Security(neovim): use firejail

[julm/julm-nix.git] / nixpkgs / overlays / firejail.nix

pkgs: _previousPkgs: {
  firejailWrap =
    {
      package,
      paths ? [ "bin/${package.meta.mainProgram or (pkgs.lib.getName package)}" ],
      name ? package.name + "-firejailed",
      firejail ? "/run/wrappers/bin/firejail",
      args ? [ ],
    }:
    pkgs.symlinkJoin {
      inherit name;
      # DevelopmentNode: you may have to inherit more attributes.
      inherit (package) meta passthru;
      paths = [ package ];
      nativeBuildInputs = [ pkgs.makeShellWrapper ];
      postBuild = ''
        # ExplanationNote: /run/wrappers/ is not yet available
        # hence disable that check in makeShellWrapper.
        assertExecutable () { true; }
        for path in ${pkgs.lib.escapeShellArgs paths}; do
          rm "$out/$path"
          # CorrectnessNote: in case the resulting package is called
          # when building a derivation (eg. in neovim: Generating remote plugin manifest)
          # /run/wrappers/ does not exist, hence just bypass firejail using a --run.
          makeShellWrapper \
            ${firejail} \
            "$out/$path" \
            --run "[ -x ${firejail} ] || exec \"${package}/$path\" \"\$@\"" \
            --add-flags "${pkgs.lib.escapeShellArgs args}" \
            --add-flags "${package}/$path" \
            --inherit-argv0
        done
      '';
    };
}