lib.getBin pkgs.firefox-esr incorrect path

I’m trying to configure opensnitch, but I'm having some issues with firefox-esr, where ${lib.getBin pkgs.firefox-esr} returns a different nix store path than the one my firefox-esr actually runs from.

lib.getBin works fine for other packages.

Any ideas?

opensnitch Config:

{
  lib,
  config,
  pkgs,
  ...
}:

{
  environment.systemPackages = with pkgs; [
    opensnitch
    opensnitch-ui
  ];

  services.opensnitch = {
    enable = true;
    rules = {
      systemd-timesyncd = {
        name = "systemd-timesyncd";
        enabled = true;
        action = "allow";
        duration = "always";
        operator = {
          type = "simple";
          sensitive = false;
          operand = "process.path";
          data = "${lib.getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
        };
      };
      nsncd = {
        name = "nsncd";
        enabled = true;
        action = "allow";
        duration = "always";
        operator = {
          type = "simple";
          sensitive = false;
          operand = "process.path";
          data = "${lib.getBin pkgs.nsncd}/bin/nsncd";
        };
      };
      firefox = {
        name = "firefox-esr";
        enabled = true;
        action = "allow";
        duration = "always";
        operator = {
          type = "list";
          operand = "list";
          list = [
            {
              type = "simple";
              operand = "process.path";
              data = "${lib.getBin pkgs.firefox-esr}/lib/firefox/firefox";
            }
            {
              type = "regexp";
              operand = "dest.port";
              data = "^(53|80|443)$";
            }
          ];
        };
      };
    };
  };

}

For wrapped packages like Firefox, you need to find and use their unwrapped counterparts in Opensnitch rules. firefox-esr-unwrapped, in this case.

That did not work either…

Path returned when using firefox-esr-unwrapped: "/nix/store/mfhbk1awzzj22fpy64xvma9w2y20vwk6-firefox-unwrapped-128.10.0esr/lib/firefox/firefox"

Firefox is running from: "/nix/store/xz0hzvxs6an2zw34f0ki98lvv1mx23gd-firefox-128.10.0esr/lib/firefox/firefox"

I did find a workaround though, as opensnitch supports regexp for path:

type = "regexp";
operand = "process.path";
data = "^(\/nix\/store\/.*firefox.*esr\/lib\/firefox\/firefox)$";
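Added example (not from the thread or from opensnitch): a small Python check of what the regexp workaround above actually admits as an allow rule. It runs the thread's loose pattern and a tighter alternative of my own (the hash class and version shape are my assumptions, not anything opensnitch or nixpkgs prescribes) against the two store paths quoted above plus one constructed look-alike path. The point for a host firewall rule is that `.*firefox.*esr` matches any store path with those substrings in the derivation name, including the unwrapped build and the constructed look-alike, whereas pinning the 32-character store hash and the `firefox-<version>esr` name only admits the wrapped path Firefox really runs from.

```python
import re

# Store paths quoted in the thread: the unwrapped build and the wrapped one Firefox runs from.
UNWRAPPED = "/nix/store/mfhbk1awzzj22fpy64xvma9w2y20vwk6-firefox-unwrapped-128.10.0esr/lib/firefox/firefox"
WRAPPED = "/nix/store/xz0hzvxs6an2zw34f0ki98lvv1mx23gd-firefox-128.10.0esr/lib/firefox/firefox"

# Constructed look-alike path (not a real package): same substrings, different derivation.
LOOKALIKE = "/nix/store/" + "0" * 32 + "-notfirefox-1.0esr/lib/firefox/firefox"

# The workaround's pattern as the Nix string evaluates (Nix drops the backslash before '/').
LOOSE = r"^(/nix/store/.*firefox.*esr/lib/firefox/firefox)$"

# Tighter alternative (assumption): Nix store hashes are 32 chars of the nix base-32 alphabet
# (0-9 plus a-z minus e, o, t, u), and the wrapped derivation is named firefox-<version>esr.
STRICT = r"^/nix/store/[0123456789abcdfghijklmnpqrsvwxyz]{32}-firefox-[0-9.]+esr/lib/firefox/firefox$"


def rule_matches(pattern: str, path: str) -> bool:
    """Mimic an unanchored regexp match on process.path; anchoring comes from the pattern itself."""
    return re.search(pattern, path) is not None


def evaluate(paths):
    """Return {path: (loose_matches, strict_matches)} so the two rule scopes can be compared."""
    return {p: (rule_matches(LOOSE, p), rule_matches(STRICT, p)) for p in paths}


if __name__ == "__main__":
    for path, (loose, strict) in evaluate([WRAPPED, UNWRAPPED, LOOKALIKE]).items():
        print(f"loose={loose!s:5} strict={strict!s:5} {path}")
```

Run it as-is; the loose pattern allows all three paths, the strict one only the wrapped Firefox binary. If you adopt a tighter pattern in your own rule, remember that the version part changes on every Firefox ESR update, which is exactly why the thread reaches for a regexp instead of a fixed path in the first place.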