11 stdenv.mkDerivation rec {
15 src = fetchFromGitHub {
19 sha256 = "sha256-XAlb6SSyY2S1iWDaulIlghQ16OGvT/wBCog95/nxkog=";
36 # Adds the /nix directory when using an overlay.
37 # Required to run any programs under this mode.
38 ./mount-nix-dir-on-overlay.patch
40 # By default fbuilder hardcodes the firejail binary to the install path.
41 # On NixOS the firejail binary is a setuid wrapper available in $PATH.
42 ./fbuilder-call-firejail-on-path.patch
46 # Fix the path to 'xdg-dbus-proxy' hardcoded in the 'common.h' file
47 substituteInPlace src/include/common.h \
48 --replace '/usr/bin/xdg-dbus-proxy' '${xdg-dbus-proxy}/bin/xdg-dbus-proxy'
50 # Workaround for regression introduced in 0.9.72 preventing usage of
51 # end-of-options indicator "--"
52 # See https://github.com/netblue30/firejail/issues/5659
53 substituteInPlace src/firejail/sandbox.c \
54 --replace " && !arg_doubledash" ""
58 sed -e 's@/bin/bash@${stdenv.shell}@g' -i $( grep -lr /bin/bash .)
59 sed -e "s@/bin/cp@$(which cp)@g" -i $( grep -lr /bin/cp .)
63 sed -e "s@/etc/@$out/etc/@g" -e "/chmod u+s/d" -i Makefile
66 # The profile files provided with the firejail distribution include `.local`
67 # profile files using relative paths. The way firejail works when it comes to
68 # handling includes is by looking target files up in `~/.config/firejail`
69 # first, and then trying `SYSCONFDIR`. The latter normally points to
70 # `/etc/filejail`, but in the case of nixos points to the nix store. This
71 # makes it effectively impossible to place any profile files in
74 # The workaround applied below is by creating a set of `.local` files which
75 # only contain respective includes to `/etc/firejail`. This way
76 # `~/.config/firejail` still takes precedence, but `/etc/firejail` will also
77 # be searched in second order. This replicates the behaviour from
78 # non-nixos platforms.
80 # See https://github.com/netblue30/firejail/blob/e4cb6b42743ad18bd11d07fd32b51e8576239318/src/firejail/profile.c#L68-L83
81 # for the profile file lookup implementation.
83 for local in $(grep -Eh '^include.*local$' $out/etc/firejail/*{.inc,.profile} | awk '{print $2}' | sort | uniq)
85 echo "include /etc/firejail/$local" >$out/etc/firejail/$local
89 # At high parallelism, the build sometimes fails with:
90 # bash: src/fsec-optimize/fsec-optimize: No such file or directory
91 enableParallelBuilding = false;
93 passthru.tests = nixosTests.firejail;
96 description = "Namespace-based sandboxing tool for Linux";
97 license = lib.licenses.gpl2Plus;
98 maintainers = [ lib.maintainers.raskin ];
99 platforms = lib.platforms.linux;
100 homepage = "https://firejail.wordpress.com/";