modules/programs: sandbox: introduce an interface which will allow for sandboxers other than sanebox

2024-08-23 14:01:33 +00:00
parent c5ed1263dc
commit effec38a99
2 changed files with 46 additions and 41 deletions


@@ -78,6 +78,7 @@ let
capabilities capabilities
extraConfig extraConfig
method method
usePortal
whitelistPwd whitelistPwd
; ;
netDev = if vpn != null then netDev = if vpn != null then
@@ -96,6 +97,8 @@ let
allowedPaths = lib.unique allowedPaths; allowedPaths = lib.unique allowedPaths;
allowedHomePaths = lib.unique allowedHomePaths; allowedHomePaths = lib.unique allowedHomePaths;
allowedRunPaths = lib.unique allowedRunPaths; allowedRunPaths = lib.unique allowedRunPaths;
keepPids = !sandbox.isolatePids;
keepUsers = !sandbox.isolateUsers;
}; };
in in
makeSandboxed { makeSandboxed {
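Review bot: The two added lines `keepPids = !sandbox.isolatePids;` and `keepUsers = !sandbox.isolateUsers;` are the one place where the module's "isolate" vocabulary is flipped into the sandbox interface's "keep" vocabulary, and an inverted boolean here would silently hand the pid or user namespace back to the program with no evaluation error to catch it. A short comment above them would make the intent auditable, e.g. `# the sandbox backend is told which namespaces to *keep*; the program option says which to *isolate*, hence the negation`. The defaults of `isolatePids`/`isolateUsers` are not visible in this hunk, so whether the safe default (isolated) is preserved when a program leaves them unset cannot be confirmed from here; it is worth checking that the option defaults are `true` so that the new interface's `keepPids ? false` and `keepUsers ? false` defaults line up with them. The enclosing `let` expression starts before this hunk.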
@@ -522,13 +525,6 @@ let
++ lib.optionals (mainProgram != null) (whitelistDir ".config/${mainProgram}") ++ lib.optionals (mainProgram != null) (whitelistDir ".config/${mainProgram}")
++ lib.optionals (mainProgram != null) (whitelistDir ".local/share/${mainProgram}") ++ lib.optionals (mainProgram != null) (whitelistDir ".local/share/${mainProgram}")
; ;
sandbox.extraConfig = lib.optionals config.sandbox.usePortal [
"--sanebox-portal"
] ++ lib.optionals (!config.sandbox.isolatePids) [
"--sanebox-keep-namespace" "pid"
] ++ lib.optionals (!config.sandbox.isolateUsers) [
"--sanebox-keep-namespace" "user"
];
}; };
}); });
toPkgSpec = with lib; types.coercedTo types.package (p: { package = p; }) pkgSpec; toPkgSpec = with lib; types.coercedTo types.package (p: { package = p; }) pkgSpec;


@@ -1,47 +1,56 @@
{ lib }: { lib }:
{ method {
, allowedPaths ? [] method,
, allowedHomePaths ? [] allowedPaths ? [],
, allowedRunPaths ? [] allowedHomePaths ? [],
, autodetectCliPaths ? false allowedRunPaths ? [],
, capabilities ? [] autodetectCliPaths ? false,
, dns ? null capabilities ? [],
, netDev ? null dns ? null,
, netGateway ? null keepPids ? false,
, whitelistPwd ? false keepUsers ? false,
, extraConfig ? [] netDev ? null,
netGateway ? null,
usePortal ? false,
whitelistPwd ? false,
extraConfig ? [],
}: }:
let let
allowPath = flavor: p: [ saneboxGenerators = {
"--sanebox${flavor}-path" autodetectCliPaths = style: [ "--sanebox-autodetect" style ];
p capability = cap: [ "--sanebox-cap" cap ];
]; dns = addr: [ "--sanebox-dns" addr ];
allowPaths = flavor: paths: lib.flatten (builtins.map (allowPath flavor) paths); keepPids = [ "--sanebox-keep-namespace" "pid" ];
keepUsers = [ "--sanebox-keep-namespace" "user" ];
method = method: [ "--sanebox-method" method ];
netDev = netDev: [ "--sanebox-net-dev" netDev ];
netGateway = netGateway: [ "--sanebox-net-gateway" netGateway ];
path = p: [ "--sanebox-path" p ];
path-home = p: [ "--sanebox-home-path" p ];
path-run = p: [ "--sanebox-run-path" p ];
usePortal = [ "--sanebox-portal" ];
whitelistPwd = [ "--sanebox-add-pwd" ];
};
gen = saneboxGenerators;
allowPaths = flavor: paths: lib.flatten (builtins.map gen."path${flavor}" paths);
capabilityFlags = lib.flatten (builtins.map (c: [ "--sanebox-cap" c ]) capabilities); capabilityFlags = lib.flatten (builtins.map gen.capability capabilities);
netItems = lib.optionals (netDev != null) [ netItems = lib.optionals (netDev != null) (gen.netDev netDev)
"--sanebox-net-dev" ++ lib.optionals (netGateway != null) (gen.netGateway netGateway)
netDev ++ lib.optionals (dns != null) (lib.flatten (builtins.map gen.dns dns))
] ++ lib.optionals (netGateway != null) [ ;
"--sanebox-net-gateway"
netGateway
] ++ lib.optionals (dns != null) (
lib.flatten (builtins.map
(addr: [ "--sanebox-dns" addr ])
dns
)
);
in in
[ (gen.method method)
"--sanebox-method" method
]
++ netItems ++ netItems
++ allowPaths "" allowedPaths ++ allowPaths "" allowedPaths
++ allowPaths "-home" allowedHomePaths ++ allowPaths "-home" allowedHomePaths
++ allowPaths "-run" allowedRunPaths ++ allowPaths "-run" allowedRunPaths
++ capabilityFlags ++ capabilityFlags
++ lib.optionals (autodetectCliPaths != null) [ "--sanebox-autodetect" autodetectCliPaths ] ++ lib.optionals (autodetectCliPaths != null) (gen.autodetectCliPaths autodetectCliPaths)
++ lib.optionals whitelistPwd [ "--sanebox-add-pwd" ] ++ lib.optionals keepPids gen.keepPids
++ lib.optionals keepUsers gen.keepUsers
++ lib.optionals whitelistPwd gen.whitelistPwd
++ lib.optionals usePortal gen.usePortal
++ extraConfig ++ extraConfig