author | Alyssa Ross <hi@alyssa.is> | 2021-08-04 10:43:07 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2021-08-04 10:43:07 +0000 |
commit | 62614cbef7da005c1eda8c9400160f6bcd6546b8 (patch) | |
tree | c2630f69080637987b68acb1ee8676d2681fe304 /nixos/modules/programs/firejail.nix | |
parent | d9c82ed3044c72cecf01c6ea042489d30914577c (diff) | |
parent | e24069138dfec3ef94f211f1da005bb5395adc11 (diff) | |
Merge branch 'nixpkgs-update' into master
Diffstat (limited to 'nixos/modules/programs/firejail.nix')
-rw-r--r-- | nixos/modules/programs/firejail.nix | 46 |
1 files changed, 41 insertions, 5 deletions
diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix
index 484f9eb4440..ad4ef1a3945 100644
--- a/nixos/modules/programs/firejail.nix
+++ b/nixos/modules/programs/firejail.nix
@@ -11,10 +11,20 @@ let
 }
 ''
 mkdir -p $out/bin
- ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: binary: ''
+ ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:
+ let
+ opts = if builtins.isAttrs value
+ then value
+ else { executable = value; profile = null; extraArgs = []; };
+ args = lib.escapeShellArgs (
+ (optional (opts.profile != null) "--profile=${toString opts.profile}")
+ ++ opts.extraArgs
+ );
+ in
+ ''
 cat <<_EOF >$out/bin/${command}
 #! ${pkgs.runtimeShell} -e
- exec /run/wrappers/bin/firejail ${binary} "\$@"
+ exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"
 _EOF
 chmod 0755 $out/bin/${command}
 '') cfg.wrappedBinaries)}
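Review bot: The `else { executable = value; profile = null; extraArgs = []; }` fallback in the new `opts` binding duplicates the defaults the submodule in the next hunk already declares, so every option added to that submodule later has to be mirrored here or the string form of `wrappedBinaries` will evaluate to an attrset missing it. The module system can do this normalisation instead: declare the option as `types.attrsOf (types.coercedTo types.path (executable: { inherit executable; }) (types.submodule { … }))` in the second hunk, after which this hunk collapses to `args = lib.escapeShellArgs ((optional (value.profile != null) "--profile=${toString value.profile}") ++ value.extraArgs);` with `opts` and the `isAttrs` test gone. Separately, `optional` is used bare while the neighbouring calls are written `lib.concatStringsSep`, `lib.mapAttrsToList` and `lib.escapeShellArgs`; if the file opens with `with lib;` this works, but `lib.optional` would match the rest of the line. Wrapping the profile path and `extraArgs` in `lib.escapeShellArgs` and ending the option list with `--` before the executable is the right shape for a generated shell script. The `wrappedBins` derivation this hunk sits in starts before the hunk.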
@@ -25,12 +35,38 @@ in {
 enable = mkEnableOption "firejail";
 
 wrappedBinaries = mkOption {
- type = types.attrsOf types.path;
+ type = types.attrsOf (types.either types.path (types.submodule {
+ options = {
+ executable = mkOption {
+ type = types.path;
+ description = "Executable to run sandboxed";
+ example = literalExample "''${lib.getBin pkgs.firefox}/bin/firefox";
+ };
+ profile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "Profile to use";
+ example = literalExample "''${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+ extraArgs = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = "Extra arguments to pass to firejail";
+ example = [ "--private=~/.firejail_home" ];
+ };
+ };
+ }));
 default = {};
 example = literalExample ''
 {
- firefox = "''${lib.getBin pkgs.firefox}/bin/firefox";
- mpv = "''${lib.getBin pkgs.mpv}/bin/mpv";
+ firefox = {
+ executable = "''${lib.getBin pkgs.firefox}/bin/firefox";
+ profile = "''${pkgs.firejail}/etc/firejail/firefox.profile";
+ };
+ mpv = {
+ executable = "''${lib.getBin pkgs.mpv}/bin/mpv";
+ profile = "''${pkgs.firejail}/etc/firejail/mpv.profile";
+ };
 }
 '';
 description = ''
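Review bot: The descriptions of the new `profile` and `extraArgs` options do not say how their values reach firejail, which matters for the example given: the wrapper from the first hunk passes every element through `lib.escapeShellArgs` before `--`, so the `~` in `"--private=~/.firejail_home"` is handed to firejail literally rather than expanded by the shell, and whether firejail expands it itself is not something this module establishes. Suggest `description = "Profile file passed to firejail via --profile. When null, no --profile argument is added.";` for `profile`, and `description = "Extra arguments passed to firejail before the executable. Each element is shell-escaped, so no expansion is performed on it.";` for `extraArgs`. The `executable` description would also benefit from noting that it is placed after `--`, so a name beginning with `-` is not parsed as a firejail option. The `wrappedBinaries` option's own `description` continues past the end of the hunk.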