summaryrefslogtreecommitdiffstats
path: root/krebs/3modules/setuid.nix
diff options
context:
space:
mode:
authorlassulus <lassulus@lassul.us>2022-01-27 10:55:55 +0100
committerlassulus <lassulus@lassul.us>2022-01-27 10:55:55 +0100
commit83ec0fdb970c4aa0e29d221cb25aac2115e5abcd (patch)
tree7a4a8dce4c7ce6a291d3a8378676fd25752d783a /krebs/3modules/setuid.nix
parentba8a196faf2a28cd2a8defcdf3c2e7711281b9db (diff)
parentad6f0cd9014e13478a622786b9643970bae1c90a (diff)
Merge remote-tracking branch 'ni/master'
Diffstat (limited to 'krebs/3modules/setuid.nix')
-rw-r--r--krebs/3modules/setuid.nix16
1 files changed, 14 insertions, 2 deletions
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 64fedb911..b141c7de4 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -30,6 +30,10 @@ with import <stockholm/lib>;
};
apply = toString;
};
+ capabilities = mkOption {
+ default = [];
+ type = types.listOf types.str;
+ };
owner = mkOption {
default = "root";
type = types.enum (attrNames users);
@@ -62,18 +66,26 @@ with import <stockholm/lib>;
inherit (cfg) envp filename;
};
dst = "${cfg.wrapperDir}/${cfg.name}";
- in ''
+ in /* sh */ ''
mkdir -p ${cfg.wrapperDir}
cp ${src} ${dst}
chown ${cfg.owner}.${cfg.group} ${dst}
chmod ${cfg.mode} ${dst}
+ ${optionalString (cfg.capabilities != []) /* sh */ ''
+ ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
+ ''}
'';
}));
};
imp = {
system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ]
- (concatMapStringsSep "\n" (getAttr "activate") (attrValues config.krebs.setuid));
+ (concatMapStringsSep "\n"
+ (cfg: /* sh */ ''
+ ${cfg.activate}
+ rm -f ${cfg.wrapperDir}/${cfg.name}.real
+ '')
+ (attrValues config.krebs.setuid));
};
in out