programs: unl0kr: sandbox

2024-02-20 13:29:06 +00:00 · 2024-02-20 13:29:06 +00:00 · 58db553c84
commit 58db553c84
parent 2ea3776d84
1 changed files with 28 additions and 0 deletions
--- a/hosts/common/programs/unl0kr/default.nix
+++ b/hosts/common/programs/unl0kr/default.nix
@ -10,6 +10,7 @@ let
  launcher = pkgs.writeShellApplication {
    name = "unl0kr-login";
    runtimeInputs = [
+      # TODO: since this invokes `login`, adding these deps to PATH is questionable
      cfg.package
      pkgs.shadow
      redirect-tty
@ -99,8 +100,28 @@ in
        sleep ${builtins.toString cfg.config.delay} && exec ${cfg.config.afterLogin}
      fi
    '');
+
+    # N.B.: this sandboxing applies to `unl0kr` itself -- the on-screen-keyboard;
+    #       NOT to the wrapper which invokes `login`.
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistDri = true;
+    sandbox.extraPaths = [
+      "/dev/fb0"
+      "/dev/input"
+      "/run/udev"
+      "/sys/class/input"
+      "/sys/devices"
+      #v without /dev/tty0, it fails to fully take over the tty (even though it's ostensibly running on ${cfg.config.vt})
+      # and your password is dumped to the framebuffer.
+      # it still *works*, but wow, kinda weird and concerning
+      "/dev/tty0"
+    ];
  };

+  # unl0kr is run as root, and especially with sandboxing, needs to be installed for root if expected to work.
+  sane.programs.unl0kr.enableFor.system = lib.mkIf (builtins.any (en: en)(builtins.attrValues config.sane.programs.unl0kr.enableFor.user)) true;
+
  systemd = lib.mkIf cfg.enabled {
    # prevent nixos-rebuild from killing us after a redeploy
    services."autovt@${tty}".enable = false;
@ -110,6 +131,13 @@ in
      # N.B.: exec paths here must be absolute. neither systemd nor agetty query PATH.
      serviceConfig.ExecStart = "${pkgs.util-linux}/bin/agetty --login-program '${cfg.config.launcher}/bin/unl0kr-login' --noclear --skip-login --keep-baud ${tty} 115200,38400,9600 $TERM";

+      path = [
+        # necessary for `sane-sandboxed` to be found. TODO: add this to every systemd service.
+        "/run/current-system/sw"  # `/bin` is appended
+      ];
+      # needed to find sane-sandbox profiles (TODO: add this to every service)
+      environment.XDG_DATA_DIRS = "/run/current-system/sw/share";
+
      serviceConfig.Type = "simple";
      serviceConfig.Restart = "always";
      serviceConfig.RestartSec = "5";