Automatic Firejail of Home Manager's Librewolf does not work

I am on NixOS unstable, using a flake-based configuration and running Sway.

I am trying to install the Wayland version of Librewolf (a Firefox fork) and always run it in a Firejail sandbox.

Home Manager supports customizing about:config options by adding entries in the attrset home-manager.users.<username>.programs.librewolf.settings which is very cool. I also want to unconditionally run Librewolf in a Firejail sandbox, meaning that every time librewolf is called in a terminal, firejail librewolf actually runs instead. Launching through Librewolf’s desktop file should have the same behavior.

Configuration attempt

My configuration for (attempting) to set this up looks like:

# Home Manager side: the Librewolf module lives under programs.librewolf,
# so the attribute path needs the programs. component.
home-manager.users.my-cool-username.programs.librewolf = {
  enable = true;
  package = pkgs.librewolf-wayland;
  settings = {
    "webgl.disable" = true;
    "middlemouse.paste" = false;
    # ... other configuration options ...
  };
};

# NixOS side: ask the Firejail module to generate a sandboxed launcher
# named librewolf in the system profile.
programs.firejail = {
  enable = true;
  wrappedBinaries.librewolf = {
    executable = "${lib.getBin pkgs.librewolf-wayland}/bin/librewolf";
  };
};

With this configuration, I expect running librewolf in a terminal to launch Librewolf in a Firejail sandbox, but unsandboxed Librewolf launches instead. Directly running firejail librewolf works as expected.

After some digging, this problem appears similar to this post. However, the workaround as described in that thread (namely, do not include the package in environment.systemPackages) does not apply because I am not (directly) installing Librewolf through environment.systemPackages.

Issues

I see two independent issues that need to be solved or worked around:

  1. Including an entry for Librewolf in programs.firejail.wrappedBinaries creates a symlink at /run/current-system/sw/bin/librewolf, and Home Manager’s Librewolf module places its symlink at /etc/profiles/per-user/my-cool-username/bin/librewolf. This is problematic because, in PATH, /etc/profiles/per-user/my-cool-username is before /run/current-system/sw/bin and this explains why the terminal command librewolf does not involve Firejail at all.

  2. The symlink that the Firejail module creates looks like:

exec /run/wrappers/bin/firejail -- /nix/store/<hash>-librewolf-105.0-1/bin/librewolf "$@"

This is not good because the Librewolf binary is directly run, ignoring Home Manager’s Librewolf wrapper (there are quite a lot of lines in that wrapper).

So far, (2) does not seem to cause any real problems for my machine specifically. Launching Librewolf without its wrapper has just one issue: Librewolf does not launch in Wayland mode because the environment variable MOZ_ENABLE_WAYLAND=1 is set via the wrapper. This is easy to work around by just setting the environment variable in the terminal emulator’s config, but fixing the config of one module by changing the config of another barely-related module is not very clean. I don’t know what the other parts of the Librewolf wrapper do.

Possible solutions and workarounds

  1. firejail librewolf works, and this is the workaround I am using now, but I want Librewolf to always launch in a Firejail sandbox. This workaround does not work when launching through the desktop file.

  2. Create a new wrapper that simply runs firejail /etc/profiles/per-user/my-cool-username/bin/librewolf and somehow make running the command librewolf launch the new wrapper instead. I have no idea how to do this in NixOS though.

  3. Directly modify the Librewolf wrapper. The only change is prefixing the correct string with “firejail”. Preferably, this can be done with an overlay or override that affects where the wrapper is defined, but as far as I can tell the wrapper is created with a Bash build script that is not easy to override. There is a note about making xdg-open overridable at runtime but I have no idea what this really means and how this can help.
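One way to get the effect of (3) without touching the wrapper's build script, as an added example that is not part of the original post: hand Home Manager a package whose bin/librewolf execs firejail around the unmodified nixpkgs wrapper, so MOZ_ENABLE_WAYLAND and the rest of the wrapper logic survive and the only librewolf in the per-user profile is the sandboxed one. It assumes programs.firejail.enable = true on the NixOS side (which provides the setuid /run/wrappers/bin/firejail), that the Home Manager module installs package as given, and that the desktop file's Exec line resolves librewolf through PATH.

```nix
# Added example (not from the original post). Home Manager module fragment.
{ pkgs, ... }:
let
  # The stock nixpkgs wrapper, kept intact so its environment setup still runs.
  unwrapped = pkgs.librewolf-wayland;

  # Same store contents (desktop file, icons, ...) but bin/librewolf replaced
  # by a launcher that mirrors what the NixOS firejail module generates,
  # except that it targets the wrapper instead of the raw binary.
  jailed = pkgs.symlinkJoin {
    name = "librewolf-firejail";
    paths = [ unwrapped ];
    postBuild = ''
      rm "$out/bin/librewolf"
      cat > "$out/bin/librewolf" <<'EOF'
      #!${pkgs.runtimeShell}
      exec /run/wrappers/bin/firejail -- ${unwrapped}/bin/librewolf "$@"
      EOF
      chmod +x "$out/bin/librewolf"
    '';
  };
in
{
  programs.librewolf = {
    enable = true;
    # Only this package lands in /etc/profiles/per-user/<user>/bin, so PATH
    # lookup cannot fall back to an unsandboxed copy that shadows the jail.
    package = jailed;
    settings = {
      "webgl.disable" = true;
      "middlemouse.paste" = false;
    };
  };
}
```

With this in place the NixOS programs.firejail.wrappedBinaries.librewolf entry is redundant (only programs.firejail.enable is still needed), and after a launch, firejail --list should show the Librewolf process while readlink -f "$(command -v librewolf)" should point into the librewolf-firejail store path.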