commit 65eb3a590d8d5657e3bf8534ddccc827aefc1862

pyrox.dev / nixpkgs

lol

fork atom

firejail: add nixos module

Also add support for wrapping binaries with firejail.

Peter Hoeg 7 years ago 65eb3a59 dae9cf61

+70

3 changed files

expand all

unified split

nixos

doc

manual

release-notes

rl-1809.xml

modules

module-list.nix

programs

firejail.nix

+21

nixos/doc/manual/release-notes/rl-1809.xml

··· 19 20 <itemizedlist> 21 <listitem> 22 <para> 23 User channels are now in the default <literal>NIX_PATH</literal>, allowing 24 users to use their personal <command>nix-channel</command> defined

··· 19 20 <itemizedlist> 21 <listitem> 22 + <para> 23 + Support for wrapping binaries using <literal>firejail</literal> has been 24 + added through <varname>programs.firejail.wrappedBinaries</varname>. 25 + </para> 26 + <para> 27 + For example 28 + </para> 29 + <programlisting> 30 + programs.firejail = { 31 + enable = true; 32 + wrappedBinaries = { 33 + firefox = "${lib.getBin pkgs.firefox}/bin/firefox"; 34 + mpv = "${lib.getBin pkgs.mpv}/bin/mpv"; 35 + }; 36 + }; 37 + </programlisting> 38 + <para> 39 + This will place <literal>firefox</literal> and <literal>mpv</literal> binaries in the global path wrapped by firejail. 40 + </para> 41 + </listitem> 42 + <listitem> 43 <para> 44 User channels are now in the default <literal>NIX_PATH</literal>, allowing 45 users to use their personal <command>nix-channel</command> defined

nixos/modules/module-list.nix

··· 86 ./programs/dconf.nix 87 ./programs/digitalbitbox/default.nix 88 ./programs/environment.nix 89 ./programs/fish.nix 90 ./programs/freetds.nix 91 ./programs/gnupg.nix

··· 86 ./programs/dconf.nix 87 ./programs/digitalbitbox/default.nix 88 ./programs/environment.nix 89 + ./programs/firejail.nix 90 ./programs/fish.nix 91 ./programs/freetds.nix 92 ./programs/gnupg.nix

+48

nixos/modules/programs/firejail.nix

···

··· 1 + { config, lib, pkgs, ... }: 2 + 3 + with lib; 4 + 5 + let 6 + cfg = config.programs.firejail; 7 + 8 + wrappedBins = pkgs.stdenv.mkDerivation rec { 9 + name = "firejail-wrapped-binaries"; 10 + nativeBuildInputs = with pkgs; [ makeWrapper ]; 11 + buildCommand = '' 12 + mkdir -p $out/bin 13 + ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: binary: '' 14 + cat <<_EOF >$out/bin/${command} 15 + #!${pkgs.stdenv.shell} -e 16 + /run/wrappers/bin/firejail ${binary} "\$@" 17 + _EOF 18 + chmod 0755 $out/bin/${command} 19 + '') cfg.wrappedBinaries)} 20 + ''; 21 + }; 22 + 23 + in { 24 + options.programs.firejail = { 25 + enable = mkEnableOption "firejail"; 26 + 27 + wrappedBinaries = mkOption { 28 + type = types.attrs; 29 + default = {}; 30 + description = '' 31 + Wrap the binaries in firejail and place them in the global path. 32 + </para> 33 + <para> 34 + You will get file collisions if you put the actual application binary in 35 + the global environment and applications started via .desktop files are 36 + not wrapped if they specify the absolute path to the binary. 37 + ''; 38 + }; 39 + }; 40 + 41 + config = mkIf cfg.enable { 42 + security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail"; 43 + 44 + environment.systemPackages = [ wrappedBins ]; 45 + }; 46 + 47 + meta.maintainers = with maintainers; [ peterhoeg ]; 48 + }