Merge commit '1a57d96edd156958b12782e8c8b6a374142a7248'

author: Alyssa Ross <hi@alyssa.is> 2021-01-15 10:30:44 +0000
committer: Alyssa Ross <hi@alyssa.is> 2021-01-15 10:30:44 +0000
commit: e0794be8a0d11e90461e5a9c85012a36b93ec976 (patch)
tree: efd9cbc55ea3322867bf601c4d536758a3dd5fcc /nixpkgs/pkgs/os-specific/linux/firejail
parent: 3538874082ded7647b1ccec0343c7c1e882cfef3 (diff)
parent: 1a57d96edd156958b12782e8c8b6a374142a7248 (diff)
download: nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar
nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.gz
nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.bz2
nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.lz
nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.xz
nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.zst
nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.zip
3 files changed, 51 insertions, 13 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/default.nix b/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
index 272b8612d7a7..a3be5484a047 100644
--- a/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
@@ -1,12 +1,12 @@
-{stdenv, fetchurl, fetchpatch, which, nixosTests}:
+{stdenv, fetchurl, fetchpatch, which, xdg-dbus-proxy, nixosTests}:
 let
   s = # Generated upstream information
   rec {
     baseName="firejail";
-    version="0.9.62";
+    version="0.9.64";
     name="${baseName}-${version}";
     url="mirror://sourceforge/firejail/firejail/firejail-${version}.tar.xz";
-    sha256="1q2silgy882fl61p5qa9f9jqkxcqnwa71jig3c729iahx4f0hs05";
+    sha256="1zgjwy2k57nx0r63fzr15gijah098ig0bll66jd615vc9q3snfz5";
   };
   buildInputs = [
     which
@@ -21,16 +21,12 @@ stdenv.mkDerivation {
   };
 
   patches = [
-    (fetchpatch {
-      name = "CVE-2020-17367.patch";
-      url = "https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch";
-      sha256 = "1gxz4jxp80gxnn46195qxcpmikwqab9d0ylj9zkm62lycp84ij6n";
-    })
-    (fetchpatch {
-      name = "CVE-2020-17368.patch";
-      url = "https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch";
-      sha256 = "0n4ch3qykxx870201l8lz81f7h84vk93pzz77f5cjbd30cxnbddl";
-    })
+    # Adds the /nix directory when using an overlay.
+    # Required to run any programs under this mode.
+    ./mount-nix-dir-on-overlay.patch
+    # By default fbuilder hardcodes the firejail binary to the install path.
+    # On NixOS the firejail binary is a setuid wrapper available in $PATH.
+    ./fbuilder-call-firejail-on-path.patch
   ];
 
   prePatch = ''
@@ -38,6 +34,10 @@ stdenv.mkDerivation {
     substituteInPlace etc/firejail.config --replace \
       '# follow-symlink-as-user yes' \
       'follow-symlink-as-user no'
+
+    # Fix the path to 'xdg-dbus-proxy' hardcoded in the 'common.h' file
+    substituteInPlace src/include/common.h \
+      --replace '/usr/bin/xdg-dbus-proxy' '${xdg-dbus-proxy}/bin/xdg-dbus-proxy'
   '';
 
   preConfigure = ''
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch b/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
new file mode 100644
index 000000000000..6016891655b1
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
@@ -0,0 +1,11 @@
+--- a/src/fbuilder/build_profile.c
++++ b/src/fbuilder/build_profile.c
+@@ -67,7 +67,7 @@
+ 		errExit("asprintf");
+ 
+ 	char *cmdlist[] = {
+-	  BINDIR "/firejail",
++	  "firejail",
+ 	  "--quiet",
+ 	  "--noprofile",
+ 	  "--caps.drop=all",
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch b/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
new file mode 100644
index 000000000000..685314f90758
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
@@ -0,0 +1,27 @@
+--- a/src/firejail/fs.c
++++ b/src/firejail/fs.c
+@@ -1143,6 +1143,16 @@
+ 		errExit("mounting /dev");
+ 	fs_logger("whitelist /dev");
+ 
++	// mount-bind /nix
++	if (arg_debug)
++		printf("Mounting /nix\n");
++	char *nix;
++	if (asprintf(&nix, "%s/nix", oroot) == -1)
++		errExit("asprintf");
++	if (mount("/nix", nix, NULL, MS_BIND|MS_REC, NULL) < 0)
++		errExit("mounting /nix");
++	fs_logger("whitelist /nix");
++
+ 	// mount-bind run directory
+ 	if (arg_debug)
+ 		printf("Mounting /run\n");
+@@ -1201,6 +1211,7 @@
+ 	free(odiff);
+ 	free(owork);
+ 	free(dev);
++	free(nix);
+ 	free(run);
+ 	free(tmp);
+ }
author	Alyssa Ross <hi@alyssa.is>	2021-01-15 10:30:44 +0000
committer	Alyssa Ross <hi@alyssa.is>	2021-01-15 10:30:44 +0000
commit	e0794be8a0d11e90461e5a9c85012a36b93ec976 (patch)
tree	efd9cbc55ea3322867bf601c4d536758a3dd5fcc /nixpkgs/pkgs/os-specific/linux/firejail
parent	3538874082ded7647b1ccec0343c7c1e882cfef3 (diff)
parent	1a57d96edd156958b12782e8c8b6a374142a7248 (diff)
download	nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.gz nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.bz2 nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.lz nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.xz nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.tar.zst nixlib-e0794be8a0d11e90461e5a9c85012a36b93ec976.zip