nixos/firejail: remove the need for qualifications

2024-11-01 23:22:37 +00:00 · 2022-11-30 12:45:16 -05:00 · 2022-11-30 12:45:16 -05:00 · 67d671d5b7
commit 67d671d5b7
parent e4902f2eb0
1 changed files with 16 additions and 8 deletions
--- a/nixos/modules/programs/firejail.nix
+++ b/nixos/modules/programs/firejail.nix
@ -8,18 +8,21 @@ let
  wrappedBins = pkgs.runCommand "firejail-wrapped-binaries"
    { preferLocalBuild = true;
      allowSubstitutes = false;
+      # take precedence over non-firejailed versions
+      meta.priority = -1;
    }
    ''
      mkdir -p $out/bin
+      mkdir -p $out/share/applications
      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:
      let
        opts = if builtins.isAttrs value
        then value
-        else { executable = value; profile = null; extraArgs = []; };
+        else { executable = value; desktop = null; profile = null; extraArgs = []; };
        args = lib.escapeShellArgs (
          opts.extraArgs
          ++ (optional (opts.profile != null) "--profile=${toString opts.profile}")
-          );
+        );
      in
      ''
        cat <<_EOF >$out/bin/${command}
@ -27,6 +30,11 @@ let
        exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"
        _EOF
        chmod 0755 $out/bin/${command}
+
+        ${lib.optionalString (opts.desktop != null) ''
+          substitute ${opts.desktop} $out/share/applications/$(basename ${opts.desktop}) \
+            --replace ${opts.executable} $out/bin/${command}
+        ''}
      '') cfg.wrappedBinaries)}
    '';

@ -42,6 +50,12 @@ in {
            description = lib.mdDoc "Executable to run sandboxed";
            example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"'';
          };
+          desktop = mkOption {
+            type = types.nullOr types.path;
+            default = null;
+            description = lib.mkDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";
+            example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"'';
+          };
          profile = mkOption {
            type = types.nullOr types.path;
            default = null;
@ -71,12 +85,6 @@ in {
      '';
      description = lib.mdDoc ''
        Wrap the binaries in firejail and place them in the global path.
-
-        You will get file collisions if you put the actual application binary in
-        the global environment (such as by adding the application package to
-        `environment.systemPackages`), and applications started via
-        .desktop files are not wrapped if they specify the absolute path to the
-        binary.
      '';
    };
  };