firejail: fix so /run/wrappers are available inside a jail

This commit is contained in:
Colin 2024-01-22 07:18:50 +00:00
parent cfe6e9c20a
commit dd35136ac0


@ -60,11 +60,15 @@ let
firejailFlags = [
# "--quiet" #< TODO: enable
# "--tracelog" # logs blacklist violations to syslog (but default firejail disallows this)
] ++ allowPath "/run/current-system" #< for basics like `ls`, and all this program's `suggestedPrograms`
# ++ allowPath "/bin/sh" #< to allow `firejail --join=...` (doesn't work)
++ allowPath "/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here
++ allowPaths [ "/run/opengl-driver" "/run/opengl-driver-32" ] #< symlinks to /nix/store; needed by e.g. mpv
++ fsFlags
] ++ allowPaths [
"/run/current-system" #< for basics like `ls`, and all this program's `suggestedPrograms` (/run/current-system/sw/bin)
"/run/wrappers" #< SUID wrappers, in this case so that firejail can be re-entrant
# "/bin/sh" #< to allow `firejail --join=...` (doesn't work)
"/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here
# /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv
"/run/opengl-driver"
"/run/opengl-driver-32"
] ++ fsFlags
++ persistFlags
++ lib.optionals (net == "vpn") vpnFlags;
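Review bot: The new `"/run/wrappers"` entry allows the whole wrappers directory into the sandbox, so every setuid wrapper the host installs there becomes reachable from the jailed process, while the comment states that only re-entrant firejail is wanted. If `allowPaths` (defined outside this hunk) accepts file paths as well as directories, narrowing the entry to the one binary keeps the other setuid wrappers out: `"/run/wrappers/bin/firejail" #< only the SUID firejail wrapper, so that firejail can be re-entrant`. If it accepts directories only, the comment should at least record the trade-off, e.g. `#< NOTE: also exposes every other SUID wrapper on the host`. Adding `--nonewprivs` is not a substitute here, since the nested firejail relies on its setuid bit to work.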