nixos/firejail: add wrappedPackages option #45469
Conversation
dotlambda
force-pushed
the
firejail-wrapped-packages
branch
from
0fc54a0
to
1b9e616
Compare
|
This is a reminder for myself: I should try to do this using |
nixos/modules/programs/firejail.nix
Outdated
| name = "firejail-" + pkg.name; | ||
| buildCommand = '' | ||
| mkdir -p $out | ||
| ln -s ${pkg}/* $out |
There was a problem hiding this comment.
You should quote variables like ${pkg} and $out as they may contain spaces (in case of a store path with spaces) and confuse bash.
There was a problem hiding this comment.
Be careful not to include the glob in the quote though, so "${pkg}"/*
nixos/modules/programs/firejail.nix
Outdated
| buildCommand = '' | ||
| mkdir -p $out | ||
| ln -s ${pkg}/* $out | ||
| rm $out/bin |
There was a problem hiding this comment.
What if the package doesn't have a bin directory? Doesn't make much sense in combination with firejail, but might happen. In that case there should probably be a useful error message.
nixos/modules/programs/firejail.nix
Outdated
| ln -s ${pkg}/* $out | ||
| rm $out/bin | ||
| mkdir $out/bin | ||
| for bin in ${pkg}/bin/*; do |
There was a problem hiding this comment.
I think the variable name bin is confusing here. Maybe dir instead?
There was a problem hiding this comment.
These are actual extecutables.
There was a problem hiding this comment.
Oh nevermind, I don't know why I thought they were subdirectories.
nixos/modules/programs/firejail.nix
Outdated
| rm $out/bin | ||
| mkdir $out/bin | ||
| for bin in ${pkg}/bin/*; do | ||
| newbin="$out/bin/$(basename $bin)" |
There was a problem hiding this comment.
$bin should also be quoted. $() allows nested quotes, so
newbin="$out/bin/$( basename "$bin")"
Although why is basename even needed here?
nixos/modules/programs/firejail.nix
Outdated
| mkdir $out/bin | ||
| for bin in ${pkg}/bin/*; do | ||
| newbin="$out/bin/$(basename $bin)" | ||
| cat <<_EOF >$newbin |
There was a problem hiding this comment.
Why the underscore? $newbin needs to be quoted as well.
nixos/modules/programs/firejail.nix
Outdated
| newbin="$out/bin/$(basename $bin)" | ||
| cat <<_EOF >$newbin | ||
| #!${pkgs.stdenv.shell} -e | ||
| /run/wrappers/bin/firejail $bin "\$@" |
nixos/modules/programs/firejail.nix
Outdated
| #!${pkgs.stdenv.shell} -e | ||
| /run/wrappers/bin/firejail $bin "\$@" | ||
| _EOF | ||
| chmod 0755 $newbin |
Using this, not only the wrapped binaries but also all other directories from the derivations are put into /run/current-system/sw. This is useful if you need desktop entries, icons, etc.
dotlambda
force-pushed
the
firejail-wrapped-packages
branch
from
1b9e616
to
a85e19b
Compare
| pkgs.symlinkJoin { | ||
| name = "firejail-" + pkg.name; | ||
| paths = [ pkg ]; | ||
| buildInputs = with pkgs; [ tree ]; |
There was a problem hiding this comment.
I don't think this should be needed as a build input. All of the below commands are included in stdenv.
| buildInputs = with pkgs; [ tree ]; | ||
| postBuild = '' | ||
| for bin in $(find "$out/bin" -type l); do | ||
| oldbin="$(readlink "$bin")" |
| @@ -20,13 +19,37 @@ let | |||
| ''; | |||
| }; | |||
|
|
|||
| wrappedPkgs = map (pkg: | |||
There was a problem hiding this comment.
I think naming here is a little confusing. wrappedPkgs vs wrappedPackages seems like they should be the same thing (although I suppose it's not any worse than wrappedBins vs wrappedBinaries).
| for bin in $(find "$out/bin" -type l); do | ||
| oldbin="$(readlink "$bin")" | ||
| rm "$bin" | ||
| cat <<_EOF >"$bin" |
There was a problem hiding this comment.
Instead of manually creating shell scripts (they are admittedly basic), just use makeWrapper.
makeWrapper $bin /run/wrappers/bin/firejail \
--argv0 $bin \
--add-flags $oldbin
There was a problem hiding this comment.
I tried this before analyzing it and it failed with mkdir: cannot create directory '/run': Permission denied because the second argument to makeWrapper is the destination it tries to create. I don't see how makeWrapper could be made to work here.
|
Any updates on this pull request, please? |
|
Thank you for your contributions.
|
stale
bot
added
the
2.status: stale
|
still important to me |
stale
bot
removed
the
2.status: stale
|
@xfix Feel free to finish this based on my work. I think we should mention in the docs that desktop files stating an absolute path will start non-wrapped binaries. Maybe we could implement some check & warning for that. |
|
Or how about a wrapper for use by .desktop files which could then be used for firejail, bubblewrap, systemd-run, etc?
|
|
Replaced by #108204 |
Motivation for this change
Using this, not only the wrapped binaries but also all other directories from the derivations are put into
/run/current-system/sw. This is useful if you need desktop entries, icons, etc.My
buildCommandis certainly far from perfect because I'm not good at programming bash. I'm open for suggestions.Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)cc @peterhoeg @adisbladis