programs: sandbox sane-shutdown, sane-reboot

2024-02-20 13:43:05 +00:00 · 2024-02-20 13:43:05 +00:00 · 8beac8df2f
commit 8beac8df2f
parent 58db553c84
4 changed files with 34 additions and 6 deletions
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@ -121,12 +121,35 @@ in
    #   extraPaths = [ "/boot" ];
    # };

+    # it's just a thin wrapper around rsync, which is already sandboxed
+    "sane-scripts.rcp".sandbox.enable = false;
+    # but make sure rsync is always on PATH, so that we actually do get sandboxing :)
+    "sane-scripts.rcp".suggestedPrograms = [ "rsync" ];
+
+    "sane-scripts.reboot".sandbox = {
+      method = "bwrap";
+      wrapperType = "wrappedDerivation";
+      extraPaths = [
+        "/run/dbus"
+        "/run/systemd"
+      ];
+    };
+
    "sane-scripts.reclaim-disk-space".sandbox = {
      method = "bwrap";
      wrapperType = "wrappedDerivation";
      extraPaths = [ "/nix/var/nix" ];
    };

+    "sane-scripts.shutdown".sandbox = {
+      method = "bwrap";
+      wrapperType = "wrappedDerivation";
+      extraPaths = [
+        "/run/dbus"
+        "/run/systemd"
+      ];
+    };
+
    # if `tee` isn't trustworthy we have bigger problems
    "sane-scripts.sudo-redirect".sandbox.enable = false;

--- a/pkgs/additional/sane-scripts/default.nix
+++ b/pkgs/additional/sane-scripts/default.nix
@ -130,7 +130,7 @@ let
    reboot = static-nix-shell.mkBash {
      pname = "sane-reboot";
      src = ./src;
-      pkgs = [ "systemd" ];
+      pkgs = [ "nettools" "systemd" ];
    };
    reclaim-boot-space = static-nix-shell.mkPython3Bin {
      pname = "sane-reclaim-boot-space";
@ -159,7 +159,7 @@ let
    shutdown = static-nix-shell.mkBash {
      pname = "sane-shutdown";
      src = ./src;
-      pkgs = [ "inetutils" "systemd" ];
+      pkgs = [ "nettools" "systemd" ];
    };
    stop-all-servo = static-nix-shell.mkBash {
      pname = "sane-stop-all-servo";
--- a/pkgs/additional/sane-scripts/src/sane-reboot
+++ b/pkgs/additional/sane-scripts/src/sane-reboot
@ -1,11 +1,14 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p systemd
+#!nix-shell -i bash -p nettools -p systemd

 target="$1"
+shift
+
 host="$(hostname)"
 if [ "$host" = "$target" ]
 then
-  sudo reboot now
+  # N.B.: anything other than just `reboot` with no args requires `sudo` privilegs (to write to /run/systemd/)
+  reboot "$@"
 else
  echo "WRONG MACHINE. you're on $host."
  exit 1
--- a/pkgs/additional/sane-scripts/src/sane-shutdown
+++ b/pkgs/additional/sane-scripts/src/sane-shutdown
@ -1,11 +1,13 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p inetutils -p systemd
+#!nix-shell -i bash -p nettools -p systemd

 target="$1"
+shift
+
 host="$(hostname)"
 if [ "$host" = "$target" ]
 then
-  sudo shutdown now
+  shutdown now "$@"
 else
  echo "WRONG MACHINE. you're on $host."
  exit 1