summary refs log tree commit diff
path: root/pkgs/os-specific/linux/firejail/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/os-specific/linux/firejail/default.nix')
-rw-r--r--pkgs/os-specific/linux/firejail/default.nix63
1 files changed, 27 insertions, 36 deletions
diff --git a/pkgs/os-specific/linux/firejail/default.nix b/pkgs/os-specific/linux/firejail/default.nix
index 272b8612d7a..1a9b7e34f5a 100644
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -1,36 +1,25 @@
-{stdenv, fetchurl, fetchpatch, which, nixosTests}:
-let
-  s = # Generated upstream information
-  rec {
-    baseName="firejail";
-    version="0.9.62";
-    name="${baseName}-${version}";
-    url="mirror://sourceforge/firejail/firejail/firejail-${version}.tar.xz";
-    sha256="1q2silgy882fl61p5qa9f9jqkxcqnwa71jig3c729iahx4f0hs05";
-  };
-  buildInputs = [
-    which
-  ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-    name = "${s.name}.tar.bz2";
+{ lib, stdenv, fetchFromGitHub, fetchpatch, which, xdg-dbus-proxy, nixosTests }:
+
+stdenv.mkDerivation rec {
+  pname = "firejail";
+  version = "0.9.66";
+
+  src = fetchFromGitHub {
+    owner = "netblue30";
+    repo = "firejail";
+    rev = version;
+    sha256 = "sha256-oKstTiGt0r4wePaZ9u1o78GZ1XWJ27aS0BdLxmfYk9Q=";
   };
 
+  buildInputs = [ which ];
+
   patches = [
-    (fetchpatch {
-      name = "CVE-2020-17367.patch";
-      url = "https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch";
-      sha256 = "1gxz4jxp80gxnn46195qxcpmikwqab9d0ylj9zkm62lycp84ij6n";
-    })
-    (fetchpatch {
-      name = "CVE-2020-17368.patch";
-      url = "https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch";
-      sha256 = "0n4ch3qykxx870201l8lz81f7h84vk93pzz77f5cjbd30cxnbddl";
-    })
+    # Adds the /nix directory when using an overlay.
+    # Required to run any programs under this mode.
+    ./mount-nix-dir-on-overlay.patch
+    # By default fbuilder hardcodes the firejail binary to the install path.
+    # On NixOS the firejail binary is a setuid wrapper available in $PATH.
+    ./fbuilder-call-firejail-on-path.patch
   ];
 
   prePatch = ''
@@ -38,6 +27,10 @@ stdenv.mkDerivation {
     substituteInPlace etc/firejail.config --replace \
       '# follow-symlink-as-user yes' \
       'follow-symlink-as-user no'
+
+    # Fix the path to 'xdg-dbus-proxy' hardcoded in the 'common.h' file
+    substituteInPlace src/include/common.h \
+      --replace '/usr/bin/xdg-dbus-proxy' '${xdg-dbus-proxy}/bin/xdg-dbus-proxy'
   '';
 
   preConfigure = ''
@@ -79,12 +72,10 @@ stdenv.mkDerivation {
   passthru.tests = nixosTests.firejail;
 
   meta = {
-    inherit (s) version;
-    description = ''Namespace-based sandboxing tool for Linux'';
-    license = stdenv.lib.licenses.gpl2Plus ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+    description = "Namespace-based sandboxing tool for Linux";
+    license = lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.raskin ];
+    platforms = lib.platforms.linux;
     homepage = "https://firejail.wordpress.com/";
-    downloadPage = "https://sourceforge.net/projects/firejail/files/firejail/";
   };
 }