author | Parnell Springmeyer <parnell@digitalmentat.com> | 2017-01-26 00:32:59 -0800 |
---|---|---|
committer | Parnell Springmeyer <parnell@digitalmentat.com> | 2017-01-26 00:32:59 -0800 |
commit | a20e65724bad6472bbf40080955ecc5d0bb351e6 (patch) | |
tree | 9cca2db712a74eca59e59e0dbe74d28812cb813f /nixos/modules/security | |
parent | 025555d7f1a0fc39ea152b03e942002e1bff1721 (diff) | |
Fixing
Diffstat (limited to 'nixos/modules/security')
3 files changed, 46 insertions, 49 deletions
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix
index 2f60d54fd770..2ec1e91cee9f 100644
--- a/nixos/modules/security/permissions-wrappers/default.nix
+++ b/nixos/modules/security/permissions-wrappers/default.nix
@@ -66,6 +66,39 @@ let
 chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program}
 '';
+
+ mkActivationScript = programsToWrap:
+ lib.stringAfter [ "users" ]
+ ''
+ # Look in the system path and in the default profile for
+ # programs to be wrapped.
+ PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
+
+ mkdir -p /run/permissions-wrapper-dirs
+ permissionsWrapperDir=$(mktemp --directory --tmpdir=/run/permissions-wrapper-dirs permissions-wrappers.XXXXXXXXXX)
+ chmod a+rx $permissionsWrapperDir
+
+ ${programsToWrap}
+
+ if [ -L ${permissionsWrapperDir} ]; then
+ # Atomically replace the symlink
+ # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
+ old=$(readlink ${permissionsWrapperDir})
+ ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp
+ mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir}
+ rm --force --recursive $old
+ elif [ -d ${permissionsWrapperDir} ]; then
+ # Compatibility with old state, just remove the folder and symlink
+ rm -f ${permissionsWrapperDir}/*
+ # if it happens to be a tmpfs
+ ${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true
+ rm -d ${permissionsWrapperDir}
+ ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
+ else
+ # For initial setup
+ ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
+ fi
+ '';
 in
 {
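Review bot: The shell variable `$permissionsWrapperDir` assigned from `mktemp` shares its name with the Nix interpolation `${permissionsWrapperDir}`, and the context line at the top of this hunk (`chmod ... ${permissionsWrapperDir}/${program}`) still targets the Nix-interpolated path. If the other slices passed in as `${programsToWrap}` do the same (they are outside the hunk), the wrappers are written into the live directory while the new temp directory is swapped in empty, and `rm --force --recursive $old` then deletes the populated one. Rename the shell variable, for example `wrapperDir=$(mktemp ...)`, and have the slices write to `$wrapperDir/${program}` so the two cannot be confused. The recursive remove should also quote `$old` and confirm it lies under the temp root first, e.g. `case "$old" in /run/permissions-wrapper-dirs/*) rm --force --recursive "$old";; esac`.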
@@ -160,45 +193,10 @@ in
 ###### setcap activation script
 system.activationScripts.setcap =
- lib.stringAfter [ "users" ]
- ''
- # Look in the system path and in the default profile for
- # programs to be wrapped.
- PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
-
- # When a program is removed from the security.permissionsWrappers.setcap
- # list we have to remove all of the previous program wrappers
- # and re-build them minus the wrapper for the program removed,
- # hence the rm here in the activation script.
-
- rm -f ${permissionsWrapperDir}/*
-
- # Concatenate the generated shell slices to configure
- # wrappers for each program needing specialized capabilities.
-
- ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)}
- '';
+ mkActivationScript (lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap));
 ###### setuid activation script
 system.activationScripts.setuid =
- lib.stringAfter [ "users" ]
- ''
- # Look in the system path and in the default profile for
- # programs to be wrapped.
- PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
-
- # When a program is removed from the security.permissionsWrappers.setcap
- # list we have to remove all of the previous program wrappers
- # and re-build them minus the wrapper for the program removed,
- # hence the rm here in the activation script.
-
- rm -f ${permissionsWrapperDir}/*
-
- # Concatenate the generated shell slices to configure
- # wrappers for each program needing specialized capabilities.
-
- ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)}
- '';
-
+ mkActivationScript (lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid));
 };
 }
diff --git a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
index effdaa930963..3cb5bb4f5603 100644
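Review bot: Both `system.activationScripts.setcap` and `system.activationScripts.setuid` now expand `mkActivationScript`, so each one creates its own temp directory and repoints the single `${permissionsWrapperDir}` symlink. With the swap logic from the first hunk, whichever script runs second would run `rm --force --recursive $old` on the directory the first one just installed, which would leave only one family of wrappers reachable. A single activation script that receives both lists avoids this, e.g. `mkActivationScript (lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap) + lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid))`. The enclosing attribute set starts outside this hunk.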
--- a/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
+++ b/nixos/modules/security/permissions-wrappers/permissions-wrapper.c
@@ -211,7 +211,7 @@ int main(int argc, char * * argv)
 // Read the capabilities set on the file and raise them in to the
 // Ambient set so the program we're wrapping receives the
 // capabilities too!
- assert(!make_caps_ambient(selfPath));
+ if (strcmp(wrapperType, "setcap") == 0) assert(!make_caps_ambient(selfPath));
 execve(sourceProg, argv, environ);
diff --git a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
index 273aaf2a88a3..3bf3effb801a 100644
--- a/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
+++ b/nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
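Review bot: The call to `make_caps_ambient(selfPath)` sits inside `assert()`, so any build that defines `NDEBUG` would compile the call away and `execve` would run the wrapped program without the ambient capabilities and without an error. The gcc command line visible in this commit does not define `NDEBUG`, but a privilege-setup step should not depend on that. Make the check explicit, for example `if (strcmp(wrapperType, "setcap") == 0 && make_caps_ambient(selfPath) != 0) { fprintf(stderr, "cannot raise ambient capabilities\n"); return 1; }`. `wrapperType` and the rest of `main` are outside this hunk; if `wrapperType` comes from the `WRAPPER_SETCAP`/`WRAPPER_SETUID` defines, an `#ifdef` would settle this at compile time instead of with a runtime `strcmp`.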
@@ -5,18 +5,17 @@ let
 # Produce a shell-code splice intended to be stitched into one of
 # the build or install phases within the derivation.
- mkSetuidWrapper = { program, source ? null, ...}:
- ''
- if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
- # If we can't find the program, fall back to the
- # system profile.
- source=/nix/var/nix/profiles/default/bin/${program}
- fi
+ mkSetuidWrapper = { program, source ? null, ...}: ''
+ if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
+ # If we can't find the program, fall back to the
+ # system profile.
+ source=/nix/var/nix/profiles/default/bin/${program}
+ fi
- gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
- -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
- -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
- '';
+ gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
+ -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
+ -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
+ '';
 in
 # This is only useful for Linux platforms and a kernel version of |
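Review bot: `$source` and `${program}` are spliced into the shell unquoted in `mkSetuidWrapper`: `-DSOURCE_PROG=\"$source\"` word-splits on a path containing whitespace, and `type -tP ${program}` and `-o $out/bin/${program}.wrapper` take the option value verbatim. These lines are carried over from the old side, but they decide which binary a setuid wrapper will exec, so they are worth tightening: write the define as `"-DSOURCE_PROG=\"$source\""` and pass the name through `lib.escapeShellArg program`. The fallback `source=/nix/var/nix/profiles/default/bin/${program}` is also compiled in without checking that it exists; a `[ -x "$source" ]` test that fails the build would surface a missing program early. The surrounding `let` block starts outside this hunk.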