colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

modules/programs: when sandboxing, use makeBinaryWrapper if supported

Browse Source
This commit is contained in:
Colin
2024-09-06 00:07:37 +00:00
parent b1b12c353d
commit 850c975321
1 changed files with 30 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
modules/programs/make-sandboxed.nix
View File

@@ -6,7 +6,8 @@
gnugrep, gnugrep,
gnused, gnused,
linkFarm, linkFarm,
makeWrapper, makeBinaryWrapper,
makeShellWrapper,
runCommandLocal, runCommandLocal,
sanebox, sanebox,
writeShellScriptBin, writeShellScriptBin,
@@ -59,7 +60,8 @@ let
# so that the unwrapped's take precendence and we limit interference (e.g. makeWrapper impl) # so that the unwrapped's take precendence and we limit interference (e.g. makeWrapper impl)
fakeSaneSandboxed fakeSaneSandboxed
gnugrep gnugrep
makeWrapper makeBinaryWrapper
makeShellWrapper
] ++ (unwrapped.nativeBuildInputs or []); ] ++ (unwrapped.nativeBuildInputs or []);
disallowedReferences = (unwrapped.disallowedReferences or []) ++ [ disallowedReferences = (unwrapped.disallowedReferences or []) ++ [
# the fake sandbox gates itself behind SANEBOX_DISABLE, so if it did end up deployed # the fake sandbox gates itself behind SANEBOX_DISABLE, so if it did end up deployed
@@ -71,14 +73,14 @@ let
assertExecutable() { assertExecutable() {
: # my programs refer to sanebox by name, not path, which triggers an over-eager assertion in nixpkgs (so, mask that) : # my programs refer to sanebox by name, not path, which triggers an over-eager assertion in nixpkgs (so, mask that)
} }
# makeDocumentedCWrapper() { makeDocumentedCWrapper() {
# # this is identical to nixpkgs' implementation, only replace execv with execvp, the latter which looks for the executable on PATH. # this is identical to nixpkgs' implementation, only replace execv with execvp, the latter which looks for the executable on PATH.
# local src=$(makeCWrapper "$@") local src=$(makeCWrapper "$@")
# src="''${src/return execv(/return execvp(}" src="''${src/return execv(/return execvp(}"
# local docs=$(docstring "$@") local docs=$(docstring "$@")
# printf '%s\n\n' "$src" printf '%s\n\n' "$src"
# printf '%s\n' "$docs" printf '%s\n' "$docs"
# } }
sandboxWrap() { sandboxWrap() {
local _dir="$1" local _dir="$1"
@@ -99,18 +101,26 @@ let
mv "$_dir/$_name" "$_dir/.sandboxed/" mv "$_dir/$_name" "$_dir/.sandboxed/"
fi fi
if [ -n "${sanebox.interpreter or ""}" ]; then
# N.B.: double `escapeShellArg`: once for the shell wrapper, and again for runtime because the shell wrapper doesn't escape. # N.B.: double `escapeShellArg`: once for the shell wrapper, and again for runtime because the shell wrapper doesn't escape.
# spotcheck this by seeing if animatch (requires a path "Holy Pangolin") works # spotcheck this by seeing if animatch (requires a path "Holy Pangolin") works
makeShellWrapper ${sanebox'} "$_dir/$_name" --suffix PATH : /run/current-system/sw/libexec/${sanebox.pname} \ makeShellWrapper ${sanebox'} "$_dir/$_name" \
--suffix PATH : /run/current-system/sw/libexec/${sanebox.pname} \
--inherit-argv0 \ --inherit-argv0 \
${lib.escapeShellArgs (lib.flatten (builtins.map (f: [ "--add-flags" (lib.escapeShellArg f) ]) extraSandboxArgs))} \ ${lib.escapeShellArgs (lib.flatten (builtins.map (f: [ "--add-flags" (lib.escapeShellArg f) ]) extraSandboxArgs))} \
--add-flags "$_dir/.sandboxed/$_name" --add-flags "$_dir/.sandboxed/$_name"
if [ -n "${sanebox.interpreter or ""}" ]; then
# `exec`ing a script with an interpreter will smash $0. instead, source it to preserve $0: # `exec`ing a script with an interpreter will smash $0. instead, source it to preserve $0:
# - <https://github.com/NixOS/nixpkgs/issues/150841#issuecomment-995589961> # - <https://github.com/NixOS/nixpkgs/issues/150841#issuecomment-995589961>
substituteInPlace "$_dir/$_name" \ substituteInPlace "$_dir/$_name" \
--replace-fail 'exec -a "$0" ' 'source ' --replace-fail 'exec -a "$0" ' 'source '
else
# we can use a binary shell wrapper since the wrapper's environment is capable of forwarding argv[0].
makeBinaryWrapper ${sanebox'} "$_dir/$_name" \
--suffix PATH : /run/current-system/sw/libexec/${sanebox.pname} \
--inherit-argv0 \
${lib.escapeShellArgs (lib.flatten (builtins.map (f: [ "--add-flags" f ]) extraSandboxArgs))} \
--add-flags "$_dir/.sandboxed/$_name"
fi fi
} }
@@ -406,6 +416,8 @@ let
local dir="$1" local dir="$1"
local binname="$2" local binname="$2"
echo "checking if $dir/$binname is sandboxed" echo "checking if $dir/$binname is sandboxed"
echo " sandboxer is ${sanebox.name}"
echo " PATH=$PATH"
# XXX: call by full path because some binaries (e.g. util-linux) would otherwise # XXX: call by full path because some binaries (e.g. util-linux) would otherwise
# be shadowed by things the nix builder implicitly puts on PATH. # be shadowed by things the nix builder implicitly puts on PATH.
# additionally, call via qemu and manually specify the interpreter *if the file has one*. # additionally, call via qemu and manually specify the interpreter *if the file has one*.
@@ -457,7 +469,7 @@ let
}; };
}); });
make-sandboxed = { pkgName, package, wrapperType, embedSandboxer ? false, extraSandboxerArgs ? [], passthru ? {} }@args: make-sandboxed = { pkgName, package, wrapperType, embedSandboxer ? false, extraSandboxerArgs ? [], passthru ? {} }:
let let
unsandboxed = package; unsandboxed = package;
sanebox' = if embedSandboxer then sanebox' = if embedSandboxer then