modules/programs: sandbox: introduce an interface which will allow for sandboxers other than sanebox

2024-08-23 14:01:33 +00:00
parent c5ed1263dc
commit effec38a99
2 changed files with 46 additions and 41 deletions


@@ -78,6 +78,7 @@ let
capabilities
extraConfig
method
usePortal
whitelistPwd
;
netDev = if vpn != null then
@@ -96,6 +97,8 @@ let
allowedPaths = lib.unique allowedPaths;
allowedHomePaths = lib.unique allowedHomePaths;
allowedRunPaths = lib.unique allowedRunPaths;
keepPids = !sandbox.isolatePids;
keepUsers = !sandbox.isolateUsers;
};
in
makeSandboxed {
@@ -522,13 +525,6 @@ let
++ lib.optionals (mainProgram != null) (whitelistDir ".config/${mainProgram}")
++ lib.optionals (mainProgram != null) (whitelistDir ".local/share/${mainProgram}")
;
sandbox.extraConfig = lib.optionals config.sandbox.usePortal [
"--sanebox-portal"
] ++ lib.optionals (!config.sandbox.isolatePids) [
"--sanebox-keep-namespace" "pid"
] ++ lib.optionals (!config.sandbox.isolateUsers) [
"--sanebox-keep-namespace" "user"
];
};
});
toPkgSpec = with lib; types.coercedTo types.package (p: { package = p; }) pkgSpec;
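Review bot: `keepPids = !sandbox.isolatePids;` and `keepUsers = !sandbox.isolateUsers;` invert the polarity of the module options (`isolate*` becomes `keep*`) with no comment, and the `sandbox.extraConfig` block removed in the later hunk was the only place that mapping used to be readable. Suggest a comment above the two lines: `# module options are phrased as "isolate"; sandboxer backends take the inverse ("keep namespace"), so an unset option still isolates`. The `inherit` list gains `usePortal` in the same way, so the same note covers it. The enclosing `let` binding starts before the hunk and the `makeSandboxed` call continues after it.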


@@ -1,47 +1,56 @@
{ lib }:
{ method
, allowedPaths ? []
, allowedHomePaths ? []
, allowedRunPaths ? []
, autodetectCliPaths ? false
, capabilities ? []
, dns ? null
, netDev ? null
, netGateway ? null
, whitelistPwd ? false
, extraConfig ? []
{
method,
allowedPaths ? [],
allowedHomePaths ? [],
allowedRunPaths ? [],
autodetectCliPaths ? false,
capabilities ? [],
dns ? null,
keepPids ? false,
keepUsers ? false,
netDev ? null,
netGateway ? null,
usePortal ? false,
whitelistPwd ? false,
extraConfig ? [],
}:
let
allowPath = flavor: p: [
"--sanebox${flavor}-path"
p
];
allowPaths = flavor: paths: lib.flatten (builtins.map (allowPath flavor) paths);
saneboxGenerators = {
autodetectCliPaths = style: [ "--sanebox-autodetect" style ];
capability = cap: [ "--sanebox-cap" cap ];
dns = addr: [ "--sanebox-dns" addr ];
keepPids = [ "--sanebox-keep-namespace" "pid" ];
keepUsers = [ "--sanebox-keep-namespace" "user" ];
method = method: [ "--sanebox-method" method ];
netDev = netDev: [ "--sanebox-net-dev" netDev ];
netGateway = netGateway: [ "--sanebox-net-gateway" netGateway ];
path = p: [ "--sanebox-path" p ];
path-home = p: [ "--sanebox-home-path" p ];
path-run = p: [ "--sanebox-run-path" p ];
usePortal = [ "--sanebox-portal" ];
whitelistPwd = [ "--sanebox-add-pwd" ];
};
gen = saneboxGenerators;
allowPaths = flavor: paths: lib.flatten (builtins.map gen."path${flavor}" paths);
capabilityFlags = lib.flatten (builtins.map (c: [ "--sanebox-cap" c ]) capabilities);
capabilityFlags = lib.flatten (builtins.map gen.capability capabilities);
netItems = lib.optionals (netDev != null) [
"--sanebox-net-dev"
netDev
] ++ lib.optionals (netGateway != null) [
"--sanebox-net-gateway"
netGateway
] ++ lib.optionals (dns != null) (
lib.flatten (builtins.map
(addr: [ "--sanebox-dns" addr ])
dns
)
);
netItems = lib.optionals (netDev != null) (gen.netDev netDev)
++ lib.optionals (netGateway != null) (gen.netGateway netGateway)
++ lib.optionals (dns != null) (lib.flatten (builtins.map gen.dns dns))
;
in
[
"--sanebox-method" method
]
(gen.method method)
++ netItems
++ allowPaths "" allowedPaths
++ allowPaths "-home" allowedHomePaths
++ allowPaths "-run" allowedRunPaths
++ capabilityFlags
++ lib.optionals (autodetectCliPaths != null) [ "--sanebox-autodetect" autodetectCliPaths ]
++ lib.optionals whitelistPwd [ "--sanebox-add-pwd" ]
++ lib.optionals (autodetectCliPaths != null) (gen.autodetectCliPaths autodetectCliPaths)
++ lib.optionals keepPids gen.keepPids
++ lib.optionals keepUsers gen.keepUsers
++ lib.optionals whitelistPwd gen.whitelistPwd
++ lib.optionals usePortal gen.usePortal
++ extraConfig
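Review bot: `autodetectCliPaths ? false,` combines with the guard `lib.optionals (autodetectCliPaths != null)` near the end, so with the default value `false != null` holds and `gen.autodetectCliPaths false` presumably yields `--sanebox-autodetect false` instead of omitting the flag; this predates the commit but the new generator table keeps it unchanged. Either make the default `null` (`autodetectCliPaths ? null,`) or guard on what callers actually pass, whichever matches the module's option type. The `saneboxGenerators` table is the interface the commit title introduces, yet nothing states its contract; suggest a header comment saying that each entry is either a list of argv words or a function from the option value to such a list, and that another sandboxer is plugged in by binding `gen` to an attrset with the same keys. The isolation-weakening entries (`keepPids`, `keepUsers`, `usePortal`) default to `false`, which keeps the sandbox fully isolated unless a caller opts out; recording that in the same comment helps future backends preserve it.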