authorNikolay Amiantov <ab@fmap.me>2017-02-18 20:06:09 +0300
committerNikolay Amiantov <ab@fmap.me>2017-02-21 12:13:35 +0300
commit2cc4703a2d73155fe3cacb776d13468f0b9898bf (patch)
tree01a19f04f1e8bd7f18651694fbcdb7e8caaf2985 /nixos/modules/security/wrappers
parent8e5b630b49b4f76cfc096b6911dbe7cb91b653a0 (diff)
wrappers service: make /run/wrappers a mountpoint
Also remove some compatibility code because the directory in question would be
shadowed by a mountpoint anyway.
Diffstat (limited to 'nixos/modules/security/wrappers')
-rw-r--r--nixos/modules/security/wrappers/default.nix27
1 files changed, 11 insertions, 16 deletions
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 52f251876605..65d875c3a375 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -3,6 +3,8 @@ let
 
   inherit (config.security) wrapperDir wrappers;
 
+  parentWrapperDir = dirOf wrapperDir;
+
   programs =
     (lib.mapAttrsToList
       (n: v: (if v ? "program" then v else v // {program=n;}))
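Review bot: `parentWrapperDir = dirOf wrapperDir` on L33 is also the key used for the `boot.specialFileSystems` entry added elsewhere in this commit, so if `security.wrapperDir` can be set to a path only one level deep (for example `/run/setuid-wrappers`), `parentWrapperDir` becomes `/run` and a fresh tmpfs would be mounted over `/run` itself. An evaluation-time assertion would make that misconfiguration explicit rather than discovered at activation, e.g. `assertions = [ { assertion = parentWrapperDir != "/run" && parentWrapperDir != "/"; message = "security.wrapperDir must be at least two directory levels deep"; } ];`. Whether the option is user-settable cannot be confirmed from this hunk; its definition lies outside it.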
@@ -15,8 +17,7 @@ let
     hardeningEnable = [ "pie" ];
     installPhase = ''
       mkdir -p $out/bin
-      parentWrapperDir=$(dirname ${wrapperDir})
-      gcc -Wall -O2 -DWRAPPER_DIR=\"$parentWrapperDir\" \
+      gcc -Wall -O2 -DWRAPPER_DIR=\"${parentWrapperDir}\" \
           -lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper
     '';
   };
@@ -156,6 +157,11 @@ in
 
     security.wrappers.fusermount.source = "${pkgs.fuse}/bin/fusermount";
 
+    boot.specialFileSystems.${parentWrapperDir} = {
+      fsType = "tmpfs";
+      options = [ "nodev" ];
+    };
+
     # Make sure our wrapperDir exports to the PATH env variable when
     # initializing the shell
     environment.extraInit = ''
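Review bot: The tmpfs declared on L52-L55 is given only `nodev`, so it will be created with tmpfs's default `mode=1777`, leaving the directory that holds the setuid wrapper tree and the `${wrapperDir}` symlink world-writable (sticky). The sticky bit stops unprivileged users from unlinking or renaming over the root-owned symlink, but they can still populate `${parentWrapperDir}` with arbitrary entries, which a directory of privileged binaries should not allow. I would pin the mode explicitly: `options = [ "nodev" "mode=755" ];`. A short comment that `nosuid`/`noexec` are intentionally absent because the wrappers are setuid binaries executed from here would keep a later hardening pass from adding them.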
@@ -183,19 +189,15 @@ in
           # Remove the old /run/setuid-wrappers-dir path from the
           # system as well...
           #
-          # TDOO: this is only necessary for ugprades 16.09 => 17.x;
+          # TODO: this is only necessary for ugprades 16.09 => 17.x;
           # this conditional removal block needs to be removed after
           # the release.
           if [ -d /run/setuid-wrapper-dirs ]; then
             rm -rf /run/setuid-wrapper-dirs
           fi
 
-          # Get the "/run/wrappers" path, we want to place the tmpdirs
-          # for the wrappers there
-          parentWrapperDir="$(dirname ${wrapperDir})"
-
-          mkdir -p "$parentWrapperDir"
-          wrapperDir=$(mktemp --directory --tmpdir="$parentWrapperDir" wrappers.XXXXXXXXXX)
+          # We want to place the tmpdirs for the wrappers to the parent dir.
+          wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
           chmod a+rx $wrapperDir
 
           ${lib.concatStringsSep "\n" mkWrappedPrograms}
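Review bot: With the `mkdir -p` removed, the `mktemp` on L79 now silently depends on `${parentWrapperDir}` already being mounted and writable; if it is not (the activation snippet running before the special filesystems are mounted, or a mount failure), `$wrapperDir` is empty and the `chmod a+rx $wrapperDir` on L80 and the later `ln`/`mv` calls operate on an empty argument. I would fail fast, `wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) || { echo "wrappers: ${parentWrapperDir} is not available" >&2; exit 1; }`, and make sure this activation script is ordered after the special-filesystem mounts (its `stringAfter` dependency list lies outside this hunk). The TODO comment on L65 still reads `ugprades`. The enclosing activation script starts before this hunk and continues after it.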
@@ -207,13 +209,6 @@ in
             ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
             mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
             rm --force --recursive $old
-          elif [ -d ${wrapperDir} ]; then
-            # Compatibility with old state, just remove the folder and symlink
-            rm -f ${wrapperDir}/*
-            # if it happens to be a tmpfs
-            ${pkgs.utillinux}/bin/umount ${wrapperDir} || true
-            rm -d ${wrapperDir}
-            ln -d --symbolic $wrapperDir ${wrapperDir}
           else
             # For initial setup
             ln --symbolic $wrapperDir ${wrapperDir}