stockholm/krebs/3modules/setuid.nix

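{ config, pkgs, lib, ... }:
with import ../../lib/pure.nix { inherit lib; };
let
  out = {
    options.krebs.setuid = api;
    config = mkIf (config.krebs.setuid != {}) imp;
  };

  # krebs.setuid.<name>: installs a privileged copy (setuid/setgid bits
  # and/or file capabilities) of `filename` into `wrapperDir`, owned by
  # `owner:group` with `mode`.  Each entry yields a shell snippet
  # (`activate`); the oneshot service in `imp` concatenates and runs them.
  api = mkOption {
    default = {};
    type = let
      inherit (config.users) groups users;
    in types.attrsOf (types.submodule (self: let cfg = self.config; in {
      options = {
        name = mkOption {
          # Basename of the installed wrapper under wrapperDir.  types.filename
          # (lib/pure.nix) is expected to reject path separators -- verify there.
          type = types.filename;
          default = cfg._module.args.name;
        };
        envp = mkOption {
          # Environment handed to pkgs.exec; null keeps its default.
          type = types.nullOr (types.attrsOf types.str);
          default = null;
        };
        filename = mkOption {
          # Program to wrap: a derivation or a plain path string.
          type = mkOptionType {
            # TODO unyuck string and merge with toC
            name = "derivation or string";
            check = x:
              isDerivation x ||
              isString x;
          };
          apply = toString;
        };
        capabilities = mkOption {
          # File capabilities in setcap(8) syntax, attached to the wrapper.
          default = [];
          type = types.listOf types.str;
        };
        owner = mkOption {
          # Only users/groups declared in this configuration are accepted.
          default = "root";
          type = types.enum (attrNames users);
        };
        group = mkOption {
          default = "root";
          type = types.enum (attrNames groups);
        };
        mode = mkOption {
          # Four octal digits; the leading digit carries setuid/setgid/sticky.
          default = "4710";
          type = mkOptionType {
            # TODO admit symbolic mode
            name = "octal mode";
            check = test "[0-7][0-7][0-7][0-7]";
            merge = mergeOneOption;
          };
        };
        wrapperDir = mkOption {
          default = config.security.wrapperDir;
          type = types.absolute-pathname;
        };
        activate = mkOption {
          # Generated shell snippet that installs this wrapper (read-only).
          type = types.str;
          visible = false;
          readOnly = true;
        };
      };
      config.activate = let
        src = pkgs.exec cfg.name {
          inherit (cfg) envp filename;
        };
        dst = "${cfg.wrapperDir}/${cfg.name}";
        # Staging path in the same directory: the final mv is then a rename on
        # one filesystem, which preserves owner, mode and xattrs (capabilities).
        tmp = "${dst}.tmp";
      in /* sh */ ''
        mkdir -p ${cfg.wrapperDir}
        rm -f ${tmp}
        cp ${src} ${tmp}
        # Order matters: changing owner/group clears the setuid/setgid bits
        # (and, on Linux, file capabilities), so chown first, then chmod/setcap.
        chown ${cfg.owner}:${cfg.group} ${tmp}
        chmod ${cfg.mode} ${tmp}
        ${optionalString (cfg.capabilities != []) /* sh */ ''
          ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${tmp}
        ''}
        # Atomic replace: a cp straight onto an existing setuid wrapper would
        # truncate and rewrite it in place, briefly exposing a half-written
        # privileged binary; renaming a fully prepared file avoids that window.
        mv -f ${tmp} ${dst}
      '';
    }));
  };

  imp = {
    # Oneshot ordered after NixOS' suid-sgid-wrappers.service (which is
    # assumed to set up the wrapper directory -- verify against NixOS).
    systemd.services."krebs.setuid" = {
      wantedBy = [ "suid-sgid-wrappers.service" ];
      after = [ "suid-sgid-wrappers.service" ];
      path = [
        pkgs.coreutils
      ];
      serviceConfig = {
        Type = "oneshot";
        ExecStart = pkgs.writeDash "krebs.setuid.sh" ''
          # Fail on the first error: a wrapper that could not be installed must
          # not be masked by a unit that still reports success.
          set -efu
          ${concatMapStringsSep "\n"
            (getAttr "activate")
            (attrValues config.krebs.setuid)
          }
        '';
      };
      unitConfig = {
        DefaultDependencies = false;
      };
    };
  };
in out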