authorSymphorien Gibol <symphorien+git@xlumurb.eu>2020-11-14 12:00:00 +0000
committerSymphorien Gibol <symphorien+git@xlumurb.eu>2020-11-14 12:00:00 +0000
commit6fa16462681ec457fda481823f09721499645b46 (patch)
tree77f09485f95a313f19087c1d8195afbe4fc66dbd
parenta371c1071161104d329f6a85d922fd92b7cbab63 (diff)
downloadnixpkgs-6fa16462681ec457fda481823f09721499645b46.tar
nixpkgs-6fa16462681ec457fda481823f09721499645b46.tar.gz
nixpkgs-6fa16462681ec457fda481823f09721499645b46.tar.bz2
nixpkgs-6fa16462681ec457fda481823f09721499645b46.tar.lz
nixpkgs-6fa16462681ec457fda481823f09721499645b46.tar.xz
nixpkgs-6fa16462681ec457fda481823f09721499645b46.tar.zst
nixpkgs-6fa16462681ec457fda481823f09721499645b46.zip
nixos/firejail: allow to pass options to firejail
-rw-r--r--nixos/modules/programs/firejail.nix46
-rw-r--r--nixos/tests/firejail.nix9
2 files changed, 50 insertions, 5 deletions
diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix
index 484f9eb4440..ad4ef1a3945 100644
--- a/nixos/modules/programs/firejail.nix
+++ b/nixos/modules/programs/firejail.nix
@@ -11,10 +11,20 @@ let
     }
     ''
       mkdir -p $out/bin
-      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: binary: ''
+      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:
+      let
+        opts = if builtins.isAttrs value
+        then value
+        else { executable = value; profile = null; extraArgs = []; };
+        args = lib.escapeShellArgs (
+          (optional (opts.profile != null) "--profile=${toString opts.profile}")
+          ++ opts.extraArgs
+          );
+      in
+      ''
         cat <<_EOF >$out/bin/${command}
         #! ${pkgs.runtimeShell} -e
-        exec /run/wrappers/bin/firejail ${binary} "\$@"
+        exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"
         _EOF
         chmod 0755 $out/bin/${command}
       '') cfg.wrappedBinaries)}
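Review bot: On the new exec line the executable path is interpolated into the generated wrapper script unquoted, while `args` right beside it is already passed through `lib.escapeShellArgs`, so an executable path containing whitespace or shell metacharacters would be word-split by the script; quoting it the same way keeps both halves of the command line consistent: `exec /run/wrappers/bin/firejail ${args} -- ${lib.escapeShellArg (toString opts.executable)} "\$@"`. The added `--` separator is worth keeping as is, since it prevents an executable path from being parsed as a firejail option. The bare `optional` in the `args` binding presumably relies on a `with lib;` above the hunk, unlike the qualified `lib.escapeShellArgs` next to it; writing `lib.optional` would make that explicit. The derivation this wrapper text is built in starts above the hunk.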
@@ -25,12 +35,38 @@ in {
     enable = mkEnableOption "firejail";
 
     wrappedBinaries = mkOption {
-      type = types.attrsOf types.path;
+      type = types.attrsOf (types.either types.path (types.submodule {
+        options = {
+          executable = mkOption {
+            type = types.path;
+            description = "Executable to run sandboxed";
+            example = literalExample "''${lib.getBin pkgs.firefox}/bin/firefox";
+          };
+          profile = mkOption {
+            type = types.nullOr types.path;
+            default = null;
+            description = "Profile to use";
+            example = literalExample "''${pkgs.firejail}/etc/firejail/firefox.profile";
+          };
+          extraArgs = mkOption {
+            type = types.listOf types.str;
+            default = [];
+            description = "Extra arguments to pass to firejail";
+            example = [ "--private=~/.firejail_home" ];
+          };
+        };
+      }));
       default = {};
       example = literalExample ''
         {
-          firefox = "''${lib.getBin pkgs.firefox}/bin/firefox";
-          mpv = "''${lib.getBin pkgs.mpv}/bin/mpv";
+          firefox = {
+            executable = "''${lib.getBin pkgs.firefox}/bin/firefox";
+            profile = "''${pkgs.firejail}/etc/firejail/firefox.profile";
+          };
+          mpv = {
+            executable = "''${lib.getBin pkgs.mpv}/bin/mpv";
+            profile = "''${pkgs.firejail}/etc/firejail/mpv.profile";
+          };
         }
       '';
       description = ''
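Review bot: The `example` strings on the new `executable` and `profile` options are double-quoted Nix strings, where `''${` is not an escape: `''` is two literal quote characters and `${lib.getBin pkgs.firefox}` is a real interpolation, so rendering the option documentation would evaluate firefox and print a value beginning with `''`. The `''${` escape only works inside an indented string, as the `example` block further down in this hunk already does; the two lines should read `example = literalExample ''"''${lib.getBin pkgs.firefox}/bin/firefox"'';` and `example = literalExample ''"''${pkgs.firejail}/etc/firejail/firefox.profile"'';`. The `extraArgs` description should also tell the reader that the list is inserted unchanged in front of `--` with no validation, so an entry can loosen the sandbox as easily as tighten it, for instance `description = "Extra arguments to pass to firejail. They are inserted verbatim before the executable and are not validated, so they can weaken the sandbox as well as restrict it.";`.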
diff --git a/nixos/tests/firejail.nix b/nixos/tests/firejail.nix
index a723cb01664..5f122c3fa94 100644
--- a/nixos/tests/firejail.nix
+++ b/nixos/tests/firejail.nix
@@ -11,6 +11,10 @@ import ./make-test-python.nix ({ pkgs, ...} : {
       enable = true;
       wrappedBinaries = {
         bash-jailed  = "${pkgs.bash}/bin/bash";
+        bash-jailed2  = {
+          executable = "${pkgs.bash}/bin/bash";
+          extraArgs = [ "--private=~/firejail-home" ];
+        };
       };
     };
 
@@ -53,6 +57,11 @@ import ./make-test-python.nix ({ pkgs, ...} : {
     )
     machine.fail("sudo -u alice bash-jailed -c 'cat ~/my-secrets/secret' | grep -q s3cret")
 
+    # Test extraArgs
+    machine.succeed("sudo -u alice mkdir /home/alice/firejail-home")
+    machine.succeed("sudo -u alice bash-jailed2 -c 'echo test > /home/alice/foo'")
+    machine.fail("sudo -u alice cat /home/alice/foo")
+    machine.succeed("sudo -u alice cat /home/alice/firejail-home/foo | grep test")
 
     # Test path acl with firejail executable
     machine.succeed("sudo -u alice firejail -- bash -c 'cat ~/public' | grep -q publ1c")
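Review bot: The new assertions exercise only `extraArgs`; the `profile` option introduced by the same commit has no test, so a regression in how `--profile=` is assembled and quoted in the wrapper would go unnoticed. A second wrapped binary in the test configuration with `profile` set to a small profile that denies access to one path, checked with a `machine.fail` in the style of the existing `~/my-secrets` check, would close that gap. The `machine.fail("sudo -u alice cat /home/alice/foo")` assertion presumably depends on `/home/alice/foo` not having been created by earlier steps of the test, which start above the hunk.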