author | Parnell Springmeyer <parnell@digitalmentat.com> | 2017-01-26 00:05:40 -0800 |
---|---|---|
committer | Parnell Springmeyer <parnell@digitalmentat.com> | 2017-01-26 00:05:40 -0800 |
commit | 025555d7f1a0fc39ea152b03e942002e1bff1721 (patch) | |
tree | 82f3d014c8848ecc9f6f26958c9f99f83da0bc65 /nixos/modules/security | |
parent | bae00e8aa8f3faff90e28e19cd5074b8c26d0d0e (diff) | |
More fixes and improvements
Diffstat (limited to 'nixos/modules/security')
3 files changed, 18 insertions, 13 deletions
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix
index 76a22b4f6038..2f60d54fd770 100644
--- a/nixos/modules/security/permissions-wrappers/default.nix
+++ b/nixos/modules/security/permissions-wrappers/default.nix
@@ -154,6 +154,10 @@ in
 export PATH="${config.security.permissionsWrapperDir}:$PATH"
 '';
+ system.activationScripts.wrapper-dir = ''
+ mkdir -p "${config.security.permissionsWrapperDir}"
+ '';
+
 ###### setcap activation script
 system.activationScripts.setcap = lib.stringAfter [ "users" ]
diff --git a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix
index adae9009fbe2..04cae3c84931 100644
--- a/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix
+++ b/nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix
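Review bot: The new `wrapper-dir` activation script creates the directory that will hold the setcap and setuid wrappers with a bare `mkdir -p`, so its mode depends on the activation umask, and nothing in this hunk orders it before the `setcap` script that presumably populates it. Because the directory holds privilege-granting binaries, the mode should be explicit — `mkdir -p -m 755 "${config.security.permissionsWrapperDir}"` — and the consumers should declare the dependency, e.g. `system.activationScripts.setcap = lib.stringAfter [ "users" "wrapper-dir" ]` (and likewise for the setuid script, which is outside this hunk). If an ordering elsewhere in the module already guarantees this, a one-line comment on the new script saying so would spare the next reader the same question. The enclosing attribute set continues outside the hunk.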
@@ -5,17 +5,17 @@ let
 # Produce a shell-code splice intended to be stitched into one of
 # the build or install phases within the derivation.
- mkSetcapWrapper = { program, source ? null, ...}:
- ''
- if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
- # If we can't find the program, fall back to the
- # system profile.
- source=/nix/var/nix/profiles/default/bin/${program}
- fi
+ mkSetcapWrapper = { program, source ? null, ...}: ''
+ if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
+ # If we can't find the program, fall back to the
+ # system profile.
+ source=/nix/var/nix/profiles/default/bin/${program}
+ fi
- gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
- -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper
- '';
+ gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
+ -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
+ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
+ '';
 in
 # This is only useful for Linux platforms and a kernel version of
@@ -26,7 +26,7 @@ assert lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.
 pkgs.stdenv.mkDerivation {
 name = "setcap-wrapper";
 unpackPhase = "true";
- buildInputs = [ pkgs.linuxHeaders pkgs.libcap pkgs.libcap_ng ];
+ buildInputs = [ pkgs.linuxHeaders ];
 installPhase = ''
 mkdir -p $out/bin
diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
index e244364aa45b..273aaf2a88a3 100644
--- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
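Review bot: In the re-indented `mkSetcapWrapper`, when `type -tP` cannot find the program the splice silently sets `source` to `/nix/var/nix/profiles/default/bin/${program}` and still compiles a wrapper with that mutable profile path baked in as `SOURCE_PROG`, so a wrapper that will carry file capabilities would — if `permissions-wrapper.c` execs `SOURCE_PROG` directly, which is not visible in this diff — run whatever that symlink points to at run time rather than a fixed store path. For a privileged wrapper the safer default is to fail the build when the program cannot be located, e.g. replacing the fallback with `echo "mkSetcapWrapper: cannot locate ${program}" >&2; exit 1`, or at minimum to pass the fallback through `readlink -f` as the primary path already is. The second hunk drops `pkgs.libcap` and `pkgs.libcap_ng` from `buildInputs` in favour of explicit `-L`/`-I` flags, which keeps working because the interpolated store paths are still referenced, but `-I ${pkgs.linuxHeaders}/include` duplicates what `pkgs.linuxHeaders` in `buildInputs` already provides. The `let` binding and the derivation both continue outside these hunks.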
+++ b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
@@ -13,8 +13,9 @@ let
 source=/nix/var/nix/profiles/default/bin/${program}
 fi
- gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
- -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper
+ gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
+ -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
+ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
 '';
 in |
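Review bot: The new `gcc` line in `setuid-wrapper-drv.nix` defines `-DWRAPPER_SETCAP=1` where the removed line defined `-DWRAPPER_SETUID=1`, so the setuid wrapper derivation is now compiled with the setcap variant of `permissions-wrapper.c`; given the file name and the removed line this reads as a copy-paste from `setcap-wrapper-drv.nix` rather than an intended change. Restore the define on the first new line: `gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \`. How the two macros select behaviour inside `permissions-wrapper.c` is not visible here, but a binary that is installed setuid yet built for the setcap code path would at best fail and at worst exercise privilege along a path never reviewed for it, so the C side is worth a quick check as well. The enclosing `let` binding starts outside the hunk.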