nixpkgs/overlays/firejail.nix

   1 pkgs: _previousPkgs: {
   2   firejailWrap =
   3     {
   4       package,
   5       packageName ? package.meta.mainProgram or (pkgs.lib.getName package),
   6       paths ? [ "bin/${packageName}" ],
   7       name ? package.name + "-firejailed",
   8       args ? [ ],
   9       firejail ? "/run/wrappers/bin/firejail",
  10     }:
  11     let
  12       # Explanation(flexibility): in order to enable
  13       # tweaking the jail in a direnv or without a system rebuild
  14       # this wrapper allows changing firejail flags at runtime from envvars:
  15       # - overriding flags with: FIREJAIL_FLAGS_${packageNameEscaped}
  16       # - add extra flags with: FIREJAIL_EXTRAFLAGS_${packageNameEscaped}
  17       # When using --profile=foo, it's also possible to override
  18       # firejail's builtin profile in ~/.config/firejail/foo.profile
  19       # or modify it with ~/.config/firejail/foo.local
  20       packageNameEscaped = pkgs.lib.concatMapStrings (s: if builtins.isList s then "_" else s) (
  21         builtins.split "[^a-zA-Z0-9_]+" packageName
  22       );
  23     in
  24     pkgs.lib.makeOverridable (
  25       # Explanation(compat): if .override(overrideArgs) is used
  26       # on the wrapping package (eg. if used on programs.firefox.package),
  27       # overrideArgs is passed to the wrapped package.
  28       overrideArgs:
  29       # Explanation(perf/resource): using symlinkJoin instead of package.overrideAttrs
  30       # enables to get the wrapped package from the cache as usual.
  31       # The main drawback is that the user may have to inherit more attributes.
  32       # eg. programs.neovim.package = pkgs.firejailWrap { … } // { inherit (pkgs.neovim-unwrapped) lua; };
  33       pkgs.symlinkJoin {
  34         inherit name;
  35         meta = package.meta or { };
  36         passthru = package.passthru or { };
  37         paths = [ (package.override overrideArgs) ];
  38         nativeBuildInputs = [ pkgs.makeShellWrapper ];
  39         postBuild = pkgs.lib.concatStringsSep "\n" [
  40           # Explanation(compat): /run/wrappers/ is not yet available
  41           # hence disable that check in makeShellWrapper.
  42           ''
  43             assertExecutable () { true; }
  44           ''
  45           # Explanation(functional/correctness):
  46           # in case the wrapping package is called when building a derivation
  47           # (eg. in neovim: Generating remote plugin manifest)
  48           # /run/wrappers/ does not exist, hence just bypass firejail using a --run.
  49           #
  50           # Note that setting --argv0 would have no lasting effect because
  51           # nixos/modules/security/wrappers/wrapper.c forces argv[0] = SOURCE_PROG
  52           # Tip(tmux): #{pane_current_command} is thus always "firejail" in tmux,
  53           # but this can be worked around with something like:
  54           # set -g pane-border-format " #P: #{?#{==:#{pane_current_command},firejail},#{pane_title},#{pane_current_command}} "
  55           ''
  56             for path in ${pkgs.lib.escapeShellArgs paths}; do
  57               rm "$out/$path"
  58               makeShellWrapper \
  59                 ${firejail} \
  60                 "$out/$path" \
  61                 --run "[ -x ${firejail} ] || exec "${package}/$path" \"\$@\"" \
  62                 --add-flags "--name=${pkgs.lib.escapeShellArg packageName}" \
  63                 --add-flags "\''${FIREJAIL_FLAGS_${packageNameEscaped}-${pkgs.lib.escapeShellArgs args}}" \
  64                 --add-flags "\''${FIREJAIL_EXTRAFLAGS_${packageNameEscaped}:-}" \
  65                 --add-flags "${package}/$path"
  66             done
  67           ''
  68         ];
  69       }
  70     ) { };
  71 }