commit d8ecd5eb0d30c3dc302e336755a4a1d6d0cb1ba4 · pyrox.dev/nixpkgs

+26 -20

nixos/modules/security/wrappers/default.nix

···

       8
        
             (n: v: (if v ? "program" then v else v // {program=n;}))

     

       9
        
             wrappers);

     

       10
        
       

     

       11
       -
         mkWrapper = { program, source ? null, ...}: ''

     

       12
       -
           parentWrapperDir=$(dirname ${wrapperDir})

     

       13
       -
           gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \

     

       14
       -
               -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \

     

       15
       -
               -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include

     

       16
       -
         '';

     

       17
       -
       

     

       18
       -
         wrappedPrograms = pkgs.stdenv.mkDerivation {

     

       19
       -
           name         = "permissions-wrapper";

     

       20
       -
           unpackPhase  = "true";

     

       21
       -
           installPhase = ''

     

       22
       -
             mkdir -p $out/bin

     

       23
       -
             ${lib.concatMapStrings mkWrapper programs}

     

       24
       -
           '';

     

       25
       -
         };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       26
        
       

     

       27
        
         ###### Activation script for the setcap wrappers

     

       28
        
         mkSetcapProgram =

     
···

       32
        
           , owner  ? "nobody"

     

       33
        
           , group  ? "nogroup"

     

       34
        
           , ...

     

       35
       -
           }: 

     

       36
        
           assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");

     

       37
       -
           ''

     

       38
       -
             cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program}

     

       0
        
       
     

       39
        
       

     

       40
        
             # Prevent races

     

       41
        
             chmod 0000 $wrapperDir/${program}

     
···

       60
        
           , setgid ? false

     

       61
        
           , permissions ? "u+rx,g+x,o+x"

     

       62
        
           , ...

     

       63
       -
           }: ''

     

       64
       -
             cp ${wrappedPrograms}/bin/${program}.wrapper $wrapperDir/${program}

     

       0
        
       
     

       0
        
       
     

       65
        
       

     

       66
        
             # Prevent races

     

       67
        
             chmod 0000 $wrapperDir/${program}

···

       8
        
             (n: v: (if v ? "program" then v else v // {program=n;}))

     

       9
        
             wrappers);

     

       10
        
       

     

       11
       +
         mkWrapper = { program, source ? null, ...}:

     

       12
       +
           let buildWrapper = ''

     

       13
       +
                 parentWrapperDir=$(dirname ${wrapperDir})

     

       14
       +
                 gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \

     

       15
       +
                     -Wformat -Wformat-security -Werror=format-security \

     

       16
       +
                     -fstack-protector-strong --param ssp-buffer-size=4 \

     

       17
       +
                     -D_FORTIFY_SOURCE=2 -fPIC \

     

       18
       +
                     -lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \

     

       19
       +
                     -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include

     

       20
       +
               '';

     

       21
       +
           in pkgs.stdenv.mkDerivation {

     

       22
       +
             name         = "${program}-wrapper";

     

       23
       +
             unpackPhase  = "true";

     

       24
       +
             installPhase = ''

     

       25
       +
               mkdir -p $out/bin

     

       26
       +
               ${buildWrapper}

     

       27
       +
             '';

     

       28
       +
           };

     

       29
        
       

     

       30
        
         ###### Activation script for the setcap wrappers

     

       31
        
         mkSetcapProgram =

     
···

       35
        
           , owner  ? "nobody"

     

       36
        
           , group  ? "nogroup"

     

       37
        
           , ...

     

       38
       +
           }:

     

       39
        
           assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");

     

       40
       +
           let wrapperDrv = mkWrapper { inherit program source; };

     

       41
       +
           in ''

     

       42
       +
             cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}

     

       43
        
       

     

       44
        
             # Prevent races

     

       45
        
             chmod 0000 $wrapperDir/${program}

     
···

       64
        
           , setgid ? false

     

       65
        
           , permissions ? "u+rx,g+x,o+x"

     

       66
        
           , ...

     

       67
       +
           }:

     

       68
       +
           let wrapperDrv = mkWrapper { inherit program source; };

     

       69
       +
           in ''

     

       70
       +
             cp ${wrapperDrv}/bin/${program}.wrapper $wrapperDir/${program}

     

       71
        
       

     

       72
        
             # Prevent races

     

       73
        
             chmod 0000 $wrapperDir/${program}