pyrox.dev
Merge pull request #158360 from vs49688/firejail
firejail: 0.9.66 -> 0.9.68
+2
-5
pkgs/os-specific/linux/firejail/default.nix
+2
-5
pkgs/os-specific/linux/firejail/default.nix
···
11
11
12
12
stdenv.mkDerivation rec {
13
13
pname = "firejail";
14
-
version = "0.9.66";
14
+
version = "0.9.68";
15
15
16
16
src = fetchFromGitHub {
17
17
owner = "netblue30";
18
18
repo = "firejail";
19
19
rev = version;
20
-
sha256 = "sha256-oKstTiGt0r4wePaZ9u1o78GZ1XWJ27aS0BdLxmfYk9Q=";
20
+
sha256 = "18yy1mykx7h78yj7sz729i3dlsrgi25m17m5x9gbrvsx7f87rw7j";
21
21
};
22
22
23
23
nativeBuildInputs = [
···
40
40
# By default fbuilder hardcodes the firejail binary to the install path.
41
41
# On NixOS the firejail binary is a setuid wrapper available in $PATH.
42
42
./fbuilder-call-firejail-on-path.patch
43
-
# Disable symlink check on /etc/hosts, see
44
-
# https://github.com/netblue30/firejail/issues/2758#issuecomment-805174951
45
-
./remove-link-check.patch
46
43
];
47
44
48
45
prePatch = ''
+9
-9
pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
+9
-9
pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
···
1
1
--- a/src/fbuilder/build_profile.c
2
2
+++ b/src/fbuilder/build_profile.c
3
-
@@ -67,7 +67,7 @@
4
-
errExit("asprintf");
5
-
6
-
char *cmdlist[] = {
7
-
- BINDIR "/firejail",
8
-
+ "firejail",
9
-
"--quiet",
10
-
"--noprofile",
11
-
"--caps.drop=all",
3
+
@@ -48,7 +48,7 @@
4
+
// build command
5
+
char *cmd[len];
6
+
unsigned curr_len = 0;
7
+
- cmd[curr_len++] = BINDIR "/firejail";
8
+
+ cmd[curr_len++] = "firejail";
9
+
cmd[curr_len++] = "--quiet";
10
+
cmd[curr_len++] = "--noprofile";
11
+
cmd[curr_len++] = "--caps.drop=all";
+4
-4
pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
+4
-4
pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
···
1
-
--- a/src/firejail/fs.c
2
-
+++ b/src/firejail/fs.c
3
-
@@ -1143,6 +1143,16 @@
1
+
--- a/src/firejail/fs_overlayfs.c
2
+
+++ b/src/firejail/fs_overlayfs.c
3
+
@@ -327,6 +327,16 @@
4
4
errExit("mounting /dev");
5
5
fs_logger("whitelist /dev");
6
6
···
17
17
// mount-bind run directory
18
18
if (arg_debug)
19
19
printf("Mounting /run\n");
20
-
@@ -1201,6 +1211,7 @@
20
+
@@ -384,6 +394,7 @@
21
21
free(odiff);
22
22
free(owork);
23
23
free(dev);
-48
pkgs/os-specific/linux/firejail/remove-link-check.patch
-48
pkgs/os-specific/linux/firejail/remove-link-check.patch
···
1
-
From ccc726f8ec877d8cda720daa2498e43629b6dd48 Mon Sep 17 00:00:00 2001
2
-
From: Jonas Heinrich <onny@project-insanity.org>
3
-
Date: Sun, 19 Sep 2021 11:48:06 +0200
4
-
Subject: [PATCH 1/2] remove hosts file link check
5
-
6
-
---
7
-
src/firejail/fs_hostname.c | 4 ----
8
-
1 file changed, 4 deletions(-)
9
-
10
-
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
11
-
index 42255070c4..97ce70f9c1 100644
12
-
--- a/src/firejail/fs_hostname.c
13
-
+++ b/src/firejail/fs_hostname.c
14
-
@@ -132,10 +132,6 @@ char *fs_check_hosts_file(const char *fname) {
15
-
invalid_filename(fname);
16
-
char *rv = expand_home(fname, cfg.homedir);
17
-
18
-
- // no a link
19
-
- if (is_link(rv))
20
-
- goto errexit;
21
-
-
22
-
// the user has read access to the file
23
-
if (access(rv, R_OK))
24
-
goto errexit;
25
-
26
-
From c2c51e7ca56075e7388b4f50922b148615d1b125 Mon Sep 17 00:00:00 2001
27
-
From: Jonas Heinrich <onny@project-insanity.org>
28
-
Date: Sun, 19 Sep 2021 11:49:08 +0200
29
-
Subject: [PATCH 2/2] remove hosts file link check
30
-
31
-
---
32
-
src/firejail/fs_hostname.c | 3 ---
33
-
1 file changed, 3 deletions(-)
34
-
35
-
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
36
-
index 97ce70f9c1..b228707131 100644
37
-
--- a/src/firejail/fs_hostname.c
38
-
+++ b/src/firejail/fs_hostname.c
39
-
@@ -154,9 +154,6 @@ void fs_mount_hosts_file(void) {
40
-
struct stat s;
41
-
if (stat("/etc/hosts", &s) == -1)
42
-
goto errexit;
43
-
- // not a link
44
-
- if (is_link("/etc/hosts"))
45
-
- goto errexit;
46
-
// owned by root
47
-
if (s.st_uid != 0)
48
-
goto errexit;