diff --git a/nixos/modules/security/permissions-wrappers/default.nix b/nixos/modules/security/permissions-wrappers/default.nix index 14f9dadcb24..55033266c9a 100644 --- a/nixos/modules/security/permissions-wrappers/default.nix +++ b/nixos/modules/security/permissions-wrappers/default.nix @@ -61,37 +61,7 @@ let ''; mkActivationScript = programsToWrap: - lib.stringAfter [ "users" ] - '' - # Look in the system path and in the default profile for - # programs to be wrapped. - PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin - - mkdir -p /run/permissions-wrapper-dirs - permissionsWrapperDir=$(mktemp --directory --tmpdir=/run/permissions-wrapper-dirs permissions-wrappers.XXXXXXXXXX) - chmod a+rx $permissionsWrapperDir - - ${programsToWrap} - - if [ -L ${permissionsWrapperDir} ]; then - # Atomically replace the symlink - # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ - old=$(readlink ${permissionsWrapperDir}) - ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp - mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir} - rm --force --recursive $old - elif [ -d ${permissionsWrapperDir} ]; then - # Compatibility with old state, just remove the folder and symlink - rm -f ${permissionsWrapperDir}/* - # if it happens to be a tmpfs - ${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true - rm -d ${permissionsWrapperDir} - ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir} - else - # For initial setup - ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir} - fi - ''; +; in { @@ -184,11 +154,38 @@ in ''; ###### setcap activation script - system.activationScripts.setcap = - mkActivationScript (lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)); + system.activationScripts.permissions-wrappers = + lib.stringAfter [ "users" ] + '' + # Look in the system path and in the default profile for + # programs to be wrapped. + PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin - ###### setuid activation script - system.activationScripts.setuid = - mkActivationScript (lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)); + mkdir -p /run/permissions-wrapper-dirs + permissionsWrapperDir=$(mktemp --directory --tmpdir=/run/permissions-wrapper-dirs permissions-wrappers.XXXXXXXXXX) + chmod a+rx $permissionsWrapperDir + + ${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)} + ${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)} + + if [ -L ${permissionsWrapperDir} ]; then + # Atomically replace the symlink + # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ + old=$(readlink ${permissionsWrapperDir}) + ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp + mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir} + rm --force --recursive $old + elif [ -d ${permissionsWrapperDir} ]; then + # Compatibility with old state, just remove the folder and symlink + rm -f ${permissionsWrapperDir}/* + # if it happens to be a tmpfs + ${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true + rm -d ${permissionsWrapperDir} + ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir} + else + # For initial setup + ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir} + fi + ''; }; }