Diffstat (limited to 'pkgs/os-specific/linux/firejail')
4 files changed, 65 insertions, 39 deletions
diff --git a/pkgs/os-specific/linux/firejail/default.nix b/pkgs/os-specific/linux/firejail/default.nix
index 272b8612d7a..1a9b7e34f5a 100644
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -1,36 +1,25 @@
-{stdenv, fetchurl, fetchpatch, which, nixosTests}:
-let
- s = # Generated upstream information
- rec {
- baseName="firejail";
- version="0.9.62";
- name="${baseName}-${version}";
- url="mirror://sourceforge/firejail/firejail/firejail-${version}.tar.xz";
- sha256="1q2silgy882fl61p5qa9f9jqkxcqnwa71jig3c729iahx4f0hs05";
- };
- buildInputs = [
- which
- ];
-in
-stdenv.mkDerivation {
- inherit (s) name version;
- inherit buildInputs;
- src = fetchurl {
- inherit (s) url sha256;
- name = "${s.name}.tar.bz2";
+{ lib, stdenv, fetchFromGitHub, fetchpatch, which, xdg-dbus-proxy, nixosTests }:
+
+stdenv.mkDerivation rec {
+ pname = "firejail";
+ version = "0.9.66";
+
+ src = fetchFromGitHub {
+ owner = "netblue30";
+ repo = "firejail";
+ rev = version;
+ sha256 = "sha256-oKstTiGt0r4wePaZ9u1o78GZ1XWJ27aS0BdLxmfYk9Q=";
 };
 
+ buildInputs = [ which ];
+
 patches = [
- (fetchpatch {
- name = "CVE-2020-17367.patch";
- url = "https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch";
- sha256 = "1gxz4jxp80gxnn46195qxcpmikwqab9d0ylj9zkm62lycp84ij6n";
- })
- (fetchpatch {
- name = "CVE-2020-17368.patch";
- url = "https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch";
- sha256 = "0n4ch3qykxx870201l8lz81f7h84vk93pzz77f5cjbd30cxnbddl";
- })
+ # Adds the /nix directory when using an overlay.
+ # Required to run any programs under this mode.
+ ./mount-nix-dir-on-overlay.patch
+ # By default fbuilder hardcodes the firejail binary to the install path.
+ # On NixOS the firejail binary is a setuid wrapper available in $PATH.
+ ./fbuilder-call-firejail-on-path.patch
 ];
 
 prePatch = ''
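Review bot: `fetchpatch` is still taken in the new argument set on the first added line, but both `fetchpatch` calls were removed together with the two CVE patches, so it is now an unused input. Dropping it keeps the derivation's inputs honest: `{ lib, stdenv, fetchFromGitHub, which, xdg-dbus-proxy, nixosTests }:`. The removal of the CVE-2020-17367/17368 patches presumably relies on 0.9.66 already carrying those fixes; that is worth stating in the commit message so the next reader does not have to re-derive it.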
@@ -38,6 +27,10 @@ stdenv.mkDerivation {
 substituteInPlace etc/firejail.config --replace \
 '# follow-symlink-as-user yes' \
 'follow-symlink-as-user no'
+
+ # Fix the path to 'xdg-dbus-proxy' hardcoded in the 'common.h' file
+ substituteInPlace src/include/common.h \
+ --replace '/usr/bin/xdg-dbus-proxy' '${xdg-dbus-proxy}/bin/xdg-dbus-proxy'
 '';
 
 preConfigure = ''
@@ -79,12 +72,10 @@ stdenv.mkDerivation {
 passthru.tests = nixosTests.firejail;
 
 meta = {
- inherit (s) version;
- description = ''Namespace-based sandboxing tool for Linux'';
- license = stdenv.lib.licenses.gpl2Plus ;
- maintainers = [stdenv.lib.maintainers.raskin];
- platforms = stdenv.lib.platforms.linux;
+ description = "Namespace-based sandboxing tool for Linux";
+ license = lib.licenses.gpl2Plus;
+ maintainers = [ lib.maintainers.raskin ];
+ platforms = lib.platforms.linux;
 homepage = "https://firejail.wordpress.com/";
- downloadPage = "https://sourceforge.net/projects/firejail/files/firejail/";
 };
 }
diff --git a/pkgs/os-specific/linux/firejail/default.upstream b/pkgs/os-specific/linux/firejail/default.upstream
deleted file mode 100644
index 0e6576c44a8..00000000000
--- a/pkgs/os-specific/linux/firejail/default.upstream
+++ /dev/null
@@ -1,3 +0,0 @@
-url https://sourceforge.net/projects/firejail/files/firejail/
-version_link '[-][0-9.]+[.]tar[.][a-z0-9]+/download$'
-SF_redirect
diff --git a/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
new file mode 100644
index 00000000000..6016891655b
--- /dev/null
+++ b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
@@ -0,0 +1,11 @@
+--- a/src/fbuilder/build_profile.c
++++ b/src/fbuilder/build_profile.c
+@@ -67,7 +67,7 @@
+ errExit("asprintf");
+ 
+ char *cmdlist[] = {
+- BINDIR "/firejail",
++ "firejail",
+ "--quiet",
+ "--noprofile",
+ "--caps.drop=all",
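Review bot: The new `substituteInPlace src/include/common.h --replace '/usr/bin/xdg-dbus-proxy' ...` silently does nothing if upstream moves or renames that literal, since plain `--replace` in this nixpkgs generation does not fail on a missing pattern, and the sandbox would then try to exec a path that does not exist on NixOS. A one-line guard before the substitution turns that into a build failure at the next version bump: `grep -q '/usr/bin/xdg-dbus-proxy' src/include/common.h`. The same applies to the `etc/firejail.config` substitution above it, which predates this change.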
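Review bot: With `BINDIR "/firejail"` replaced by `"firejail"` in `cmdlist`, which firejail binary fbuilder runs is now decided by the caller's PATH rather than the install prefix (presumably through an exec*p variant outside the hunk). fbuilder runs unprivileged, so a PATH-selected binary gains nothing beyond what the invoking user already has, but the dependency on the wrapper directory being in PATH deserves a comment above the array, e.g. `// resolved via PATH: on NixOS the setuid firejail lives in a wrapper dir, not BINDIR`. The enclosing function starts and ends outside the hunk.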
diff --git a/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
new file mode 100644
index 00000000000..685314f9075
--- /dev/null
+++ b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
@@ -0,0 +1,27 @@
+--- a/src/firejail/fs.c
++++ b/src/firejail/fs.c
+@@ -1143,6 +1143,16 @@
+ errExit("mounting /dev");
+ fs_logger("whitelist /dev");
+ 
++ // mount-bind /nix
++ if (arg_debug)
++ printf("Mounting /nix\n");
++ char *nix;
++ if (asprintf(&nix, "%s/nix", oroot) == -1)
++ errExit("asprintf");
++ if (mount("/nix", nix, NULL, MS_BIND|MS_REC, NULL) < 0)
++ errExit("mounting /nix");
++ fs_logger("whitelist /nix");
++
+ // mount-bind run directory
+ if (arg_debug)
+ printf("Mounting /run\n");
+@@ -1201,6 +1211,7 @@
+ free(odiff);
+ free(owork);
+ free(dev);
++ free(nix);
+ free(run);
+ free(tmp);
+ } |
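Review bot: The new `mount("/nix", nix, NULL, MS_BIND|MS_REC, NULL)` punches the host's whole /nix tree through the overlay, so unlike the rest of the overlay root, writes under /nix from inside the sandbox land on the host; MS_BIND alone does not make the mount read-only, that takes a second `mount(nix, nix, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL)` after the bind (and MS_REC pulls in every submount, e.g. a writable /nix/var). On NixOS /nix/store is normally mounted read-only, but /nix itself is not, so either add that remount or record the decision in the comment, e.g. `// mount-bind /nix read-write: store paths must resolve; host /nix is shared, not overlaid`, unless a read-only remount outside the hunk already covers it. The neighbouring /dev and /run binds in the same hunk take the same shape, so this may be deliberate; the enclosing function starts and ends outside the hunk, with the second hunk freeing `nix` next to the other path buffers.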