diff options
author | makefu <github@syntax-fehler.de> | 2016-02-15 17:07:48 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2016-02-15 17:07:48 +0100 |
commit | 3ceff0ec29a36119ea83f02c8943752d91b250e9 (patch) | |
tree | 7b179bc972ea01c9305ea64697e14237346885d8 /krebs/3modules/setuid.nix | |
parent | 9a4071b66ff45e99a30e9a314eb43c6efc7e921f (diff) | |
parent | 372f2d77f301719e396a6f943657325e2f8b2cf4 (diff) |
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'krebs/3modules/setuid.nix')
-rw-r--r-- | krebs/3modules/setuid.nix | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix new file mode 100644 index 000000000..1137788d8 --- /dev/null +++ b/krebs/3modules/setuid.nix @@ -0,0 +1,75 @@ +{ config, pkgs, lib, ... }: +with config.krebs.lib; +let + cfg = config.krebs.setuid; + + out = { + options.krebs.setuid = api; + config = imp; + }; + + api = mkOption { + default = {}; + type = let + # TODO make wrapperDir configurable + inherit (config.security) wrapperDir; + inherit (config.users) groups users; + in types.attrsOf (types.submodule ({ config, ... }: { + options = { + name = mkOption { + type = types.filename; + default = config._module.args.name; + }; + filename = mkOption { + type = mkOptionType { + # TODO unyuck string and merge with toC + name = "derivation or string"; + check = x: + isDerivation x || + isString x; + }; + apply = toString; + }; + owner = mkOption { + default = "root"; + type = types.enum (attrNames users); + }; + group = mkOption { + default = "root"; + type = types.enum (attrNames groups); + }; + mode = mkOption { + default = "4710"; + type = mkOptionType { + # TODO admit symbolic mode + name = "octal mode"; + check = x: + isString x && + match "[0-7][0-7][0-7][0-7]" x != null; + }; + }; + activate = mkOption { + type = types.str; + visible = false; + readOnly = true; + }; + }; + config.activate = let + src = pkgs.execve config.name { + inherit (config) filename; + }; + dst = "${wrapperDir}/${config.name}"; + in '' + cp ${src} ${dst} + chown ${config.owner}.${config.group} ${dst} + chmod ${config.mode} ${dst} + ''; + })); + }; + + imp = { + system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ] + (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg)); + }; + +in out |