programs: sandboxing: pass home- and runtime-relative paths to the sandboxer, instead of making absolute first

2024-05-15 08:14:49 +00:00 · 2024-05-15 08:14:49 +00:00 · ea2653b7ce
commit ea2653b7ce
parent d97f0f7300
2 changed files with 17 additions and 10 deletions
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -64,18 +64,20 @@ let
        vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);

        sandboxProfilesFor = userName: let
+          allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths;
+          allowedRunPaths = sandbox.extraRuntimePaths;
          homeDir = config.sane.users."${userName}".home;
          uid = config.users.users."${userName}".uid;
          xdgRuntimeDir = "/run/user/${builtins.toString uid}";
          fullHomePaths = lib.optionals (userName != null) (
            builtins.map
              (p: path-lib.concat [ homeDir p ])
-              (builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths)
+              allowedHomePaths
          );
-          fullRuntimePaths = lib.optionals (userName != null) (
+          fullRunPaths = lib.optionals (userName != null) (
            builtins.map
              (p: path-lib.concat [ xdgRuntimeDir p ])
-              sandbox.extraRuntimePaths
+              allowedRunPaths
          );
          allowedPaths = [
            "/nix/store"
@ -91,7 +93,8 @@ let
          ] ++ lib.optionals (config.services.resolved.enable) [
            "/run/systemd/resolve"  #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
          ] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [ "/run/dbus/system_bus_socket" ]
-            ++ sandbox.extraPaths ++ fullHomePaths ++ fullRuntimePaths;
+            ++ sandbox.extraPaths
+          ;
        in makeProfile {
          inherit pkgName;
          inherit (sandbox)
@ -109,7 +112,7 @@ let
            vpn.dns
          else
            null;
-          inherit allowedPaths;
+          inherit allowedPaths allowedHomePaths allowedRunPaths;

          symlinkCache = {
            "/bin/sh" = config.environment.binsh;
@ -140,7 +143,7 @@ let
              };
            in "${package}";
          } // (
-            symlinksToAttrs (symlinksClosure allowedPaths)
+            symlinksToAttrs (symlinksClosure (allowedPaths ++ fullHomePaths ++ fullRunPaths))
          );
        };
        defaultProfile = sandboxProfilesFor config.sane.defaultUser;
--- a/modules/programs/make-sandbox-profile.nix
+++ b/modules/programs/make-sandbox-profile.nix
@ -4,6 +4,8 @@
 { pkgName
 , method
 , allowedPaths ? []
+, allowedHomePaths ? []
+, allowedRunPaths ? []
 , symlinkCache ? {}
 , autodetectCliPaths ? false
 , capabilities ? []
@ -13,11 +15,11 @@
 , extraConfig ? []
 }:
 let
-  allowPath = p: [
-    "--sanebox-path"
+  allowPath = flavor: p: [
+    "--sanebox${flavor}-path"
    p
  ];
-  allowPaths = paths: lib.flatten (builtins.map allowPath paths);
+  allowPaths = flavor: paths: lib.flatten (builtins.map (allowPath flavor) paths);

  cacheLink = from: to: [
    "--sanebox-cache-symlink"
@ -42,7 +44,9 @@ let
    "--sanebox-method" method
  ]
    ++ netItems
-    ++ allowPaths allowedPaths
+    ++ allowPaths "" allowedPaths
+    ++ allowPaths "-home" allowedHomePaths
+    ++ allowPaths "-run" allowedRunPaths
    ++ capabilityFlags
    ++ lib.optionals (autodetectCliPaths != null) [ "--sanebox-autodetect" autodetectCliPaths ]
    ++ lib.optionals whitelistPwd [ "--sanebox-add-pwd" ]