From e7d5a610147e5166e2e55fb459b79b77018502ef Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 12 Aug 2024 10:13:50 +0000
Subject: [PATCH] libcap: split into separate `capsh` and `captree` programs, and sandbox the latter

---
 hosts/common/programs/assorted.nix | 3 +--
 hosts/common/programs/capsh.nix | 7 +++++++
 hosts/common/programs/captree.nix | 8 ++++++++
 hosts/common/programs/default.nix | 2 ++
 hosts/common/programs/sanebox.nix | 2 +-
 modules/programs/default.nix | 6 +++---
 6 files changed, 22 insertions(+), 6 deletions(-)
 create mode 100644 hosts/common/programs/capsh.nix
 create mode 100644 hosts/common/programs/captree.nix

diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 60126a829..3ff93385d 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -38,6 +38,7 @@ in
     "bridge-utils" # for brctl; debug linux "bridge" inet devices
     "btrfs-progs"
     "cacert.unbundled" # some services require unbundled /etc/ssl/certs
+    "captree"
     "cryptsetup"
     "curl"
     "ddrescue"
@@ -818,8 +819,6 @@ in
 
   libcamera = {};
 
-  libcap.packageUnwrapped = pkgs.libcap-with-captree;
-  libcap.sandbox.enable = false; #< for `capsh`, which i use as a sandboxer
   libcap_ng.sandbox.enable = false; # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
 
   libnotify.sandbox.method = "bwrap";
diff --git a/hosts/common/programs/capsh.nix b/hosts/common/programs/capsh.nix
new file mode 100644
index 000000000..cce82f80c
--- /dev/null
+++ b/hosts/common/programs/capsh.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  sane.programs.capsh = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap "capsh";
+    sandbox.enable = false; #< i use `capsh` as a sandboxer.
+  };
+}
diff --git a/hosts/common/programs/captree.nix b/hosts/common/programs/captree.nix
new file mode 100644
index 000000000..84be325f2
--- /dev/null
+++ b/hosts/common/programs/captree.nix
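Review bot: The capsh binary that the sandboxer is wired to (sanebox.nix now takes `cfg.capsh.package`) is built from `pkgs.libcap` here, whereas the removed assorted.nix line sourced it from `pkgs.libcap-with-captree`, and the commit message does not mention this change of derivation for the privilege-dropping primitive behind the landlock, pastaonly and capshonly methods. If the two derivations differ only by the Go captree build this is harmless, but the line should record that, e.g. `packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap "capsh"; #< plain libcap, not libcap-with-captree: keeps the captree (Go) build out of the sandboxer's closure`. The `sandbox.enable = false` comment would also be more useful if it named what breaks when capsh is wrapped; presumably a capsh that has already been stripped of capabilities by an outer sandbox cannot hand a narrowed set to its child, which is worth confirming and writing down, since an unsandboxed binary on PATH is exactly what a later hardening pass will try to remove.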
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  sane.programs.captree = {
+    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap-with-captree "captree";
+    sandbox.method = "bwrap";
+    sandbox.isolatePids = false;
+  };
+}
diff --git a/hosts/common/programs/default.nix b/hosts/common/programs/default.nix
index feb1e5059..0b0f8fc38 100644
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@@ -21,6 +21,8 @@
     ./callaudiod.nix
     ./calls.nix
     ./cantata.nix
+    ./capsh.nix
+    ./captree.nix
     ./catt.nix
     ./celeste64.nix
     ./chatty.nix
diff --git a/hosts/common/programs/sanebox.nix b/hosts/common/programs/sanebox.nix
index 34ef54d04..79ad61cd6 100644
--- a/hosts/common/programs/sanebox.nix
+++ b/hosts/common/programs/sanebox.nix
@@ -20,7 +20,7 @@ in
     bubblewrap = cfg.bubblewrap.package;
     iproute2 = cfg.iproute2.package;
     iptables = cfg.iptables.package;
-    libcap = cfg.libcap.package;
+    libcap = cfg.capsh.package; #< the sandboxer doesn't use any other libcap binaries
     passt = cfg.passt.package;
     landlock-sandboxer = cfg.landlock-sandboxer.package;
     # landlock-sandboxer = pkgs.landlock-sandboxer.override {
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index 5b0f82fe7..a0eb360be 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -480,11 +480,11 @@ let
       suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [
         "bubblewrap" "passt" "iproute2" "iptables"
       ] ++ lib.optionals (config.sandbox.method == "landlock") [
-        "landlock-sandboxer" "libcap"
+        "landlock-sandboxer" "capsh"
       ] ++ lib.optionals (config.sandbox.method == "pastaonly") [
-        "passt" "iproute2" "iptables" "libcap"
+        "passt" "iproute2" "iptables" "capsh"
       ] ++ lib.optionals (config.sandbox.method == "capshonly") [
-        "libcap"
+        "capsh"
       ];
       # declare a fs dependency for each secret, but don't specify how to populate it yet.
       # can't populate it here because it varies per-user.
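Review bot: `sandbox.isolatePids = false` is the one setting that makes this profile materially weaker than a default bwrap sandbox (the wrapped captree keeps sight of, and depending on the rest of the profile can signal, every host process), and the hunk gives no reason that would stop a later hardening pass from deleting it. Add the rationale inline, e.g. `sandbox.isolatePids = false; #< captree walks /proc/<pid> for host processes; a private pid namespace would hide them all`; that it actually needs the host pid namespace is inferred from what captree does and should be confirmed by running it with the default once. If the observed failure is the same /proc-visibility class as the `libcap_ng` comment in assorted.nix describes, saying so keeps the two exceptions explainable together.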
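Review bot: The sandboxer's input is still named `libcap` but now receives a package that, going by `linkBinIntoOwnPackage`, exposes only `bin/capsh`, so any other path the sandboxer script takes from `${libcap}` (the script itself is outside this diff) now fails at runtime instead of at evaluation. Renaming the input to what it carries, `capsh = cfg.capsh.package;`, and pointing the script at `${capsh}/bin/capsh` turns a future `${libcap}/bin/setcap`-style use into an unbound-name error rather than a missing file at exec time. Failing that, make the comment a contract rather than an observation: `#< exposes only bin/capsh; the sandboxer must not reference any other libcap path`.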
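Review bot: `"capsh"` is now listed separately under three of the four `sandbox.method` branches, so adding a method or dropping capsh from one of them means editing parallel lists that nothing ties together. Stating the dependency once, `++ lib.optionals (builtins.elem config.sandbox.method [ "landlock" "pastaonly" "capshonly" ]) [ "capsh" ]`, keeps the method-to-program mapping in one place, and the `"passt" "iproute2" "iptables"` triple shared by bwrap and pastaonly could be folded the same way. The `let` block enclosing `suggestedPrograms` starts outside the hunk.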