public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/programs/firejail.nix
Symphorien Gibol 6fa1646268 nixos/firejail: allow to pass options to firejail
2020-11-14 12:00:00 +00:00

91 lines
2.8 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.firejail;
wrappedBins = pkgs.runCommand "firejail-wrapped-binaries"
{ preferLocalBuild = true;
allowSubstitutes = false;
}
''
mkdir -p $out/bin
${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: value:
let
opts = if builtins.isAttrs value
then value
else { executable = value; profile = null; extraArgs = []; };
args = lib.escapeShellArgs (
(optional (opts.profile != null) "--profile=${toString opts.profile}")
++ opts.extraArgs
);
in
''
cat <<_EOF >$out/bin/${command}
#! ${pkgs.runtimeShell} -e
exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@"
_EOF
chmod 0755 $out/bin/${command}
'') cfg.wrappedBinaries)}
'';
in {
options.programs.firejail = {
enable = mkEnableOption "firejail";
wrappedBinaries = mkOption {
type = types.attrsOf (types.either types.path (types.submodule {
options = {
executable = mkOption {
type = types.path;
description = "Executable to run sandboxed";
example = literalExample "''${lib.getBin pkgs.firefox}/bin/firefox";
};
profile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Profile to use";
example = literalExample "''${pkgs.firejail}/etc/firejail/firefox.profile";
};
extraArgs = mkOption {
type = types.listOf types.str;
default = [];
description = "Extra arguments to pass to firejail";
example = [ "--private=~/.firejail_home" ];
};
};
}));
default = {};
example = literalExample ''
{
firefox = {
executable = "''${lib.getBin pkgs.firefox}/bin/firefox";
profile = "''${pkgs.firejail}/etc/firejail/firefox.profile";
};
mpv = {
executable = "''${lib.getBin pkgs.mpv}/bin/mpv";
profile = "''${pkgs.firejail}/etc/firejail/mpv.profile";
};
}
'';
description = ''
Wrap the binaries in firejail and place them in the global path.
</para>
<para>
You will get file collisions if you put the actual application binary in
the global environment and applications started via .desktop files are
not wrapped if they specify the absolute path to the binary.
'';
};
};
config = mkIf cfg.enable {
security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";
environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ];
};
meta.maintainers = with maintainers; [ peterhoeg ];
}
Reference in New Issue View Git Blame Copy Permalink