colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

bubblewrap: debugging

Browse Source
This commit is contained in:
Colin
2024-01-26 09:13:00 +00:00
parent 563a75e9b2
commit c4874c85b1
3 changed files with 46 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
hosts/common/programs/bubblewrap.nix Normal file
View File

@@ -0,0 +1,41 @@
{ pkgs, ... }:
{
sane.programs.bubblewrap = {
packageUnwrapped = pkgs.bubblewrap.overrideAttrs (base: {
# patches = (base.patches or []) ++ [
# (pkgs.fetchpatch {
# url = "https://git.uninsane.org/colin/bubblewrap/commit/9843f9b2b5f086563fd37250658d69350a2939be.patch";
# name = "enable debug logging and add a bunch more tracing";
# hash = "sha256-AlDsqddaBahhqGibZlCjgmChuK7mmxDt0aYHNgY05OI=";
# })
# ];
postPatch = (base.postPatch or "") + ''
# bwrap doesn't like to be invoked with any capabilities, which is troublesome if i
# want to do things like ship CAP_NET_ADMIN,CAP_NET_RAW in the ambient set for tools like Wireshark.
# but this limitation of bwrap is artificial and at first look is just a scenario the author probably
# never expected: patch out the guard check.
#
# see: <https://github.com/containers/bubblewrap/issues/397>
substituteInPlace bubblewrap.c --replace \
'die ("Unexpected capabilities but not setuid, old file caps config?");' \
'// die ("Unexpected capabilities but not setuid, old file caps config?");'
# bwrap bin/foo produces two processes:
# - the parent (occupies the namespace from which it's called)
# - the child (occupies new namespaces, created for it by the parent).
# this patch changes the parent to not drop *all* privs, hoping that this would allow
# privileged sandboxes to do privileged net operations.
# but in actuality, processes within a child namespace can *NEVER* have capabilities within
# their parent namespace.
# substituteInPlace bubblewrap.c --replace \
# 'drop_privs (FALSE, FALSE)' \
# 'drop_privs (TRUE, FALSE)'
# enable debug printing
# substituteInPlace utils.h --replace \
# '#define __debug__(x)' \
# '#define __debug__(x) printf x'
'';
});
};
}

1
hosts/common/programs/default.nix
View File

@@ -10,6 +10,7 @@
./audacity.nix ./audacity.nix
./bemenu.nix ./bemenu.nix
./brave.nix ./brave.nix
./bubblewrap.nix
./calls.nix ./calls.nix
./cantata.nix ./cantata.nix
./catt.nix ./catt.nix

5
modules/programs/default.nix
View File

@@ -368,7 +368,10 @@ in
}; };
sane.sandboxHelper = mkOption { sane.sandboxHelper = mkOption {
type = types.package; type = types.package;
default = pkgs.callPackage ./sane-sandboxed.nix {}; default = pkgs.callPackage ./sane-sandboxed.nix {
bubblewrap = cfg.bubblewrap.package;
firejail = cfg.firejail.package;
};
description = '' description = ''
`sane-sandbox` package. `sane-sandbox` package.
exposed to facilitate debugging, e.g. `nix build '.#hostConfigs.desko.sane.sandboxHelper'` exposed to facilitate debugging, e.g. `nix build '.#hostConfigs.desko.sane.sandboxHelper'`