1 files changed, 15 insertions, 2 deletions

diff --git a/pkgs/applications/blockchains/ledger-live-desktop/default.nix b/pkgs/applications/blockchains/ledger-live-desktop/default.nix
index 4b3ba00fb9606..fc122f4923e0b 100644
--- a/pkgs/applications/blockchains/ledger-live-desktop/default.nix
+++ b/pkgs/applications/blockchains/ledger-live-desktop/default.nix
@@ -1,4 +1,4 @@
-{ lib, fetchurl, appimageTools, imagemagick }:
+{ lib, fetchurl, appimageTools, imagemagick, systemd }:
 
 let
   pname = "ledger-live-desktop";
@@ -13,9 +13,22 @@ let
   appimageContents = appimageTools.extractType2 {
     inherit name src;
   };
-in appimageTools.wrapType2 rec {
+
+  # Hotplug events from udevd are fired into the kernel, which then re-broadcasts them over a
+  # special socket, to every libudev client listening for hotplug when the kernel does that. It will
+  # try to preserve the uid of the sender but a non-root namespace (like the fhs-env) cant map root
+  # to a uid, for security reasons, so the uid of the sender becomes nobody and libudev actively
+  # rejects such messages. This patch disables that bit of security in libudev.
+  # See: https://github.com/NixOS/nixpkgs/issues/116361
+  systemdPatched = systemd.overrideAttrs ({ patches ? [ ], ... }: {
+    patches = patches ++ [ ./systemd.patch ];
+  });
+in
+appimageTools.wrapType2 rec {
   inherit name src;
 
+  extraPkgs = pkgs: [ systemdPatched ];
+
   extraInstallCommands = ''
     mv $out/bin/${name} $out/bin/${pname}
     install -m 444 -D ${appimageContents}/ledger-live-desktop.desktop $out/share/applications/ledger-live-desktop.desktop