diff options
Diffstat (limited to 'nixos/modules/security/permissions-wrappers/default.nix')
-rw-r--r-- | nixos/modules/security/permissions-wrappers/default.nix | 48 |
1 files changed, 27 insertions, 21 deletions
diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index 5d4634daf78b..6b0570faa402 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -3,10 +3,17 @@ let inherit (config.security) permissionsWrapperDir; + isNotNull = v: if v != null then true else false; + cfg = config.security.permissionsWrappers; - setcapWrappers = import ./setcap-wrapper-drv.nix { }; - setuidWrappers = import ./setuid-wrapper-drv.nix { }; + setcapWrappers = import ./setcap-wrapper-drv.nix { + inherit config lib pkgs; + }; + + setuidWrappers = import ./setuid-wrapper-drv.nix { + inherit config lib pkgs; + }; ###### Activation script for the setcap wrappers configureSetcapWrapper = @@ -16,8 +23,7 @@ let , owner ? "nobody" , group ? "nogroup" , setcap ? false - }: - '' + }: '' cp ${setcapWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program} # Prevent races @@ -43,22 +49,22 @@ let ''; ###### Activation script for the setuid wrappers - makeSetuidWrapper = + configureSetuidWrapper = { program , source ? null , owner ? "nobody" + # Legacy code I can't find :( + , user ? null , group ? "nogroup" , setuid ? false , setgid ? false , permissions ? "u+rx,g+x,o+x" - }: - - '' + }: '' cp ${setuidWrappers}/bin/${program}.wrapper ${permissionsWrapperDir}/${program} # Prevent races chmod 0000 ${permissionsWrapperDir}/${program} - chown ${owner}.${group} ${permissionsWrapperDir}/${program} + chown ${if user != null then user else owner}.${group} ${permissionsWrapperDir}/${program} chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program} ''; @@ -68,12 +74,12 @@ in ###### interface options = { - security.permissionsWrappers.setcap = mkOption { - type = types.listOf types.attrs; + security.permissionsWrappers.setcap = lib.mkOption { + type = lib.types.listOf lib.types.attrs; default = []; example = [ { program = "ping"; - source = "${pkgs.iputils.out}/bin/ping" + source = "${pkgs.iputils.out}/bin/ping"; owner = "nobody"; group = "nogroup"; setcap = true; @@ -106,12 +112,12 @@ in ''; }; - security.permissionsWrappers.setuid = mkOption { - type = types.listOf types.attrs; + security.permissionsWrappers.setuid = lib.mkOption { + type = lib.types.listOf lib.types.attrs; default = []; example = [ { program = "sendmail"; - source = "${pkgs.sendmail.bin}/bin/sendmail"; + source = "/nix/store/.../bin/sendmail"; owner = "nobody"; group = "postdrop"; setuid = false; @@ -126,8 +132,8 @@ in ''; }; - security.permissionsWrapperDir = mkOption { - type = types.path; + security.permissionsWrapperDir = lib.mkOption { + type = lib.types.path; default = "/var/permissions-wrappers"; internal = true; description = '' @@ -152,7 +158,7 @@ in ###### setcap activation script system.activationScripts.setcap = - stringAfter [ "users" ] + lib.stringAfter [ "users" ] '' # Look in the system path and in the default profile for # programs to be wrapped. @@ -168,12 +174,12 @@ in # Concatenate the generated shell slices to configure # wrappers for each program needing specialized capabilities. - ${concatMapStrings configureSetcapWrapper cfg.setcap} + ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)} ''; ###### setuid activation script system.activationScripts.setuid = - stringAfter [ "users" ] + lib.stringAfter [ "users" ] '' # Look in the system path and in the default profile for # programs to be wrapped. @@ -189,7 +195,7 @@ in # Concatenate the generated shell slices to configure # wrappers for each program needing specialized capabilities. - ${concatMapStrings configureSetuidWrapper cfg.setuid} + ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)} ''; }; |