firejail: fix -overlay and -build functionality on NixOS

- The `-overlay` flag runs the specified binary inside an OverlayFS, since the /nix store may be in a different mount point than the user home, this patch explicitly bind mounts it so it's available inside the overlay. - profile builder: firejail provides facilities to build a new profiles. To do so, it execute the helper binary `fbuilder`, which in turn will execute firejail back with different options. This patch makes it use the binary available in PATH instead of the one produced at compile time. The compiled firejail binary doesn't have the necessary permissions, so the firejail NixOS module wraps it in a SUID wrapper available on PATH at runtime. Signed-off-by: Roosembert Palacios <roosemberth@posteo.ch>
2020-11-27 22:42:03 +01:00 · 2020-11-27 22:42:03 +01:00 · 831c700c5d
commit 831c700c5d
parent 67d7a67179
3 changed files with 47 additions and 0 deletions
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@ -20,6 +20,15 @@ stdenv.mkDerivation {
    name = "${s.name}.tar.bz2";
  };

+  patches = [
+    # Adds the /nix directory when using an overlay.
+    # Required to run any programs under this mode.
+    ./mount-nix-dir-on-overlay.patch
+    # By default fbuilder hardcodes the firejail binary to the install path.
+    # On NixOS the firejail binary is a setuid wrapper available in $PATH.
+    ./fbuilder-call-firejail-on-path.patch
+  ];
+
  prePatch = ''
    # Allow whitelisting ~/.nix-profile
    substituteInPlace etc/firejail.config --replace \
--- a/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
+++ b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
@ -0,0 +1,11 @@
+--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
+@@ -67,7 +67,7 @@
+ 		errExit("asprintf");
+ 
+ 	char *cmdlist[] = {
+-	  BINDIR "/firejail",
+	  "firejail",
+ 	  "--quiet",
+ 	  "--noprofile",
+ 	  "--caps.drop=all",
--- a/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
+++ b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
@ -0,0 +1,27 @@
+--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
+@@ -1143,6 +1143,16 @@
+ 		errExit("mounting /dev");
+ 	fs_logger("whitelist /dev");
+ 
+	// mount-bind /nix
+	if (arg_debug)
+		printf("Mounting /nix\n");
+	char *nix;
+	if (asprintf(&nix, "%s/nix", oroot) == -1)
+		errExit("asprintf");
+	if (mount("/nix", nix, NULL, MS_BIND|MS_REC, NULL) < 0)
+		errExit("mounting /nix");
+	fs_logger("whitelist /nix");
+
+ 	// mount-bind run directory
+ 	if (arg_debug)
+ 		printf("Mounting /run\n");
+@@ -1201,6 +1211,7 @@
+ 	free(odiff);
+ 	free(owork);
+ 	free(dev);
+	free(nix);
+ 	free(run);
+ 	free(tmp);
+ }