mirror of
https://github.com/SebastianWendel/nixpkgs.git
synced 2024-09-20 04:19:00 +02:00
Merge pull request #43511 from peterhoeg/m/firejail
firejail: add nixos module
This commit is contained in:
Peter Hoeg
GitHub
commit
6e3ee65b44
|
|
@ -18,6 +18,27 @@
|
|||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
Support for wrapping binaries using <literal>firejail</literal> has been
|
||||
added through <varname>programs.firejail.wrappedBinaries</varname>.
|
||||
</para>
|
||||
<para>
|
||||
For example
|
||||
</para>
|
||||
<programlisting>
|
||||
programs.firejail = {
|
||||
enable = true;
|
||||
wrappedBinaries = {
|
||||
firefox = "${lib.getBin pkgs.firefox}/bin/firefox";
|
||||
mpv = "${lib.getBin pkgs.mpv}/bin/mpv";
|
||||
};
|
||||
};
|
||||
</programlisting>
|
||||
<para>
|
||||
This will place <literal>firefox</literal> and <literal>mpv</literal> binaries in the global path wrapped by firejail.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
User channels are now in the default <literal>NIX_PATH</literal>, allowing
|
||||
|
|
|
|||
|
|
@ -86,6 +86,7 @@
|
|||
./programs/dconf.nix
|
||||
./programs/digitalbitbox/default.nix
|
||||
./programs/environment.nix
|
||||
./programs/firejail.nix
|
||||
./programs/fish.nix
|
||||
./programs/freetds.nix
|
||||
./programs/gnupg.nix
|
||||
|
|
|
|||
48
nixos/modules/programs/firejail.nix
Normal file
48
nixos/modules/programs/firejail.nix
Normal file
|
|
@ -0,0 +1,48 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.programs.firejail;
|
||||
|
||||
wrappedBins = pkgs.stdenv.mkDerivation rec {
|
||||
name = "firejail-wrapped-binaries";
|
||||
nativeBuildInputs = with pkgs; [ makeWrapper ];
|
||||
buildCommand = ''
|
||||
mkdir -p $out/bin
|
||||
${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: binary: ''
|
||||
cat <<_EOF >$out/bin/${command}
|
||||
#!${pkgs.stdenv.shell} -e
|
||||
/run/wrappers/bin/firejail ${binary} "\$@"
|
||||
_EOF
|
||||
chmod 0755 $out/bin/${command}
|
||||
'') cfg.wrappedBinaries)}
|
||||
'';
|
||||
};
|
||||
|
||||
in {
|
||||
options.programs.firejail = {
|
||||
enable = mkEnableOption "firejail";
|
||||
|
||||
wrappedBinaries = mkOption {
|
||||
type = types.attrs;
|
||||
default = {};
|
||||
description = ''
|
||||
Wrap the binaries in firejail and place them in the global path.
|
||||
</para>
|
||||
<para>
|
||||
You will get file collisions if you put the actual application binary in
|
||||
the global environment and applications started via .desktop files are
|
||||
not wrapped if they specify the absolute path to the binary.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";
|
||||
|
||||
environment.systemPackages = [ wrappedBins ];
|
||||
};
|
||||
|
||||
meta.maintainers = with maintainers; [ peterhoeg ];
|
||||
}
|
||||
Loading…
Reference in a new issue