Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/firejail')
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firejail/default.nix38
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch18
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch8
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firejail/remove-link-check.patch48
4 files changed, 38 insertions, 74 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/default.nix b/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
index 47fce3df5332..c3dc819b5bcf 100644
--- a/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
@@ -1,17 +1,37 @@
-{ lib, stdenv, fetchFromGitHub, fetchpatch, which, xdg-dbus-proxy, nixosTests }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, pkg-config
+, libapparmor
+, which
+, xdg-dbus-proxy
+, nixosTests
+}:
 
 stdenv.mkDerivation rec {
   pname = "firejail";
-  version = "0.9.66";
+  version = "0.9.68";
 
   src = fetchFromGitHub {
     owner = "netblue30";
     repo = "firejail";
     rev = version;
-    sha256 = "sha256-oKstTiGt0r4wePaZ9u1o78GZ1XWJ27aS0BdLxmfYk9Q=";
+    sha256 = "18yy1mykx7h78yj7sz729i3dlsrgi25m17m5x9gbrvsx7f87rw7j";
   };
 
-  buildInputs = [ which ];
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    libapparmor
+    which
+  ];
+
+  configureFlags = [
+    "--enable-apparmor"
+  ];
 
   patches = [
     # Adds the /nix directory when using an overlay.
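Review bot: The new `"--enable-apparmor"` in `configureFlags` only compiles in the AppArmor hooks; nothing in this hunk installs or loads the `firejail-default` profile that firejail's `apparmor` directive switches to at runtime, so a host without that profile loaded presumably gets no AppArmor confinement at all (from memory firejail warns and continues rather than failing closed — confirm in src/firejail/sandbox.c). I would record that on the flag: `# Builds the AppArmor hooks only; the firejail-default profile from etc/apparmor/ must still be loaded on the host (security.apparmor) or the "apparmor" profile directive is a no-op`. The hash also moved from SRI (`sha256-…`) back to base32, which is harmless but worth keeping consistent with the rest of the file on the next bump. The `mkDerivation` body continues past the end of this hunk.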
@@ -20,17 +40,9 @@ stdenv.mkDerivation rec {
     # By default fbuilder hardcodes the firejail binary to the install path.
     # On NixOS the firejail binary is a setuid wrapper available in $PATH.
     ./fbuilder-call-firejail-on-path.patch
-    # Disable symlink check on /etc/hosts, see
-    # https://github.com/netblue30/firejail/issues/2758#issuecomment-805174951
-    ./remove-link-check.patch
   ];
 
   prePatch = ''
-    # Allow whitelisting ~/.nix-profile
-    substituteInPlace etc/firejail.config --replace \
-      '# follow-symlink-as-user yes' \
-      'follow-symlink-as-user no'
-
     # Fix the path to 'xdg-dbus-proxy' hardcoded in the 'common.h' file
     substituteInPlace src/include/common.h \
       --replace '/usr/bin/xdg-dbus-proxy' '${xdg-dbus-proxy}/bin/xdg-dbus-proxy'
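Review bot: The two dropped NixOS workarounds — the `follow-symlink-as-user no` override and `remove-link-check.patch` — leave no comment saying why 0.9.68 no longer needs them, so the next version bump has nothing to re-check against. Going back to upstream's `follow-symlink-as-user yes` is presumably the safer setting (symlinks under a whitelisted path are no longer followed unconditionally), and the `/etc/hosts` link check was presumably relaxed upstream, but both are inferences; if the `~/.nix-profile` whitelist still resolves, a comment in `patches` such as `# 0.9.68 no longer needs the /etc/hosts link-check patch (issue #2758) or the follow-symlink-as-user override for ~/.nix-profile; re-verify on bump` would make that explicit. The `prePatch` string and the enclosing derivation extend beyond this hunk.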
@@ -62,7 +74,7 @@ stdenv.mkDerivation rec {
   # See https://github.com/netblue30/firejail/blob/e4cb6b42743ad18bd11d07fd32b51e8576239318/src/firejail/profile.c#L68-L83
   # for the profile file lookup implementation.
   postInstall = ''
-    for local in $(grep -Eh '^include.*local$' $out/etc/firejail/*.profile | awk '{print $2}' | sort | uniq)
+    for local in $(grep -Eh '^include.*local$' $out/etc/firejail/*{.inc,.profile} | awk '{print $2}' | sort | uniq)
     do
       echo "include /etc/firejail/$local" >$out/etc/firejail/$local
     done
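Review bot: The profile-lookup reference above the loop is pinned to an upstream commit that predates 0.9.68, while the loop itself now also generates `/etc/firejail/*.local` override stubs for includes found in `.inc` files; the comment should say whether `.inc` includes resolve the same way, or point at the 0.9.68 revision of profile.c. Something like `# .inc files are scanned as well since 0.9.68: their "include *.local" lines resolve through the same /etc/firejail lookup` (hedged until checked against the new profile.c) would keep the override hook documented. Note this means host-side, root-owned `/etc/firejail/*.local` files override store profiles reached through `.inc` too, which is the intended behaviour but widens the set of files that must stay root-writable only.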
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch b/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
index 6016891655b1..548bb80e7bf7 100644
--- a/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
@@ -1,11 +1,11 @@
 --- a/src/fbuilder/build_profile.c
 +++ b/src/fbuilder/build_profile.c
-@@ -67,7 +67,7 @@
- 		errExit("asprintf");
- 
- 	char *cmdlist[] = {
--	  BINDIR "/firejail",
-+	  "firejail",
- 	  "--quiet",
- 	  "--noprofile",
- 	  "--caps.drop=all",
+@@ -48,7 +48,7 @@
+ 	// build command
+ 	char *cmd[len];
+ 	unsigned curr_len = 0;
+-	cmd[curr_len++] = BINDIR "/firejail";
++	cmd[curr_len++] = "firejail";
+ 	cmd[curr_len++] = "--quiet";
+ 	cmd[curr_len++] = "--noprofile";
+ 	cmd[curr_len++] = "--caps.drop=all";
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch b/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
index 685314f90758..6493eb4fdf26 100644
--- a/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
@@ -1,6 +1,6 @@
---- a/src/firejail/fs.c
-+++ b/src/firejail/fs.c
-@@ -1143,6 +1143,16 @@
+--- a/src/firejail/fs_overlayfs.c
++++ b/src/firejail/fs_overlayfs.c
+@@ -327,6 +327,16 @@
  		errExit("mounting /dev");
  	fs_logger("whitelist /dev");
  
@@ -17,7 +17,7 @@
  	// mount-bind run directory
  	if (arg_debug)
  		printf("Mounting /run\n");
-@@ -1201,6 +1211,7 @@
+@@ -384,6 +394,7 @@
  	free(odiff);
  	free(owork);
  	free(dev);
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/remove-link-check.patch b/nixpkgs/pkgs/os-specific/linux/firejail/remove-link-check.patch
deleted file mode 100644
index 477df57a2411..000000000000
--- a/nixpkgs/pkgs/os-specific/linux/firejail/remove-link-check.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From ccc726f8ec877d8cda720daa2498e43629b6dd48 Mon Sep 17 00:00:00 2001
-From: Jonas Heinrich <onny@project-insanity.org>
-Date: Sun, 19 Sep 2021 11:48:06 +0200
-Subject: [PATCH 1/2] remove hosts file link check
-
----
- src/firejail/fs_hostname.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
-index 42255070c4..97ce70f9c1 100644
---- a/src/firejail/fs_hostname.c
-+++ b/src/firejail/fs_hostname.c
-@@ -132,10 +132,6 @@ char *fs_check_hosts_file(const char *fname) {
- 	invalid_filename(fname);
- 	char *rv = expand_home(fname, cfg.homedir);
- 
--	// no a link
--	if (is_link(rv))
--		goto errexit;
--
- 	// the user has read access to the file
- 	if (access(rv, R_OK))
- 		goto errexit;
-
-From c2c51e7ca56075e7388b4f50922b148615d1b125 Mon Sep 17 00:00:00 2001
-From: Jonas Heinrich <onny@project-insanity.org>
-Date: Sun, 19 Sep 2021 11:49:08 +0200
-Subject: [PATCH 2/2] remove hosts file link check
-
----
- src/firejail/fs_hostname.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
-index 97ce70f9c1..b228707131 100644
---- a/src/firejail/fs_hostname.c
-+++ b/src/firejail/fs_hostname.c
-@@ -154,9 +154,6 @@ void fs_mount_hosts_file(void) {
- 	struct stat s;
- 	if (stat("/etc/hosts", &s) == -1)
- 		goto errexit;
--	// not a link
--	if (is_link("/etc/hosts"))
--		goto errexit;
- 	// owned by root
- 	if (s.st_uid != 0)
- 		goto errexit;