diff options
| author | Symphorien Gibol <symphorien+git@xlumurb.eu> | 2020-11-14 12:00:00 +0000 |
|---|---|---|
| committer | Symphorien Gibol <symphorien+git@xlumurb.eu> | 2020-11-14 12:00:00 +0000 |
| commit | 6fa16462681ec457fda481823f09721499645b46 (patch) | |
| tree | 77f09485f95a313f19087c1d8195afbe4fc66dbd /nixos/modules/programs/firejail.nix | |
| parent | a371c1071161104d329f6a85d922fd92b7cbab63 (diff) | |
| download | nixpkgs-6fa16462681ec457fda481823f09721499645b46.tar nixpkgs-6fa16462681ec457fda481823f09721499645b46.tar.gz nixpkgs-6fa16462681ec457fda481823f09721499645b46.tar.bz2 nixpkgs-6fa16462681ec457fda481823f09721499645b46.tar.lz nixpkgs-6fa16462681ec457fda481823f09721499645b46.tar.xz nixpkgs-6fa16462681ec457fda481823f09721499645b46.tar.zst nixpkgs-6fa16462681ec457fda481823f09721499645b46.zip | |
nixos/firejail: allow to pass options to firejail
Diffstat (limited to 'nixos/modules/programs/firejail.nix')
| -rw-r--r-- | nixos/modules/programs/firejail.nix | 46 |
1 files changed, 41 insertions, 5 deletions
diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix index 484f9eb4440..ad4ef1a3945 100644 --- a/nixos/modules/programs/firejail.nix +++ b/nixos/modules/programs/firejail.nix @@ -11,10 +11,20 @@ let } '' mkdir -p $out/bin - ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: binary: '' + ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value: + let + opts = if builtins.isAttrs value + then value + else { executable = value; profile = null; extraArgs = []; }; + args = lib.escapeShellArgs ( + (optional (opts.profile != null) "--profile=${toString opts.profile}") + ++ opts.extraArgs + ); + in + '' cat <<_EOF >$out/bin/${command} #! ${pkgs.runtimeShell} -e - exec /run/wrappers/bin/firejail ${binary} "\$@" + exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@" _EOF chmod 0755 $out/bin/${command} '') cfg.wrappedBinaries)} @@ -25,12 +35,38 @@ in { enable = mkEnableOption "firejail"; wrappedBinaries = mkOption { - type = types.attrsOf types.path; + type = types.attrsOf (types.either types.path (types.submodule { + options = { + executable = mkOption { + type = types.path; + description = "Executable to run sandboxed"; + example = literalExample "''${lib.getBin pkgs.firefox}/bin/firefox"; + }; + profile = mkOption { + type = types.nullOr types.path; + default = null; + description = "Profile to use"; + example = literalExample "''${pkgs.firejail}/etc/firejail/firefox.profile"; + }; + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + description = "Extra arguments to pass to firejail"; + example = [ "--private=~/.firejail_home" ]; + }; + }; + })); default = {}; example = literalExample '' { - firefox = "''${lib.getBin pkgs.firefox}/bin/firefox"; - mpv = "''${lib.getBin pkgs.mpv}/bin/mpv"; + firefox = { + executable = "''${lib.getBin pkgs.firefox}/bin/firefox"; + profile = "''${pkgs.firejail}/etc/firejail/firefox.profile"; + }; + mpv = { + executable = "''${lib.getBin pkgs.mpv}/bin/mpv"; + profile = "''${pkgs.firejail}/etc/firejail/mpv.profile"; + }; } ''; description = '' |