sane.programs: firejail: support wrapping "runCommand" packages

2024-01-22 09:16:25 +00:00
parent 3d763a0021
commit 60547204a8
2 changed files with 12 additions and 2 deletions
--- a/hosts/common/programs/firefox.nix
+++ b/hosts/common/programs/firefox.nix
@@ -114,7 +114,7 @@ let
      ${pkgs.buildPackages.gnused}/bin/sed -i s'/devtools-commandkey-inspector = C/devtools-commandkey-inspector = VK_F12/' omni/localization/en-US/devtools/startup/key-shortcuts.ftl
      pushd omni; ${pkgs.buildPackages.zip}/bin/zip $out/lib/${cfg.browser.libName}/browser/omni.ja -r ./*; popd

-      # runHook postFixup to allow sandbox wrappers to wrap the binaries
+      # runHook postFixup to allow sane.programs sandbox wrappers to wrap the binaries
      runHook postFixup
    '';
  });
--- a/modules/programs.nix
+++ b/modules/programs.nix
@@ -86,7 +86,17 @@ let
        # no.1 may bloat rebuild times.
        #
        # ultimately, no.1 is probably more reliable, but i expect i'll factor out a switch to allow either approach -- particularly when debugging package buld failures.
-        packageWrapped = package.overrideAttrs (unwrapped: {
+        package' = if package.override.__functionArgs ? runCommand then
+          package.override {
+            runCommand = name: env: cmd: pkgs.runCommand name env (cmd + lib.optionalString (name == package.name) ''
+              # if the package is a runCommand (common for wrappers), then patch it to call our `postFixup` hook, first
+              runHook postFixup
+            '');
+          }
+        else
+          package
+        ;
+        packageWrapped = package'.overrideAttrs (unwrapped: {
          postFixup = (unwrapped.postFixup or "") + ''
            tryFirejailProfile() {
              _maybeProfile="${pkgs.firejail}/etc/firejail/$1.profile"