From 183be440fd08476354ef35a1203cf0fcd511d2f2 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Wed, 9 Aug 2023 13:06:10 +0200
Subject: [PATCH] nixos/captive-browser: drop setcap wrapper for captive-browser
Since Linux 5.7 it's possible to set `SO_BINDTODEVICE` via `setsockopt(2)` as unprivileged user if this operation doesn't imply escaping a VRF interface[1]. Dropping the wrapper is actually desirable because `captive-browser` itself doesn't drop capabilities and as a result, the capabilities are passed on to `chromium` itself[2]. For older kernels, this is still necessary, hence the wrapper will only be added nowadays if the kernel is older than 5.7. [1] https://github.com/torvalds/linux/commit/c427bfec18f2190b8f4718785ee8ed2db4f84ee6 [2] https://github.com/FiloSottile/captive-browser/blob/08450562e58bf9564ee98ad64ef7b2800e53338f/bind_device_linux.go#L11-L14 and because our setcap wrapper makes all capabilities inheritable.
---
nixos/modules/programs/captive-browser.nix | 32 ++++++++++++----------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/nixos/modules/programs/captive-browser.nix b/nixos/modules/programs/captive-browser.nix
index 36ceb1a69610..032c0e71f1f4 100644
--- a/nixos/modules/programs/captive-browser.nix
+++ b/nixos/modules/programs/captive-browser.nix
@@ -7,6 +7,8 @@ let concatStringsSep escapeShellArgs optionalString literalExpression mkEnableOption mkIf mkOption mkOptionDefault types; + requiresSetcapWrapper = config.boot.kernelPackages.kernelOlder "5.7" && cfg.bindInterface; + browserDefault = chromium: concatStringsSep " " [ ''env XDG_CONFIG_HOME="$PREV_CONFIG_HOME"'' ''${chromium}/bin/chromium''
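Review bot: `requiresSetcapWrapper` decides whether a capability-bearing wrapper is installed, but nothing next to it says why 5.7 is the cut-off or which kernel is being tested. I would add above it `# Linux >= 5.7 permits unprivileged SO_BINDTODEVICE (unless that would escape a VRF), so cap_net_raw is only needed on older kernels.` and `# Checked against the configured kernel package, not the running kernel.` The second line matters because, presumably, switching to a configuration with a newer kernel removes the wrapper before the reboot, so interface binding would fail until the new kernel is actually running. The `let` block this binding belongs to starts outside the hunk.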
@@ -23,11 +25,23 @@ let desktopItem = pkgs.makeDesktopItem { name = "captive-browser"; desktopName = "Captive Portal Browser"; - exec = "/run/wrappers/bin/captive-browser"; + exec = "captive-browser"; icon = "nix-snowflake"; categories = [ "Network" ]; }; + captive-browser-configured = pkgs.writeShellScriptBin "captive-browser" '' + export PREV_CONFIG_HOME="$XDG_CONFIG_HOME" + export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" '' + browser = """${cfg.browser}""" + dhcp-dns = """${cfg.dhcp-dns}""" + socks5-addr = """${cfg.socks5-addr}""" + ${optionalString cfg.bindInterface '' + bind-device = """${cfg.interface}""" + ''} + ''} + exec ${cfg.package}/bin/captive-browser + ''; in { ###### interface
@@ -101,6 +115,7 @@ in (pkgs.runCommand "captive-browser-desktop-item" { } '' install -Dm444 -t $out/share/applications ${desktopItem}/share/applications/*.desktop '') + captive-browser-configured ]; programs.captive-browser.dhcp-dns =
@@ -131,22 +146,11 @@ in source = "${pkgs.busybox}/bin/udhcpc"; }; - security.wrappers.captive-browser = { + security.wrappers.captive-browser = mkIf requiresSetcapWrapper { owner = "root"; group = "root"; capabilities = "cap_net_raw+p"; - source = pkgs.writeShellScript "captive-browser" '' - export PREV_CONFIG_HOME="$XDG_CONFIG_HOME" - export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" '' - browser = """${cfg.browser}""" - dhcp-dns = """${cfg.dhcp-dns}""" - socks5-addr = """${cfg.socks5-addr}""" - ${optionalString cfg.bindInterface '' - bind-device = """${cfg.interface}""" - ''} - ''} - exec ${cfg.package}/bin/captive-browser - ''; + source = "${captive-browser-configured}/bin/captive-browser"; }; }; }
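Review bot: `exec = "captive-browser";` in the desktop item now resolves through the session's PATH instead of a fixed path. On kernels older than 5.7 it reaches the setcap wrapper only if `/run/wrappers/bin` is searched before the profile that carries the unwrapped `captive-browser-configured` script of the same name (added to what looks like the system package list in the next hunk). Any earlier PATH entry can also shadow the launcher. Pinning the target avoids both: `exec = if requiresSetcapWrapper then "/run/wrappers/bin/captive-browser" else "${captive-browser-configured}/bin/captive-browser";`. The `let` block holding these bindings starts outside the hunk.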
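Review bot: In the last hunk, the wrapper kept under `mkIf requiresSetcapWrapper` still carries the exposure the commit message describes for kernels older than 5.7: `cap_net_raw+p` is granted to the launcher script, captive-browser does not drop it, and it ends up in the browser process. That residual case should be recorded where the wrapper is defined, for example `# Only for kernels < 5.7: cap_net_raw is inherited by the browser that captive-browser spawns; a newer kernel removes this wrapper.` An entry in `warnings` when `requiresSetcapWrapper` is true would also tell operators that the capability is still being handed out. The enclosing `config` attribute set starts outside the hunk.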