programs: sandbox {s,}waylock lockscreen
This commit is contained in:
parent
3eb47a9a8d
commit
677e6e679b
|
@ -447,8 +447,16 @@ in
|
|||
superTux.sandbox.whitelistWayland = true;
|
||||
superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
|
||||
|
||||
swaylock.sandbox.method = "capshonly"; #< neither landlock nor bwrap works. pam_authenticate failed: invalid credentials. does it rely on SUID?
|
||||
swaylock.sandbox.method = "bwrap";
|
||||
swaylock.sandbox.wrapperType = "wrappedDerivation";
|
||||
swaylock.sandbox.extraPaths = [
|
||||
# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
|
||||
# swaylock seems (?) to offload password checking to pam's `unix_chkpwd`,
|
||||
# which needs read access to /etc/shadow. that can be either via suid bit (default; incompatible with sandbox)
|
||||
# or by making /etc/shadow readable by the user (which is what i do -- check the activationScript)
|
||||
"/etc/shadow"
|
||||
];
|
||||
swaylock.sandbox.whitelistWayland = true;
|
||||
|
||||
tdesktop.persist.byStore.private = [ ".local/share/TelegramDesktop" ];
|
||||
|
||||
|
|
|
@ -6,8 +6,16 @@ let
|
|||
in
|
||||
{
|
||||
sane.programs.waylock = {
|
||||
sandbox.method = "capshonly"; # not even landlock with full access to / works.
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.extraPaths = [
|
||||
# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
|
||||
# waylock seems (?) to offload password checking to pam's `unix_chkpwd`,
|
||||
# which needs read access to /etc/shadow. that can be either via suid bit (default; incompatible with sandbox)
|
||||
# or by making /etc/shadow readable by the user (which is what i do -- check the activationScript)
|
||||
"/etc/shadow"
|
||||
];
|
||||
sandbox.whitelistWayland = true;
|
||||
};
|
||||
|
||||
# without a /etc/pam.d/waylock entry, you may lock but you may never *unlock* ;-)
|
||||
|
|
|
@ -33,6 +33,23 @@ in
|
|||
|
||||
security.pam.mount.enable = true;
|
||||
|
||||
system.activationScripts.makeEtcShadowSandboxable = {
|
||||
deps = [ "users" ];
|
||||
text = ''
|
||||
# /etc is a public config directory. secrets like /etc/shadow don't belong there.
|
||||
# move /etc/shadow to a non-config directory but link to it from /etc.
|
||||
# this lets me keep all of /etc public, but only expose the private shadow file to sandboxed programs selectively.
|
||||
# this is technically racy, but the nixos `users` activation script is not easily patchable.
|
||||
mkdir -p /var/lib/etc_secrets
|
||||
cp --preserve=all --dereference /etc/shadow /var/lib/etc_secrets/shadow
|
||||
chown root:wheel /var/lib/etc_secrets/shadow
|
||||
ln -sf /var/lib/etc_secrets/shadow /etc/shadow
|
||||
'';
|
||||
};
|
||||
# define this specifically so that other parts of the config can know the real location of /etc/shadow
|
||||
# i.e. so that sandboxed programs which require it can indeed provision it (sane.programs.sandbox...)
|
||||
sane.fs."/etc/shadow".symlink.target = "/var/lib/etc_secrets/shadow";
|
||||
|
||||
# pam.d ordering (auth section only):
|
||||
# /etc/pam.d/greetd:
|
||||
# auth optional pam_unix.so likeauth nullok # unix-early (order 11600)
|
||||
|
|
Loading…
Reference in New Issue
Block a user