lib.getBin pkgs.firefox-esr incorrect path

I’m trying to configure opensnitch, but having some issues with firefox-esr where ${lib.getBin pkgs.firefox-esr} returns a different nix store path than where my firefox-esr actually runs from.

lib.getBin works fine for other packages.

Any ideas?

opensnitch Config:

{
  lib,
  config,
  pkgs,
  ...
}:

{
  environment.systemPackages = with pkgs; [
    opensnitch
    opensnitch-ui
  ];

  services.opensnitch = {
    enable = true;
    rules = {
      systemd-timesyncd = {
        name = "systemd-timesyncd";
        enabled = true;
        action = "allow";
        duration = "always";
        operator = {
          type = "simple";
          sensitive = false;
          operand = "process.path";
          data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
        };
      };
      nsncd = {
        name = "nsncd";
        enabled = true;
        action = "allow";
        duration = "always";
        operator = {
          type = "simple";
          sensitive = false;
          operand = "process.path";
          data = "${lib.getBin pkgs.nsncd}/bin/nsncd";
        };
      };
      firefox = {
        name = "firefox-esr";
        enabled = true;
        action = "allow";
        duration = "always";
        operator = {
          type = "list";
          operand = "list";
          list = [
            {
              type = "simple";
              operand = "process.path";
              data = "${lib.getBin pkgs.firefox-esr}/lib/firefox/firefox";
            }
            {
              type = "regexp";
              operand = "dest.port";
              data = "^(53|80|443)$";
            }
          ];
        };
      };
    };
  };

}

For wrapped packages like Firefox, you need to find and use their unwrapped counterparts in Opensnitch rules. firefox-esr-unwrapped, in this case.

That did not work either…

Returned path by using firefox-esr-unwrapped: "/nix/store/mfhbk1awzzj22fpy64xvma9w2y20vwk6-firefox-unwrapped-128.10.0esr/lib/firefox/firefox"

Firefox is running from: "/nix/store/xz0hzvxs6an2zw34f0ki98lvv1mx23gd-firefox-128.10.0esr/lib/firefox/firefox"

I did find a workaround though, as opensnitch supports regexp for path:

type = "regexp";
operand = "process.path";
data = "^(\/nix\/store\/.*firefox.*esr\/lib\/firefox\/firefox)$";
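The wildcard pattern above is convenient, but worth checking for what else it accepts: it matches every store path whose derivation name contains "firefox" and "esr" and that ends in /lib/firefox/firefox, and any user who can build derivations on the machine can realise a path of that shape. The following Nix expression is an added example (not code from the thread); it runs the workaround pattern and a tighter alternative through builtins.match against constructed sample paths (the hashes are hypothetical, the first two paths copy the shapes seen above). Evaluate it with `nix-instantiate --eval --strict regex-check.nix`.

```nix
# Added example: compare the loose workaround regex with a tighter one.
# builtins.match uses POSIX extended regex and always matches the whole
# string, so the ^...$ anchors from the opensnitch rule are implicit here.
let
  # Loose pattern from the workaround (slash escapes dropped; '/' is not
  # special in ERE and Nix already turns "\/" into "/").
  loose = "/nix/store/.*firefox.*esr/lib/firefox/firefox";

  # Tighter pattern: exactly one 32-character store hash, then the name
  # the ESR wrapper derivation carries ("firefox-<version>esr"), nothing else.
  tight = "/nix/store/[0-9a-z]{32}-firefox-[0-9.]+esr/lib/firefox/firefox";

  # Constructed samples: the wrapper path, the unwrapped path, and a
  # look-alike derivation name that should not be trusted.
  samples = [
    "/nix/store/xz0hzvxs6an2zw34f0ki98lvv1mx23gd-firefox-128.10.0esr/lib/firefox/firefox"
    "/nix/store/mfhbk1awzzj22fpy64xvma9w2y20vwk6-firefox-unwrapped-128.10.0esr/lib/firefox/firefox"
    "/nix/store/00000000000000000000000000000000-firefox-tool-for-esr/lib/firefox/firefox"
  ];

  accepts = pattern: path: builtins.match pattern path != null;
in
  # Expected: loose accepts all three; tight accepts only the first.
  map (p: { path = p; loose = accepts loose p; tight = accepts tight p; }) samples
```

The tight pattern still trusts anything in the store whose name looks like the ESR wrapper, so it narrows the exposure rather than removing it; deriving the exact store path from the package (as the later replies in this thread work out) is the only way to pin the rule to one binary.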

I think I am running into the exact same issue! I am using LibreWolf instead of Firefox. I configure LibreWolf with Home Manager and what I see is that the store path for LibreWolf in Home Manager is a different store path to what lib.getBin pkgs.librewolf returns so none of my predefined opensnitch rules for LibreWolf work.

I cannot work out how to look up the correct nix store path for LibreWolf. Perhaps it is simple, but I haven’t been able to work it out.

@mastrboy do you also use Home Manager for configuring Firefox? I wonder if you have the same issue

It should be just librewolf-unwrapped, if librewolf doesn’t work. What are you trying?

I have figured out that the following fixes the issue

In Home Manager config set

  • programs.librewolf.package = null;
  • put pkgs.librewolf in Home Manager list of packages to install

Then “lib.getBin pkgs.librewolf” in opensnitch.nix rules references the same librewolf nix store path.

I tried using librewolf-unwrapped in opensnitch rules but that was a different store path to the one that programs.librewolf produces. I think the default package used by programs.librewolf if you don’t set package must be different to pkgs.librewolf or pkgs.librewolf-unwrapped.

I looked at the Home Manager module source code for librewolf: home-manager/modules/programs/librewolf.nix at master · nix-community/home-manager · GitHub but there is no reference to the default package in that file, so perhaps it comes from the inherited firefox module code?

Ah, I see what is going on. When you enable a Firefox-derived package via the Home Manager option (as opposed to just chucking it in home.packages, which is what I do), HM adds an additional wrapper on top of what Nixpkgs does. To get at that wrapper package, it seems that you could use config.programs.librewolf.finalPackage.

Okay, yes that must be it. Thanks for your help!

I have tried config.programs.librewolf.finalPackage in my opensnitch rules but I get the error “error: attribute ‘librewolf’ missing”. I use Home Manager via the NixOS module in my flake-based system, if that changes the path used to refer to the Home Manager version of the package?

I’m not using Home Manager for Firefox and never figured out the underlying issue, so I’m still using regex with wildcards for this in my opensnitch config.

Okay, I see - that is frustrating. I have also been unable to work out how to programmatically get the correct store path for my opensnitch rules.

I have had to resort to setting variables in my nix config to hard-coded nix store paths and then referencing those variables in my opensnitch rules. But this means any time those store paths change in the future I will need to manually work out what the new paths are and update those variables…

I think the issue comes from the fact that perhaps both pkgs.firefox-esr and pkgs.librewolf get modified by our configs in some way which means they get a different store path to the pkg in nixpkgs. But I don’t know enough about this stuff yet to know if there is a solution. Surely there is!

If I find out I will post here :grin:


For instance, I noticed that if I set the language pack for librewolf in my home manager config then the store path is different again. And the store path both prior and after that change are different from what “lib.getBin pkgs.librewolf” returns!

From a NixOS module (where config refers to your NixOS configuration instead of your HM configuration), you can reference your user’s Home Manager configuration via config.home-manager.users.[username]. So just sticking .programs.librewolf.finalPackage after that should work.


Okay, good to know! In my attempt to get it working 3 days ago, I tried many variations to guess what the correct path was. Tried to use nix repl on my system flake to then see what the path was but was unable to get that to work!

I have tried as you suggest, and it is indeed the solution:

lib.getBin config.home-manager.users.MY_USER.programs.librewolf.finalPackage

produces the correct nix store path for librewolf which is installed via home manager

Thank you so much @rhendric!! Really appreciate your help on this
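Putting the resolution together, here is a complete NixOS module as an added example (not code from the thread or from the opensnitch or Home Manager projects). It assumes Home Manager is used as a NixOS module, that the Home Manager user is called "alice" (hypothetical; substitute your own), and that the LibreWolf wrapper places the real binary at lib/librewolf/librewolf (assumed from the firefox layout seen above; confirm it with `readlink /proc/$(pgrep -o librewolf)/exe` while LibreWolf is running, or from the path opensnitch-ui shows in its prompt).

```nix
# Added example: derive the opensnitch process.path from the package
# Home Manager actually installs, instead of from pkgs.librewolf.
{ config, lib, pkgs, ... }:

let
  # Hypothetical user name; Home Manager must be configured for this user
  # as a NixOS module, or config.home-manager.users will not exist.
  hmUser = "alice";

  # finalPackage is the extra wrapper Home Manager builds on top of the
  # nixpkgs wrapper, which is why lib.getBin pkgs.librewolf (and
  # pkgs.librewolf-unwrapped) return store paths that never match.
  librewolf = config.home-manager.users.${hmUser}.programs.librewolf.finalPackage;

  # Assumed binary location inside the wrapper; verify on your system.
  librewolfExe = "${lib.getBin librewolf}/lib/librewolf/librewolf";
in
{
  services.opensnitch = {
    enable = true;
    rules.librewolf = {
      name = "librewolf";
      enabled = true;
      action = "allow";
      duration = "always";
      operator = {
        type = "list";
        operand = "list";
        list = [
          # Exact store path: only this one binary is allowed,
          # unlike a /nix/store/.*librewolf.* regexp.
          {
            type = "simple";
            operand = "process.path";
            data = librewolfExe;
          }
          {
            type = "regexp";
            operand = "dest.port";
            data = "^(53|80|443)$";
          }
        ];
      };
    };
  };
}
```

Because the rule is evaluated from the same configuration that builds the Home Manager wrapper, any change that produces a new store path (a different language pack, a LibreWolf update, a change to the wrapper) rebuilds the rule with it; no hard-coded hashes are needed. If Home Manager is used stand-alone rather than as a NixOS module, config.home-manager.users is not defined on the NixOS side and the package has to be handed across some other way.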