author | makefu <github@syntax-fehler.de> | 2022-01-26 17:59:53 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2022-01-26 17:59:53 +0100 |
commit | 54aaf5af8ed4d62a2e6645b7ca662ffac310e86c (patch) | |
tree | b3b1a1797791cd8cf763254a3fd88f7d35a2340c /lass/3modules/xjail.nix | |
parent | ef48f536a3e539b215bb004b512e62c2d0f96907 (diff) | |
parent | 31fc5a95c735ab3b9b832d407195e422c07cd4c0 (diff) |
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass/3modules/xjail.nix')
-rw-r--r-- | lass/3modules/xjail.nix | 32 |
1 files changed, 15 insertions, 17 deletions
diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix
index f94e7ebbf..08a28b8e3 100644
--- a/lass/3modules/xjail.nix
+++ b/lass/3modules/xjail.nix
@@ -41,10 +41,6 @@ with import <stockholm/lib>;
 type = types.path;
 default = pkgs.writeScript "echo_lol" "echo lol";
 };
- vglrun = mkOption {
- type = types.bool;
- default = false;
- };
 wm = mkOption {
 #TODO find type
 type = types.str;
@@ -122,21 +118,14 @@ with import <stockholm/lib>;
 ${pkgs.coreutils}/bin/kill $XEPHYR_PID
 '';
 # TODO fix xephyr which doesn't honor resizes anymore
- sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then ''
- /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@"
- '' else ''
+ sudo_ = pkgs.writeDash "${cfg.name}-sudo" ''
 #/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
- /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@"
-
- '');
- vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" ''
- DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@"
+ ${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:0 --uid=${cfg.name} .host ${cfg.script} "$@"
 '';
 in nameValuePair name {
 existing = newOrExisting;
 xephyr = xephyr_;
 sudo = sudo_;
- vglrun = vglrun_;
 }
 ) config.lass.xjail;
 in {
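Review bot: The machinectl line in the second hunk hard-codes `DISPLAY=:0`, whereas the sudo variant it replaces (and the commented-out line kept directly above it) used `DISPLAY=:${cfg.display}`, so the jailed `${cfg.script}` is pointed at the host X server instead of the Xephyr display this module manages (`kill $XEPHYR_PID`, `xephyr = xephyr_`), which undoes the display isolation the jail exists for. Unless that is deliberate — the `# TODO fix xephyr` comment hints at an unresolved problem — the line should read `${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:${cfg.display} --uid=${cfg.name} .host ${cfg.script} "$@"`. It also passes `--uid=${cfg.name}` while the polkit rule in the following hunk matches `action.lookup("user") == "${cfg.user}"`; if `cfg.user` and `cfg.name` can differ, the rule will never authorise the shell, so both sides should use the same attribute. The stale commented-out sudo line should be removed rather than carried over into the new script.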
@@ -161,10 +150,19 @@ with import <stockholm/lib>;
 }
 ) config.lass.xjail;
- security.sudo.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg:
- # TODO allow just the right script with sudo
- "${cfg.from} ALL=(${cfg.name}) NOPASSWD: ALL"
- ) config.lass.xjail));
+ security.polkit.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: ''
+ polkit.addRule(function(action, subject) {
+ if (
+ subject.user == "${cfg.from}" &&
+ action.id == "org.freedesktop.machine1.host-shell" &&
+ action.lookup("user") == "${cfg.user}" &&
+ action.lookup("program") == "${cfg.script}" &&
+ true
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ '') config.lass.xjail));
 lass.xjail-bins = mapAttrs' (name: cfg: nameValuePair name (pkgs.writeScriptBin cfg.name ''
|