Security(firefox): sandbox in firejail
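# Nixpkgs overlay providing `firejailWrap`: wraps a package so that the
# executables listed in `paths` are started through firejail.
pkgs: _previousPkgs: {
  # Arguments:
  #   package     the package whose executables are sandboxed
  #   packageName name used for the per-package FIREJAIL_FLAGS_<packageName>
  #               environment variable; defaults to meta.mainProgram, else
  #               the package's pname
  #   paths       store-relative paths of the executables to wrap
  #   name        name of the resulting derivation
  #   args        extra flags always passed to firejail before the program
  #   firejail    path of the firejail executable (the setuid wrapper by default)
  #
  # Runtime flags may additionally be supplied through the environment:
  # FIREJAIL_FLAGS applies to every wrapped program, FIREJAIL_FLAGS_<packageName>
  # to this one only.  Both are word-split by the wrapper's shell and come
  # after `args`, so they are under the control of the invoking user.
  firejailWrap =
    {
      package,
      packageName ? package.meta.mainProgram or (pkgs.lib.getName package),
      paths ? [ "bin/${packageName}" ],
      name ? package.name + "-firejailed",
      args ? [ ],
      firejail ? "/run/wrappers/bin/firejail",
    }:
    let
      # CorrectnessNote: packageName is spliced into a shell parameter
      # expansion, so it has to be a valid shell identifier.  A name such as
      # "foo-bar" would otherwise reach bash as `${FIREJAIL_FLAGS_foo-bar:-}`,
      # which bash reads as "use the default value `bar:-` when
      # FIREJAIL_FLAGS_foo is unset", silently passing a bogus argument to
      # firejail.  Replace every character outside [A-Za-z0-9_] by "_".
      flagsVarName =
        "FIREJAIL_FLAGS_"
        + pkgs.lib.stringAsChars (c: if builtins.match "[A-Za-z0-9_]" c == null then "_" else c) packageName;
    in
    pkgs.lib.makeOverridable (
      # CompatibilityNote: if .override(overrideArgs) is used
      # on the wrapping package (eg. if used on programs.firefox.package),
      # overrideArgs is passed to the wrapped package.
      overrideArgs:
      # DesignExplanation: using symlinkJoin instead of package.overrideAttrs
      # enables to get the wrapped package from the cache as usual.
      # The main drawback is that the user may have to inherit more attributes.
      # eg. programs.neovim.package = pkgs.firejailWrap { … } // { inherit (pkgs.neovim-unwrapped) lua; };
      pkgs.symlinkJoin {
        inherit name;
        meta = package.meta or { };
        passthru = package.passthru or { };
        paths = [ (package.override overrideArgs) ];
        nativeBuildInputs = [ pkgs.makeShellWrapper ];
        postBuild = ''
          # ExplanationNote: /run/wrappers/ is not yet available
          # hence disable that check in makeShellWrapper.
          assertExecutable () { true; }
          for path in ${pkgs.lib.escapeShellArgs paths}; do
            # The symlink installed by symlinkJoin is replaced by the wrapper script.
            rm "$out/$path"
            # CorrectnessNote: in case the wrapping package is called
            # when building a derivation (eg. in neovim: Generating remote plugin manifest)
            # /run/wrappers/ does not exist, hence just bypass firejail using a --run.
            # SecurityNote: the same --run fallback fires on any system where
            # ${firejail} is missing or not executable, so the program then runs
            # unsandboxed without any error being reported.
            makeShellWrapper \
              ${firejail} \
              "$out/$path" \
              --run "[ -x ${firejail} ] || exec \"${package}/$path\" \"\$@\"" \
              --add-flags "\''${FIREJAIL_FLAGS:-}" \
              --add-flags "\''${${flagsVarName}:-}" \
              --add-flags "${pkgs.lib.escapeShellArgs args}" \
              --add-flags "${package}/$path" \
              --inherit-argv0
          done
        '';
      }
    ) { };
}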