authorMaximilian Bosch <maximilian@mbosch.me>2023-08-09 13:06:10 +0200
committerMaximilian Bosch <maximilian@mbosch.me>2023-08-10 14:06:38 +0200
commit183be440fd08476354ef35a1203cf0fcd511d2f2 (patch)
tree8299bbac0331939f3fa9dfc2bfd793d220ed2ead /nixos/modules/programs
parenta14013769370b021e23200e7199d8cfaeb97098a (diff)
nixos/captive-browser: drop setcap wrapper for captive-browser
Since Linux 5.7 it's possible to set `SO_BINDTODEVICE` via `setsockopt(2)`
as an unprivileged user, provided the operation doesn't imply escaping a VRF
interface[1].

Dropping the wrapper is actually desirable because `captive-browser`
itself doesn't drop capabilities and as a result, the capabilities are
passed on to `chromium` itself[2].

For older kernels, this is still necessary, hence the wrapper will only
be added nowadays if the kernel is older than 5.7.

[1] https://github.com/torvalds/linux/commit/c427bfec18f2190b8f4718785ee8ed2db4f84ee6
[2] https://github.com/FiloSottile/captive-browser/blob/08450562e58bf9564ee98ad64ef7b2800e53338f/bind_device_linux.go#L11-L14
    and because our setcap wrapper makes all capabilities
    inheritable.
Diffstat (limited to 'nixos/modules/programs')
-rw-r--r--nixos/modules/programs/captive-browser.nix32
1 files changed, 18 insertions, 14 deletions
diff --git a/nixos/modules/programs/captive-browser.nix b/nixos/modules/programs/captive-browser.nix
index 36ceb1a69610..032c0e71f1f4 100644
--- a/nixos/modules/programs/captive-browser.nix
+++ b/nixos/modules/programs/captive-browser.nix
@@ -7,6 +7,8 @@ let
     concatStringsSep escapeShellArgs optionalString
     literalExpression mkEnableOption mkIf mkOption mkOptionDefault types;
 
+  requiresSetcapWrapper = config.boot.kernelPackages.kernelOlder "5.7" && cfg.bindInterface;
+
   browserDefault = chromium: concatStringsSep " " [
     ''env XDG_CONFIG_HOME="$PREV_CONFIG_HOME"''
     ''${chromium}/bin/chromium''
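Review bot: `requiresSetcapWrapper` is computed at evaluation time from `config.boot.kernelPackages`, not from the kernel that is actually running, and the added line does not say so. After switching to a configuration whose kernel is 5.7 or newer but before rebooting, the wrapper would presumably already be gone while the old kernel still demands CAP_NET_RAW for `SO_BINDTODEVICE`. A comment above the binding would record this, for example `# Checked against the configured kernel, not the running one; a reboot may be needed after crossing 5.7.` The `let` block starts and ends outside this hunk.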
@@ -23,11 +25,23 @@ let
   desktopItem = pkgs.makeDesktopItem {
     name = "captive-browser";
     desktopName = "Captive Portal Browser";
-    exec = "/run/wrappers/bin/captive-browser";
+    exec = "captive-browser";
     icon = "nix-snowflake";
     categories = [ "Network" ];
   };
 
+  captive-browser-configured = pkgs.writeShellScriptBin "captive-browser" ''
+    export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"
+    export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" ''
+      browser = """${cfg.browser}"""
+      dhcp-dns = """${cfg.dhcp-dns}"""
+      socks5-addr = """${cfg.socks5-addr}"""
+      ${optionalString cfg.bindInterface ''
+        bind-device = """${cfg.interface}"""
+      ''}
+    ''}
+    exec ${cfg.package}/bin/captive-browser
+  '';
 in
 {
   ###### interface
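Review bot: The desktop entry's `exec = "captive-browser";` now resolves through PATH, so on kernels older than 5.7 there are two candidates with the same name: the capability wrapper and the plain `captive-browser-configured` script that the next hunk adds to the package list. Which one a launcher picks depends on the wrappers directory coming first in its PATH, and if the unwrapped script wins, binding to the interface would presumably fail for lack of CAP_NET_RAW. Making the choice explicit avoids relying on search order: `exec = if requiresSetcapWrapper then "/run/wrappers/bin/captive-browser" else "captive-browser";`. The `let` block begins outside this hunk.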
@@ -101,6 +115,7 @@ in
       (pkgs.runCommand "captive-browser-desktop-item" { } ''
         install -Dm444 -t $out/share/applications ${desktopItem}/share/applications/*.desktop
       '')
+      captive-browser-configured
     ];
 
     programs.captive-browser.dhcp-dns =
@@ -131,22 +146,11 @@ in
       source = "${pkgs.busybox}/bin/udhcpc";
     };
 
-    security.wrappers.captive-browser = {
+    security.wrappers.captive-browser = mkIf requiresSetcapWrapper {
       owner = "root";
       group = "root";
       capabilities = "cap_net_raw+p";
-      source = pkgs.writeShellScript "captive-browser" ''
-        export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"
-        export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" ''
-                                  browser = """${cfg.browser}"""
-                                  dhcp-dns = """${cfg.dhcp-dns}"""
-                                  socks5-addr = """${cfg.socks5-addr}"""
-                                  ${optionalString cfg.bindInterface ''
-                                    bind-device = """${cfg.interface}"""
-                                  ''}
-                                ''}
-        exec ${cfg.package}/bin/captive-browser
-      '';
+      source = "${captive-browser-configured}/bin/captive-browser";
     };
   };
 }
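Review bot: The retained wrapper still grants `cap_net_raw+p` to a program that, per the commit message, does not drop it before starting the browser, so on kernels older than 5.7 the browser keeps inheriting the capability. The code gives no hint of this residual exposure, and a reader seeing only `mkIf requiresSetcapWrapper` may assume the inheritance problem is fully solved. A comment above `security.wrappers.captive-browser` would keep it visible, for example `# Only for kernels < 5.7: captive-browser does not drop cap_net_raw, so the spawned browser inherits it.` The enclosing `config` block starts outside this hunk.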