public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixing

Browse Source
This commit is contained in:
Parnell Springmeyer 2017-01-26 00:32:59 -08:00
parent 025555d7f1
commit a20e65724b
No known key found for this signature in database
GPG Key ID: DCCF89258EAD874A
3 changed files with 46 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
nixos/modules/security/permissions-wrappers/default.nix
View File

@ -66,6 +66,39 @@ let
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program} chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${permissionsWrapperDir}/${program}
''; '';
mkActivationScript = programsToWrap:
lib.stringAfter [ "users" ]
''
# Look in the system path and in the default profile for
# programs to be wrapped.
PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
mkdir -p /run/permissions-wrapper-dirs
permissionsWrapperDir=$(mktemp --directory --tmpdir=/run/permissions-wrapper-dirs permissions-wrappers.XXXXXXXXXX)
chmod a+rx $permissionsWrapperDir
${programsToWrap}
if [ -L ${permissionsWrapperDir} ]; then
# Atomically replace the symlink
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
old=$(readlink ${permissionsWrapperDir})
ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp
mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir}
rm --force --recursive $old
elif [ -d ${permissionsWrapperDir} ]; then
# Compatibility with old state, just remove the folder and symlink
rm -f ${permissionsWrapperDir}/*
# if it happens to be a tmpfs
${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true
rm -d ${permissionsWrapperDir}
ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
else
# For initial setup
ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
fi
'';
in in
{ {
@ -160,45 +193,10 @@ in
###### setcap activation script ###### setcap activation script
system.activationScripts.setcap = system.activationScripts.setcap =
lib.stringAfter [ "users" ] mkActivationScript (lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap));
''
# Look in the system path and in the default profile for
# programs to be wrapped.
PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
# When a program is removed from the security.permissionsWrappers.setcap
# list we have to remove all of the previous program wrappers
# and re-build them minus the wrapper for the program removed,
# hence the rm here in the activation script.
rm -f ${permissionsWrapperDir}/*
# Concatenate the generated shell slices to configure
# wrappers for each program needing specialized capabilities.
${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)}
'';
###### setuid activation script ###### setuid activation script
system.activationScripts.setuid = system.activationScripts.setuid =
lib.stringAfter [ "users" ] mkActivationScript (lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid));
''
# Look in the system path and in the default profile for
# programs to be wrapped.
PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
# When a program is removed from the security.permissionsWrappers.setcap
# list we have to remove all of the previous program wrappers
# and re-build them minus the wrapper for the program removed,
# hence the rm here in the activation script.
rm -f ${permissionsWrapperDir}/*
# Concatenate the generated shell slices to configure
# wrappers for each program needing specialized capabilities.
${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)}
'';
}; };
} }

2
nixos/modules/security/permissions-wrappers/permissions-wrapper.c
View File

@ -211,7 +211,7 @@ int main(int argc, char * * argv)
// Read the capabilities set on the file and raise them in to the // Read the capabilities set on the file and raise them in to the
// Ambient set so the program we're wrapping receives the // Ambient set so the program we're wrapping receives the
// capabilities too! // capabilities too!
assert(!make_caps_ambient(selfPath)); if (strcmp(wrapperType, "setcap") == 0) assert(!make_caps_ambient(selfPath));
execve(sourceProg, argv, environ); execve(sourceProg, argv, environ);

5
nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
View File

@ -5,15 +5,14 @@ let
# Produce a shell-code splice intended to be stitched into one of # Produce a shell-code splice intended to be stitched into one of
# the build or install phases within the derivation. # the build or install phases within the derivation.
mkSetuidWrapper = { program, source ? null, ...}: mkSetuidWrapper = { program, source ? null, ...}: ''
''
if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
# If we can't find the program, fall back to the # If we can't find the program, fall back to the
# system profile. # system profile.
source=/nix/var/nix/profiles/default/bin/${program} source=/nix/var/nix/profiles/default/bin/${program}
fi fi
gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \ gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
-lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \ -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
''; '';