programs: sandboxing: pass home- and runtime-relative paths to the sandboxer, instead of making absolute first
This commit is contained in:
parent
d97f0f7300
commit
ea2653b7ce
|
@ -64,18 +64,20 @@ let
|
|||
vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
|
||||
|
||||
sandboxProfilesFor = userName: let
|
||||
allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths;
|
||||
allowedRunPaths = sandbox.extraRuntimePaths;
|
||||
homeDir = config.sane.users."${userName}".home;
|
||||
uid = config.users.users."${userName}".uid;
|
||||
xdgRuntimeDir = "/run/user/${builtins.toString uid}";
|
||||
fullHomePaths = lib.optionals (userName != null) (
|
||||
builtins.map
|
||||
(p: path-lib.concat [ homeDir p ])
|
||||
(builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths)
|
||||
allowedHomePaths
|
||||
);
|
||||
fullRuntimePaths = lib.optionals (userName != null) (
|
||||
fullRunPaths = lib.optionals (userName != null) (
|
||||
builtins.map
|
||||
(p: path-lib.concat [ xdgRuntimeDir p ])
|
||||
sandbox.extraRuntimePaths
|
||||
allowedRunPaths
|
||||
);
|
||||
allowedPaths = [
|
||||
"/nix/store"
|
||||
|
@ -91,7 +93,8 @@ let
|
|||
] ++ lib.optionals (config.services.resolved.enable) [
|
||||
"/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
|
||||
] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [ "/run/dbus/system_bus_socket" ]
|
||||
++ sandbox.extraPaths ++ fullHomePaths ++ fullRuntimePaths;
|
||||
++ sandbox.extraPaths
|
||||
;
|
||||
in makeProfile {
|
||||
inherit pkgName;
|
||||
inherit (sandbox)
|
||||
|
@ -109,7 +112,7 @@ let
|
|||
vpn.dns
|
||||
else
|
||||
null;
|
||||
inherit allowedPaths;
|
||||
inherit allowedPaths allowedHomePaths allowedRunPaths;
|
||||
|
||||
symlinkCache = {
|
||||
"/bin/sh" = config.environment.binsh;
|
||||
|
@ -140,7 +143,7 @@ let
|
|||
};
|
||||
in "${package}";
|
||||
} // (
|
||||
symlinksToAttrs (symlinksClosure allowedPaths)
|
||||
symlinksToAttrs (symlinksClosure (allowedPaths ++ fullHomePaths ++ fullRunPaths))
|
||||
);
|
||||
};
|
||||
defaultProfile = sandboxProfilesFor config.sane.defaultUser;
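Review bot: The `allowedHomePaths` and `allowedRunPaths` lists introduced at the top of `sandboxProfilesFor` are passed to the sandboxer as-is, no longer joined onto `homeDir` / `xdgRuntimeDir` by `path-lib.concat`, so an entry from `sandbox.extraHomePaths`, `sandbox.extraRuntimePaths`, `fs` or `persist.byPath` that is absolute or carries a `..` segment is now interpreted by the runtime wrapper rather than at evaluation time; unless the sandboxer itself rejects such entries (not visible here), it would be worth failing evaluation on them, e.g. `assertRelative = p: assert lib.assertMsg (!(lib.hasPrefix "/" p) && !(builtins.elem ".." (lib.splitString "/" p))) "sandbox: home/runtime path must be relative and must not contain '..': ${p}"; p;` applied with `builtins.map assertRelative` to both lists. Note also that the symlink cache at `symlinksToAttrs (symlinksClosure (allowedPaths ++ fullHomePaths ++ fullRunPaths))` is still derived from the evaluation-time `homeDir` and `uid` of `userName`, so if the new `-home`/`-run` flags are meant to let the sandboxer resolve paths for whichever user actually runs the program, the cached symlinks will only match that one user; a comment stating that asymmetry at the `symlinksClosure` call would save the next reader the surprise. The enclosing `let` of `sandboxProfilesFor` begins before the first hunk.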
|
||||
|
|
|
@ -4,6 +4,8 @@
|
|||
{ pkgName
|
||||
, method
|
||||
, allowedPaths ? []
|
||||
, allowedHomePaths ? []
|
||||
, allowedRunPaths ? []
|
||||
, symlinkCache ? {}
|
||||
, autodetectCliPaths ? false
|
||||
, capabilities ? []
|
||||
|
@ -13,11 +15,11 @@
|
|||
, extraConfig ? []
|
||||
}:
|
||||
let
|
||||
allowPath = p: [
|
||||
"--sanebox-path"
|
||||
allowPath = flavor: p: [
|
||||
"--sanebox${flavor}-path"
|
||||
p
|
||||
];
|
||||
allowPaths = paths: lib.flatten (builtins.map allowPath paths);
|
||||
allowPaths = flavor: paths: lib.flatten (builtins.map (allowPath flavor) paths);
|
||||
|
||||
cacheLink = from: to: [
|
||||
"--sanebox-cache-symlink"
|
||||
|
@ -42,7 +44,9 @@ let
|
|||
"--sanebox-method" method
|
||||
]
|
||||
++ netItems
|
||||
++ allowPaths allowedPaths
|
||||
++ allowPaths "" allowedPaths
|
||||
++ allowPaths "-home" allowedHomePaths
|
||||
++ allowPaths "-run" allowedRunPaths
|
||||
++ capabilityFlags
|
||||
++ lib.optionals (autodetectCliPaths != null) [ "--sanebox-autodetect" autodetectCliPaths ]
|
||||
++ lib.optionals whitelistPwd [ "--sanebox-add-pwd" ]
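Review bot: `allowPath = flavor: p: [ "--sanebox${flavor}-path" p ]` builds the sandboxer flag name from an unconstrained string, so a typo at a call site (say `"-homes"`) yields a flag the sandboxer presumably does not recognise, and nothing in this file ties `flavor` to the three values used further down (`""`, `"-home"`, `"-run"`). A comment on `allowPath` such as `# flavor selects the sandboxer flag: "" -> --sanebox-path (absolute), "-home" -> --sanebox-home-path (relative to the user's home, presumably), "-run" -> --sanebox-run-path (relative to XDG_RUNTIME_DIR, presumably)` would pin the contract, and the new `allowedHomePaths ? []` / `allowedRunPaths ? []` parameters deserve the same note on what they are relative to, since the caller no longer prefixes them. Whether the sandboxer checks that such entries are relative (no leading `/`, no `..`) is not visible here; if it does not, an absolute entry would widen the sandbox, so the parameter documentation should state that assumption explicitly.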
|
||||
|
|