firejail: 0.9.66 -> 0.9.68
Fixes #153430
Zane van Iperen
4 years ago
36b1dedd
0a6388d7
+15
-66
4 changed files
+2
-5
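--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@@ -11,13 +11,13 @@
 
 stdenv.mkDerivation rec {
 pname = "firejail";
-version = "0.9.66";
+version = "0.9.68";
 
 src = fetchFromGitHub {
 owner = "netblue30";
 repo = "firejail";
 rev = version;
-sha256 = "sha256-oKstTiGt0r4wePaZ9u1o78GZ1XWJ27aS0BdLxmfYk9Q=";
+sha256 = "18yy1mykx7h78yj7sz729i3dlsrgi25m17m5x9gbrvsx7f87rw7j";
 };
 
 nativeBuildInputs = [
@@ -40,9 +40,6 @@
 # By default fbuilder hardcodes the firejail binary to the install path.
 # On NixOS the firejail binary is a setuid wrapper available in $PATH.
 ./fbuilder-call-firejail-on-path.patch
-# Disable symlink check on /etc/hosts, see
-# https://github.com/netblue30/firejail/issues/2758#issuecomment-805174951
-./remove-link-check.patch
 ];
 
 prePatch = ''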
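Review bot: The new source hash on line 20 is written in legacy base32 form while the line it replaces used the SRI form, so the file moves backwards on the convention nixpkgs has been converging on; prefer `hash = "sha256-<SRI digest of the 0.9.68 tarball>";` (placeholder, compute it from the fetched source) so the algorithm is explicit and the value is greppable alongside the rest of the tree. Dropping remove-link-check.patch from the patch list (old lines 43-45) re-enables the /etc/hosts symlink check that the patch disabled, which is a behavior change on NixOS hosts; the description only says "Fixes #153430", so a sentence stating that upstream 0.9.68 resolved the linked issue would tell the next reader why the workaround is no longer needed. The mkDerivation attribute set continues past this hunk.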
+9
-9
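--- a/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
+++ b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
@@ -1,11 +1,11 @@
 --- a/src/fbuilder/build_profile.c
 +++ b/src/fbuilder/build_profile.c
-@@ -67,7 +67,7 @@
-errExit("asprintf");
-
-char *cmdlist[] = {
-- BINDIR "/firejail",
-+ "firejail",
-"--quiet",
-"--noprofile",
-"--caps.drop=all",
+@@ -48,7 +48,7 @@
+// build command
+char *cmd[len];
+unsigned curr_len = 0;
+- cmd[curr_len++] = BINDIR "/firejail";
++ cmd[curr_len++] = "firejail";
+cmd[curr_len++] = "--quiet";
+cmd[curr_len++] = "--noprofile";
+cmd[curr_len++] = "--caps.drop=all";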
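Review bot: The replacement line `cmd[curr_len++] = "firejail";` (patch line 8) only finds the setuid wrapper if upstream later hands `cmd` to a PATH-searching exec variant such as `execvp`; the hunk stops before the exec call, so that is an inference about 0.9.68's build_profile.c that is worth confirming, since with a plain `execv` the unqualified name would fail at runtime rather than at build time. The rewritten patch also still carries no explanatory header, and `patch` ignores text before the first `---` line, so a one-line preamble such as `NixOS: firejail is a setuid wrapper on PATH, not installed under BINDIR, so let fbuilder resolve it by name.` would keep the rationale with the patch when it is next rebased. The function this hunk belongs to starts and ends outside the patch.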
+4
-4
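--- a/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
+++ b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
@@ -1,6 +1,6 @@
---- a/src/firejail/fs.c
-+++ b/src/firejail/fs.c
-@@ -1143,6 +1143,16 @@
+--- a/src/firejail/fs_overlayfs.c
++++ b/src/firejail/fs_overlayfs.c
+@@ -327,6 +327,16 @@
 errExit("mounting /dev");
 fs_logger("whitelist /dev");
 
@@ -17,7 +17,7 @@
 // mount-bind run directory
 if (arg_debug)
 printf("Mounting /run\n");
-@@ -1201,6 +1211,7 @@
+@@ -384,6 +394,7 @@
 free(odiff);
 free(owork);
 free(dev);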
-48
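--- a/pkgs/os-specific/linux/firejail/remove-link-check.patch
+++ b/pkgs/os-specific/linux/firejail/remove-link-check.patch
@@ -1,48 +0,0 @@
-From ccc726f8ec877d8cda720daa2498e43629b6dd48 Mon Sep 17 00:00:00 2001
-From: Jonas Heinrich <onny@project-insanity.org>
-Date: Sun, 19 Sep 2021 11:48:06 +0200
-Subject: [PATCH 1/2] remove hosts file link check
-
----
-src/firejail/fs_hostname.c | 4 ----
-1 file changed, 4 deletions(-)
-
-diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
-index 42255070c4..97ce70f9c1 100644
---- a/src/firejail/fs_hostname.c
-+++ b/src/firejail/fs_hostname.c
-@@ -132,10 +132,6 @@ char *fs_check_hosts_file(const char *fname) {
-invalid_filename(fname);
-char *rv = expand_home(fname, cfg.homedir);
-
-- // no a link
-- if (is_link(rv))
-- goto errexit;
--
-// the user has read access to the file
-if (access(rv, R_OK))
-goto errexit;
-
-From c2c51e7ca56075e7388b4f50922b148615d1b125 Mon Sep 17 00:00:00 2001
-From: Jonas Heinrich <onny@project-insanity.org>
-Date: Sun, 19 Sep 2021 11:49:08 +0200
-Subject: [PATCH 2/2] remove hosts file link check
-
----
-src/firejail/fs_hostname.c | 3 ---
-1 file changed, 3 deletions(-)
-
-diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
-index 97ce70f9c1..b228707131 100644
---- a/src/firejail/fs_hostname.c
-+++ b/src/firejail/fs_hostname.c
-@@ -154,9 +154,6 @@ void fs_mount_hosts_file(void) {
-struct stat s;
-if (stat("/etc/hosts", &s) == -1)
-goto errexit;
-- // not a link
-- if (is_link("/etc/hosts"))
-- goto errexit;
-// owned by root
-if (s.st_uid != 0)
-goto errexit;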