|
|
|
|
@ -36,10 +36,27 @@ stdenv.mkDerivation { |
|
|
|
|
sed -e "s@/etc/@$out/etc/@g" -e "/chmod u+s/d" -i Makefile |
|
|
|
|
''; |
|
|
|
|
|
|
|
|
|
# We need to set the directory for the .local override files to |
|
|
|
|
# /etc/firejail so we can actually override them |
|
|
|
|
# The profile files provided with the firejail distribution include `.local` |
|
|
|
|
# profile files using relative paths. The way firejail works when it comes to |
|
|
|
|
# handling includes is by looking target files up in `~/.config/firejail` |
|
|
|
|
# first, and then trying `SYSCONFDIR`. The latter normally points to |
|
|
|
|
# `/etc/filejail`, but in the case of nixos points to the nix store. This |
|
|
|
|
# makes it effectively impossible to place any profile files in |
|
|
|
|
# `/etc/firejail`. |
|
|
|
|
# |
|
|
|
|
# The workaround applied below is by creating a set of `.local` files which |
|
|
|
|
# only contain respective includes to `/etc/firejail`. This way |
|
|
|
|
# `~/.config/firejail` still takes precedence, but `/etc/firejail` will also |
|
|
|
|
# be searched in second order. This replicates the behaviour from |
|
|
|
|
# non-nixos platforms. |
|
|
|
|
# |
|
|
|
|
# See https://github.com/netblue30/firejail/blob/e4cb6b42743ad18bd11d07fd32b51e8576239318/src/firejail/profile.c#L68-L83 |
|
|
|
|
# for the profile file lookup implementation. |
|
|
|
|
postInstall = '' |
|
|
|
|
sed -E -e 's@^include (.*.local)$@include /etc/firejail/\1@g' -i $out/etc/firejail/*.profile |
|
|
|
|
for local in $(grep -Eh '^include.*local$' $out/etc/firejail/*.profile | awk '{print $2}' | sort | uniq) |
|
|
|
|
do |
|
|
|
|
echo "include /etc/firejail/$local" >$out/etc/firejail/$local |
|
|
|
|
done |
|
|
|
|
''; |
|
|
|
|
|
|
|
|
|
# At high parallelism, the build sometimes fails with: |
|
|
|
|
|
snicket2100
4 years ago