programs: sandbox {s,}waylock lockscreen

This commit is contained in:
Colin 2024-02-14 08:48:03 +00:00
parent 3eb47a9a8d
commit 677e6e679b
3 changed files with 35 additions and 2 deletions


@ -447,8 +447,16 @@ in
superTux.sandbox.whitelistWayland = true;
superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
swaylock.sandbox.method = "capshonly"; #< neither landlock nor bwrap works. pam_authenticate failed: invalid credentials. does it rely on SUID?
swaylock.sandbox.method = "bwrap";
swaylock.sandbox.wrapperType = "wrappedDerivation";
swaylock.sandbox.extraPaths = [
# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
# swaylock seems (?) to offload password checking to pam's `unix_chkpwd`,
# which needs read access to /etc/shadow. that can be either via suid bit (default; incompatible with sandbox)
# or by making /etc/shadow readable by the user (which is what i do -- check the activationScript)
"/etc/shadow"
];
swaylock.sandbox.whitelistWayland = true;
tdesktop.persist.byStore.private = [ ".local/share/TelegramDesktop" ];
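Review bot: The `"/etc/shadow"` entry in `swaylock.sandbox.extraPaths` hands the whole shadow database to the sandboxed lockscreen, and the comment above it says this only works because the activation script makes the file "readable by the user" — so the effective readership of every account's hash is whatever ownership and mode that script produces, and neither that scope nor the reason `capshonly` had to go (the removed line records `pam_authenticate failed` and asks whether SUID is involved) is stated here as a fact. The "seems (?)" hedge should be resolved before this ships, since if pam_unix really delegates to a setuid `unix_chkpwd`, a bwrap sandbox is presumably exactly what strips that privilege, which would explain the observed failure. I'd replace the two "seems (?)" comment lines with the verified mechanism and the permission actually relied on, e.g. `# pam_unix delegates to unix_chkpwd, which cannot be setuid inside the sandbox and so must read the shadow file directly; it is readable here only because makeEtcShadowSandboxable sets the file's group/mode — see that script for who else gains read access`. The identical comment block appears in the waylock hunk below; keep the two in sync or factor the explanation into one place.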


@ -6,8 +6,16 @@ let
in
{
sane.programs.waylock = {
sandbox.method = "capshonly"; # not even landlock with full access to / works.
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.extraPaths = [
# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
# waylock seems (?) to offload password checking to pam's `unix_chkpwd`,
# which needs read access to /etc/shadow. that can be either via suid bit (default; incompatible with sandbox)
# or by making /etc/shadow readable by the user (which is what i do -- check the activationScript)
"/etc/shadow"
];
sandbox.whitelistWayland = true;
};
# without a /etc/pam.d/waylock entry, you may lock but you may never *unlock* ;-)


@ -33,6 +33,23 @@ in
security.pam.mount.enable = true;
system.activationScripts.makeEtcShadowSandboxable = {
deps = [ "users" ];
text = ''
# /etc is a public config directory. secrets like /etc/shadow don't belong there.
# move /etc/shadow to a non-config directory but link to it from /etc.
# this lets me keep all of /etc public, but only expose the private shadow file to sandboxed programs selectively.
# this is technically racy, but the nixos `users` activation script is not easily patchable.
mkdir -p /var/lib/etc_secrets
cp --preserve=all --dereference /etc/shadow /var/lib/etc_secrets/shadow
chown root:wheel /var/lib/etc_secrets/shadow
ln -sf /var/lib/etc_secrets/shadow /etc/shadow
'';
};
# define this specifically so that other parts of the config can know the real location of /etc/shadow
# i.e. so that sandboxed programs which require it can indeed provision it (sane.programs.sandbox...)
sane.fs."/etc/shadow".symlink.target = "/var/lib/etc_secrets/shadow";
# pam.d ordering (auth section only):
# /etc/pam.d/greetd:
# auth optional pam_unix.so likeauth nullok # unix-early (order 11600)
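Review bot: `cp --preserve=all` copies /etc/shadow's existing mode and `chown root:wheel` then swaps the group, so who can read `/var/lib/etc_secrets/shadow` — i.e. every account's password hash — is whatever group bit the `users` script happened to produce, applied to the whole `wheel` group rather than to the lockscreen alone; the script should set the mode explicitly instead of inheriting it, and the comment should name that readership. Two further failure modes are not handled: on any activation where /etc/shadow already points at the copy, `cp --dereference` copies the file onto itself and errors out (whether that aborts activation depends on the activation shell's flags, which are not visible here), and if `passwd`/`chpasswd` replace /etc/shadow by rename, as I believe shadow-utils does, the symlink becomes a regular file and the copy goes stale, so a sandboxed lockscreen would keep accepting the old password until the next rebuild — worth confirming and at least documenting next to the "technically racy" remark. The rewrite below guards the copy with `-ef` and pins the mode; the rest of the section (the `sane.fs` target and the pam.d ordering comment, which continues past this hunk) is unchanged.
```nix
text = ''
  # … unchanged: comments, mkdir …
  # copy only when /etc/shadow is not already the secrets file (e.g. freshly rewritten
  # by `users` or by passwd); otherwise cp --dereference would copy the file onto itself.
  if ! [ /etc/shadow -ef /var/lib/etc_secrets/shadow ]; then
    cp --preserve=all --dereference /etc/shadow /var/lib/etc_secrets/shadow
  fi
  # readership is root + group wheel: set the mode explicitly rather than inheriting
  # whatever `users` produced via --preserve=all.
  chown root:wheel /var/lib/etc_secrets/shadow
  chmod 0640 /var/lib/etc_secrets/shadow
  ln -sf /var/lib/etc_secrets/shadow /etc/shadow
'';
```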