Diffstat (limited to 'infra/libkookie/nixpkgs/pkgs/os-specific/linux/firejail/default.nix')
-rw-r--r--infra/libkookie/nixpkgs/pkgs/os-specific/linux/firejail/default.nix26
1 files changed, 13 insertions, 13 deletions
diff --git a/infra/libkookie/nixpkgs/pkgs/os-specific/linux/firejail/default.nix b/infra/libkookie/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
index 272b8612d7a7..a3be5484a047 100644
--- a/infra/libkookie/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
+++ b/infra/libkookie/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
@@ -1,12 +1,12 @@
-{stdenv, fetchurl, fetchpatch, which, nixosTests}:
+{stdenv, fetchurl, fetchpatch, which, xdg-dbus-proxy, nixosTests}:
let
s = # Generated upstream information
rec {
baseName="firejail";
- version="0.9.62";
+ version="0.9.64";
name="${baseName}-${version}";
url="mirror://sourceforge/firejail/firejail/firejail-${version}.tar.xz";
- sha256="1q2silgy882fl61p5qa9f9jqkxcqnwa71jig3c729iahx4f0hs05";
+ sha256="1zgjwy2k57nx0r63fzr15gijah098ig0bll66jd615vc9q3snfz5";
};
buildInputs = [
which
@@ -21,16 +21,12 @@ stdenv.mkDerivation {
};
patches = [
- (fetchpatch {
- name = "CVE-2020-17367.patch";
- url = "https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch";
- sha256 = "1gxz4jxp80gxnn46195qxcpmikwqab9d0ylj9zkm62lycp84ij6n";
- })
- (fetchpatch {
- name = "CVE-2020-17368.patch";
- url = "https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch";
- sha256 = "0n4ch3qykxx870201l8lz81f7h84vk93pzz77f5cjbd30cxnbddl";
- })
+ # Adds the /nix directory when using an overlay.
+ # Required to run any programs under this mode.
+ ./mount-nix-dir-on-overlay.patch
+ # By default fbuilder hardcodes the firejail binary to the install path.
+ # On NixOS the firejail binary is a setuid wrapper available in $PATH.
+ ./fbuilder-call-firejail-on-path.patch
];
prePatch = ''
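Review bot: The `patches` list no longer carries the fetched fixes for CVE-2020-17367 and CVE-2020-17368, and nothing on the new side records why that is safe. Presumably both commits are already part of the 0.9.64 tarball, but that should be confirmed against the upstream release notes before merging. Once confirmed, a comment at the top of the list, such as `# CVE-2020-17367 and CVE-2020-17368 are fixed upstream in this release`, would stop a later downgrade or backport from silently reintroducing them. The two local patch files are not part of this diff, which is limited to default.nix. `fbuilder-call-firejail-on-path.patch` deserves its own look, since it changes which binary fbuilder executes from a fixed install path to whatever `firejail` resolves to on `$PATH`.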
@@ -38,6 +34,10 @@ stdenv.mkDerivation {
substituteInPlace etc/firejail.config --replace \
'# follow-symlink-as-user yes' \
'follow-symlink-as-user no'
+
+ # Fix the path to 'xdg-dbus-proxy' hardcoded in the 'common.h' file
+ substituteInPlace src/include/common.h \
+ --replace '/usr/bin/xdg-dbus-proxy' '${xdg-dbus-proxy}/bin/xdg-dbus-proxy'
'';
preConfigure = ''
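Review bot: The new `substituteInPlace src/include/common.h` call depends on the exact literal `/usr/bin/xdg-dbus-proxy` being present. As far as I know, `--replace` does not fail the build when the pattern is missing, so a future upstream change to that header would leave firejail pointing at a path that does not exist on NixOS. D-Bus filtering would then presumably break at runtime rather than at build time. I would add a guard before the substitution, for example `grep -q '/usr/bin/xdg-dbus-proxy' src/include/common.h || exit 1`. The same concern applies to the existing `follow-symlink-as-user` substitution in the context lines above, which is a hardening default that this version bump could silently drop if the commented line in `etc/firejail.config` has changed. The `prePatch` string begins outside this hunk.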