Diffstat (limited to 'pkgs/os-specific/linux/firejail/default.nix')
-rw-r--r-- | pkgs/os-specific/linux/firejail/default.nix | 63 |
1 files changed, 27 insertions, 36 deletions
diff --git a/pkgs/os-specific/linux/firejail/default.nix b/pkgs/os-specific/linux/firejail/default.nix
index 272b8612d7a..1a9b7e34f5a 100644
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -1,36 +1,25 @@
-{stdenv, fetchurl, fetchpatch, which, nixosTests}:
-let
-  s = # Generated upstream information
-  rec {
-    baseName="firejail";
-    version="0.9.62";
-    name="${baseName}-${version}";
-    url="mirror://sourceforge/firejail/firejail/firejail-${version}.tar.xz";
-    sha256="1q2silgy882fl61p5qa9f9jqkxcqnwa71jig3c729iahx4f0hs05";
-  };
-  buildInputs = [
-    which
-  ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-    name = "${s.name}.tar.bz2";
+{ lib, stdenv, fetchFromGitHub, fetchpatch, which, xdg-dbus-proxy, nixosTests }:
+
+stdenv.mkDerivation rec {
+  pname = "firejail";
+  version = "0.9.66";
+
+  src = fetchFromGitHub {
+    owner = "netblue30";
+    repo = "firejail";
+    rev = version;
+    sha256 = "sha256-oKstTiGt0r4wePaZ9u1o78GZ1XWJ27aS0BdLxmfYk9Q=";
   };
+  buildInputs = [ which ];
+
   patches = [
-    (fetchpatch {
-      name = "CVE-2020-17367.patch";
-      url = "https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch";
-      sha256 = "1gxz4jxp80gxnn46195qxcpmikwqab9d0ylj9zkm62lycp84ij6n";
-    })
-    (fetchpatch {
-      name = "CVE-2020-17368.patch";
-      url = "https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch";
-      sha256 = "0n4ch3qykxx870201l8lz81f7h84vk93pzz77f5cjbd30cxnbddl";
-    })
+    # Adds the /nix directory when using an overlay.
+    # Required to run any programs under this mode.
+    ./mount-nix-dir-on-overlay.patch
+    # By default fbuilder hardcodes the firejail binary to the install path.
+    # On NixOS the firejail binary is a setuid wrapper available in $PATH.
+    ./fbuilder-call-firejail-on-path.patch
   ];
   prePatch = ''
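Review bot: The two `fetchpatch` entries for CVE-2020-17367 and CVE-2020-17368 are removed from `patches` without the hunk or the commit description recording why they are no longer needed; since both point at upstream netblue30 commits, they are presumably contained in the 0.9.66 tag, but a one-line note such as `# CVE-2020-17367 / CVE-2020-17368 fixes are included upstream since 0.9.64` next to `patches` would let the next bumper confirm that rather than rediscover it. In the same hunk `fetchpatch` is kept in the argument set on the first added line even though nothing references it any more, so it can be dropped from the inputs. The `mkDerivation` body continues past the last line of this hunk.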
@@ -38,6 +27,10 @@ stdenv.mkDerivation {
     substituteInPlace etc/firejail.config --replace \
       '# follow-symlink-as-user yes' \
       'follow-symlink-as-user no'
+
+    # Fix the path to 'xdg-dbus-proxy' hardcoded in the 'common.h' file
+    substituteInPlace src/include/common.h \
+      --replace '/usr/bin/xdg-dbus-proxy' '${xdg-dbus-proxy}/bin/xdg-dbus-proxy'
   '';
   preConfigure = ''
@@ -79,12 +72,10 @@ stdenv.mkDerivation {
   passthru.tests = nixosTests.firejail;
   meta = {
-    inherit (s) version;
-    description = ''Namespace-based sandboxing tool for Linux'';
-    license = stdenv.lib.licenses.gpl2Plus ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+    description = "Namespace-based sandboxing tool for Linux";
+    license = lib.licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.raskin ];
+    platforms = lib.platforms.linux;
     homepage = "https://firejail.wordpress.com/";
-    downloadPage = "https://sourceforge.net/projects/firejail/files/firejail/";
   };
 }
|
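Review bot: The new `substituteInPlace src/include/common.h --replace '/usr/bin/xdg-dbus-proxy' ...` line in the prePatch hunk does not fail the build when the literal is absent, so if upstream ever renames or moves that path the binary would silently keep the `/usr/bin` location and the xdg-dbus-proxy based D-Bus filtering would presumably only break at runtime on NixOS, where no such file exists. A guard placed just before the substitution, `grep -q '/usr/bin/xdg-dbus-proxy' src/include/common.h`, turns that into a build-time failure; the same check could be applied to the existing `etc/firejail.config` substitution above it. The `prePatch` string this hunk edits begins before the hunk's first line.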