author | lassulus <lass@aidsballs.de> | 2016-02-16 17:15:00 +0100 |
committer | lassulus <lass@aidsballs.de> | 2016-02-16 17:15:00 +0100 |
commit | 0b0b0d65ee05583529df831985580e392713d29a (patch) | |
tree | 7eb6799a996924d8e895c54633a47ea3d7a92a4c /krebs/3modules/setuid.nix | |
parent | 3d30e9cc9014ec6189410944015d3cd7d5ca95a6 (diff) | |
parent | b7a92f63884af00eb0243ec9328be689a6c9b845 (diff) |
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'krebs/3modules/setuid.nix')
-rw-r--r-- | krebs/3modules/setuid.nix | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
new file mode 100644
index 000000000..1137788d8
--- /dev/null
+++ b/krebs/3modules/setuid.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+with config.krebs.lib;
+let
+ cfg = config.krebs.setuid;
+
+ out = {
+ options.krebs.setuid = api;
+ config = imp;
+ };
+
+ api = mkOption {
+ default = {};
+ type = let
+ # TODO make wrapperDir configurable
+ inherit (config.security) wrapperDir;
+ inherit (config.users) groups users;
+ in types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ name = mkOption {
+ type = types.filename;
+ default = config._module.args.name;
+ };
+ filename = mkOption {
+ type = mkOptionType {
+ # TODO unyuck string and merge with toC
+ name = "derivation or string";
+ check = x:
+ isDerivation x ||
+ isString x;
+ };
+ apply = toString;
+ };
+ owner = mkOption {
+ default = "root";
+ type = types.enum (attrNames users);
+ };
+ group = mkOption {
+ default = "root";
+ type = types.enum (attrNames groups);
+ };
+ mode = mkOption {
+ default = "4710";
+ type = mkOptionType {
+ # TODO admit symbolic mode
+ name = "octal mode";
+ check = x:
+ isString x &&
+ match "[0-7][0-7][0-7][0-7]" x != null;
+ };
+ };
+ activate = mkOption {
+ type = types.str;
+ visible = false;
+ readOnly = true;
+ };
+ };
+ config.activate = let
+ src = pkgs.execve config.name {
+ inherit (config) filename;
+ };
+ dst = "${wrapperDir}/${config.name}";
+ in ''
+ cp ${src} ${dst}
+ chown ${config.owner}.${config.group} ${dst}
+ chmod ${config.mode} ${dst}
+ '';
+ }));
+ };
+
+ imp = {
+ system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ]
+ (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
+ };
+
+in out |
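Review bot: The activation snippet in `config.activate` copies straight onto `${wrapperDir}/${config.name}` with `cp`, which on an existing target truncates and rewrites the file in place while keeping its current owner and mode; if a previous activation already left a root-owned setuid wrapper there, the partially written file carries the setuid bit for the duration of the copy, and a concurrent exec sees a truncated binary. Copying to a sibling temporary name, applying chown/chmod there, and renaming into place keeps the old wrapper intact until the new one is complete and makes the swap atomic. While touching these lines, `chown owner.group` uses the legacy dot separator, which is ambiguous when user names contain a dot; `owner:group` is the POSIX form. Separately, the `mode` check admits any four octal digits, including group- or world-writable values, so a comment on the option noting that write bits for group/other are not rejected (or a tighter check) would help future callers.
```nix
      in ''
        cp ${src} ${dst}.tmp
        chown ${config.owner}:${config.group} ${dst}.tmp
        chmod ${config.mode} ${dst}.tmp
        mv ${dst}.tmp ${dst}
      '';
```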