15a04517..6f79c13d94b4 100644
--- a/nixos/modules/programs/firejail.nix
+++ b/nixos/modules/programs/firejail.nix
@@ -8,18 +8,21 @@ let
 wrappedBins = pkgs.runCommand "firejail-wrapped-binaries"
 { preferLocalBuild = true;
 allowSubstitutes = false;
+ # take precedence over non-firejailed versions
+ meta.priority = -1;
 }
 ''
 mkdir -p $out/bin
+ mkdir -p $out/share/applications
 ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:
 let
 opts = if builtins.isAttrs value
 then value
- else { executable = value; profile = null; extraArgs = []; };
+ else { executable = value; desktop = null; profile = null; extraArgs = []; };
 args = lib.escapeShellArgs (
 opts.extraArgs
 ++ (optional (opts.profile != null) "--profile=${toString opts.profile}")
- );
+ );
 in
 ''
 cat <<_EOF >$out/bin/${command}
@@ -27,6 +30,11 @@ let
 exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"
 _EOF
 chmod 0755 $out/bin/${command}
+
+ ${lib.optionalString (opts.desktop != null) ''
+ substitute ${opts.desktop} $out/share/applications/$(basename ${opts.desktop}) \
+ --replace ${opts.executable} $out/bin/${command}
+ ''}
 '') cfg.wrappedBinaries)}
 '';
 
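Review bot: The new `--replace ${opts.executable}` line drops the `toString` that the `exec` line three lines above applies to the same value; if `executable` is given as a Nix path literal rather than a string, the bare interpolation copies the target into the store and the replacement pattern becomes that copy's path, not the path the `.desktop` file contains, so nothing is substituted. `$(basename ${opts.desktop})` has the same gap, and a store-copied `.desktop` would also end up with a hash-prefixed file name. Using `${toString opts.desktop}` and `${toString opts.executable}` on both new lines keeps all three interpolations consistent. Independently, `substitute --replace` is silent when the pattern does not occur, so a `.desktop` whose `Exec=` does not contain the exact executable string is installed unchanged and still launches the unsandboxed binary; `--replace-fail` (where the stdenv in use provides it) or a grep for `$out/bin/${command}` on the generated file would turn that into a build failure. The enclosing `wrappedBins` derivation begins before this hunk.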
@@ -42,6 +50,12 @@ in {
 description = lib.mdDoc "Executable to run sandboxed";
 example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"'';
 };
+ desktop = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = lib.mkDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";
+ example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"'';
+ };
 profile = mkOption {
 type = types.nullOr types.path;
 default = null;
@@ -71,12 +85,6 @@ in {
 '';
 description = lib.mdDoc ''
 Wrap the binaries in firejail and place them in the global path.
-
- You will get file collisions if you put the actual application binary in
- the global environment (such as by adding the application package to
- `environment.systemPackages`), and applications started via
- .desktop files are not wrapped if they specify the absolute path to the
- binary.
 '';
 };
 };
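Review bot: `lib.mkDoc` on the new `desktop` option's `description` does not match the `lib.mdDoc` used by every other `description` in this hunk, including the `executable` option directly above it, and `mkDoc` does not appear to be a function that nixpkgs' `lib` defines, so evaluating the module would likely fail on a missing attribute as soon as the option is declared. Change it to `description = lib.mdDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";`. The description could also state what is done with the file — it is copied to `share/applications` with the executable path rewritten to point at the wrapper — since neither the option name nor its type conveys that. The option set this declaration belongs to starts before this hunk.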