···
1
+
{ config, lib, ... }:
3
+
inherit (lib) mkOption types optionalString;
5
+
cfg = config.boot.binfmtMiscRegistrations;
7
+
makeBinfmtLine = name: { recognitionType, offset, magicOrExtension
8
+
, mask, preserveArgvZero, openBinary
9
+
, matchCredentials, fixBinary, ...
11
+
type = if recognitionType == "magic" then "M" else "E";
12
+
offset' = toString offset;
13
+
mask' = toString mask;
14
+
interpreter = "/run/binfmt/${name}";
15
+
flags = if !(matchCredentials -> openBinary)
16
+
then throw "boot.binfmtMiscRegistrations.${name}: you can't specify openBinary = false when matchCredentials = true."
17
+
else optionalString preserveArgvZero "P" +
18
+
optionalString (openBinary && !matchCredentials) "O" +
19
+
optionalString matchCredentials "C" +
20
+
optionalString fixBinary "F";
21
+
in ":${name}:${type}:${offset'}:${magicOrExtension}:${mask'}:${interpreter}:${flags}";
23
+
binfmtFile = builtins.toFile "binfmt_nixos.conf"
24
+
(lib.concatStringsSep "\n" (lib.mapAttrsToList makeBinfmtLine cfg));
26
+
activationSnippet = name: { interpreter, ... }:
27
+
"ln -sf ${interpreter} /run/binfmt/${name}";
28
+
activationScript = ''
29
+
mkdir -p -m 0755 /run/binfmt
30
+
${lib.concatStringsSep "\n" (lib.mapAttrsToList activationSnippet cfg)}
34
+
boot.binfmtMiscRegistrations = mkOption {
38
+
Extra binary formats to register with the kernel.
39
+
See https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html for more details.
42
+
type = types.attrsOf (types.submodule ({ config, ... }: {
44
+
recognitionType = mkOption {
46
+
description = "Whether to recognize executables by magic number or extension.";
47
+
type = types.enum [ "magic" "extension" ];
52
+
description = "The byte offset of the magic number used for recognition.";
53
+
type = types.nullOr types.int;
56
+
magicOrExtension = mkOption {
57
+
description = "The magic number or extension to match on.";
64
+
"A mask to be ANDed with the byte sequence of the file before matching";
65
+
type = types.nullOr types.str;
68
+
interpreter = mkOption {
70
+
The interpreter to invoke to run the program.
72
+
Note that the actual registration will point to
73
+
/run/binfmt/''${name}, so the kernel interpreter length
74
+
limit doesn't apply.
79
+
preserveArgvZero = mkOption {
82
+
Whether to pass the original argv[0] to the interpreter.
84
+
See the description of the 'P' flag in the kernel docs
90
+
openBinary = mkOption {
91
+
default = config.matchCredentials;
93
+
Whether to pass the binary to the interpreter as an open
94
+
file descriptor, instead of a path.
99
+
matchCredentials = mkOption {
102
+
Whether to launch with the credentials and security
103
+
token of the binary, not the interpreter (e.g. setuid
106
+
See the description of the 'C' flag in the kernel docs
109
+
Implies/requires openBinary = true.
114
+
fixBinary = mkOption {
117
+
Whether to open the interpreter file as soon as the
118
+
registration is loaded, rather than waiting for a
119
+
relevant file to be invoked.
121
+
See the description of the 'F' flag in the kernel docs
131
+
config = lib.mkIf (cfg != {}) {
132
+
environment.etc."binfmt.d/nixos.conf".source = binfmtFile;
133
+
system.activationScripts.binfmt = activationScript;
134
+
systemd.additionalUpstreamSystemUnits =
135
+
[ "proc-sys-fs-binfmt_misc.automount"
136
+
"proc-sys-fs-binfmt_misc.mount"
pyrox.dev