firejail: 0.9.66 -> 0.9.68

Fixes #153430
2022-02-07 00:27:25 +10:00 · 2022-02-07 00:27:25 +10:00 · 36b1dedddd
commit 36b1dedddd
parent 0a6388d7b6
4 changed files with 15 additions and 66 deletions
--- a/pkgs/os-specific/linux/firejail/default.nix
+++ b/pkgs/os-specific/linux/firejail/default.nix
@ -11,13 +11,13 @@
 stdenv.mkDerivation rec {
  pname = "firejail";
-  version = "0.9.66";
+  version = "0.9.68";
  src = fetchFromGitHub {
    owner = "netblue30";
    repo = "firejail";
    rev = version;
-    sha256 = "sha256-oKstTiGt0r4wePaZ9u1o78GZ1XWJ27aS0BdLxmfYk9Q=";
+    sha256 = "18yy1mykx7h78yj7sz729i3dlsrgi25m17m5x9gbrvsx7f87rw7j";
  };
  nativeBuildInputs = [
@ -40,9 +40,6 @@ stdenv.mkDerivation rec {
    # By default fbuilder hardcodes the firejail binary to the install path.
    # On NixOS the firejail binary is a setuid wrapper available in $PATH.
    ./fbuilder-call-firejail-on-path.patch
    # Disable symlink check on /etc/hosts, see
    # https://github.com/netblue30/firejail/issues/2758#issuecomment-805174951
    ./remove-link-check.patch
  ];
  prePatch = ''
--- a/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
+++ b/pkgs/os-specific/linux/firejail/fbuilder-call-firejail-on-path.patch
@ -1,11 +1,11 @@
 --- a/src/fbuilder/build_profile.c
 +++ b/src/fbuilder/build_profile.c
-@@ -67,7 +67,7 @@
+@@ -48,7 +48,7 @@
- 		errExit("asprintf");
+ 	// build command
- 
+ 	char *cmd[len];
- 	char *cmdlist[] = {
+ 	unsigned curr_len = 0;
-	  BINDIR "/firejail",
+-	cmd[curr_len++] = BINDIR "/firejail";
-+	  "firejail",
+	cmd[curr_len++] = "firejail";
- 	  "--quiet",
+ 	cmd[curr_len++] = "--quiet";
- 	  "--noprofile",
+ 	cmd[curr_len++] = "--noprofile";
- 	  "--caps.drop=all",
+ 	cmd[curr_len++] = "--caps.drop=all";
--- a/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
+++ b/pkgs/os-specific/linux/firejail/mount-nix-dir-on-overlay.patch
@ -1,6 +1,6 @@
--- a/src/firejail/fs.c
+--- a/src/firejail/fs_overlayfs.c
-+++ b/src/firejail/fs.c
+++ b/src/firejail/fs_overlayfs.c
-@@ -1143,6 +1143,16 @@
+@@ -327,6 +327,16 @@
 		errExit("mounting /dev");
 	fs_logger("whitelist /dev");
@ -17,7 +17,7 @@
 	// mount-bind run directory
 	if (arg_debug)
 		printf("Mounting /run\n");
-@@ -1201,6 +1211,7 @@
+@@ -384,6 +394,7 @@
 	free(odiff);
 	free(owork);
 	free(dev);
--- a/pkgs/os-specific/linux/firejail/remove-link-check.patch
+++ b/pkgs/os-specific/linux/firejail/remove-link-check.patch
@ -1,48 +0,0 @@
 From ccc726f8ec877d8cda720daa2498e43629b6dd48 Mon Sep 17 00:00:00 2001
 From: Jonas Heinrich <onny@project-insanity.org>
 Date: Sun, 19 Sep 2021 11:48:06 +0200
 Subject: [PATCH 1/2] remove hosts file link check
 ---
 src/firejail/fs_hostname.c | 4 ----
 1 file changed, 4 deletions(-)
 diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
 index 42255070c4..97ce70f9c1 100644
 --- a/src/firejail/fs_hostname.c
 +++ b/src/firejail/fs_hostname.c
@@ -132,10 +132,6 @@ char *fs_check_hosts_file(const char *fname) {
 	invalid_filename(fname);
 	char *rv = expand_home(fname, cfg.homedir);
 -	// no a link
 -	if (is_link(rv))
 -		goto errexit;
 -
 	// the user has read access to the file
 	if (access(rv, R_OK))
 		goto errexit;
 From c2c51e7ca56075e7388b4f50922b148615d1b125 Mon Sep 17 00:00:00 2001
 From: Jonas Heinrich <onny@project-insanity.org>
 Date: Sun, 19 Sep 2021 11:49:08 +0200
 Subject: [PATCH 2/2] remove hosts file link check
 ---
 src/firejail/fs_hostname.c | 3 ---
 1 file changed, 3 deletions(-)
 diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
 index 97ce70f9c1..b228707131 100644
 --- a/src/firejail/fs_hostname.c
 +++ b/src/firejail/fs_hostname.c
@@ -154,9 +154,6 @@ void fs_mount_hosts_file(void) {
 	struct stat s;
 	if (stat("/etc/hosts", &s) == -1)
 		goto errexit;
 -	// not a link
 -	if (is_link("/etc/hosts"))
 -		goto errexit;
 	// owned by root
 	if (s.st_uid != 0)
 		goto errexit;