colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

sandboxing: add a global toggle to disable sandboxing

Browse Source
This commit is contained in:
Colin
2024-09-15 22:34:29 +00:00
parent fe353f3417
commit e9decbbf40
1 changed files with 26 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
modules/programs/default.nix
View File

@@ -301,7 +301,8 @@ let
}; };
sandbox.enable = mkOption { sandbox.enable = mkOption {
type = types.bool; type = types.bool;
default = true; default = saneCfg.sandbox.enable;
apply = value: saneCfg.sandbox.enable && value;
}; };
sandbox.embedSandboxer = mkOption { sandbox.embedSandboxer = mkOption {
type = types.bool; type = types.bool;
@@ -509,17 +510,19 @@ let
else else
wrapPkg name config config.packageUnwrapped wrapPkg name config config.packageUnwrapped
; ;
suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [ suggestedPrograms = lib.mkIf saneCfg.sandbox.enable (
"sanebox" "bubblewrap" "passt" "iproute2" "iptables" lib.optionals (config.sandbox.method == "bwrap") [
] ++ lib.optionals (config.sandbox.method == "landlock") [ "sanebox" "bubblewrap" "passt" "iproute2" "iptables"
"sanebox" "landlock-sandboxer" "capsh" ] ++ lib.optionals (config.sandbox.method == "landlock") [
] ++ lib.optionals (config.sandbox.method == "pastaonly") [ "sanebox" "landlock-sandboxer" "capsh"
"sanebox" "passt" "iproute2" "iptables" "capsh" ] ++ lib.optionals (config.sandbox.method == "pastaonly") [
] ++ lib.optionals (config.sandbox.method == "capshonly") [ "sanebox" "passt" "iproute2" "iptables" "capsh"
"sanebox" "capsh" ] ++ lib.optionals (config.sandbox.method == "capshonly") [
] ++ lib.optionals (config.sandbox.method == "bunpen") [ "sanebox" "capsh"
"bunpen" ] ++ lib.optionals (config.sandbox.method == "bunpen") [
]; "bunpen"
]
);
# declare a fs dependency for each secret, but don't specify how to populate it yet. # declare a fs dependency for each secret, but don't specify how to populate it yet.
# can't populate it here because it varies per-user. # can't populate it here because it varies per-user.
# this gets the symlink into the sandbox, but not the actual secret. # this gets the symlink into the sandbox, but not the actual secret.
@@ -590,11 +593,11 @@ let
configs = lib.mapAttrsToList (name: p: { configs = lib.mapAttrsToList (name: p: {
assertions = [ assertions = [
{ {
assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || config.sane.strictSandboxing != "assert"; assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || config.sane.sandbox.strict != "assert";
message = "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false."; message = "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false.";
} }
{ {
assertion = p.sandbox.net == "all" || p.sandbox.method != null || !p.enabled || p.package == null || config.sane.strictSandboxing != "assert"; assertion = p.sandbox.net == "all" || p.sandbox.method != null || !p.enabled || p.package == null || config.sane.sandbox.strict != "assert";
message = ''program "${name}" requests net "${builtins.toString p.sandbox.net}", which requires sandboxing, but sandboxing wasn't configured''; message = ''program "${name}" requests net "${builtins.toString p.sandbox.net}", which requires sandboxing, but sandboxing wasn't configured'';
} }
] ++ builtins.map (sug: { ] ++ builtins.map (sug: {
@@ -602,7 +605,7 @@ let
message = ''program "${sug}" referenced by "${name}", but not defined''; message = ''program "${sug}" referenced by "${name}", but not defined'';
}) p.suggestedPrograms; }) p.suggestedPrograms;
warnings = lib.mkIf (config.sane.strictSandboxing == "warn" && p.sandbox.enable && p.sandbox.method == null && p.enabled && p.package != null) [ warnings = lib.mkIf (config.sane.sandbox.strict == "warn" && p.sandbox.enable && p.sandbox.method == null && p.enabled && p.package != null) [
"program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false." "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false."
]; ];
@@ -689,13 +692,20 @@ in
set to 0 to get the fastest, but most restrictive build. set to 0 to get the fastest, but most restrictive build.
''; '';
}; };
sane.strictSandboxing = mkOption { sane.sandbox.strict = mkOption {
type = types.enum [ false "warn" "assert" ]; type = types.enum [ false "warn" "assert" ];
default = "warn"; default = "warn";
description = '' description = ''
whether to require that every `sane.program` explicitly specify its sandbox settings. whether to require that every `sane.program` explicitly specify its sandbox settings.
''; '';
}; };
sane.sandbox.enable = mkOption {
type = types.bool;
default = true;
description = ''
whether to sandbox any programs at all
'';
};
}; };
config = config =