New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/firejail: add wrappedPackages option #45469
Conversation
0fc54a0
to
1b9e616
Compare
This is a reminder for myself: I should try to do this using |
nixos/modules/programs/firejail.nix
Outdated
name = "firejail-" + pkg.name; | ||
buildCommand = '' | ||
mkdir -p $out | ||
ln -s ${pkg}/* $out |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should quote variables like ${pkg}
and $out
as they may contain spaces (in case of a store path with spaces) and confuse bash.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Be careful not to include the glob in the quote though, so "${pkg}"/*
nixos/modules/programs/firejail.nix
Outdated
buildCommand = '' | ||
mkdir -p $out | ||
ln -s ${pkg}/* $out | ||
rm $out/bin |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if the package doesn't have a bin
directory? Doesn't make much sense in combination with firejail, but might happen. In that case there should probably be a useful error message.
nixos/modules/programs/firejail.nix
Outdated
ln -s ${pkg}/* $out | ||
rm $out/bin | ||
mkdir $out/bin | ||
for bin in ${pkg}/bin/*; do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the variable name bin
is confusing here. Maybe dir
instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are actual extecutables.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh nevermind, I don't know why I thought they were subdirectories.
nixos/modules/programs/firejail.nix
Outdated
rm $out/bin | ||
mkdir $out/bin | ||
for bin in ${pkg}/bin/*; do | ||
newbin="$out/bin/$(basename $bin)" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
$bin
should also be quoted. $()
allows nested quotes, so
newbin="$out/bin/$( basename "$bin")"
Although why is basename
even needed here?
nixos/modules/programs/firejail.nix
Outdated
mkdir $out/bin | ||
for bin in ${pkg}/bin/*; do | ||
newbin="$out/bin/$(basename $bin)" | ||
cat <<_EOF >$newbin |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why the underscore? $newbin
needs to be quoted as well.
nixos/modules/programs/firejail.nix
Outdated
newbin="$out/bin/$(basename $bin)" | ||
cat <<_EOF >$newbin | ||
#!${pkgs.stdenv.shell} -e | ||
/run/wrappers/bin/firejail $bin "\$@" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
quote
nixos/modules/programs/firejail.nix
Outdated
#!${pkgs.stdenv.shell} -e | ||
/run/wrappers/bin/firejail $bin "\$@" | ||
_EOF | ||
chmod 0755 $newbin |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
quote
Using this, not only the wrapped binaries but also all other directories from the derivations are put into /run/current-system/sw. This is useful if you need desktop entries, icons, etc.
1b9e616
to
a85e19b
Compare
pkgs.symlinkJoin { | ||
name = "firejail-" + pkg.name; | ||
paths = [ pkg ]; | ||
buildInputs = with pkgs; [ tree ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this should be needed as a build input. All of the below commands are included in stdenv.
buildInputs = with pkgs; [ tree ]; | ||
postBuild = '' | ||
for bin in $(find "$out/bin" -type l); do | ||
oldbin="$(readlink "$bin")" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be indented here.
@@ -20,13 +19,37 @@ let | |||
''; | |||
}; | |||
|
|||
wrappedPkgs = map (pkg: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think naming here is a little confusing. wrappedPkgs vs wrappedPackages seems like they should be the same thing (although I suppose it's not any worse than wrappedBins vs wrappedBinaries).
for bin in $(find "$out/bin" -type l); do | ||
oldbin="$(readlink "$bin")" | ||
rm "$bin" | ||
cat <<_EOF >"$bin" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of manually creating shell scripts (they are admittedly basic), just use makeWrapper.
makeWrapper $bin /run/wrappers/bin/firejail \
--argv0 $bin \
--add-flags $oldbin
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried this before analyzing it and it failed with mkdir: cannot create directory '/run': Permission denied
because the second argument to makeWrapper is the destination it tries to create. I don't see how makeWrapper could be made to work here.
Any updates on this pull request, please? |
Thank you for your contributions.
|
still important to me |
@xfix Feel free to finish this based on my work. I think we should mention in the docs that desktop files stating an absolute path will start non-wrapped binaries. Maybe we could implement some check & warning for that. |
Or how about a wrapper for use by .desktop files which could then be used for firejail, bubblewrap, systemd-run, etc?
|
Replaced by #108204 |
Motivation for this change
Using this, not only the wrapped binaries but also all other directories from the derivations are put into
/run/current-system/sw
. This is useful if you need desktop entries, icons, etc.My
buildCommand
is certainly far from perfect because I'm not good at programming bash. I'm open for suggestions.Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)cc @peterhoeg @adisbladis