colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

libfuse-sane: ship

Browse Source
This commit is contained in:
Colin
2024-08-03 22:59:34 +00:00
parent 74662df720
commit 90c495e74c
3 changed files with 47 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
pkgs/additional/libfuse-sane/default.nix Normal file
View File

@@ -0,0 +1,31 @@
{
fuse3
}:
let
patched = fuse3.overrideAttrs (upstream: {
outputs = upstream.outputs ++ [ "sane" ];
defaultOutput = "sane";
patches = (upstream.patches or []) ++ [
./pass_fuse_fd.patch
];
postFixup = (upstream.postFixup or "") + ''
ln -s $out/bin/mount.fuse3 $out/bin/mount.fuse3.sane
moveToOutput bin/mount.fuse3.sane "$sane"
'';
meta = (upstream.meta or {}) // {
mainProgram = "mount.fuse3.sane";
description = ''
provides `mount.fuse3.sane`, which behaves identically to `mount.fuse3` except
it supports an additional mount flag, `-o pass_fuse_fd`.
when mounting with `-o pass_fuse_fd`, `mount.fuse3.sane` opens the `/dev/fuse` device (which requires CAP_SYS_ADMIN),
and then `exec`s the userspace implementation, which inherits this file descriptor.
`mount.fuse3.sane` invokes the userspace implementation with the device argument set to something like `/dev/fd/3`, indicating which fd holds the fuse device.
the aim of this flag is to provide a clear handoff point at which the filesystem may drop CAP_SYS_ADMIN.
in this regard, it's much like `-o drop_privileges`, only it leaves the responsibility for that to the fs impl,
in case the fs needs to preserve _other_ privileges besides CAP_SYS_ADMIN.
'';
};
});
in patched.sane

15
pkgs/additional/libfuse-sane/pass_fuse_fd.patch Normal file
View File

@@ -0,0 +1,15 @@
diff --git a/util/mount.fuse.c b/util/mount.fuse.c
index b98fb2a..f46c4f7 100644
--- a/util/mount.fuse.c
+++ b/util/mount.fuse.c
@@ -327,6 +327,10 @@ int main(int argc, char *argv[])
if (strncmp(opt, "setuid=", 7) == 0) {
setuid_name = xstrdup(opt + 7);
ignore = 1;
+ } else if (strcmp(opt,
+ "pass_fuse_fd") == 0) {
+ pass_fuse_fd = 1;
+ ignore = 1;
} else if (strcmp(opt,
"drop_privileges") == 0) {
pass_fuse_fd = 1;

1
pkgs/default.nix
View File

@@ -53,6 +53,7 @@ let
lemmy-lemonade = callPackage ./additional/lemonade { }; # XXX: nixpkgs already has a `lemonade` pkg lemmy-lemonade = callPackage ./additional/lemonade { }; # XXX: nixpkgs already has a `lemonade` pkg
lgtrombetta-compass = callPackage ./additional/lgtrombetta-compass { }; lgtrombetta-compass = callPackage ./additional/lgtrombetta-compass { };
libdng = callPackage ./additional/libdng { }; libdng = callPackage ./additional/libdng { };
libfuse-sane = callPackage ./additional/libfuse-sane { };
libmegapixels = callPackage ./additional/libmegapixels { }; libmegapixels = callPackage ./additional/libmegapixels { };
lightdm-mobile-greeter = callPackage ./additional/lightdm-mobile-greeter { }; lightdm-mobile-greeter = callPackage ./additional/lightdm-mobile-greeter { };
linux-exynos5-mainline = callPackage ./additional/linux-exynos5-mainline { }; linux-exynos5-mainline = callPackage ./additional/linux-exynos5-mainline { };