
Merge pull request #83515 from snicket2100/firejail-fix

firejail: local profile handling fixed
Michael Raskin 2020-03-28 10:34:39 +00:00 committed by GitHub
commit 7dc2439a1b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -36,10 +36,27 @@ stdenv.mkDerivation {
sed -e "s@/etc/@$out/etc/@g" -e "/chmod u+s/d" -i Makefile
'';
# We need to set the directory for the .local override files to
# /etc/firejail so we can actually override them
# The profile files provided with the firejail distribution include `.local`
# profile files using relative paths. The way firejail works when it comes to
# handling includes is by looking target files up in `~/.config/firejail`
# first, and then trying `SYSCONFDIR`. The latter normally points to
# `/etc/filejail`, but in the case of nixos points to the nix store. This
# makes it effectively impossible to place any profile files in
# `/etc/firejail`.
#
# The workaround applied below is by creating a set of `.local` files which
# only contain respective includes to `/etc/firejail`. This way
# `~/.config/firejail` still takes precedence, but `/etc/firejail` will also
# be searched in second order. This replicates the behaviour from
# non-nixos platforms.
#
# See https://github.com/netblue30/firejail/blob/e4cb6b42743ad18bd11d07fd32b51e8576239318/src/firejail/profile.c#L68-L83
# for the profile file lookup implementation.
postInstall = ''
sed -E -e 's@^include (.*.local)$@include /etc/firejail/\1@g' -i $out/etc/firejail/*.profile
for local in $(grep -Eh '^include.*local$' $out/etc/firejail/*.profile | awk '{print $2}' | sort | uniq)
do
echo "include /etc/firejail/$local" >$out/etc/firejail/$local
done
'';
# At high parallelism, the build sometimes fails with: