{ config, pkgs, lib, ... }:
with import ../../lib/pure.nix { inherit lib; };
let
out = {
  # Option tree lives under krebs.setuid; the activation script below is
  # only wired in once at least one wrapper has been declared.
  options.krebs.setuid = api;
  config = lib.mkIf (config.krebs.setuid != { }) imp;
};
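api = mkOption {
  default = {};
  description = ''
    Setuid/setgid/capability wrappers installed into wrapperDir at
    activation time.  Each attribute declares one wrapper: a small exec
    stub built by pkgs.exec that runs <literal>filename</literal>.
  '';
  type = let
    inherit (config.users) groups users;
  in types.attrsOf (types.submodule (self: let cfg = self.config; in {
    options = {
      name = mkOption {
        # A bare file name (types.filename), so the installed path can
        # never leave wrapperDir.
        type = types.filename;
        default = cfg._module.args.name;
      };
      envp = mkOption {
        # Environment handed to pkgs.exec for the wrapped program;
        # see pkgs.exec for how null is treated.
        type = types.nullOr (types.attrsOf types.str);
        default = null;
      };
      filename = mkOption {
        # Program the wrapper execs; a derivation or a path string.
        type = mkOptionType {
          # TODO unyuck string and merge with toC
          name = "derivation or string";
          check = x: isDerivation x || isString x;
        };
        apply = toString;
      };
      capabilities = mkOption {
        # File capabilities in setcap(8) syntax, e.g. "cap_net_raw+ep".
        default = [];
        type = types.listOf types.str;
      };
      owner = mkOption {
        # Must be an existing user; with a setuid mode the wrapper runs as it.
        default = "root";
        type = types.enum (attrNames users);
      };
      group = mkOption {
        default = "root";
        type = types.enum (attrNames groups);
      };
      mode = mkOption {
        # 4710: setuid, owner rwx, group x, other nothing -- only members
        # of `group` can run the wrapper.
        default = "4710";
        type = mkOptionType {
          # TODO admit symbolic mode
          name = "octal mode";
          # Four octal digits.  The group and other positions must not
          # carry the write bit (2, 3, 6 or 7): a setuid/setgid or
          # capability-bearing file that other users can write to is a
          # direct privilege escalation, so reject it at evaluation time.
          check = test "[0-7][0-7][0145][0145]";
          merge = mergeOneOption;
        };
      };
      wrapperDir = mkOption {
        default = config.security.wrapperDir;
        type = types.absolute-pathname;
      };
      activate = mkOption {
        # Shell snippet that installs this wrapper; consumed by the
        # activation script, not meant to be set by users.
        type = types.str;
        visible = false;
        readOnly = true;
      };
    };
    config.activate = let
      src = pkgs.exec cfg.name {
        inherit (cfg) envp filename;
      };
      dst = "${cfg.wrapperDir}/${cfg.name}";
      # Staging file in the same directory, so the final rename is an
      # atomic rename(2) on one filesystem.
      tmp = "${dst}.tmp";
    in /* sh */ ''
      mkdir -p ${shell.escape cfg.wrapperDir}
      # Build the wrapper in a staging file and rename it into place.
      # Copying over an existing wrapper in place would leave an
      # already-setuid, half-written binary executable by `group`
      # while cp is still writing it.
      rm -f ${shell.escape tmp}
      cp ${src} ${shell.escape tmp}
      # chown before chmod: chown(2) clears the setuid/setgid bits.
      chown ${cfg.owner}:${cfg.group} ${shell.escape tmp}
      chmod ${cfg.mode} ${shell.escape tmp}
      ${optionalString (cfg.capabilities != []) /* sh */ ''
        ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${shell.escape tmp}
      ''}
      mv -f ${shell.escape tmp} ${shell.escape dst}
    '';
  }));
};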
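imp = {
  # Must run after NixOS's own "wrappers" activation script: that script
  # (re)creates wrapperDir on every activation, so anything we put there
  # before it runs is lost.  "usrbinenv" is kept from the original ordering.
  system.activationScripts."krebs.setuid" = stringAfter [ "usrbinenv" "wrappers" ]
    (concatMapStringsSep "\n"
      (cfg: /* sh */ ''
        ${cfg.activate}
        # Remove the ".real" companion file -- presumably a leftover of an
        # earlier wrapper layout; harmless if absent.
        rm -f ${cfg.wrapperDir}/${cfg.name}.real
      '')
      (attrValues config.krebs.setuid));
};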
in out