forked from mirrors/nixpkgs
Merge pull request #83515 from snicket2100/firejail-fix
firejail: local profile handling fixed
This commit is contained in:
commit
7dc2439a1b
|
@ -36,10 +36,27 @@ stdenv.mkDerivation {
|
|||
sed -e "s@/etc/@$out/etc/@g" -e "/chmod u+s/d" -i Makefile
|
||||
'';
|
||||
|
||||
# We need to set the directory for the .local override files to
|
||||
# /etc/firejail so we can actually override them
|
||||
# The profile files provided with the firejail distribution include `.local`
|
||||
# profile files using relative paths. The way firejail works when it comes to
|
||||
# handling includes is by looking target files up in `~/.config/firejail`
|
||||
# first, and then trying `SYSCONFDIR`. The latter normally points to
|
||||
# `/etc/filejail`, but in the case of nixos points to the nix store. This
|
||||
# makes it effectively impossible to place any profile files in
|
||||
# `/etc/firejail`.
|
||||
#
|
||||
# The workaround applied below is by creating a set of `.local` files which
|
||||
# only contain respective includes to `/etc/firejail`. This way
|
||||
# `~/.config/firejail` still takes precedence, but `/etc/firejail` will also
|
||||
# be searched in second order. This replicates the behaviour from
|
||||
# non-nixos platforms.
|
||||
#
|
||||
# See https://github.com/netblue30/firejail/blob/e4cb6b42743ad18bd11d07fd32b51e8576239318/src/firejail/profile.c#L68-L83
|
||||
# for the profile file lookup implementation.
|
||||
postInstall = ''
|
||||
sed -E -e 's@^include (.*.local)$@include /etc/firejail/\1@g' -i $out/etc/firejail/*.profile
|
||||
for local in $(grep -Eh '^include.*local$' $out/etc/firejail/*.profile | awk '{print $2}' | sort | uniq)
|
||||
do
|
||||
echo "include /etc/firejail/$local" >$out/etc/firejail/$local
|
||||
done
|
||||
'';
|
||||
|
||||
# At high parallelism, the build sometimes fails with:
|
||||
|
|
Loading…
Reference in a new issue