firejail: fix so /run/wrappers are available inside a jail
This commit is contained in:
parent
cfe6e9c20a
commit
dd35136ac0
|
@ -60,11 +60,15 @@ let
|
||||||
firejailFlags = [
|
firejailFlags = [
|
||||||
# "--quiet" #< TODO: enable
|
# "--quiet" #< TODO: enable
|
||||||
# "--tracelog" # logs blacklist violations to syslog (but default firejail disallows this)
|
# "--tracelog" # logs blacklist violations to syslog (but default firejail disallows this)
|
||||||
] ++ allowPath "/run/current-system" #< for basics like `ls`, and all this program's `suggestedPrograms`
|
] ++ allowPaths [
|
||||||
# ++ allowPath "/bin/sh" #< to allow `firejail --join=...` (doesn't work)
|
"/run/current-system" #< for basics like `ls`, and all this program's `suggestedPrograms` (/run/current-system/sw/bin)
|
||||||
++ allowPath "/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here
|
"/run/wrappers" #< SUID wrappers, in this case so that firejail can be re-entrant
|
||||||
++ allowPaths [ "/run/opengl-driver" "/run/opengl-driver-32" ] #< symlinks to /nix/store; needed by e.g. mpv
|
# "/bin/sh" #< to allow `firejail --join=...` (doesn't work)
|
||||||
++ fsFlags
|
"/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here
|
||||||
|
# /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv
|
||||||
|
"/run/opengl-driver"
|
||||||
|
"/run/opengl-driver-32"
|
||||||
|
] ++ fsFlags
|
||||||
++ persistFlags
|
++ persistFlags
|
||||||
++ lib.optionals (net == "vpn") vpnFlags;
|
++ lib.optionals (net == "vpn") vpnFlags;
|
||||||
|
|
||||||
|
|
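Review bot: The new `"/run/wrappers"` entry whitelists the whole SUID-wrapper directory, while its comment says the goal is only firejail re-entrancy; every other wrapper installed there becomes reachable from inside the jail as well, which is a wider privilege surface than the stated purpose needs. If `allowPaths` accepts individual files (its definition is outside this hunk), prefer whitelisting only the firejail wrapper, e.g. `"/run/wrappers/bin/firejail" #< SUID firejail wrapper, so firejail can be re-entrant`, and otherwise extend the comment to state that all SUID wrappers on the host are deliberately exposed, e.g. `#< NOTE: exposes every SUID wrapper, not just firejail; narrow if allowPaths grows file support`. The `firejailFlags` list is fully shown here, but `allowPaths`, `fsFlags` and `persistFlags` are defined outside the hunk, so whether a file-level whitelist is possible cannot be confirmed from this page.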