gnome3.gnome_desktop: fix sandboxing
This commit is contained in:
parent
129aac73ec
commit
f816fe6fd3
2 changed files with 30 additions and 2 deletions
|
@ -0,0 +1,19 @@
|
|||
--- a/libgnome-desktop/gnome-desktop-thumbnail-script.c
|
||||
+++ b/libgnome-desktop/gnome-desktop-thumbnail-script.c
|
||||
@@ -504,14 +504,10 @@
|
||||
g_return_val_if_fail (script->s_infile != NULL, FALSE);
|
||||
|
||||
add_args (array,
|
||||
- "bwrap",
|
||||
- "--ro-bind", "/usr", "/usr",
|
||||
- "--ro-bind", "/lib", "/lib",
|
||||
- "--ro-bind", "/lib64", "/lib64",
|
||||
+ "@BUBBLEWRAP_BIN@",
|
||||
+ "--ro-bind", "/nix/store", "/nix/store",
|
||||
"--proc", "/proc",
|
||||
"--dev", "/dev",
|
||||
- "--symlink", "usr/bin", "/bin",
|
||||
- "--symlink", "usr/sbin", "/sbin",
|
||||
"--chdir", "/",
|
||||
"--setenv", "GIO_USE_VFS", "local",
|
||||
"--unshare-all",
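Review bot: The patched argv drops `--symlink usr/bin /bin` and `--symlink usr/sbin /sbin` without putting anything in their place, so inside the sandbox nothing answers to `/bin/sh` or `/usr/bin/env`; any thumbnailer whose command line or shebang uses one of those paths will fail to exec (fail-closed, but thumbnails silently stop appearing). If such thumbnailers are expected on NixOS, bind the host's shell explicitly next to the store bind, `"--ro-bind", "/bin/sh", "/bin/sh",`, rather than re-exposing a whole `/bin`. Note also that `--ro-bind /nix/store` exposes every store path on the host to the sandboxed parser, which is considerably wider than upstream's `/usr`/`/lib` binds; `--unshare-all` and the seccomp filter still apply, but the trade-off deserves a comment in the patch so it survives the next rebase, e.g. `/* NixOS: the thumbnailer's closure is not known here, so the whole store is bound read-only */`. The function that builds this argv starts before the hunk (the `g_return_val_if_fail` at line 504 is mid-body) and continues after `--unshare-all`.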
|
|
@ -1,6 +1,6 @@
|
|||
{ stdenv, fetchurl, pkgconfig, python, libxml2Python, libxslt, which, libX11, gnome3, gtk3, glib
|
||||
, intltool, gnome_doc_utils, libxkbfile, xkeyboard_config, isocodes, itstool, wayland
|
||||
, libseccomp, gobjectIntrospection }:
|
||||
, libseccomp, bubblewrap, gobjectIntrospection }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
inherit (import ./src.nix fetchurl) name src;
|
||||
|
@ -13,12 +13,21 @@ stdenv.mkDerivation rec {
|
|||
nativeBuildInputs = [
|
||||
pkgconfig which itstool intltool libxslt gnome_doc_utils gobjectIntrospection
|
||||
];
|
||||
buildInputs = [ python libxml2Python libX11
|
||||
buildInputs = [ python libxml2Python libX11 bubblewrap
|
||||
xkeyboard_config isocodes wayland
|
||||
gtk3 glib libxkbfile libseccomp ];
|
||||
|
||||
propagatedBuildInputs = [ gnome3.gsettings_desktop_schemas ];
|
||||
|
||||
patches = [
|
||||
./bubblewrap-paths.patch
|
||||
];
|
||||
|
||||
postPatch = ''
|
||||
substituteInPlace libgnome-desktop/gnome-desktop-thumbnail-script.c --subst-var-by \
|
||||
BUBBLEWRAP_BIN "${bubblewrap}/bin/bwrap"
|
||||
'';
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
platforms = platforms.linux;
|
||||
maintainers = gnome3.maintainers;
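Review bot: `substituteInPlace --subst-var-by` in the new postPatch does not fail when the `@BUBBLEWRAP_BIN@` placeholder is missing, so a future rebase of `bubblewrap-paths.patch` that loses or renames the placeholder would ship a library whose sandbox launcher is the literal string and every thumbnail would fail silently. Guard it by adding, right after the substituteInPlace line, `grep -qF '${bubblewrap}/bin/bwrap' libgnome-desktop/gnome-desktop-thumbnail-script.c` — the build phases run with errexit, so a miss aborts the build instead of producing a broken sandbox. Separately, `bubblewrap` in `buildInputs` only serves to supply a runtime path; the `${bubblewrap}` interpolation in postPatch already records the dependency in the closure, so it could be dropped from `buildInputs` to keep bwrap off the build PATH, presumably with no effect on the output.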
|
||||
|
|