sandboxing: add a global toggle to disable sandboxing

2024-09-15 22:34:29 +00:00
parent fe353f3417
commit e9decbbf40


@@ -301,7 +301,8 @@ let
};
sandbox.enable = mkOption {
type = types.bool;
default = true;
default = saneCfg.sandbox.enable;
apply = value: saneCfg.sandbox.enable && value;
};
sandbox.embedSandboxer = mkOption {
type = types.bool;
@@ -509,17 +510,19 @@ let
else
wrapPkg name config config.packageUnwrapped
;
suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [
"sanebox" "bubblewrap" "passt" "iproute2" "iptables"
] ++ lib.optionals (config.sandbox.method == "landlock") [
"sanebox" "landlock-sandboxer" "capsh"
] ++ lib.optionals (config.sandbox.method == "pastaonly") [
"sanebox" "passt" "iproute2" "iptables" "capsh"
] ++ lib.optionals (config.sandbox.method == "capshonly") [
"sanebox" "capsh"
] ++ lib.optionals (config.sandbox.method == "bunpen") [
"bunpen"
];
suggestedPrograms = lib.mkIf saneCfg.sandbox.enable (
lib.optionals (config.sandbox.method == "bwrap") [
"sanebox" "bubblewrap" "passt" "iproute2" "iptables"
] ++ lib.optionals (config.sandbox.method == "landlock") [
"sanebox" "landlock-sandboxer" "capsh"
] ++ lib.optionals (config.sandbox.method == "pastaonly") [
"sanebox" "passt" "iproute2" "iptables" "capsh"
] ++ lib.optionals (config.sandbox.method == "capshonly") [
"sanebox" "capsh"
] ++ lib.optionals (config.sandbox.method == "bunpen") [
"bunpen"
]
);
# declare a fs dependency for each secret, but don't specify how to populate it yet.
# can't populate it here because it varies per-user.
# this gets the symlink into the sandbox, but not the actual secret.
@@ -590,11 +593,11 @@ let
configs = lib.mapAttrsToList (name: p: {
assertions = [
{
assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || config.sane.strictSandboxing != "assert";
assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || config.sane.sandbox.strict != "assert";
message = "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false.";
}
{
assertion = p.sandbox.net == "all" || p.sandbox.method != null || !p.enabled || p.package == null || config.sane.strictSandboxing != "assert";
assertion = p.sandbox.net == "all" || p.sandbox.method != null || !p.enabled || p.package == null || config.sane.sandbox.strict != "assert";
message = ''program "${name}" requests net "${builtins.toString p.sandbox.net}", which requires sandboxing, but sandboxing wasn't configured'';
}
] ++ builtins.map (sug: {
@@ -602,7 +605,7 @@ let
message = ''program "${sug}" referenced by "${name}", but not defined'';
}) p.suggestedPrograms;
warnings = lib.mkIf (config.sane.strictSandboxing == "warn" && p.sandbox.enable && p.sandbox.method == null && p.enabled && p.package != null) [
warnings = lib.mkIf (config.sane.sandbox.strict == "warn" && p.sandbox.enable && p.sandbox.method == null && p.enabled && p.package != null) [
"program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false."
];
@@ -689,13 +692,20 @@ in
set to 0 to get the fastest, but most restrictive build.
'';
};
sane.strictSandboxing = mkOption {
sane.sandbox.strict = mkOption {
type = types.enum [ false "warn" "assert" ];
default = "warn";
description = ''
whether to require that every `sane.program` explicitly specify its sandbox settings.
'';
};
sane.sandbox.enable = mkOption {
type = types.bool;
default = true;
description = ''
whether to sandbox any programs at all
'';
};
};
config =