Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/firejail/default.nix')
-rw-r--r--nixpkgs/pkgs/os-specific/linux/firejail/default.nix17
1 files changed, 16 insertions, 1 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/firejail/default.nix b/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
index 8c7a109cb76..272b8612d7a 100644
--- a/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
+++ b/nixpkgs/pkgs/os-specific/linux/firejail/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, which}:
+{stdenv, fetchurl, fetchpatch, which, nixosTests}:
let
s = # Generated upstream information
rec {
@@ -20,6 +20,19 @@ stdenv.mkDerivation {
name = "${s.name}.tar.bz2";
};
+ patches = [
+ (fetchpatch {
+ name = "CVE-2020-17367.patch";
+ url = "https://github.com/netblue30/firejail/commit/2c734d6350ad321fccbefc5ef0382199ac331b37.patch";
+ sha256 = "1gxz4jxp80gxnn46195qxcpmikwqab9d0ylj9zkm62lycp84ij6n";
+ })
+ (fetchpatch {
+ name = "CVE-2020-17368.patch";
+ url = "https://github.com/netblue30/firejail/commit/34193604fed04cad2b7b6b0f1a3a0428afd9ed5b.patch";
+ sha256 = "0n4ch3qykxx870201l8lz81f7h84vk93pzz77f5cjbd30cxnbddl";
+ })
+ ];
+
prePatch = ''
# Allow whitelisting ~/.nix-profile
substituteInPlace etc/firejail.config --replace \
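Review bot: The new `patches` list carries only the CVE ids in the patch names, so a later reader bumping the version cannot tell from this file whether the two commits are still needed; add a comment above `patches = [` such as `# Upstream fixes for CVE-2020-17367 and CVE-2020-17368, backported from the linked commits; drop once the packaged release includes them (TODO: note the fixed version here)`. The fixed upstream version is not stated anywhere in the hunk, so leave that part as a placeholder rather than guessing. The `sha256` values pin fetchpatch's normalized output, which is the right thing for GitHub commit patches, but that too deserves a one-line remark so nobody "fixes" them by re-hashing the raw download.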
@@ -63,6 +76,8 @@ stdenv.mkDerivation {
# bash: src/fsec-optimize/fsec-optimize: No such file or directory
enableParallelBuilding = false;
+ passthru.tests = nixosTests.firejail;
+
meta = {
inherit (s) version;
description = ''Namespace-based sandboxing tool for Linux'';
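Review bot: `passthru.tests = nixosTests.firejail;` assigns a single test derivation where nixpkgs convention expects `passthru.tests` to be an attribute set of test derivations; `passthru.tests = { inherit (nixosTests) firejail; };` follows that convention and leaves room for additional tests without changing the shape later. This is a style point only, since the test is wired up either way. The enclosing `stdenv.mkDerivation` block starts before this hunk.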