authorCole Helbling <cole.e.helbling@outlook.com>2020-05-26 22:57:30 -0700
committerCole Helbling <cole.e.helbling@outlook.com>2020-05-27 08:11:30 -0700
commit82f897333a1d2e10ae2d1661f8313c493836d334 (patch)
tree2a2c509db12e7050e5759bf729c83994e4f26332 /pkgs/tools/security/doas
parenta1d501b87e4028369b0e2b5f37634dc86d1a0db0 (diff)
doas: add NixOS binary dirs to safe PATH
I recently tried to give myself passwordless `doas` for `virsh` commands
(starting, stopping, and editing VMs), but `doas` was complaining that
it didn't know what `virsh` was.

This patch adds `/run/current-system/sw/{s,}bin` and `/run/wrappers/bin`
to the safe path, allowing system binaries to be discovered and executed
properly.
Diffstat (limited to 'pkgs/tools/security/doas')
-rw-r--r--pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch24
-rw-r--r--pkgs/tools/security/doas/default.nix6
2 files changed, 30 insertions, 0 deletions
diff --git a/pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch b/pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch
new file mode 100644
index 00000000000..d1a1997ba1f
--- /dev/null
+++ b/pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch
@@ -0,0 +1,24 @@
+From 9218347b8f833ab05d016dfba5617dcdeb59eb7b Mon Sep 17 00:00:00 2001
+From: Cole Helbling <cole.e.helbling@outlook.com>
+Date: Wed, 27 May 2020 08:02:57 -0700
+Subject: [PATCH] add NixOS-specific dirs to safe PATH
+
+---
+ doas.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/doas.c b/doas.c
+index e253905..2fdb20f 100644
+--- a/doas.c
++++ b/doas.c
+@@ -234,6 +234,7 @@ int
+ main(int argc, char **argv)
+ {
+ 	const char *safepath = "/bin:/sbin:/usr/bin:/usr/sbin:"
++	    "/run/current-system/sw/bin:/run/current-system/sw/sbin:/run/wrappers/bin:"
+ 	    "/usr/local/bin:/usr/local/sbin";
+ 	const char *confpath = NULL;
+ 	char *shargv[] = { NULL, NULL };
+-- 
+2.26.2
+
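Review bot: The added line `+	    "/run/current-system/sw/bin:/run/current-system/sw/sbin:/run/wrappers/bin:"` places /run/wrappers/bin after the system profile, which (if I recall NixOS's own default PATH correctly) is the reverse of the order NixOS uses, where the wrappers directory comes first; when doas runs a command as a non-root target user, a program present in both locations would resolve to the unwrapped copy in the system profile rather than its wrapper. Consider ordering it as `"/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/sbin:"`. The patch body above `---` is empty; it would help to record there why these three directories qualify for doas's trusted search path (root-owned, populated only by NixOS activation), since safepath exists precisely to keep user-writable directories out of the lookup. main() continues beyond the hunk, so the point where safepath is handed to the executed command is not visible here.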
diff --git a/pkgs/tools/security/doas/default.nix b/pkgs/tools/security/doas/default.nix
index 8cc9017a8fe..baa2fc301a8 100644
--- a/pkgs/tools/security/doas/default.nix
+++ b/pkgs/tools/security/doas/default.nix
@@ -26,6 +26,12 @@ stdenv.mkDerivation rec {
     "--pamdir=${placeholder "out"}/etc/pam.d"
   ];
 
+  patches = [
+    # Allow doas to discover binaries in /run/current-system/sw/{s,}bin and
+    # /run/wrappers/bin
+    ./0001-add-NixOS-specific-dirs-to-safe-PATH.patch
+  ];
+
   postPatch = ''
     sed -i '/\(chown\|chmod\)/d' bsd.prog.mk
   '';
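Review bot: The comment above `./0001-add-NixOS-specific-dirs-to-safe-PATH.patch` says what the patch does but not why widening doas's trusted PATH is acceptable, which is the property a later maintainer needs when adding further directories. I would extend it with `# These directories are root-owned and written only by NixOS activation, which is what makes them acceptable in doas's trusted search path.` The patch file's own description section is empty, so this comment is the only place that rationale would live.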