author | Jan Tojnar <jtojnar@gmail.com> | 2017-12-02 06:55:00 +0100 |
committer | Jan Tojnar <jtojnar@gmail.com> | 2017-12-02 20:34:30 +0100 |
commit | f816fe6fd3ff9121862eb849107f3e9dd5e0b42b (patch) | |
tree | d87407ed2220df66fb1f8551b8483e8746786c6e /pkgs/desktops | |
parent | 129aac73ec45a27dc2de1231a6a8eab88d541246 (diff) | |
gnome3.gnome_desktop: fix sandboxing
Diffstat (limited to 'pkgs/desktops')
-rw-r--r-- | pkgs/desktops/gnome-3/core/gnome-desktop/bubblewrap-paths.patch | 19 | ||||
-rw-r--r-- | pkgs/desktops/gnome-3/core/gnome-desktop/default.nix | 13 |
2 files changed, 30 insertions, 2 deletions
diff --git a/pkgs/desktops/gnome-3/core/gnome-desktop/bubblewrap-paths.patch b/pkgs/desktops/gnome-3/core/gnome-desktop/bubblewrap-paths.patch
new file mode 100644
index 000000000000..ee9b012b6e45
--- /dev/null
+++ b/pkgs/desktops/gnome-3/core/gnome-desktop/bubblewrap-paths.patch
@@ -0,0 +1,19 @@
+--- a/libgnome-desktop/gnome-desktop-thumbnail-script.c
++++ b/libgnome-desktop/gnome-desktop-thumbnail-script.c
+@@ -504,14 +504,10 @@
+ g_return_val_if_fail (script->s_infile != NULL, FALSE);
+ 
+ add_args (array,
+- "bwrap",
+- "--ro-bind", "/usr", "/usr",
+- "--ro-bind", "/lib", "/lib",
+- "--ro-bind", "/lib64", "/lib64",
++ "@BUBBLEWRAP_BIN@",
++ "--ro-bind", "/nix/store", "/nix/store",
+ "--proc", "/proc",
+ "--dev", "/dev",
+- "--symlink", "usr/bin", "/bin",
+- "--symlink", "usr/sbin", "/sbin",
+ "--chdir", "/",
+ "--setenv", "GIO_USE_VFS", "local",
+ "--unshare-all",
diff --git a/pkgs/desktops/gnome-3/core/gnome-desktop/default.nix b/pkgs/desktops/gnome-3/core/gnome-desktop/default.nix
index 27b6413e16e4..68ec28e93b6e 100644
--- a/pkgs/desktops/gnome-3/core/gnome-desktop/default.nix
+++ b/pkgs/desktops/gnome-3/core/gnome-desktop/default.nix
@@ -1,6 +1,6 @@
 { stdenv, fetchurl, pkgconfig, python, libxml2Python, libxslt, which, libX11, gnome3, gtk3, glib
 , intltool, gnome_doc_utils, libxkbfile, xkeyboard_config, isocodes, itstool, wayland
-, libseccomp, gobjectIntrospection }:
+, libseccomp, bubblewrap, gobjectIntrospection }:
 
 stdenv.mkDerivation rec {
 inherit (import ./src.nix fetchurl) name src;
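Review bot: The new `"--ro-bind", "/nix/store", "/nix/store"` line in the inner hunk exposes the entire store read-only inside the thumbnailer sandbox, whereas the replaced lines bound only `/usr`, `/lib` and `/lib64`; the store is world-readable anyway, so no data becomes newly readable, but a compromised thumbnailer now has every store path available to read and execute rather than a minimal set, and it would be worth recording that trade-off in the patch, e.g. `# Bind the whole store read-only: the thumbnailer's closure is not known here, and the store is world-readable already.` The store directory is also hard-coded while the bwrap binary goes through `@BUBBLEWRAP_BIN@`; substituting it the same way (a `@NIX_STORE@`-style placeholder filled from the store dir) would keep the two consistent for non-default store locations. Dropping the `--symlink usr/bin /bin` and `usr/sbin /sbin` entries leaves no `/bin` in the sandbox, so any thumbnailer whose command is resolved through `/bin/sh` would presumably fail; I cannot see from this hunk how the script command is resolved, so please confirm that. The enclosing function in gnome-desktop-thumbnail-script.c starts and ends outside the hunk.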
@@ -13,12 +13,21 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig which itstool intltool libxslt gnome_doc_utils gobjectIntrospection ]; - buildInputs = [ python libxml2Python libX11 + buildInputs = [ python libxml2Python libX11 bubblewrap xkeyboard_config isocodes wayland gtk3 glib libxkbfile libseccomp ]; propagatedBuildInputs = [ gnome3.gsettings_desktop_schemas ]; + patches = [ + ./bubblewrap-paths.patch + ]; + + postPatch = '' + substituteInPlace libgnome-desktop/gnome-desktop-thumbnail-script.c --subst-var-by \ + BUBBLEWRAP_BIN "${bubblewrap}/bin/bwrap" + ''; + meta = with stdenv.lib; { platforms = platforms.linux; maintainers = gnome3.maintainers; |
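Review bot: The added `patches = [ ./bubblewrap-paths.patch ];` and `postPatch` block carry no explanation of why the upstream sandbox needs patching, which the next maintainer will want when the hunk at line 504 stops applying on an update; a comment above `patches = [` such as `# The thumbnailer's bwrap sandbox binds FHS paths (/usr, /lib, /lib64) that do not exist here; bind /nix/store and our own bwrap instead.` would cover it. Adding `bubblewrap` to `buildInputs` looks redundant: it is only used at run time through the absolute path substituted in `postPatch`, and the `${bubblewrap}` interpolation already makes it an input and keeps it in the closure, so listing it as a build input is presumably harmless but unnecessary. The `--subst-var-by` call silently does nothing if `@BUBBLEWRAP_BIN@` is absent; that is acceptable here only because the patch itself fails the build if it does not apply, which is worth a line in the same comment.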