gnome3.gnome_desktop: fix sandboxing

This commit is contained in:
Jan Tojnar 2017-12-02 06:55:00 +01:00
parent 129aac73ec
commit f816fe6fd3
No known key found for this signature in database
GPG key ID: 7FAB2A15F7A607A4
2 changed files with 30 additions and 2 deletions


@ -0,0 +1,19 @@
--- a/libgnome-desktop/gnome-desktop-thumbnail-script.c
+++ b/libgnome-desktop/gnome-desktop-thumbnail-script.c
@@ -504,14 +504,10 @@
g_return_val_if_fail (script->s_infile != NULL, FALSE);
add_args (array,
- "bwrap",
- "--ro-bind", "/usr", "/usr",
- "--ro-bind", "/lib", "/lib",
- "--ro-bind", "/lib64", "/lib64",
+ "@BUBBLEWRAP_BIN@",
+ "--ro-bind", "/nix/store", "/nix/store",
"--proc", "/proc",
"--dev", "/dev",
- "--symlink", "usr/bin", "/bin",
- "--symlink", "usr/sbin", "/sbin",
"--chdir", "/",
"--setenv", "GIO_USE_VFS", "local",
"--unshare-all",
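Review bot: The patch file has no header explaining why the `/usr`, `/lib` and `/lib64` binds are replaced by a single `/nix/store` bind or that `@BUBBLEWRAP_BIN@` is only a placeholder filled in later by `substituteInPlace --subst-var-by BUBBLEWRAP_BIN` in default.nix; a short paragraph above `--- a/libgnome-desktop/gnome-desktop-thumbnail-script.c` stating both would let someone reading the patch on its own understand it. The `/nix/store` bind is much wider than the FHS mounts it replaces: every store path on the host becomes readable inside the thumbnailer sandbox (read-only, as the `--ro-bind` keeps it), so the isolation now rests on `--unshare-all` and the remaining flags rather than on limiting what is mounted, which is worth stating in that header. Dropping the `usr/bin` → `/bin` and `usr/sbin` → `/sbin` symlinks also means a thumbnailer that expects `/bin/sh` inside the sandbox will not find it; whether any configured thumbnailer relies on that cannot be told from this hunk. The hunk as shown has one line fewer than its `@@ -504,14 +504,10 @@` header counts, and the enclosing function continues outside it.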


@ -1,6 +1,6 @@
{ stdenv, fetchurl, pkgconfig, python, libxml2Python, libxslt, which, libX11, gnome3, gtk3, glib
, intltool, gnome_doc_utils, libxkbfile, xkeyboard_config, isocodes, itstool, wayland
, libseccomp, gobjectIntrospection }:
, libseccomp, bubblewrap, gobjectIntrospection }:
stdenv.mkDerivation rec {
inherit (import ./src.nix fetchurl) name src;
@ -13,12 +13,21 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [
pkgconfig which itstool intltool libxslt gnome_doc_utils gobjectIntrospection
];
buildInputs = [ python libxml2Python libX11
buildInputs = [ python libxml2Python libX11 bubblewrap
xkeyboard_config isocodes wayland
gtk3 glib libxkbfile libseccomp ];
propagatedBuildInputs = [ gnome3.gsettings_desktop_schemas ];
patches = [
./bubblewrap-paths.patch
];
postPatch = ''
substituteInPlace libgnome-desktop/gnome-desktop-thumbnail-script.c --subst-var-by \
BUBBLEWRAP_BIN "${bubblewrap}/bin/bwrap"
'';
meta = with stdenv.lib; {
platforms = platforms.linux;
maintainers = gnome3.maintainers;
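Review bot: The `substituteInPlace ... --subst-var-by BUBBLEWRAP_BIN` in `postPatch` does not fail when the `@BUBBLEWRAP_BIN@` placeholder is absent, so if a later upstream source no longer contains the patched `add_args` call (or the patch is dropped) the build still succeeds and the thumbnailer falls back to whatever `bwrap` lookup upstream does, which cannot be seen from this diff; adding `grep -q '${bubblewrap}/bin/bwrap' libgnome-desktop/gnome-desktop-thumbnail-script.c` right after the substitution would turn that silent miss into a build failure. A one-line comment above `patches`, such as `# bind /nix/store read-only instead of the FHS paths; @BUBBLEWRAP_BIN@ is filled in by postPatch`, would document the coupling between the patch and `postPatch`. Adding `bubblewrap` to `buildInputs` appears unnecessary for the runtime dependency, since the `${bubblewrap}` interpolation in `postPatch` already records the store reference; if it is there for another reason a comment should say so. Note that `bwrap` from the store runs unprivileged and therefore needs unprivileged user namespaces on the host, so how the sandbox behaves where those are disabled is worth mentioning in the package comment.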