From f4e35a731286d9ce733e3b18ba7d284ada58f76e Mon Sep 17 00:00:00 2001
From: tv
Date: Wed, 26 Jan 2022 12:48:24 +0100
Subject: krebs.setuid: add support for capabilities

---
 krebs/3modules/setuid.nix | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'krebs/3modules')

diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 64fedb911..6ad2f1264 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -30,6 +30,10 @@ with import ;
 };
 apply = toString;
 };
+ capabilities = mkOption {
+ default = [];
+ type = types.listOf types.str;
+ };
 owner = mkOption {
 default = "root";
 type = types.enum (attrNames users);
@@ -67,6 +71,9 @@ with import ;
 cp ${src} ${dst}
 chown ${cfg.owner}.${cfg.group} ${dst}
 chmod ${cfg.mode} ${dst}
+ ${optionalString (cfg.capabilities != []) /* sh */ ''
+ ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
+ ''}
 '';
 }));
 };
-- 
cgit v1.2.3

From 10891882ab4787c958e3473d595a7f8ce9551dcf Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 27 Jan 2022 05:37:06 +0100
Subject: krebs.setuid: mark activate string as sh

---
 krebs/3modules/setuid.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'krebs/3modules')

diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 6ad2f1264..11c5e9d75 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -66,7 +66,7 @@ with import ;
 inherit (cfg) envp filename;
 };
 dst = "${cfg.wrapperDir}/${cfg.name}";
- in ''
+ in /* sh */ ''
 mkdir -p ${cfg.wrapperDir}
 cp ${src} ${dst}
 chown ${cfg.owner}.${cfg.group} ${dst}
-- 
cgit v1.2.3

From ad6f0cd9014e13478a622786b9643970bae1c90a Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 27 Jan 2022 05:37:32 +0100
Subject: krebs.setuid: remove security.wrappers's cruft

---
 krebs/3modules/setuid.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'krebs/3modules')
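Review bot: The new `capabilities` option in the first hunk has no `description`, and `types.listOf types.str` says nothing about the format the activation script later hands to setcap, so a user has to read the implementation to learn that each entry is a setcap text clause. I would add `description = "File capabilities to apply to the wrapper with setcap(8), one cap_from_text(3) clause per entry, e.g. \"cap_net_raw+ep\"; applied only when non-empty.";`. Entries are not validated beyond being strings, so a typo is only caught when setcap runs at activation time, which is worth stating in the description as well. The option set this hunk belongs to continues outside the hunk.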
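Review bot: The `setcap` call added in the second hunk has no failure handling, so if it fails (for instance because the wrapper directory's filesystem rejects the `security.capability` xattr) the wrapper is still left installed with `cfg.mode` but without the requested capabilities, and the script simply carries on. I would at least make the failure visible, e.g. `${pkgs.libcap.out}/bin/setcap … ${dst} || echo "krebs.setuid: setcap failed for ${dst}" >&2`; how loudly to fail depends on how the activation script treats errors, which is outside this hunk. Placing setcap after `chown`/`chmod` is the right order, since changing ownership strips file capabilities, but a comment such as `# setcap last: chown (and rewriting the file) clears security.capability` would stop the next reader from reordering it. The `activate` string these lines belong to begins outside the hunk.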
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 11c5e9d75..b141c7de4 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -80,7 +80,12 @@ with import ;
 imp = {
 system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ]
- (concatMapStringsSep "\n" (getAttr "activate") (attrValues config.krebs.setuid));
+ (concatMapStringsSep "\n"
+ (cfg: /* sh */ ''
+ ${cfg.activate}
+ rm -f ${cfg.wrapperDir}/${cfg.name}.real
+ '')
+ (attrValues config.krebs.setuid));
 };
 in out
-- 
cgit v1.2.3
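Review bot: The added `rm -f ${cfg.wrapperDir}/${cfg.name}.real` interpolates both values into the shell unquoted, unlike the capability entries in the earlier commit, which go through `shell.escape`; a name or wrapper directory containing whitespace or glob characters would be word-split or expanded by `rm -f`. I would write `rm -f ${shell.escape "${cfg.wrapperDir}/${cfg.name}.real"}` so the path is always a single literal argument. The `.real` file appears to be a leftover of the `security.wrappers`-based implementation this module replaced (the subject says so; what creates it is not visible here), so a comment such as `# drop the NAME.real file left behind by the old security.wrappers-based wrappers` next to the rm would tell the next reader when this line can go. Whether `cfg.name` is already restricted by its option type is outside this hunk.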