Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP]nixos/firejail:added program.firejail.firecfg option #64448

Closed
wants to merge 3 commits into from
Closed

[WIP]nixos/firejail:added program.firejail.firecfg option #64448

wants to merge 3 commits into from

Conversation

pasqui23
Copy link
Contributor

@pasqui23 pasqui23 commented Jul 8, 2019
edited

Motivation for this change

The firecfg program already knows how to wrap the correct comands and desktop files

Things done

Still work in progress

nixos-rebuild build -I nixpkgs=.                                            
building Nix...
building the system configuration...
these derivations will be built:
  /nix/store/j69786fjsxpgv8lbfcck72ar2lgppar1-system-path.drv
  /nix/store/c0496dynbfbjnhwvg8gnk1v5565s7spp-dbus-1.drv
  /nix/store/q6nk3hx6jilcyrqfzkxlirw9x5y8r433-unit-dbus.service.drv
  /nix/store/j86vgqzw8vlr7cqg2j79shczprxl2w68-user-units.drv
  /nix/store/9saqvr99mcbg2s1z8ppcjzfa53b7827z-unit-dbus.service.drv
  /nix/store/d9s25xipg5cszpm2dqzmm44n72ybjnvp-unit-polkit.service.drv
  /nix/store/v1dhqmyk7vpjwf96pwzzg2bc98kckgfr-unit-systemd-fsck-.service.drv
  /nix/store/n7i2b9bgbr50ns9g31dn746wjlsl5qh6-system-units.drv
  /nix/store/v5pl243kw0by169dd0cslgq56p6wy2w8-etc.drv
  /nix/store/561i4mbfabqrlr3ylc813zpz0pqnnd95-nixos-system-nixos-19.09.git.9cc8f88.drv
building '/nix/store/j69786fjsxpgv8lbfcck72ar2lgppar1-system-path.drv'...
created 6818 symlinks in user environment
cp: -r not specified; omitting directory '/nix/store/9p6z02r5bmkzqz87fkbh0llj3iwdynrr-system-path'
builder for '/nix/store/j69786fjsxpgv8lbfcck72ar2lgppar1-system-path.drv' failed with exit code 1
cannot build derivation '/nix/store/c0496dynbfbjnhwvg8gnk1v5565s7spp-dbus-1.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/d9s25xipg5cszpm2dqzmm44n72ybjnvp-unit-polkit.service.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/v1dhqmyk7vpjwf96pwzzg2bc98kckgfr-unit-systemd-fsck-.service.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/9saqvr99mcbg2s1z8ppcjzfa53b7827z-unit-dbus.service.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/q6nk3hx6jilcyrqfzkxlirw9x5y8r433-unit-dbus.service.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/n7i2b9bgbr50ns9g31dn746wjlsl5qh6-system-units.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/j86vgqzw8vlr7cqg2j79shczprxl2w68-user-units.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/v5pl243kw0by169dd0cslgq56p6wy2w8-etc.drv': 4 dependencies couldn't be built
cannot build derivation '/nix/store/561i4mbfabqrlr3ylc813zpz0pqnnd95-nixos-system-nixos-19.09.git.9cc8f88.drv': 2 dependencies couldn't be built
error: build of '/nix/store/561i4mbfabqrlr3ylc813zpz0pqnnd95-nixos-system-nixos-19.09.git.9cc8f88.drv' failed
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@nixos-discourse
Copy link

This pull request has been mentioned on Nix community. There might be relevant details there:

https://discourse.nixos.org/t/how-to-chroot-in-builder/3408/1

matthewbauer
matthewbauer reviewed Jul 8, 2019
View reviewed changes
nixos/modules/programs/firejail.nix Outdated
environment.extraSetup = optionalString cfg.firecfg ''
mkdir tmp
cp -r $out tmp
chroot tmp firecfg
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think chroot could ever work in a Nix builder as it requires root. You might be able to use unshare, however: http://man7.org/linux/man-pages/man1/unshare.1.html

In this cast though, I think it might be best to patch firecfg to support a --prefix option that it can look in instead of /usr.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes,it does have a --bindir option that does exactly that.
However,now it expects a username(see https://github.com/netblue30/firejail/blob/5e09cfb4f901d944c0418fcb041d4e96448028a2/src/firecfg/main.c#L286 )
How do I get the name of the current builder?

@stale
Copy link

stale bot commented Jun 1, 2020

Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the
    related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse. 3. Ask on the #nixos channel on
    irc.freenode.net.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 1, 2020
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 3, 2020
@stale
Copy link

stale bot commented Jun 5, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 5, 2021
@pasqui23 pasqui23 closed this Jun 5, 2021
@pasqui23 pasqui23 deleted the fj2 branch June 5, 2021 09:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matthewbauer matthewbauer matthewbauer left review comments

Assignees
No one assigned
Labels
2.status: merge conflict 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 2.status: work-in-progress 6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@pasqui23 @nixos-discourse @matthewbauer @ryantm @samueldr