steam: use setuid bubblewrap

Jovian-Experiments · Oct 11, 2023 · 7dd743d · 7dd743d
1 parent 73ce8be
commit 7dd743d
Show file tree

Hide file tree

Showing 6 changed files with 6 additions and 34 deletions.
diff --git a/modules/steam/steam.nix b/modules/steam/steam.nix
@@ -58,6 +58,11 @@ in
           }
         });
       '';
+
+      # Steam will run some helper tools with pkexec, which needs setuid,
+      # which means bubblewrap itself also needs to be setuid.
+      # Requires https://github.com/NixOS/nixpkgs/pull/260404.
+      security.bubblewrap.allowSetuid = true;
     }
   ]);
 }
diff --git a/pkgs/jovian-stubs/default.nix b/pkgs/jovian-stubs/default.nix
@@ -3,13 +3,9 @@ stdenv.mkDerivation {
   name = "jovian-stubs";
 
   buildCommand = ''
-    install -D -m 755 ${./jupiter-biosupdate} $out/bin/jupiter-biosupdate
     install -D -m 755 ${./steamos-factory-reset-config} $out/bin/steamos-factory-reset-config
     install -D -m 755 ${./steamos-reboot} $out/bin/steamos-reboot
     install -D -m 755 ${./steamos-select-branch} $out/bin/steamos-select-branch
     install -D -m 755 ${./steamos-update} $out/bin/steamos-update
-
-    install -D -m 755 ${./pkexec} $out/bin/pkexec
-    install -D -m 755 ${./sudo} $out/bin/sudo
   '';
 }
diff --git a/pkgs/jovian-stubs/jupiter-biosupdate b/pkgs/jovian-stubs/jupiter-biosupdate
diff --git a/pkgs/jovian-stubs/pkexec b/pkgs/jovian-stubs/pkexec
diff --git a/pkgs/jovian-stubs/sudo b/pkgs/jovian-stubs/sudo
diff --git a/pkgs/steam-jupiter/fhsenv.nix b/pkgs/steam-jupiter/fhsenv.nix
@@ -50,9 +50,7 @@ let
       dmidecode
       jovian-stubs
       sessionSwitcher
-
-      # FIXME: figure out how to fix pkexec (needs SUID in fhsenv, see https://github.com/NixOS/nixpkgs/issues/69338) 
-      # and readd steamos-polkit-helpers
+      steamos-polkit-helpers
     ];
     extraProfile = (args.extraProfile or "") + ''
       export PATH=${jovian-stubs}/bin:$PATH