42 lines
1.9 KiB
Nix
42 lines
1.9 KiB
Nix
|
{ pkgs, ... }:
|
||
|
{
|
||
|
sane.programs.bubblewrap = {
|
||
|
packageUnwrapped = pkgs.bubblewrap.overrideAttrs (base: {
|
||
|
# patches = (base.patches or []) ++ [
|
||
|
# (pkgs.fetchpatch {
|
||
|
# url = "https://git.uninsane.org/colin/bubblewrap/commit/9843f9b2b5f086563fd37250658d69350a2939be.patch";
|
||
|
# name = "enable debug logging and add a bunch more tracing";
|
||
|
# hash = "sha256-AlDsqddaBahhqGibZlCjgmChuK7mmxDt0aYHNgY05OI=";
|
||
|
# })
|
||
|
# ];
|
||
|
postPatch = (base.postPatch or "") + ''
|
||
|
# bwrap doesn't like to be invoked with any capabilities, which is troublesome if i
|
||
|
# want to do things like ship CAP_NET_ADMIN,CAP_NET_RAW in the ambient set for tools like Wireshark.
|
||
|
# but this limitation of bwrap is artificial and at first look is just a scenario the author probably
|
||
|
# never expected: patch out the guard check.
|
||
|
#
|
||
|
# see: <https://github.com/containers/bubblewrap/issues/397>
|
||
|
substituteInPlace bubblewrap.c --replace \
|
||
|
'die ("Unexpected capabilities but not setuid, old file caps config?");' \
|
||
|
'// die ("Unexpected capabilities but not setuid, old file caps config?");'
|
||
|
|
||
|
# bwrap bin/foo produces two processes:
|
||
|
# - the parent (occupies the namespace from which it's called)
|
||
|
# - the child (occupies new namespaces, created for it by the parent).
|
||
|
# this patch changes the parent to not drop *all* privs, hoping that this would allow
|
||
|
# privileged sandboxes to do privileged net operations.
|
||
|
# but in actuality, processes within a child namespace can *NEVER* have capabilities within
|
||
|
# their parent namespace.
|
||
|
# substituteInPlace bubblewrap.c --replace \
|
||
|
# 'drop_privs (FALSE, FALSE)' \
|
||
|
# 'drop_privs (TRUE, FALSE)'
|
||
|
|
||
|
# enable debug printing
|
||
|
# substituteInPlace utils.h --replace \
|
||
|
# '#define __debug__(x)' \
|
||
|
# '#define __debug__(x) printf x'
|
||
|
'';
|
||
|
});
|
||
|
};
|
||
|
}
|