From 2cc4703a2d73155fe3cacb776d13468f0b9898bf Mon Sep 17 00:00:00 2001
From: Nikolay Amiantov
Date: Sat, 18 Feb 2017 20:06:09 +0300
Subject: [PATCH] wrappers service: make /run/wrappers a mountpoint

Also remove some compatibility code because the directory in question would be shadowed by a mountpoint anyway.
---
 nixos/modules/security/wrappers/default.nix | 27 +++++++++------------
 nixos/modules/tasks/filesystems.nix | 2 +-
 2 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 52f25187660..65d875c3a37 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -3,6 +3,8 @@ let
 inherit (config.security) wrapperDir wrappers;
+ parentWrapperDir = dirOf wrapperDir;
+
 programs = (lib.mapAttrsToList (n: v: (if v ? "program" then v else v // {program=n;}))
@@ -15,8 +17,7 @@ let
 hardeningEnable = [ "pie" ];
 installPhase = ''
 mkdir -p $out/bin
- parentWrapperDir=$(dirname ${wrapperDir})
- gcc -Wall -O2 -DWRAPPER_DIR=\"$parentWrapperDir\" \
+ gcc -Wall -O2 -DWRAPPER_DIR=\"${parentWrapperDir}\" \
 -lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper
 '';
 };
@@ -156,6 +157,11 @@ in
 security.wrappers.fusermount.source = "${pkgs.fuse}/bin/fusermount";
+ boot.specialFileSystems.${parentWrapperDir} = {
+ fsType = "tmpfs";
+ options = [ "nodev" ];
+ };
+
 # Make sure our wrapperDir exports to the PATH env variable when
 # initializing the shell
 environment.extraInit = ''
@@ -183,19 +189,15 @@ in
 # Remove the old /run/setuid-wrappers-dir path from the
 # system as well...
 #
- # TDOO: this is only necessary for ugprades 16.09 => 17.x;
+ # TODO: this is only necessary for ugprades 16.09 => 17.x;
 # this conditional removal block needs to be removed after
 # the release.
 if [ -d /run/setuid-wrapper-dirs ]; then
 rm -rf /run/setuid-wrapper-dirs
 fi
 
- # Get the "/run/wrappers" path, we want to place the tmpdirs
- # for the wrappers there
- parentWrapperDir="$(dirname ${wrapperDir})"
-
- mkdir -p "$parentWrapperDir"
- wrapperDir=$(mktemp --directory --tmpdir="$parentWrapperDir" wrappers.XXXXXXXXXX)
+ # We want to place the tmpdirs for the wrappers to the parent dir.
+ wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
 chmod a+rx $wrapperDir
 
 ${lib.concatStringsSep "\n" mkWrappedPrograms}
@@ -207,13 +209,6 @@ in
 ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
 mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
 rm --force --recursive $old
- elif [ -d ${wrapperDir} ]; then
- # Compatibility with old state, just remove the folder and symlink
- rm -f ${wrapperDir}/*
- # if it happens to be a tmpfs
- ${pkgs.utillinux}/bin/umount ${wrapperDir} || true
- rm -d ${wrapperDir}
- ln -d --symbolic $wrapperDir ${wrapperDir}
 else
 # For initial setup
 ln --symbolic $wrapperDir ${wrapperDir}
diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix
index 8a4299113f2..9f30eb61146 100644
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
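Review bot: With `mkdir -p "$parentWrapperDir"` gone, the new `mktemp --tmpdir="${parentWrapperDir}"` line assumes the tmpfs declared for that directory is already mounted when this activation snippet runs, and neither that assumption nor mktemp's exit status is checked, so on failure `wrapperDir` is empty and the following `chmod a+rx $wrapperDir` and symlink steps operate on an empty path. If activation does not order this script after the special-filesystem mounts (I cannot see that ordering from here), the directory is created on the underlying /run, which this commit mounts `nosuid`, and the wrappers would silently lose their setuid bits. I would guard it with `${pkgs.utillinux}/bin/mountpoint -q "${parentWrapperDir}" || { echo "${parentWrapperDir} is not mounted" >&2; exit 1; }` before the mktemp and `wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) || exit 1`. Separately, the removed mkdir gave the parent directory the root umask's mode, whereas a tmpfs root defaults to mode 1777 unless `mode=` is passed, so the mount declaration that replaces it should carry `mode=755` to keep /run/wrappers from being world-writable; the corrected TODO comment also still says `ugprades`. The activation script this hunk belongs to starts before and ends after the visible lines.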
@@ -291,7 +291,7 @@ in
 # Sync mount options with systemd's src/core/mount-setup.c: mount_table.
 boot.specialFileSystems = {
 "/proc" = { fsType = "proc"; options = [ "nosuid" "noexec" "nodev" ]; };
- "/run" = { fsType = "tmpfs"; options = [ "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
+ "/run" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
 "/dev" = { fsType = "devtmpfs"; options = [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ]; };
 "/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; };
 "/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "gid=${toString config.ids.gids.tty}" ]; };
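Review bot: The added `nosuid` on `/run` is the reason the setuid wrappers now need their own mount, but the entry says nothing about it, and setuid bits on anything else placed directly under /run become inert with no diagnostic; I would annotate the line: `# nosuid: setuid wrappers live on their own /run/wrappers tmpfs (security/wrappers); nothing else under /run may rely on setuid`. If `security.wrapperDir` can be pointed at a directory whose parent is `/run` itself, the wrappers module's `boot.specialFileSystems` entry would merge into this one instead of creating a sub-mount and every wrapper would silently lose its setuid bit — I cannot see that option's definition from here, so an assertion on it in the wrappers module is worth checking. Leaving `noexec` off matches systemd's mount_table as the comment above asks, so that part is fine. The `boot.specialFileSystems` attribute set continues past the hunk.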