|
90 | 90 | pkg,
|
91 | 91 | exe,
|
92 | 92 | dir,
|
93 |
| - cfg ? "", |
| 93 | + net ? false, |
94 | 94 | }: {
|
95 | 95 | "${pkg}" = {
|
96 | 96 | executable = exe;
|
97 |
| - profile = pkgs.writeText "${pkg}.local" ( |
98 |
| - '' |
99 |
| - include default.profile |
| 97 | + profile = mkFirejailProfile {inherit pkg dir net;}; |
| 98 | + }; |
| 99 | + }; |
| 100 | + mkFirejailProfile = { |
| 101 | + pkg, |
| 102 | + dir, |
| 103 | + net ? false, |
| 104 | + }: |
| 105 | + pkgs.writeText "${pkg}.local" '' |
| 106 | + include default.profile |
100 | 107 |
|
101 |
| - include disable-X11.inc |
102 |
| - include disable-common.inc |
103 |
| - include disable-devel.inc |
104 |
| - include disable-exec.inc |
105 |
| - include disable-interpreters.inc |
106 |
| - include disable-proc.inc |
107 |
| - include disable-programs.inc |
108 |
| - include disable-shell.inc |
109 |
| - include disable-write-mnt.inc |
110 |
| - include disable-xdg.inc |
| 108 | + include disable-X11.inc |
| 109 | + include disable-common.inc |
| 110 | + include disable-devel.inc |
| 111 | + include disable-exec.inc |
| 112 | + include disable-interpreters.inc |
| 113 | + include disable-proc.inc |
| 114 | + include disable-programs.inc |
| 115 | + include disable-shell.inc |
| 116 | + include disable-write-mnt.inc |
| 117 | + include disable-xdg.inc |
111 | 118 |
|
112 |
| - # no3d |
113 |
| - # nosound |
114 |
| - apparmor |
115 |
| - caps.drop all |
116 |
| - machine-id |
117 |
| - net none |
118 |
| - netfilter |
119 |
| - nodvd |
120 |
| - nogroups |
121 |
| - noinput |
122 |
| - nonewprivs |
123 |
| - noprinters |
124 |
| - noroot |
125 |
| - notv |
126 |
| - nou2f |
127 |
| - novideo |
128 |
| - shell none |
| 119 | + # no3d |
| 120 | + # nosound |
| 121 | + apparmor |
| 122 | + caps.drop all |
| 123 | + machine-id |
| 124 | + ${ |
| 125 | + if net |
| 126 | + then "" |
| 127 | + else "net none" |
| 128 | + } |
| 129 | + netfilter |
| 130 | + nodvd |
| 131 | + nogroups |
| 132 | + noinput |
| 133 | + nonewprivs |
| 134 | + noprinters |
| 135 | + noroot |
| 136 | + notv |
| 137 | + nou2f |
| 138 | + novideo |
| 139 | + shell none |
129 | 140 |
|
130 |
| - disable-mnt |
131 |
| - private ''${HOME}/.firejail/${dir} |
132 |
| - private-bin none |
133 |
| - private-cache |
134 |
| - private-cwd |
135 |
| - private-dev |
136 |
| - private-etc none |
137 |
| - private-lib none |
138 |
| - private-opt none |
139 |
| - private-srv none |
140 |
| - private-tmp |
141 |
| - seccomp |
142 |
| - x11 none |
| 141 | + disable-mnt |
| 142 | + private ''${HOME}/.firejail/${dir} |
| 143 | + private-bin none |
| 144 | + private-cache |
| 145 | + private-cwd |
| 146 | + private-dev |
| 147 | + ${ |
| 148 | + if net |
| 149 | + then "" |
| 150 | + else "private-etc none" |
| 151 | + } |
| 152 | + private-lib none |
| 153 | + private-opt none |
| 154 | + private-srv none |
| 155 | + private-tmp |
| 156 | + seccomp |
| 157 | + ${ |
| 158 | + if net |
| 159 | + then "" |
| 160 | + else "x11 none" |
| 161 | + } |
143 | 162 |
|
144 |
| - dbus-system none |
145 |
| - dbus-user none |
| 163 | + dbus-system none |
| 164 | + dbus-user none |
146 | 165 |
|
147 |
| - restrict-namespaces |
| 166 | + restrict-namespaces |
| 167 | + ''; |
| 168 | + mkFirejailWrapper = { |
| 169 | + pkgs, |
| 170 | + pkg, |
| 171 | + executable, |
| 172 | + desktop ? null, |
| 173 | + profile ? null, |
| 174 | + extraArgs ? [], |
| 175 | + }: |
| 176 | + pkgs.runCommand "firejail-wrap" |
| 177 | + { |
| 178 | + preferLocalBuild = true; |
| 179 | + allowSubstitutes = false; |
| 180 | + meta.priority = -1; # take precedence over non-firejailed versions |
| 181 | + } |
| 182 | + ( |
| 183 | + let |
| 184 | + firejailArgs = pkgs.lib.concatStringsSep " " ( |
| 185 | + extraArgs |
| 186 | + ++ ( |
| 187 | + pkgs.lib.optional (profile != null) "--profile=${toString profile}" |
| 188 | + ) |
| 189 | + ); |
| 190 | + in |
148 | 191 | ''
|
149 |
| - + cfg |
150 |
| - ); |
151 |
| - }; |
152 |
| - }; |
| 192 | + command_path="$out/bin/${pkg}" |
| 193 | + mkdir -p $out/bin |
| 194 | + mkdir -p $out/share/applications |
| 195 | + cat <<'_EOF' >"$command_path" |
| 196 | + #! ${pkgs.runtimeShell} -e |
| 197 | + exec /run/wrappers/bin/firejail ${firejailArgs} -- ${ |
| 198 | + toString executable |
| 199 | + } "$@" |
| 200 | + _EOF |
| 201 | + chmod 0755 "$command_path" |
| 202 | + '' |
| 203 | + + pkgs.lib.optionalString (desktop != null) '' |
| 204 | + substitute ${desktop} $out/share/applications/$(basename ${desktop}) \ |
| 205 | + --replace ${executable} "$command_path" |
| 206 | + '' |
| 207 | + ); |
153 | 208 | mkKbd = cfg: dev: {
|
154 | 209 | config = cfg;
|
155 | 210 | device = dev;
|
@@ -909,6 +964,16 @@ in {
|
909 | 964 | simple-scan
|
910 | 965 | system-config-printer
|
911 | 966 | pulsemixer
|
| 967 | + (mkFirejailWrapper { |
| 968 | + inherit pkgs; |
| 969 | + pkg = "firefox-firejail"; |
| 970 | + executable = "${firefox-esr}/bin/firefox-esr"; |
| 971 | + profile = mkFirejailProfile { |
| 972 | + pkg = "tabby"; |
| 973 | + dir = "tabby"; |
| 974 | + net = true; |
| 975 | + }; |
| 976 | + }) |
912 | 977 | ];
|
913 | 978 | programs.git = {
|
914 | 979 | enable = true;
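Review bot: The profile passed to the firefox wrapper is built with `pkg = "tabby"; dir = "tabby";`, so the generated profile file is `tabby.local` and the private home is `~/.firejail/tabby` even though the wrapper itself is `pkg = "firefox-firejail"`; this looks like a copy-paste leftover and, if unintended, should read `pkg = "firefox-firejail"; dir = "firefox-firejail";` so the browser does not share a sandbox home with another program. Note also that `net = true;` in this call does more than its name suggests: in `mkFirejailProfile` earlier on this page it drops `net none`, `private-etc none` and `x11 none` together, so this Firefox instance gets the host's full /etc and X11 as well as the network. A comment on the `net = true;` line such as `# net = true also lifts private-etc and x11 restrictions (see mkFirejailProfile)` would make that visible at the call site, or the three relaxations could be split into separate parameters. The `mkFirejailProfile` and `mkFirejailWrapper` definitions referenced here start outside this hunk.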
|
|