diff options
| author | Parnell Springmeyer <parnell@digitalmentat.com> | 2017-01-29 01:27:11 -0600 |
|---|---|---|
| committer | Parnell Springmeyer <parnell@digitalmentat.com> | 2017-01-29 01:27:11 -0600 |
| commit | 5077699605fae8840afe1a066a37412e7ea9206f (patch) | |
| tree | 050729cd6afb3bb9cb4bf2a054f994d1950ab8ad /nixos/modules/security/wrappers | |
| parent | 0707a3eaa2ce33e8f490fff474c168a33dc1b5f5 (diff) | |
| download | nixlib-5077699605fae8840afe1a066a37412e7ea9206f.tar nixlib-5077699605fae8840afe1a066a37412e7ea9206f.tar.gz nixlib-5077699605fae8840afe1a066a37412e7ea9206f.tar.bz2 nixlib-5077699605fae8840afe1a066a37412e7ea9206f.tar.lz nixlib-5077699605fae8840afe1a066a37412e7ea9206f.tar.xz nixlib-5077699605fae8840afe1a066a37412e7ea9206f.tar.zst nixlib-5077699605fae8840afe1a066a37412e7ea9206f.zip | |
Derp derp
Diffstat (limited to 'nixos/modules/security/wrappers')
| -rw-r--r-- | nixos/modules/security/wrappers/default.nix | 46 |
1 files changed, 22 insertions, 24 deletions
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index b71e3d219855..a93db916fad8 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -1,9 +1,15 @@ { config, lib, pkgs, ... }: let - inherit (config.security) wrapperDir; + inherit (config.security) wrapperDir wrappers setuidPrograms; + + programs = + (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) + setuidPrograms) + ++ lib.mapAttrsToList + (n: v: (if v ? "program" then v else v // {program=n;})) + wrappers; - wrappers = config.security.wrappers; mkWrapper = { program, source ? null, ...}: '' if ! source=${if source != null then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then # If we can't find the program, fall back to the @@ -21,7 +27,7 @@ let unpackPhase = "true"; installPhase = '' mkdir -p $out/bin - ${lib.concatMapStrings mkWrapper wrappers} + ${lib.concatMapStrings (builtins.map mkWrapper programs)} ''; }; @@ -70,6 +76,18 @@ let chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program} ''; + + mkWrappedPrograms = + builtins.map + (s: if (s ? "capabilities") + then mkSetcapProgram s + else if + (s ? "setuid" && s.setuid == true) || + (s ? "setguid" && s.setguid == true) || + (s ? "permissions") + then mkSetuidProgram s + else "" + ) programs; in { @@ -157,27 +175,7 @@ in ###### setcap activation script system.activationScripts.wrappers = - let - programs = - (map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) - config.security.setuidPrograms) - ++ lib.mapAttrsToList - (n: v: (if v ? "program" then v else v // {program=n;})) - wrappers; - - mkWrappedPrograms = - builtins.map - (s: if (s ? "capabilities") - then mkSetcapProgram s - else if - (s ? "setuid" && s.setuid == true) || - (s ? "setguid" && s.setguid == true) || - (s ? "permissions") - then mkSetuidProgram s - else "" - ) programs; - - in lib.stringAfter [ "users" ] + lib.stringAfter [ "users" ] '' # Look in the system path and in the default profile for # programs to be wrapped. |