programs: sandboxing: pass home- and runtime-relative paths to the sandboxer, instead of making absolute first
This commit is contained in:
parent
d97f0f7300
commit
ea2653b7ce
|
@ -64,18 +64,20 @@ let
|
||||||
vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
|
vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
|
||||||
|
|
||||||
sandboxProfilesFor = userName: let
|
sandboxProfilesFor = userName: let
|
||||||
|
allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths;
|
||||||
|
allowedRunPaths = sandbox.extraRuntimePaths;
|
||||||
homeDir = config.sane.users."${userName}".home;
|
homeDir = config.sane.users."${userName}".home;
|
||||||
uid = config.users.users."${userName}".uid;
|
uid = config.users.users."${userName}".uid;
|
||||||
xdgRuntimeDir = "/run/user/${builtins.toString uid}";
|
xdgRuntimeDir = "/run/user/${builtins.toString uid}";
|
||||||
fullHomePaths = lib.optionals (userName != null) (
|
fullHomePaths = lib.optionals (userName != null) (
|
||||||
builtins.map
|
builtins.map
|
||||||
(p: path-lib.concat [ homeDir p ])
|
(p: path-lib.concat [ homeDir p ])
|
||||||
(builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths)
|
allowedHomePaths
|
||||||
);
|
);
|
||||||
fullRuntimePaths = lib.optionals (userName != null) (
|
fullRunPaths = lib.optionals (userName != null) (
|
||||||
builtins.map
|
builtins.map
|
||||||
(p: path-lib.concat [ xdgRuntimeDir p ])
|
(p: path-lib.concat [ xdgRuntimeDir p ])
|
||||||
sandbox.extraRuntimePaths
|
allowedRunPaths
|
||||||
);
|
);
|
||||||
allowedPaths = [
|
allowedPaths = [
|
||||||
"/nix/store"
|
"/nix/store"
|
||||||
|
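Review bot: The `userName != null` guard no longer covers the home- and runtime-relative lists — `allowedHomePaths` and `allowedRunPaths` are built unconditionally, while only `fullHomePaths`/`fullRunPaths` keep the `lib.optionals (userName != null)` wrapper. Before this change a profile with no user whitelisted nothing under `$HOME`; now the relative entries are still handed to the sandboxer, which will presumably resolve them against whatever `HOME`/`XDG_RUNTIME_DIR` the process happens to have (the sandboxer itself is not in this diff). If that guard was deliberate, keep it on the new lists: `allowedHomePaths = lib.optionals (userName != null) (builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths);` and `allowedRunPaths = lib.optionals (userName != null) sandbox.extraRuntimePaths;`. The enclosing `sandboxProfilesFor` let-block continues past this hunk.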
@ -91,7 +93,8 @@ let
|
||||||
] ++ lib.optionals (config.services.resolved.enable) [
|
] ++ lib.optionals (config.services.resolved.enable) [
|
||||||
"/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
|
"/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
|
||||||
] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [ "/run/dbus/system_bus_socket" ]
|
] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [ "/run/dbus/system_bus_socket" ]
|
||||||
++ sandbox.extraPaths ++ fullHomePaths ++ fullRuntimePaths;
|
++ sandbox.extraPaths
|
||||||
|
;
|
||||||
in makeProfile {
|
in makeProfile {
|
||||||
inherit pkgName;
|
inherit pkgName;
|
||||||
inherit (sandbox)
|
inherit (sandbox)
|
||||||
|
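Review bot: The list's terminating `;` now sits alone on a line after `++ sandbox.extraPaths`, which reads as an unterminated expression and invites a stray `++` to be added after the semicolon. Put it back on the last element: `++ sandbox.extraPaths;`. The `allowedPaths` list this closes starts in the previous hunk.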
@ -109,7 +112,7 @@ let
|
||||||
vpn.dns
|
vpn.dns
|
||||||
else
|
else
|
||||||
null;
|
null;
|
||||||
inherit allowedPaths;
|
inherit allowedPaths allowedHomePaths allowedRunPaths;
|
||||||
|
|
||||||
symlinkCache = {
|
symlinkCache = {
|
||||||
"/bin/sh" = config.environment.binsh;
|
"/bin/sh" = config.environment.binsh;
|
||||||
|
@ -140,7 +143,7 @@ let
|
||||||
};
|
};
|
||||||
in "${package}";
|
in "${package}";
|
||||||
} // (
|
} // (
|
||||||
symlinksToAttrs (symlinksClosure allowedPaths)
|
symlinksToAttrs (symlinksClosure (allowedPaths ++ fullHomePaths ++ fullRunPaths))
|
||||||
);
|
);
|
||||||
};
|
};
|
||||||
defaultProfile = sandboxProfilesFor config.sane.defaultUser;
|
defaultProfile = sandboxProfilesFor config.sane.defaultUser;
|
||||||
|
|
|
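Review bot: `symlinksClosure` is still fed the build-time absolute paths (`fullHomePaths` from `config.sane.users.<name>.home`, `fullRunPaths` from the configured uid), while the sandboxer now gets `-home`/`-run` paths that it resolves at launch. If the runtime `HOME` or `XDG_RUNTIME_DIR` differs from the configured values (a different invoking user, `sudo -u`, a relocated home), the cached symlink targets and the paths actually whitelisted will diverge; whether the sandboxer detects that is not visible here. At minimum record the assumption next to the call: `# NOTE: symlink cache is computed from the *configured* home/uid; the sandboxer resolves the -home/-run paths at runtime, so both must agree.` The attribute set this closes starts before the hunk.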
@ -4,6 +4,8 @@
|
||||||
{ pkgName
|
{ pkgName
|
||||||
, method
|
, method
|
||||||
, allowedPaths ? []
|
, allowedPaths ? []
|
||||||
|
, allowedHomePaths ? []
|
||||||
|
, allowedRunPaths ? []
|
||||||
, symlinkCache ? {}
|
, symlinkCache ? {}
|
||||||
, autodetectCliPaths ? false
|
, autodetectCliPaths ? false
|
||||||
, capabilities ? []
|
, capabilities ? []
|
||||||
|
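Review bot: The two new parameters carry no documentation, and their contract differs from `allowedPaths` in a way callers must know: they are relative, and the sandboxer joins them at launch rather than this file. Add a comment above each, e.g. `# paths relative to $HOME; resolved by the sandboxer at launch, not here` for `allowedHomePaths` and `# paths relative to $XDG_RUNTIME_DIR (/run/user/<uid>); resolved by the sandboxer at launch` for `allowedRunPaths`, and note that entries must not be absolute. The argument set continues past this hunk.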
@ -13,11 +15,11 @@
|
||||||
, extraConfig ? []
|
, extraConfig ? []
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
allowPath = p: [
|
allowPath = flavor: p: [
|
||||||
"--sanebox-path"
|
"--sanebox${flavor}-path"
|
||||||
p
|
p
|
||||||
];
|
];
|
||||||
allowPaths = paths: lib.flatten (builtins.map allowPath paths);
|
allowPaths = flavor: paths: lib.flatten (builtins.map (allowPath flavor) paths);
|
||||||
|
|
||||||
cacheLink = from: to: [
|
cacheLink = from: to: [
|
||||||
"--sanebox-cache-symlink"
|
"--sanebox-cache-symlink"
|
||||||
|
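Review bot: `allowPath` interpolates `flavor` straight into the flag name, so any string yields a syntactically plausible `--sanebox<x>-path` and a typo at a call site would only surface when the sandboxer rejects an unknown flag at runtime. Restrict it at the definition: `allowPath = flavor: p: assert builtins.elem flavor [ "" "-home" "-run" ]; [ "--sanebox${flavor}-path" p ];`. That keeps the three call sites in the later hunk unchanged while making the set of accepted flavors explicit.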
@ -42,7 +44,9 @@ let
|
||||||
"--sanebox-method" method
|
"--sanebox-method" method
|
||||||
]
|
]
|
||||||
++ netItems
|
++ netItems
|
||||||
++ allowPaths allowedPaths
|
++ allowPaths "" allowedPaths
|
||||||
|
++ allowPaths "-home" allowedHomePaths
|
||||||
|
++ allowPaths "-run" allowedRunPaths
|
||||||
++ capabilityFlags
|
++ capabilityFlags
|
||||||
++ lib.optionals (autodetectCliPaths != null) [ "--sanebox-autodetect" autodetectCliPaths ]
|
++ lib.optionals (autodetectCliPaths != null) [ "--sanebox-autodetect" autodetectCliPaths ]
|
||||||
++ lib.optionals whitelistPwd [ "--sanebox-add-pwd" ]
|
++ lib.optionals whitelistPwd [ "--sanebox-add-pwd" ]
|
||||||
|
|
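Review bot: The entries in `allowedHomePaths` and `allowedRunPaths` are emitted verbatim; an absolute entry or one containing a `..` component would, if the sandboxer joins naively (its code is not in this diff), whitelist a location outside `$HOME`/`$XDG_RUNTIME_DIR`, which the previous `path-lib.concat` path did not make any more obvious but at least kept in this file. Validate before building the flags: `assert lib.all (p: !(lib.hasPrefix "/" p) && !(builtins.elem ".." (lib.splitString "/" p))) (allowedHomePaths ++ allowedRunPaths);` placed just before the list, with a one-line comment saying why. The argument list being built here starts before the hunk.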