authorsnicket2100 <57048005+snicket2100@users.noreply.github.com>2020-03-27 17:36:57 +0100
committersnicket2100 <57048005+snicket2100@users.noreply.github.com>2020-03-27 18:34:52 +0100
commita63f6a7d4797754c354054ca3af240d90295af2e (patch)
tree30c78abc0e5470541c5464a6cd4eb9e204e3c97f /pkgs/os-specific/linux/firejail
parent749028e92bef8773bb84db62eee024c4026f2f5a (diff)
firejail: local profile handling fixed
made it possible to place local profiles in `~/.config/firejail`,
as well as in `/etc/firejail`.
Diffstat (limited to 'pkgs/os-specific/linux/firejail')
-rw-r--r--pkgs/os-specific/linux/firejail/default.nix23
1 files changed, 20 insertions, 3 deletions
diff --git a/pkgs/os-specific/linux/firejail/default.nix b/pkgs/os-specific/linux/firejail/default.nix
index 678592c0379..4d263194a49 100644
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -36,10 +36,27 @@ stdenv.mkDerivation {
     sed -e "s@/etc/@$out/etc/@g" -e "/chmod u+s/d" -i Makefile
   '';
 
-  # We need to set the directory for the .local override files to
-  # /etc/firejail so we can actually override them
+  # The profile files provided with the firejail distribution include `.local`
+  # profile files using relative paths. The way firejail works when it comes to
+  # handling includes is by looking target files up in `~/.config/firejail`
+  # first, and then trying `SYSCONFDIR`. The latter normally points to
+  # `/etc/filejail`, but in the case of nixos points to the nix store. This
+  # makes it effectively impossible to place any profile files in
+  # `/etc/firejail`.
+  #
+  # The workaround applied below is by creating a set of `.local` files which
+  # only contain respective includes to `/etc/firejail`. This way
+  # `~/.config/firejail` still takes precedence, but `/etc/firejail` will also
+  # be searched in second order. This replicates the behaviour from
+  # non-nixos platforms.
+  #
+  # See https://github.com/netblue30/firejail/blob/e4cb6b42743ad18bd11d07fd32b51e8576239318/src/firejail/profile.c#L68-L83
+  # for the profile file lookup implementation.
   postInstall = ''
-    sed -E -e 's@^include (.*.local)$@include /etc/firejail/\1@g' -i $out/etc/firejail/*.profile
+    for local in $(grep -Eh '^include.*local$' $out/etc/firejail/*.profile | awk '{print $2}' | sort | uniq)
+    do
+      echo "include /etc/firejail/$local" >$out/etc/firejail/$local
+    done
   '';
 
   # At high parallelism, the build sometimes fails with:
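Review bot: The `for local in $(...)` line and the redirect two lines below expand `$out` and `$local` unquoted, and the new pattern `^include.*local$` is broader than the `.local` suffix the removed sed matched, so an include whose second field merely ends in `local` would also get a stub file written under `$out/etc/firejail`. The values come from the package's own shipped profile files, so this is a robustness point rather than an injection one, but quoting and tightening the pattern cost nothing: `for local in $(grep -Eh '^include .*\.local$' "$out"/etc/firejail/*.profile | awk '{print $2}' | sort -u)` and `echo "include /etc/firejail/$local" >"$out/etc/firejail/$local"`. The `sort | uniq` pair collapses into `sort -u` as shown. The added comment block also spells the default directory `/etc/filejail` where `/etc/firejail` is meant.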