{ config, lib, pkgs, ... }:

with lib;

let
  # Values of the programs.firejail options declared below.
  cfg = config.programs.firejail;

  # The firejail package. It supplies both the binary that becomes the setuid
  # wrapper and the bundled per-application profiles under etc/firejail.
  fj = pkgs.firejail;
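# Shell snippet appended to environment.extraSetup when cfg.firecfg is set.
# For every command in the system path that has a same-named profile in the
# firejail package, the symlink is replaced by a small script that runs the
# original store path under the setuid firejail wrapper with that profile.
# The target is resolved at build time and baked into the script, so the
# sandboxed program is pinned to the store path that was linked when the
# system path was built.
#
# NOTE(review): scripts produced by wrappedBins also appear here as symlinks;
# one whose command name has a profile would be wrapped a second time.
# Confirm that is intended.
wrapPkgs = ''
  for bin in $out/bin $out/sbin; do
    # Not every system path links an sbin directory; skip rather than fail.
    [[ -d "$bin" ]] || continue
    for entry in "$bin"/*; do
      # buildEnv populates the path with symlinks into the store. Anything
      # else (a regular file, or the literal '*' of an empty directory)
      # cannot be resolved to a target and is left alone.
      [[ -L "$entry" ]] || continue
      c=$(basename "$entry")
      # Command substitution, not 'readlink | read': the pipeline form runs
      # read in a subshell and leaves $original empty in this shell.
      original=$(readlink "$entry")
      profile="${fj}/etc/firejail/$c.profile"
      if [[ -e "$profile" ]]; then
        # Remove the symlink first; writing through it would try to modify
        # the read-only store path it points at.
        rm -f "$entry"
        # $0 is escaped so the wrapper passes its own runtime argv[0] on,
        # instead of the build shell's name captured at build time.
        cat <<_EOF >"$entry"
  #!${pkgs.stdenv.shell} -e
  exec -a "\$0" /run/wrappers/bin/firejail "--profile=$profile" "$original" "\$@"
  _EOF
        chmod 0755 "$entry"
      fi
    done
  done
'';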
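# Derivation holding one wrapper script per entry of cfg.wrappedBinaries.
# The attribute name becomes the command placed in $out/bin; the attribute
# value is what firejail is told to run. No profile is passed here, so
# firejail chooses its own handling for the target.
wrappedBins = pkgs.stdenv.mkDerivation {
  name = "firejail-wrapped-binaries";
  # NOTE(review): makeWrapper is not used by buildCommand below; it is kept
  # so the build inputs stay as they were.
  nativeBuildInputs = with pkgs; [ makeWrapper ];
  buildCommand = ''
    mkdir -p $out/bin
    ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: target: ''
    # The target is interpolated unquoted into the script, so a value
    # containing whitespace is split into several arguments.
    # $0 is escaped so the wrapper forwards its own runtime argv[0] rather
    # than the build shell's name captured when this script was generated.
    cat <<_EOF >$out/bin/${command}
    #!${pkgs.stdenv.shell} -e
    exec -a "\$0" /run/wrappers/bin/firejail ${target} "\$@"
    _EOF
    chmod 0755 $out/bin/${command}
    '') cfg.wrappedBinaries)}
  '';
};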
in {
  options.programs.firejail = {
    enable = mkEnableOption "firejail";

    # Same as mkEnableOption with the default flipped to true.
    # NOTE(review): the description names firecfg, but the implementation in
    # wrapPkgs rewrites system-path symlinks itself rather than invoking the
    # firecfg tool; confirm the wording matches the intended behaviour.
    firecfg = mkOption {
      type = types.bool;
      default = true;
      example = true;
      description = "Whether to enable automatic setup of links and desktop files via firecfg.";
    };

    # Attribute name -> program to run. Values are spliced unquoted into the
    # generated wrapper script by wrappedBins, so they are expected to be
    # store paths or simple command strings.
    wrappedBinaries = mkOption {
      type = types.attrs;
      default = { };
      description = ''
        Wrap the binaries in firejail and place them in the global path.
        </para>
        <para>
        You will get file collisions if you put the actual application binary in
        the global environment and applications started via .desktop files are
        not wrapped if they specify the absolute path to the binary.
      '';
    };
  };
config = mkIf cfg.enable {
security.wrappers.firejail.source = "${lib.getBin fj}/bin/firejail";
environment.systemPackages = [ wrappedBins ];
environment.extraSetup = optionalString cfg.firecfg wrapPkgs;
};
meta.maintainers = with maintainers; [ peterhoeg ];
}