colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

firejail: fix so /run/wrappers are available inside a jail

Browse Source
This commit is contained in:
Colin 2024-01-22 07:18:50 +00:00
parent cfe6e9c20a
commit dd35136ac0
1 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
modules/programs.nix
View File

@ -60,11 +60,15 @@ let
firejailFlags = [ firejailFlags = [
# "--quiet" #< TODO: enable # "--quiet" #< TODO: enable
# "--tracelog" # logs blacklist violations to syslog (but default firejail disallows this) # "--tracelog" # logs blacklist violations to syslog (but default firejail disallows this)
] ++ allowPath "/run/current-system" #< for basics like `ls`, and all this program's `suggestedPrograms` ] ++ allowPaths [
# ++ allowPath "/bin/sh" #< to allow `firejail --join=...` (doesn't work) "/run/current-system" #< for basics like `ls`, and all this program's `suggestedPrograms` (/run/current-system/sw/bin)
++ allowPath "/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here "/run/wrappers" #< SUID wrappers, in this case so that firejail can be re-entrant
++ allowPaths [ "/run/opengl-driver" "/run/opengl-driver-32" ] #< symlinks to /nix/store; needed by e.g. mpv # "/bin/sh" #< to allow `firejail --join=...` (doesn't work)
++ fsFlags "/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here
# /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv
"/run/opengl-driver"
"/run/opengl-driver-32"
] ++ fsFlags
++ persistFlags ++ persistFlags
++ lib.optionals (net == "vpn") vpnFlags; ++ lib.optionals (net == "vpn") vpnFlags;