author | Peter Hoeg <peter@hoeg.com> | 2018-07-14 21:04:11 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-07-14 21:04:11 +0800 |
commit | 6e3ee65b44b78a3de3a71419371682304e52d91c (patch) | |
tree | 1abddc608abad7d639d19f3f32b8cc9ef70b8972 /nixos | |
parent | 6d0578934fb076050b3dcc1b924a90b275f3b27c (diff) | |
parent | 65eb3a590d8d5657e3bf8534ddccc827aefc1862 (diff) | |
Merge pull request #43511 from peterhoeg/m/firejail
firejail: add nixos module
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1809.xml | 21 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/programs/firejail.nix | 48 |
3 files changed, 70 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml index 13b244e12f8c..7fd6483bca1a 100644 --- a/nixos/doc/manual/release-notes/rl-1809.xml +++ b/nixos/doc/manual/release-notes/rl-1809.xml @@ -19,6 +19,27 @@ <itemizedlist> <listitem> + <para> + Support for wrapping binaries using <literal>firejail</literal> has been + added through <varname>programs.firejail.wrappedBinaries</varname>. + </para> + <para> + For example + </para> +<programlisting> +programs.firejail = { + enable = true; + wrappedBinaries = { + firefox = "${lib.getBin pkgs.firefox}/bin/firefox"; + mpv = "${lib.getBin pkgs.mpv}/bin/mpv"; + }; +}; +</programlisting> + <para> + This will place <literal>firefox</literal> and <literal>mpv</literal> binaries in the global path wrapped by firejail. + </para> + </listitem> + <listitem> <para> User channels are now in the default <literal>NIX_PATH</literal>, allowing users to use their personal <command>nix-channel</command> defined diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 231c8474c99e..988693d924bf 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -86,6 +86,7 @@ ./programs/dconf.nix ./programs/digitalbitbox/default.nix ./programs/environment.nix + ./programs/firejail.nix ./programs/fish.nix ./programs/freetds.nix ./programs/gnupg.nix diff --git a/nixos/modules/programs/firejail.nix b/nixos/modules/programs/firejail.nix new file mode 100644 index 000000000000..46ee4bc0f7a0 --- /dev/null +++ b/nixos/modules/programs/firejail.nix 
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.programs.firejail;
+
+ wrappedBins = pkgs.stdenv.mkDerivation rec {
+ name = "firejail-wrapped-binaries";
+ nativeBuildInputs = with pkgs; [ makeWrapper ];
+ buildCommand = ''
+ mkdir -p $out/bin
+ ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: binary: ''
+ cat <<_EOF >$out/bin/${command}
+ #!${pkgs.stdenv.shell} -e
+ /run/wrappers/bin/firejail ${binary} "\$@"
+ _EOF
+ chmod 0755 $out/bin/${command}
+ '') cfg.wrappedBinaries)}
+ '';
+ };
+
+in {
+ options.programs.firejail = {
+ enable = mkEnableOption "firejail";
+
+ wrappedBinaries = mkOption {
+ type = types.attrs;
+ default = {};
+ description = ''
+ Wrap the binaries in firejail and place them in the global path.
+ </para>
+ <para>
+ You will get file collisions if you put the actual application binary in
+ the global environment and applications started via .desktop files are
+ not wrapped if they specify the absolute path to the binary.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";
+
+ environment.systemPackages = [ wrappedBins ];
+ };
+
+ meta.maintainers = with maintainers; [ peterhoeg ];
+} |
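Review bot: `wrappedBinaries` is typed `types.attrs` and each value is interpolated unquoted into the generated wrapper script (`/run/wrappers/bin/firejail ${binary} "\$@"`), so a non-string value is only rejected at build time and a target path containing whitespace or glob characters is word-split by the wrapper; the attribute name is likewise used unescaped as the file name in `$out/bin/${command}`. Tightening the option to `type = types.attrsOf types.path;` and quoting the target, `/run/wrappers/bin/firejail ${lib.escapeShellArg binary} "\$@"`, turns bad values into an evaluation-time error and makes the wrapper safe for any path. Separately, `security.wrappers.firejail.source` installs firejail through the setuid wrapper mechanism, which — if I read the `security.wrappers` defaults right — makes it a root-owned setuid binary reachable by every local user as soon as `enable = true`; a one-line comment on that line saying that firejail requires setuid root and that this exposure is intended would help readers of the module.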