diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index 0c95a8cb4..a0afed3e5 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -121,12 +121,35 @@ in
 # extraPaths = [ "/boot" ];
 # };
+ # it's just a thin wrapper around rsync, which is already sandboxed
+ "sane-scripts.rcp".sandbox.enable = false;
+ # but make sure rsync is always on PATH, so that we actually do get sandboxing :)
+ "sane-scripts.rcp".suggestedPrograms = [ "rsync" ];
+
+ "sane-scripts.reboot".sandbox = {
+ method = "bwrap";
+ wrapperType = "wrappedDerivation";
+ extraPaths = [
+ "/run/dbus"
+ "/run/systemd"
+ ];
+ };
+
 "sane-scripts.reclaim-disk-space".sandbox = {
 method = "bwrap";
 wrapperType = "wrappedDerivation";
 extraPaths = [ "/nix/var/nix" ];
 };
+ "sane-scripts.shutdown".sandbox = {
+ method = "bwrap";
+ wrapperType = "wrappedDerivation";
+ extraPaths = [
+ "/run/dbus"
+ "/run/systemd"
+ ];
+ };
+
 # if `tee` isn't trustworthy we have bigger problems
 "sane-scripts.sudo-redirect".sandbox.enable = false;
diff --git a/pkgs/additional/sane-scripts/default.nix b/pkgs/additional/sane-scripts/default.nix
index e0c2ae17e..c46b319f1 100644
--- a/pkgs/additional/sane-scripts/default.nix
+++ b/pkgs/additional/sane-scripts/default.nix
@@ -130,7 +130,7 @@ let
 reboot = static-nix-shell.mkBash {
 pname = "sane-reboot";
 src = ./src;
- pkgs = [ "systemd" ];
+ pkgs = [ "nettools" "systemd" ];
 };
 reclaim-boot-space = static-nix-shell.mkPython3Bin {
 pname = "sane-reclaim-boot-space";
@@ -159,7 +159,7 @@ let
 shutdown = static-nix-shell.mkBash {
 pname = "sane-shutdown";
 src = ./src;
- pkgs = [ "inetutils" "systemd" ];
+ pkgs = [ "nettools" "systemd" ];
 };
 stop-all-servo = static-nix-shell.mkBash {
 pname = "sane-stop-all-servo";
diff --git a/pkgs/additional/sane-scripts/src/sane-reboot b/pkgs/additional/sane-scripts/src/sane-reboot
index c5230e04a..33820560b 100755
--- a/pkgs/additional/sane-scripts/src/sane-reboot
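Review bot: The new `"sane-scripts.reboot".sandbox` and `"sane-scripts.shutdown".sandbox` attrsets are byte-for-byte identical and carry no comment on why `/run/dbus` and `/run/systemd` have to be exposed inside the bwrap sandbox, even though the sane-reboot script in this same commit singles out `/run/systemd/` as the path that needs elevated rights for non-default invocations. A one-line comment on each block, e.g. `# reboot/shutdown presumably go through the system bus (logind); /run/systemd is the path sane-reboot notes as needing privileges — confirm both are really required`, would record the reason the sandbox is widened and make a later tightening reviewable. Since the two attrsets match exactly, binding them once (e.g. `powerSandbox = { method = "bwrap"; wrapperType = "wrappedDerivation"; extraPaths = [ "/run/dbus" "/run/systemd" ]; };` in a `let`) and assigning it to both keys would keep them from drifting apart. The enclosing attrset starts and ends outside the hunk.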
+++ b/pkgs/additional/sane-scripts/src/sane-reboot
@@ -1,11 +1,14 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p systemd
+#!nix-shell -i bash -p nettools -p systemd
 target="$1"
+shift
+
 host="$(hostname)"
 if [ "$host" = "$target" ]
 then
- sudo reboot now
+ # N.B.: anything other than just `reboot` with no args requires `sudo` privilegs (to write to /run/systemd/)
+ reboot "$@"
 else
 echo "WRONG MACHINE. you're on $host."
 exit 1
diff --git a/pkgs/additional/sane-scripts/src/sane-shutdown b/pkgs/additional/sane-scripts/src/sane-shutdown
index 1e702f4a1..18ee1ea66 100755
--- a/pkgs/additional/sane-scripts/src/sane-shutdown
+++ b/pkgs/additional/sane-scripts/src/sane-shutdown
@@ -1,11 +1,13 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p inetutils -p systemd
+#!nix-shell -i bash -p nettools -p systemd
 target="$1"
+shift
+
 host="$(hostname)"
 if [ "$host" = "$target" ]
 then
- sudo shutdown now
+ shutdown now "$@"
 else
 echo "WRONG MACHINE. you're on $host."
 exit 1
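Review bot: `target` is never checked for being non-empty before the "wrong machine" guard, so running `sane-reboot` with no arguments compares `""` against `$(hostname)`, and if `hostname` fails (it now comes from `nettools` and presumably runs inside the new bwrap sandbox, so a missing package or mount makes it fail) both sides are empty, the guard passes and the machine reboots; the sane-shutdown hunk has the same shape. Changing the first line to `target="${1:?usage: sane-reboot <host> [reboot args...]}"` makes the script fail fast with no target, and `host="$(hostname)" || exit 1` would also refuse to continue when the lookup itself fails. The new comment above `reboot "$@"` has a typo, `privilegs` should read `privileges`. The `fi` closing this `if` is outside the hunk.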
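Review bot: `shutdown now "$@"` puts the caller's extra arguments after the time operand, where `shutdown` treats them as the wall message, while the parallel sane-reboot hunk uses `reboot "$@"` so its extra arguments are real options; the two scripts now give `"$@"` different meanings and neither documents it. A comment above the line, e.g. `# extra args are broadcast as the wall message; shutdown options are not passed through`, would make that contract explicit. The reasoning for dropping `sudo` that sane-reboot records in its N.B. comment is absent here; presumably the same applies, but it is worth confirming and stating. The `fi` closing this `if` is outside the hunk.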