colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

libcap: split into separate capsh and captree programs, and sandbox the latter

Browse Source
This commit is contained in:
Colin
2024-08-12 10:13:50 +00:00
parent 6f47708624
commit e7d5a61014
6 changed files with 22 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
hosts/common/programs/assorted.nix
View File

@@ -38,6 +38,7 @@ in
"bridge-utils" # for brctl; debug linux "bridge" inet devices "bridge-utils" # for brctl; debug linux "bridge" inet devices
"btrfs-progs" "btrfs-progs"
"cacert.unbundled" # some services require unbundled /etc/ssl/certs "cacert.unbundled" # some services require unbundled /etc/ssl/certs
"captree"
"cryptsetup" "cryptsetup"
"curl" "curl"
"ddrescue" "ddrescue"
@@ -818,8 +819,6 @@ in
libcamera = {}; libcamera = {};
libcap.packageUnwrapped = pkgs.libcap-with-captree;
libcap.sandbox.enable = false; #< for `capsh`, which i use as a sandboxer
libcap_ng.sandbox.enable = false; # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only) libcap_ng.sandbox.enable = false; # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
libnotify.sandbox.method = "bwrap"; libnotify.sandbox.method = "bwrap";

7
hosts/common/programs/capsh.nix Normal file
View File

@@ -0,0 +1,7 @@
{ pkgs, ... }:
{
sane.programs.capsh = {
packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap "capsh";
sandbox.enable = false; #< i use `capsh` as a sandboxer.
};
}

8
hosts/common/programs/captree.nix Normal file
View File

@@ -0,0 +1,8 @@
{ pkgs, ... }:
{
sane.programs.captree = {
packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap-with-captree "captree";
sandbox.method = "bwrap";
sandbox.isolatePids = false;
};
}

2
hosts/common/programs/default.nix
View File

@@ -21,6 +21,8 @@
./callaudiod.nix ./callaudiod.nix
./calls.nix ./calls.nix
./cantata.nix ./cantata.nix
./capsh.nix
./captree.nix
./catt.nix ./catt.nix
./celeste64.nix ./celeste64.nix
./chatty.nix ./chatty.nix

2
hosts/common/programs/sanebox.nix
View File

@@ -20,7 +20,7 @@ in
bubblewrap = cfg.bubblewrap.package; bubblewrap = cfg.bubblewrap.package;
iproute2 = cfg.iproute2.package; iproute2 = cfg.iproute2.package;
iptables = cfg.iptables.package; iptables = cfg.iptables.package;
libcap = cfg.libcap.package; libcap = cfg.capsh.package; #< the sandboxer doesn't use any other libcap binaries
passt = cfg.passt.package; passt = cfg.passt.package;
landlock-sandboxer = cfg.landlock-sandboxer.package; landlock-sandboxer = cfg.landlock-sandboxer.package;
# landlock-sandboxer = pkgs.landlock-sandboxer.override { # landlock-sandboxer = pkgs.landlock-sandboxer.override {

6
modules/programs/default.nix
View File

@@ -480,11 +480,11 @@ let
suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [ suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [
"bubblewrap" "passt" "iproute2" "iptables" "bubblewrap" "passt" "iproute2" "iptables"
] ++ lib.optionals (config.sandbox.method == "landlock") [ ] ++ lib.optionals (config.sandbox.method == "landlock") [
"landlock-sandboxer" "libcap" "landlock-sandboxer" "capsh"
] ++ lib.optionals (config.sandbox.method == "pastaonly") [ ] ++ lib.optionals (config.sandbox.method == "pastaonly") [
"passt" "iproute2" "iptables" "libcap" "passt" "iproute2" "iptables" "capsh"
] ++ lib.optionals (config.sandbox.method == "capshonly") [ ] ++ lib.optionals (config.sandbox.method == "capshonly") [
"libcap" "capsh"
]; ];
# declare a fs dependency for each secret, but don't specify how to populate it yet. # declare a fs dependency for each secret, but don't specify how to populate it yet.
# can't populate it here because it varies per-user. # can't populate it here because it varies per-user.