author | lassulus <lassulus@lassul.us> | 2022-01-27 10:55:55 +0100 |
committer | lassulus <lassulus@lassul.us> | 2022-01-27 10:55:55 +0100 |
commit | 83ec0fdb970c4aa0e29d221cb25aac2115e5abcd (patch) | |
tree | 7a4a8dce4c7ce6a291d3a8378676fd25752d783a /krebs/3modules/setuid.nix | |
parent | ba8a196faf2a28cd2a8defcdf3c2e7711281b9db (diff) | |
parent | ad6f0cd9014e13478a622786b9643970bae1c90a (diff) |
Merge remote-tracking branch 'ni/master'
Diffstat (limited to 'krebs/3modules/setuid.nix')
-rw-r--r-- | krebs/3modules/setuid.nix | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 64fedb911..b141c7de4 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -30,6 +30,10 @@ with import <stockholm/lib>;
 };
 apply = toString;
 };
+ capabilities = mkOption {
+ default = [];
+ type = types.listOf types.str;
+ };
 owner = mkOption {
 default = "root";
 type = types.enum (attrNames users);
@@ -62,18 +66,26 @@ with import <stockholm/lib>;
 inherit (cfg) envp filename;
 };
 dst = "${cfg.wrapperDir}/${cfg.name}";
- in ''
+ in /* sh */ ''
 mkdir -p ${cfg.wrapperDir}
 cp ${src} ${dst}
 chown ${cfg.owner}.${cfg.group} ${dst}
 chmod ${cfg.mode} ${dst}
+ ${optionalString (cfg.capabilities != []) /* sh */ ''
+ ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
+ ''}
 '';
 }));
 };
 
 imp = {
 system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ]
- (concatMapStringsSep "\n" (getAttr "activate") (attrValues config.krebs.setuid));
+ (concatMapStringsSep "\n"
+ (cfg: /* sh */ ''
+ ${cfg.activate}
+ rm -f ${cfg.wrapperDir}/${cfg.name}.real
+ '')
+ (attrValues config.krebs.setuid));
 };
 
 in out
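Review bot: The new `capabilities` option in the first hunk has no `description`, and nothing in the second hunk records why the `setcap` call has to come after `cp`, `chown` and `chmod`, even though that ordering is what keeps the capability set: rewriting the file and changing its owner both drop the `security.capability` xattr, so moving `setcap` earlier would silently produce a wrapper without capabilities. I would add `description = "File capabilities applied to the wrapper with setcap (e.g. cap_net_raw+ep); each entry is shell-escaped and the entries are joined with commas.";` to the option, and a one-line comment `# must stay last: rewriting the file and chown clear security.capability` above the `optionalString` line. Neither `setcap` nor the new `rm -f` line checks for failure, so a failed `setcap` leaves a wrapper with its owner and mode set but no capabilities; whether that aborts the activation script depends on how it is run, which is outside the hunk. The enclosing option set and the `activate` definition begin before the hunks.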