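{ config, pkgs, lib, ... }:

with import ../../lib/pure.nix { inherit lib; };

# krebs.setuid -- install additional setuid/setgid wrappers (optionally with
# file capabilities) into the system wrapper directory.
#
# Each attribute of `krebs.setuid` describes one wrapper: a `pkgs.exec` stub
# for `filename` is copied into `wrapperDir`, chown'ed to `owner`:`group`,
# chmod'ed to `mode` (default 4710: setuid, owner rwx, group x, nothing for
# others) and, when `capabilities` is non-empty, given file capabilities via
# setcap.  All wrappers are installed by a single oneshot unit that runs after
# NixOS' own suid-sgid-wrappers.service.
let

  out = {
    options.krebs.setuid = api;
    # Only emit the service when at least one wrapper is configured.
    config = mkIf (config.krebs.setuid != {}) imp;
  };

  api = mkOption {
    default = {};
    type = let
      inherit (config.users) groups users;
    in types.attrsOf (types.submodule (self: let cfg = self.config; in {
      options = {
        name = mkOption {
          # Basename of the installed wrapper; defaults to the attribute name.
          type = types.filename;
          default = cfg._module.args.name;
        };
        envp = mkOption {
          # Environment passed through to pkgs.exec.  What `null` means is
          # decided inside pkgs.exec, not here.
          type = types.nullOr (types.attrsOf types.str);
          default = null;
        };
        filename = mkOption {
          # Program the wrapper executes; a derivation is coerced to its store
          # path by `apply`.
          type = mkOptionType {
            # TODO unyuck string and merge with toC
            name = "derivation or string";
            check = x:
              isDerivation x ||
              isString x;
          };
          apply = toString;
        };
        capabilities = mkOption {
          # Handed to setcap, shell-escaped and comma-joined (e.g.
          # [ "cap_net_raw+ep" ]).  Empty list: setcap is not invoked at all.
          default = [];
          type = types.listOf types.str;
        };
        owner = mkOption {
          # Restricted to users declared in users.users, so a typo cannot
          # silently produce a setuid binary owned by an unintended account.
          default = "root";
          type = types.enum (attrNames users);
        };
        group = mkOption {
          default = "root";
          type = types.enum (attrNames groups);
        };
        mode = mkOption {
          # Exactly four octal digits (setuid/setgid/sticky + rwx for u/g/o).
          # The default is deliberately tight: only the owner and members of
          # `group` may execute the wrapper and nobody else can even read it.
          default = "4710";
          type = mkOptionType {
            # TODO admit symbolic mode
            name = "octal mode";
            check = test "[0-7][0-7][0-7][0-7]";
            merge = mergeOneOption;
          };
        };
        wrapperDir = mkOption {
          # Directory the wrapper is installed into; defaults to NixOS' own
          # wrapper directory.  Presumably that directory is (re)created by
          # suid-sgid-wrappers.service on activation, which is why `imp`
          # orders the install unit after it -- confirm against nixos/modules/
          # security/wrappers.
          default = config.security.wrapperDir;
          type = types.absolute-pathname;
        };
        activate = mkOption {
          # Internal: shell snippet that installs this one wrapper.  `imp`
          # concatenates all of them into a single script.
          type = types.str;
          visible = false;
          readOnly = true;
        };
      };
      config.activate = let
        src = pkgs.exec cfg.name {
          inherit (cfg) envp filename;
        };
        dst = "${cfg.wrapperDir}/${cfg.name}";
        # Staging path in the same directory so the final rename(2) is atomic.
        # Installing via a temporary file instead of `cp` straight onto `dst`
        # fixes two problems: cp onto a wrapper that is currently executing
        # fails with ETXTBSY, and because cp truncates the existing inode in
        # place the old setuid file would briefly have incomplete contents.
        # NOTE(review): assumes types.filename rejects names starting with "."
        # so this cannot collide with another configured wrapper -- confirm.
        tmp = "${cfg.wrapperDir}/.${cfg.name}.tmp";
      in /* sh */ ''
        mkdir -p "${cfg.wrapperDir}"
        cp "${src}" "${tmp}"
        # chown first: on Linux chown clears setuid/setgid bits, so the chmod
        # must come after it.  chmod does not clear file capabilities, so
        # setcap may follow; the bits and caps survive the rename below.
        chown ${cfg.owner}:${cfg.group} "${tmp}"
        chmod ${cfg.mode} "${tmp}"
        ${optionalString (cfg.capabilities != []) /* sh */ ''
          ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} "${tmp}"
        ''}
        mv -f "${tmp}" "${dst}"
      '';
    }));
  };

  imp = {
    systemd.services."krebs.setuid" = {
      # Run as part of, and after, NixOS' wrapper setup; with
      # DefaultDependencies off this unit carries no other implicit ordering.
      wantedBy = [ "suid-sgid-wrappers.service" ];
      after = [ "suid-sgid-wrappers.service" ];
      path = [
        # mkdir/cp/chown/chmod/mv used by the `activate` snippets.
        pkgs.coreutils
      ];
      serviceConfig = {
        Type = "oneshot";
        # `set -efu`: a failed step (e.g. cp of a missing store path) must
        # fail the unit instead of silently chown/chmod'ing a stale wrapper
        # and reporting success.  The first failing wrapper aborts the rest.
        ExecStart = pkgs.writeDash "krebs.setuid.sh" ''
          set -efu
          ${concatMapStringsSep "\n"
            (getAttr "activate")
            (attrValues config.krebs.setuid)
          }
        '';
      };
      unitConfig = {
        DefaultDependencies = false;
      };
    };
  };

in out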