summaryrefslogtreecommitdiffstats
path: root/krebs/3modules/setuid.nix
blob: 22123c9260a69a9979f071290fac78432ee128ee (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
{ config, pkgs, lib, ... }:
with lib;
let
  cfg = config.krebs.setuid;

  out = {
    options.krebs.setuid = api;
    config = imp;
  };

  api = mkOption {
    default = {};
    type = let
      # TODO make wrapperDir configurable
      inherit (config.security) wrapperDir;
      inherit (config.users) groups users;
    in types.attrsOf (types.submodule ({ config, ... }: {
      options = {
        name = mkOption {
          type = types.filename;
          default = config._module.args.name;
        };
        filename = mkOption {
          type = mkOptionType {
            # TODO unyuck string and merge with toC
            name = "derivation or string";
            check = x:
              isDerivation x ||
              isString x;
          };
          apply = toString;
        };
        owner = mkOption {
          default = "root";
          type = types.enum (attrNames users);
        };
        group = mkOption {
          default = "root";
          type = types.enum (attrNames groups);
        };
        mode = mkOption {
          default = "4710";
          type = mkOptionType {
            # TODO admit symbolic mode
            name = "octal mode";
            check = x:
              isString x &&
              match "[0-7][0-7][0-7][0-7]" x != null;
          };
        };
        activate = mkOption {
          type = types.str;
          visible = false;
          readOnly = true;
        };
      };
      config.activate = let
        src = pkgs.execve config.name {
          inherit (config) filename;
        };
        dst = "${wrapperDir}/${config.name}";
      in ''
        cp ${src} ${dst}
        chown ${config.owner}.${config.group} ${dst}
        chmod ${config.mode} ${dst}
      '';
    }));
  };

  imp = {
    system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ]
      (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
  };

in out