author | Alyssa Ross <hi@alyssa.is> | 2020-04-27 21:04:56 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2020-04-27 21:04:56 +0000 |
commit | a4e6c7d26af697f4346cacb7ab18dcd7fcfc056e (patch) | |
tree | 47950e79183035018882419c4eff5047d1537b99 /nixpkgs/pkgs/os-specific/linux/firejail/default.nix | |
parent | 5b00523fb58512232b819a301c4309f579c7f09c (diff) | |
parent | 22a3bf9fb9edad917fb6cd1066d58b5e426ee975 (diff) | |
Merge commit '22a3bf9fb9edad917fb6cd1066d58b5e426ee975'
Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/firejail/default.nix')
-rw-r--r-- | nixpkgs/pkgs/os-specific/linux/firejail/default.nix | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/default.nix b/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
index 678592c03791..8c7a109cb76b 100644
--- a/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
@@ -36,10 +36,27 @@ stdenv.mkDerivation {
 sed -e "s@/etc/@$out/etc/@g" -e "/chmod u+s/d" -i Makefile
 '';
- # We need to set the directory for the .local override files to
- # /etc/firejail so we can actually override them
+ # The profile files provided with the firejail distribution include `.local`
+ # profile files using relative paths. The way firejail works when it comes to
+ # handling includes is by looking target files up in `~/.config/firejail`
+ # first, and then trying `SYSCONFDIR`. The latter normally points to
+ # `/etc/filejail`, but in the case of nixos points to the nix store. This
+ # makes it effectively impossible to place any profile files in
+ # `/etc/firejail`.
+ #
+ # The workaround applied below is by creating a set of `.local` files which
+ # only contain respective includes to `/etc/firejail`. This way
+ # `~/.config/firejail` still takes precedence, but `/etc/firejail` will also
+ # be searched in second order. This replicates the behaviour from
+ # non-nixos platforms.
+ #
+ # See https://github.com/netblue30/firejail/blob/e4cb6b42743ad18bd11d07fd32b51e8576239318/src/firejail/profile.c#L68-L83
+ # for the profile file lookup implementation.
 postInstall = ''
- sed -E -e 's@^include (.*.local)$@include /etc/firejail/\1@g' -i $out/etc/firejail/*.profile
+ for local in $(grep -Eh '^include.*local$' $out/etc/firejail/*.profile | awk '{print $2}' | sort | uniq)
+ do
+ echo "include /etc/firejail/$local" >$out/etc/firejail/$local
+ done
 '';
 # At high parallelism, the build sometimes fails with:
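Review bot: The pattern `'^include.*local$'` in the new `for` loop matches any include line that merely ends in `local`, and `$out` and `$local` are expanded unquoted in the redirect, so an unexpected include target would silently create or overwrite a file under `$out/etc/firejail`. Restricting the match to relative `.local` names, `grep -Eh '^include [^/ ]+\.local$'`, and quoting the target, `>"$out/etc/firejail/$local"`, keeps the stub generation to the files the comment describes. The new comment spells the default path `/etc/filejail`; it should read `/etc/firejail`. Because every shipped profile will now read `/etc/firejail/<name>.local`, the comment could also state that this directory is expected to be writable by root only, since those overrides presumably can loosen a profile as well as tighten it. The enclosing `stdenv.mkDerivation` block starts and ends outside the hunk.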
@@ -52,7 +69,7 @@ stdenv.mkDerivation {
 license = stdenv.lib.licenses.gpl2Plus ;
 maintainers = [stdenv.lib.maintainers.raskin];
 platforms = stdenv.lib.platforms.linux;
- homepage = https://firejail.wordpress.com/;
+ homepage = "https://firejail.wordpress.com/";
 downloadPage = "https://sourceforge.net/projects/firejail/files/firejail/";
 };
 } |