programs: indirect firejail access through sane-sandboxed
This commit is contained in:
parent
2492ed2ca7
commit
a4cb6645b4
|
@ -38,7 +38,7 @@ let
|
||||||
package
|
package
|
||||||
else if sandbox.method == "firejail" then
|
else if sandbox.method == "firejail" then
|
||||||
let
|
let
|
||||||
makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { };
|
makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.sandboxHelper; };
|
||||||
vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
|
vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
|
||||||
in
|
in
|
||||||
makeSandboxed {
|
makeSandboxed {
|
||||||
|
|
|
@ -2,12 +2,11 @@
|
||||||
, firejail
|
, firejail
|
||||||
, runCommand
|
, runCommand
|
||||||
, runtimeShell
|
, runtimeShell
|
||||||
|
, sane-sandboxed
|
||||||
}:
|
}:
|
||||||
{ pkgName, package, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {} }:
|
{ pkgName, package, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {} }:
|
||||||
let
|
let
|
||||||
# XXX: firejail needs suid bit for some (not all) of its sandboxing methods. hence, rely on the user installing it system-wide and call it by suid path.
|
sane-sandboxed' = sane-sandboxed.meta.mainProgram; #< load by bin name to reduce rebuilds
|
||||||
# firejailBin = "/run/wrappers/bin/firejail";
|
|
||||||
firejailBin = "firejail";
|
|
||||||
|
|
||||||
allowPath = p: [
|
allowPath = p: [
|
||||||
"noblacklist ${p}"
|
"noblacklist ${p}"
|
||||||
|
@ -93,11 +92,11 @@ let
|
||||||
mv "$out/bin/$name" "$out/bin/.$name-firejailed"
|
mv "$out/bin/$name" "$out/bin/.$name-firejailed"
|
||||||
cat <<EOF >> "$out/bin/$name"
|
cat <<EOF >> "$out/bin/$name"
|
||||||
#!${runtimeShell}
|
#!${runtimeShell}
|
||||||
exec ${firejailBin} \
|
exec ${sane-sandboxed'} \
|
||||||
--include="${pkgName}.local" \
|
--sane-sandbox-firejail-arg --include="${pkgName}.local" \
|
||||||
--profile=":$firejailProfileName" \
|
--sane-sandbox-firejail-arg --profile=":$firejailProfileName" \
|
||||||
--join-or-start="$firejailProfileName" \
|
--sane-sandbox-firejail-arg --join-or-start="$firejailProfileName" \
|
||||||
-- "$out/bin/.$name-firejailed" "\$@"
|
"$out/bin/.$name-firejailed" "\$@"
|
||||||
EOF
|
EOF
|
||||||
chmod +x "$out/bin/$name"
|
chmod +x "$out/bin/$name"
|
||||||
}
|
}
|
||||||
|
|
|
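Review bot: The generated wrapper at `exec ${sane-sandboxed'} \` now resolves the helper by bare name through the caller's PATH, and the comment that justified a by-name lookup for the old `firejailBin` (the suid wrapper) was removed without a replacement stating the new assumption. I'd keep a note on the `sane-sandboxed'` binding such as `# resolved via PATH at runtime: sane-sandboxed must be installed system-wide (see config.sane.sandboxHelper); if it is absent the exec fails and the program does not start unsandboxed`, hedged if the helper is guaranteed to be on PATH some other way. The `--` that separated the helper's options from the target path was also dropped at `"$out/bin/.$name-firejailed" "\$@"`; if sane-sandboxed honours `--`, restoring it as `-- "$out/bin/.$name-firejailed" "\$@"` keeps the target path from ever being read as an option. The `firejail` input at the top of the file is still declared, presumably still used for profile generation outside these hunks; the enclosing `let` and the derivation's build script both continue outside the hunks.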
@ -29,5 +29,6 @@ stdenv.mkDerivation {
|
||||||
1. to abstract over the particular sandbox implementation (bwrap, firejail, ...).
|
1. to abstract over the particular sandbox implementation (bwrap, firejail, ...).
|
||||||
2. to modify sandbox settings without forcing a rebuild of the sandboxed package.
|
2. to modify sandbox settings without forcing a rebuild of the sandboxed package.
|
||||||
'';
|
'';
|
||||||
|
mainProgram = "sane-sandboxed";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|