xdg-dbus-proxy path is hardcoded in the common.h file in the firejail
source code. if this binary is not found, dbus filtering capabilities
of firejail get limited i.e. you can only entirely disable or entirely
enable dbus communication.
See https://www.redhat.com/sysadmin/fedora-31-control-group-v2 for
details on why this is desirable, and how it impacts containers.
Users that need to keep using the old cgroup hierarchy can re-enable it
by setting `systemd.unifiedCgroupHierarchy` to `false`.
Well-known candidates not supporting that hierarchy, like docker and
hidepid=… will disable it automatically.
Fixes#73800
We currently build CONFIG_IPV6=m.
This seems to be not really well-supported in mainline kernels - see
https://lore.kernel.org/netdev/20201115224509.2020651-1-flokli@flokli.de/T/#u
Compiling it as a module doesn't give too much benefit - even for people
who did explicitly set `enableIPv6` to false, the `ipv6` module was
still loaded, as soon as another module was loaded that requires it
(bridge,br_netfilter,wireguard,ip6table_mangle,sctp,…).
By compiling it in, we only loose the possibility to not add it to
`boot.kernelModules` anymore (as it's part of the kernel directly). The
space savings are negligible.
People wanting to disable IPv6 still get the appropriate sysctls and
options set (while having the kernel code loaded), nothing is really
changing here.
Patch copied from https://github.com/archlinux/svntogit-packages/blob/packages/wireguard-dkms/trunk/lts.diff
This fixes:
```
In file included from <command-line>:
/build/source/src/compat/compat-asm.h:44: warning: "SYM_FUNC_START" redefined
44 | #define SYM_FUNC_START ENTRY
|
In file included from /build/source/src/compat/compat-asm.h:9,
from <command-line>:
/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/include/linux/linkage.h:218: note: this is the location of the previous definition
218 | #define SYM_FUNC_START(name) \
|
In file included from <command-line>:
/build/source/src/compat/compat-asm.h:45: warning: "SYM_FUNC_END" redefined
45 | #define SYM_FUNC_END ENDPROC
|
In file included from /build/source/src/compat/compat-asm.h:9,
from <command-line>:
/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/include/linux/linkage.h:265: note: this is the location of the previous definition
265 | #define SYM_FUNC_END(name) \
|
/build/source/src/crypto/zinc/blake2s/blake2s-x86_64.S: Assembler messages:
/build/source/src/crypto/zinc/blake2s/blake2s-x86_64.S:50: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/blake2s/blake2s-x86_64.S:176: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/blake2s/blake2s-x86_64.S:180: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/blake2s/blake2s-x86_64.S:257: Error: invalid character '(' in mnemonic
make[3]: *** [/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/scripts/Makefile.build:348: /build/source/src/crypto/zinc/blake2s/blake2s-x86_64.o] Error 1
make[3]: *** Waiting for unfinished jobs....
In file included from <command-line>:
/build/source/src/compat/compat-asm.h:44: warning: "SYM_FUNC_START" redefined
44 | #define SYM_FUNC_START ENTRY
|
In file included from /build/source/src/compat/compat-asm.h:9,
from <command-line>:
/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/include/linux/linkage.h:218: note: this is the location of the previous definition
218 | #define SYM_FUNC_START(name) \
|
In file included from <command-line>:
/build/source/src/compat/compat-asm.h:45: warning: "SYM_FUNC_END" redefined
45 | #define SYM_FUNC_END ENDPROC
|
In file included from /build/source/src/compat/compat-asm.h:9,
from <command-line>:
/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/include/linux/linkage.h:265: note: this is the location of the previous definition
265 | #define SYM_FUNC_END(name) \
|
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S: Assembler messages:
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:123: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:185: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:187: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:319: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:1016: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:1616: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:1620: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:1810: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:1812: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:1959: Error: invalid character '(' in mnemonic
make[3]: *** [/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/scripts/Makefile.build:348: /build/source/src/crypto/zinc/chacha20/chacha20-x86_64.o] Error 1
make[2]: *** [/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/Makefile:1729: /build/source/src] Error 2
make[1]: *** [/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/Makefile:179: sub-make] Error 2
make: *** [Makefile:26: module] Error 2
builder for '/nix/store/hll3sjyrwa55arzlsxnbacqdd8s842l1-wireguard-1.0.20200908.drv' failed with exit code 2
```
sudo the package is not suid, so remove it from the PATH. Extend
PATH with $PATH to fetch sudo from the outer PATH. Move the generation
of `path` in to Nix, so the sed expression can use single quotes,
which prevents $PATH being interpolated at build-time.
