authortv <tv@krebsco.de>2022-01-26 12:48:24 +0100
committertv <tv@krebsco.de>2022-01-26 12:58:26 +0100
commitf4e35a731286d9ce733e3b18ba7d284ada58f76e (patch)
tree9061b9736d14508d38747293f915110893b92855
parentc5c0caa4c12ca366f2afd00521d4d392a4b0d181 (diff)
krebs.setuid: add support for capabilities
-rw-r--r--krebs/3modules/setuid.nix7
1 files changed, 7 insertions, 0 deletions
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 64fedb911..6ad2f1264 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -30,6 +30,10 @@ with import <stockholm/lib>;
};
apply = toString;
};
+ capabilities = mkOption {
+ default = [];
+ type = types.listOf types.str;
+ };
owner = mkOption {
default = "root";
type = types.enum (attrNames users);
@@ -67,6 +71,9 @@ with import <stockholm/lib>;
cp ${src} ${dst}
chown ${cfg.owner}.${cfg.group} ${dst}
chmod ${cfg.mode} ${dst}
+ ${optionalString (cfg.capabilities != []) /* sh */ ''
+ ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
+ ''}
'';
}));
};
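Review bot: The setcap call added at the end of the second hunk is placed after the chown and chmod lines, and that order is load-bearing: chown clears the security.capability xattr together with the setuid/setgid bits, so a later reorder of these lines would silently leave the binary without its capabilities while the activation still succeeds. Nothing in the hunk records this, so a comment such as `# keep setcap last: chown strips file capabilities` above the optionalString line would protect the ordering. The elements of cfg.capabilities are shell-escaped (so they cannot break out of the command) but are otherwise passed to setcap verbatim, with no check that they are well-formed capability text; the mkOption in the first hunk has no description, so adding one that states the expected setcap(8) clause form would at least tell users what the list is supposed to contain. The enclosing module expression starts and ends outside both hunks.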