libfuse-sane: ship
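--- a/pkgs/additional/libfuse-sane/default.nix
+++ b/pkgs/additional/libfuse-sane/default.nix
@@ -0,0 +1,31 @@
+{
+fuse3
+}:
+let
+patched = fuse3.overrideAttrs (upstream: {
+outputs = upstream.outputs ++ [ "sane" ];
+defaultOutput = "sane";
+patches = (upstream.patches or []) ++ [
+./pass_fuse_fd.patch
+];
+postFixup = (upstream.postFixup or "") + ''
+ln -s $out/bin/mount.fuse3 $out/bin/mount.fuse3.sane
+moveToOutput bin/mount.fuse3.sane "$sane"
+'';
+meta = (upstream.meta or {}) // {
+mainProgram = "mount.fuse3.sane";
+description = ''
+provides `mount.fuse3.sane`, which behaves identically to `mount.fuse3` except
+it supports an additional mount flag, `-o pass_fuse_fd`.
+
+when mounting with `-o pass_fuse_fd`, `mount.fuse3.sane` opens the `/dev/fuse` device (which requires CAP_SYS_ADMIN),
+and then `exec`s the userspace implementation, which inherits this file descriptor.
+`mount.fuse3.sane` invokes the userspace implementation with the device argument set to something like `/dev/fd/3`, indicating which fd holds the fuse device.
+
+the aim of this flag is to provide a clear handoff point at which the filesystem may drop CAP_SYS_ADMIN.
+in this regard, it's much like `-o drop_privileges`, only it leaves the responsibility for that to the fs impl,
+in case the fs needs to preserve _other_ privileges besides CAP_SYS_ADMIN.
+'';
+};
+});
+in patched.sane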
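Review bot: `mount.fuse3.sane` is only a symlink to `$out/bin/mount.fuse3` of the same patched build (the `ln -s` line in `postFixup`), so the patched `mount.fuse3` accepts `-o pass_fuse_fd` too, and the description's "behaves identically to `mount.fuse3` except" holds only when compared with an unpatched fuse3. Because this option leaves privilege dropping to the filesystem, I would say so next to the symlink, e.g. `# NOTE: mount.fuse3 from this build accepts pass_fuse_fd as well; only the "sane" output is exported`. The multi-paragraph text would also sit better in `meta.longDescription`, with `description` kept to a single line.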
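--- a/pkgs/additional/libfuse-sane/pass_fuse_fd.patch
+++ b/pkgs/additional/libfuse-sane/pass_fuse_fd.patch
@@ -0,0 +1,15 @@
+diff --git a/util/mount.fuse.c b/util/mount.fuse.c
+index b98fb2a..f46c4f7 100644
+--- a/util/mount.fuse.c
++++ b/util/mount.fuse.c
+@@ -327,6 +327,10 @@ int main(int argc, char *argv[])
+if (strncmp(opt, "setuid=", 7) == 0) {
+setuid_name = xstrdup(opt + 7);
+ignore = 1;
++ } else if (strcmp(opt,
++ "pass_fuse_fd") == 0) {
++ pass_fuse_fd = 1;
++ ignore = 1;
+} else if (strcmp(opt,
+"drop_privileges") == 0) {
+pass_fuse_fd = 1;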
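Review bot: The new `pass_fuse_fd` branch has no comment saying how it differs from the `drop_privileges` branch directly below it, which sets the same flag. The visible lines only set `pass_fuse_fd` and `ignore`, so, going by the package description, the helper opens `/dev/fuse` and execs the filesystem without shedding anything itself; a filesystem that never drops CAP_SYS_ADMIN then keeps running with the helper's privileges. I would add `/* hand the opened /dev/fuse fd to the fs but keep privileges: the fs itself must drop CAP_SYS_ADMIN */` above `pass_fuse_fd = 1;`. The rest of `main` (what happens for `setuid=` after option parsing, and where the fd is opened) lies outside the hunk, so how this option combines with `setuid=` cannot be checked from here and deserves a look.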
@@ -53,6 +53,7 @@ let
|
||||
lemmy-lemonade = callPackage ./additional/lemonade { }; # XXX: nixpkgs already has a `lemonade` pkg
|
||||
lgtrombetta-compass = callPackage ./additional/lgtrombetta-compass { };
|
||||
libdng = callPackage ./additional/libdng { };
|
||||
libfuse-sane = callPackage ./additional/libfuse-sane { };
|
||||
libmegapixels = callPackage ./additional/libmegapixels { };
|
||||
lightdm-mobile-greeter = callPackage ./additional/lightdm-mobile-greeter { };
|
||||
linux-exynos5-mainline = callPackage ./additional/linux-exynos5-mainline { };
|
||||
|