From f816fe6fd3ff9121862eb849107f3e9dd5e0b42b Mon Sep 17 00:00:00 2001
From: Jan Tojnar
Date: Sat, 2 Dec 2017 06:55:00 +0100
Subject: gnome3.gnome_desktop: fix sandboxing

---
 .../gnome-3/core/gnome-desktop/bubblewrap-paths.patch | 19 +++++++++++++++++++
 pkgs/desktops/gnome-3/core/gnome-desktop/default.nix | 13 +++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 pkgs/desktops/gnome-3/core/gnome-desktop/bubblewrap-paths.patch

(limited to 'pkgs/desktops')

diff --git a/pkgs/desktops/gnome-3/core/gnome-desktop/bubblewrap-paths.patch b/pkgs/desktops/gnome-3/core/gnome-desktop/bubblewrap-paths.patch
new file mode 100644
index 000000000000..ee9b012b6e45
--- /dev/null
+++ b/pkgs/desktops/gnome-3/core/gnome-desktop/bubblewrap-paths.patch
@@ -0,0 +1,19 @@
+--- a/libgnome-desktop/gnome-desktop-thumbnail-script.c
++++ b/libgnome-desktop/gnome-desktop-thumbnail-script.c
+@@ -504,14 +504,10 @@
+ g_return_val_if_fail (script->s_infile != NULL, FALSE);
+
+ add_args (array,
+- "bwrap",
+- "--ro-bind", "/usr", "/usr",
+- "--ro-bind", "/lib", "/lib",
+- "--ro-bind", "/lib64", "/lib64",
++ "@BUBBLEWRAP_BIN@",
++ "--ro-bind", "/nix/store", "/nix/store",
+ "--proc", "/proc",
+ "--dev", "/dev",
+- "--symlink", "usr/bin", "/bin",
+- "--symlink", "usr/sbin", "/sbin",
+ "--chdir", "/",
+ "--setenv", "GIO_USE_VFS", "local",
+ "--unshare-all",
diff --git a/pkgs/desktops/gnome-3/core/gnome-desktop/default.nix b/pkgs/desktops/gnome-3/core/gnome-desktop/default.nix
index 27b6413e16e4..68ec28e93b6e 100644
--- a/pkgs/desktops/gnome-3/core/gnome-desktop/default.nix
+++ b/pkgs/desktops/gnome-3/core/gnome-desktop/default.nix
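Review bot: The new `--ro-bind` line hard-codes `/nix/store` while the `bwrap` binary is a substituted `@BUBBLEWRAP_BIN@` placeholder; on a system with a non-default store directory bwrap would fail on the missing bind source and every sandboxed thumbnailer would stop working (it fails closed, but silently from the user's point of view). Keeping the store path symbolic as well, e.g. `"--ro-bind", "@NIX_STORE@", "@NIX_STORE@",` paired with a `--subst-var-by NIX_STORE "${builtins.storeDir}"` in the same `postPatch`, keeps both substitutions consistent. Dropping the `--symlink usr/bin /bin` lines also leaves no `/bin/sh` inside the sandbox; that is fine for store-path thumbnailers with patched shebangs, but any `.thumbnailer` `Exec=` line that relies on `/bin/sh` would presumably fail — worth confirming before merging. The function containing this `add_args` call starts before and continues after the inner hunk, so the fallback when bwrap itself cannot start (e.g. unprivileged user namespaces disabled) is not visible here.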
@@ -1,6 +1,6 @@
 { stdenv, fetchurl, pkgconfig, python, libxml2Python, libxslt, which, libX11, gnome3, gtk3, glib
 , intltool, gnome_doc_utils, libxkbfile, xkeyboard_config, isocodes, itstool, wayland
-, libseccomp, gobjectIntrospection }:
+, libseccomp, bubblewrap, gobjectIntrospection }:

 stdenv.mkDerivation rec {
 inherit (import ./src.nix fetchurl) name src;
@@ -13,12 +13,21 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ pkgconfig which itstool intltool libxslt gnome_doc_utils gobjectIntrospection ];

- buildInputs = [ python libxml2Python libX11
+ buildInputs = [ python libxml2Python libX11 bubblewrap
 xkeyboard_config isocodes wayland gtk3 glib libxkbfile libseccomp ];

 propagatedBuildInputs = [ gnome3.gsettings_desktop_schemas ];

+ patches = [
+ ./bubblewrap-paths.patch
+ ];
+
+ postPatch = ''
+ substituteInPlace libgnome-desktop/gnome-desktop-thumbnail-script.c --subst-var-by \
+ BUBBLEWRAP_BIN "${bubblewrap}/bin/bwrap"
+ '';
+
 meta = with stdenv.lib; {
 platforms = platforms.linux;
 maintainers = gnome3.maintainers;
-- cgit 1.4.1