From 18652c75802c893f97fc82af4eec5f27552097a5 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sat, 12 Mar 2022 16:42:06 +0100
Subject: [PATCH] bwrap-helper: Always bind /etc/ssl/certs

The bwrap fhs userenv uses readlink -f to resolve symlinks. It is called in the argument list of bwrap like this: --ro-bind-try $(readlink -f /etc/ssl/certs) /etc/ssl/certs Normally, readlink -f returns the passed path if there is no file at the path. However, this only works, if the parent directory of the file exists. Thus if /etc/ssl does not exist, readlink -f /etc/ssl/certs will return nothing. This causes the argument list of bwrap to be wrong (it has only one argument to --ro-bind-try when it expected two), which causes it to fail with hard to track down errors.
---
 pkgs/bwrap-helper/bwrap-helper.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/bwrap-helper/bwrap-helper.py b/pkgs/bwrap-helper/bwrap-helper.py
index 6954f84..1b9396b 100755
--- a/pkgs/bwrap-helper/bwrap-helper.py
+++ b/pkgs/bwrap-helper/bwrap-helper.py
@@ -87,6 +87,7 @@ argument_groups = {
 "--dir",
 f"/run/user/{uid}",
 *ro_bind("/etc/localtime"),
+ *ro_bind("/etc/ssl/certs"),
 "--unshare-all",
 "--die-with-parent",
 ],
@@ -174,7 +175,6 @@ argument_groups = {
 ro_bind,
 [
 "/etc/resolv.conf",
- "/etc/ssl/certs",
 ],
 ),
 ],
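Review bot: The unconditional `*ro_bind("/etc/ssl/certs")` added to the base argument group only guarantees that /etc/ssl exists inside the sandbox when the host actually has that path. `ro_bind` is defined outside this hunk, so if it skips or try-binds a missing source, the nested `readlink -f /etc/ssl/certs` would presumably still return nothing and the malformed `--ro-bind-try` argument list described in the commit message would return. Creating the parent explicitly ahead of the bind, e.g. `"--dir", "/etc/ssl",`, would make the fix independent of the host layout; confirm it does not clash with how /etc is populated elsewhere in `argument_groups`, which starts and ends outside the hunk. The line also deserves a comment, because the trust store now sits next to `--unshare-all` and looks misplaced without the reason: `# bound even without network: nested bwrap FHS envs need /etc/ssl to exist for readlink -f`.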