nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you to think about what the wrapper ownership and permissions will be.
parent
8f76a6eefc
commit
fedd7cd690
39 changed files with 276 additions and 72 deletions
|
@ -22,8 +22,10 @@ in {
|
|||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = with pkgs; [ bandwhich ];
|
||||
security.wrappers.bandwhich = {
|
||||
source = "${pkgs.bandwhich}/bin/bandwhich";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_raw,cap_net_admin+ep";
|
||||
source = "${pkgs.bandwhich}/bin/bandwhich";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -105,11 +105,15 @@ in
|
|||
);
|
||||
|
||||
security.wrappers.udhcpc = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_raw+p";
|
||||
source = "${pkgs.busybox}/bin/udhcpc";
|
||||
};
|
||||
|
||||
security.wrappers.captive-browser = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_raw+p";
|
||||
source = pkgs.writeShellScript "captive-browser" ''
|
||||
export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"
|
||||
|
|
|
@ -81,7 +81,12 @@ in {
|
|||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";
|
||||
security.wrappers.firejail =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${lib.getBin pkgs.firejail}/bin/firejail";
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ];
|
||||
};
|
||||
|
|
|
@ -56,6 +56,8 @@ in
|
|||
polkit.enable = true;
|
||||
wrappers = mkIf cfg.enableRenice {
|
||||
gamemoded = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.gamemode}/bin/gamemoded";
|
||||
capabilities = "cap_sys_nice+ep";
|
||||
};
|
||||
|
|
|
@ -11,8 +11,10 @@ in {
|
|||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.iftop ];
|
||||
security.wrappers.iftop = {
|
||||
source = "${pkgs.iftop}/bin/iftop";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_raw+p";
|
||||
source = "${pkgs.iftop}/bin/iftop";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -10,8 +10,10 @@ in {
|
|||
};
|
||||
config = mkIf cfg.enable {
|
||||
security.wrappers.iotop = {
|
||||
source = "${pkgs.iotop}/bin/iotop";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_admin+p";
|
||||
source = "${pkgs.iotop}/bin/iotop";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -11,6 +11,11 @@ in
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.kbdlight ];
|
||||
security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight";
|
||||
security.wrappers.kbdlight =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.kbdlight.out}/bin/kbdlight";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -13,8 +13,10 @@ in {
|
|||
security.wrappers = mkMerge (map (
|
||||
exec: {
|
||||
"${exec}" = {
|
||||
source = "${pkgs.liboping}/bin/${exec}";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_raw+p";
|
||||
source = "${pkgs.liboping}/bin/${exec}";
|
||||
};
|
||||
}
|
||||
) [ "oping" "noping" ]);
|
||||
|
|
|
@ -31,8 +31,10 @@ in {
|
|||
environment.systemPackages = with pkgs; [ cfg.package ];
|
||||
|
||||
security.wrappers.mtr-packet = {
|
||||
source = "${cfg.package}/bin/mtr-packet";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_raw+p";
|
||||
source = "${cfg.package}/bin/mtr-packet";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -18,8 +18,10 @@ in {
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
security.wrappers.noisetorch = {
|
||||
source = "${cfg.package}/bin/noisetorch";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_sys_resource=+ep";
|
||||
source = "${cfg.package}/bin/noisetorch";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -43,6 +43,13 @@ let
|
|||
|
||||
'';
|
||||
|
||||
mkSetuidRoot = source:
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
inherit source;
|
||||
};
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
|
@ -109,14 +116,14 @@ in
|
|||
};
|
||||
|
||||
security.wrappers = {
|
||||
su.source = "${pkgs.shadow.su}/bin/su";
|
||||
sg.source = "${pkgs.shadow.out}/bin/sg";
|
||||
newgrp.source = "${pkgs.shadow.out}/bin/newgrp";
|
||||
newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";
|
||||
newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";
|
||||
su = mkSetuidRoot "${pkgs.shadow.su}/bin/su";
|
||||
sg = mkSetuidRoot "${pkgs.shadow.out}/bin/sg";
|
||||
newgrp = mkSetuidRoot "${pkgs.shadow.out}/bin/newgrp";
|
||||
newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap";
|
||||
newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap";
|
||||
} // lib.optionalAttrs config.users.mutableUsers {
|
||||
chsh.source = "${pkgs.shadow.out}/bin/chsh";
|
||||
passwd.source = "${pkgs.shadow.out}/bin/passwd";
|
||||
chsh = mkSetuidRoot "${pkgs.shadow.out}/bin/chsh";
|
||||
passwd = mkSetuidRoot "${pkgs.shadow.out}/bin/passwd";
|
||||
};
|
||||
};
|
||||
}
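Review bot: `mkSetuidRoot` in the `let` block at `@ -43,6 +43,13 @@ let` is a private copy of exactly the helper that wrappers.nix defines again inside its `security.wrappers` let-block (`@ -198,13 +213,21 @@`), while every other module touched by this commit spells the same four attributes out by hand; exporting the helper once (from the wrappers module or as a `lib` function) would keep the "think about ownership" intent without the duplication. A one-line doc comment above the binding would also record the contract, e.g. `# Setuid-root, root-owned wrapper; use only for binaries that drop privileges themselves — the wrapper grants them to every caller.` The surrounding `let … in` and the module body continue outside these hunks.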
|
||||
|
|
|
@ -16,7 +16,12 @@ in {
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ singularity ];
|
||||
security.wrappers.singularity-suid.source = "${singularity}/libexec/singularity/bin/starter-suid.orig";
|
||||
security.wrappers.singularity-suid =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${singularity}/libexec/singularity/bin/starter-suid.orig";
|
||||
};
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/singularity/mnt/session 0770 root root -"
|
||||
"d /var/singularity/mnt/final 0770 root root -"
|
||||
|
|
|
@ -21,6 +21,11 @@ in
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.slock ];
|
||||
security.wrappers.slock.source = "${pkgs.slock.out}/bin/slock";
|
||||
security.wrappers.slock =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.slock.out}/bin/slock";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -19,8 +19,10 @@ in {
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
security.wrappers.traceroute = {
|
||||
source = "${pkgs.traceroute}/bin/traceroute";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_raw+p";
|
||||
source = "${pkgs.traceroute}/bin/traceroute";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -9,6 +9,11 @@ in {
|
|||
options.programs.udevil.enable = mkEnableOption "udevil";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil";
|
||||
security.wrappers.udevil =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${lib.getBin pkgs.udevil}/bin/udevil";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -21,8 +21,10 @@ in {
|
|||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = with pkgs; [ wavemon ];
|
||||
security.wrappers.wavemon = {
|
||||
source = "${pkgs.wavemon}/bin/wavemon";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_admin+ep";
|
||||
source = "${pkgs.wavemon}/bin/wavemon";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -17,6 +17,11 @@ in {
|
|||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
security.wrappers.wshowkeys.source = "${pkgs.wshowkeys}/bin/wshowkeys";
|
||||
security.wrappers.wshowkeys =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.wshowkeys}/bin/wshowkeys";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -28,6 +28,11 @@ in
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ sandbox ];
|
||||
security.wrappers.${sandbox.passthru.sandboxExecutableName}.source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
|
||||
security.wrappers.${sandbox.passthru.sandboxExecutableName} =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -241,9 +241,12 @@ in
|
|||
}
|
||||
];
|
||||
|
||||
security.wrappers = {
|
||||
doas.source = "${doas}/bin/doas";
|
||||
};
|
||||
security.wrappers.doas =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${doas}/bin/doas";
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
doas
|
||||
|
|
|
@ -186,7 +186,12 @@ in
|
|||
config = mkIf (cfg.ssh.enable || cfg.pam.enable) {
|
||||
environment.systemPackages = [ pkgs.duo-unix ];
|
||||
|
||||
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
|
||||
security.wrappers.login_duo =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.duo-unix.out}/bin/login_duo";
|
||||
};
|
||||
|
||||
system.activationScripts = {
|
||||
login_duo = mkIf cfg.ssh.enable ''
|
||||
|
|
|
@ -32,8 +32,18 @@ in
|
|||
|
||||
# Make sure pmount and pumount are setuid wrapped.
|
||||
security.wrappers = {
|
||||
pmount.source = "${pkgs.pmount.out}/bin/pmount";
|
||||
pumount.source = "${pkgs.pmount.out}/bin/pumount";
|
||||
pmount =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.pmount.out}/bin/pmount";
|
||||
};
|
||||
pumount =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.pmount.out}/bin/pumount";
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.pmount ];
|
||||
|
|
|
@ -83,8 +83,18 @@ in
|
|||
security.pam.services.polkit-1 = {};
|
||||
|
||||
security.wrappers = {
|
||||
pkexec.source = "${pkgs.polkit.bin}/bin/pkexec";
|
||||
polkit-agent-helper-1.source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
|
||||
pkexec =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.polkit.bin}/bin/pkexec";
|
||||
};
|
||||
polkit-agent-helper-1 =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
|
|
|
@ -33,12 +33,10 @@ let
|
|||
};
|
||||
options.owner = lib.mkOption
|
||||
{ type = lib.types.str;
|
||||
default = "root";
|
||||
description = "The owner of the wrapper program.";
|
||||
};
|
||||
options.group = lib.mkOption
|
||||
{ type = lib.types.str;
|
||||
default = "root";
|
||||
description = "The group of the wrapper program.";
|
||||
};
|
||||
options.permissions = lib.mkOption
|
||||
|
@ -74,7 +72,7 @@ let
|
|||
};
|
||||
options.setuid = lib.mkOption
|
||||
{ type = lib.types.bool;
|
||||
default = true;
|
||||
default = false;
|
||||
description = "Whether to add the setuid bit the wrapper program.";
|
||||
};
|
||||
options.setgid = lib.mkOption
|
||||
|
@ -156,13 +154,30 @@ in
|
|||
default = {};
|
||||
example = lib.literalExample
|
||||
''
|
||||
{ sendmail.source = "/nix/store/.../bin/sendmail";
|
||||
ping = {
|
||||
source = "${pkgs.iputils.out}/bin/ping";
|
||||
owner = "nobody";
|
||||
group = "nogroup";
|
||||
capabilities = "cap_net_raw+ep";
|
||||
};
|
||||
{
|
||||
# a setuid root program
|
||||
doas =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "''${pkgs.doas}/bin/doas";
|
||||
};
|
||||
|
||||
# a setgid program
|
||||
locate =
|
||||
{ setgid = true;
|
||||
owner = "root";
|
||||
group = "mlocate";
|
||||
source = "''${pkgs.locate}/bin/locate";
|
||||
};
|
||||
|
||||
# a program with the CAP_NET_RAW capability
|
||||
ping =
|
||||
{ owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_raw+ep";
|
||||
source = "''${pkgs.iputils.out}/bin/ping";
|
||||
};
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
|
@ -198,13 +213,21 @@ in
|
|||
}
|
||||
) wrappers;
|
||||
|
||||
security.wrappers = {
|
||||
# These are mount related wrappers that require the +s permission.
|
||||
fusermount.source = "${pkgs.fuse}/bin/fusermount";
|
||||
fusermount3.source = "${pkgs.fuse3}/bin/fusermount3";
|
||||
mount.source = "${lib.getBin pkgs.util-linux}/bin/mount";
|
||||
umount.source = "${lib.getBin pkgs.util-linux}/bin/umount";
|
||||
};
|
||||
security.wrappers =
|
||||
let
|
||||
mkSetuidRoot = source:
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
inherit source;
|
||||
};
|
||||
in
|
||||
{ # These are mount related wrappers that require the +s permission.
|
||||
fusermount = mkSetuidRoot "${pkgs.fuse}/bin/fusermount";
|
||||
fusermount3 = mkSetuidRoot "${pkgs.fuse3}/bin/fusermount3";
|
||||
mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
|
||||
umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
|
||||
};
|
||||
|
||||
boot.specialFileSystems.${parentWrapperDir} = {
|
||||
fsType = "tmpfs";
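Review bot: Flipping `options.setuid` to `default = false;` (hunk `@ -74,7 +72,7 @@`) means a wrapper still declared the old way, `foo.source = "…";`, no longer becomes setuid but, as far as these hunks show, still evaluates as a wrapper that grants no setuid, setgid or capability — a silent no-op instead of the error the commit is trying to provoke (the dropped `owner`/`group` defaults at `@ -33,12 +33,10 @@` will only fail evaluation if the option type has no fallback, which the hunk makes likely but does not prove). An assertion next to the `security.wrappers` block at `@ -198,13 +213,21 @@` would enforce the new policy, unless privilege-less wrappers are meant to stay supported. The sketch below assumes `capabilities` defaults to `""` and that `wrappers` (seen at `) wrappers;`) is the attrset of evaluated wrapper submodules; both are outside the hunk and need confirming.
```nix
# … unchanged: security.wrappers let-block with mkSetuidRoot …
assertions = lib.mapAttrsToList (name: wrapper: {
  assertion = wrapper.setuid || wrapper.setgid || wrapper.capabilities != "";
  message = "security.wrappers.${name} grants no privilege: set setuid, setgid or capabilities, or drop the wrapper";
}) wrappers;
```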
|
||||
|
|
|
@ -52,8 +52,10 @@ with lib;
|
|||
security.pam.services.login.enableGnomeKeyring = true;
|
||||
|
||||
security.wrappers.gnome-keyring-daemon = {
|
||||
source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_ipc_lock=ep";
|
||||
source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";
|
||||
};
|
||||
|
||||
};
|
||||
|
|
|
@ -104,7 +104,12 @@ in
|
|||
gid = config.ids.gids.exim;
|
||||
};
|
||||
|
||||
security.wrappers.exim.source = "${cfg.package}/bin/exim";
|
||||
security.wrappers.exim =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${cfg.package}/bin/exim";
|
||||
};
|
||||
|
||||
systemd.services.exim = {
|
||||
description = "Exim Mail Daemon";
|
||||
|
|
|
@ -45,8 +45,10 @@ in
|
|||
environment.systemPackages = [ pkgs.mame ];
|
||||
|
||||
security.wrappers."${mame}" = {
|
||||
source = "${pkgs.mame}/bin/${mame}";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_admin,cap_net_raw+eip";
|
||||
source = "${pkgs.mame}/bin/${mame}";
|
||||
};
|
||||
|
||||
systemd.services.mame = {
|
||||
|
|
|
@ -52,7 +52,12 @@ in
|
|||
wants = [ "network.target" ];
|
||||
};
|
||||
|
||||
security.wrappers.screen.source = "${pkgs.screen}/bin/screen";
|
||||
security.wrappers.screen =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.screen}/bin/screen";
|
||||
};
|
||||
};
|
||||
|
||||
meta.doc = ./weechat.xml;
|
||||
|
|
|
@ -71,7 +71,12 @@ in
|
|||
|
||||
environment.systemPackages = [ pkgs.incron ];
|
||||
|
||||
security.wrappers.incrontab.source = "${pkgs.incron}/bin/incrontab";
|
||||
security.wrappers.incrontab =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.incron}/bin/incrontab";
|
||||
};
|
||||
|
||||
# incron won't read symlinks
|
||||
environment.etc."incron.d/system" = {
|
||||
|
|
|
@ -262,7 +262,12 @@ in
|
|||
};
|
||||
|
||||
security.wrappers = {
|
||||
fping.source = "${pkgs.fping}/bin/fping";
|
||||
fping =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.fping}/bin/fping";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.zabbix-proxy = {
|
||||
|
|
|
@ -278,8 +278,18 @@ in
|
|||
}
|
||||
];
|
||||
security.wrappers = {
|
||||
fping.source = "${pkgs.fping}/bin/fping";
|
||||
fping6.source = "${pkgs.fping}/bin/fping6";
|
||||
fping =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.fping}/bin/fping";
|
||||
};
|
||||
fping6 =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.fping}/bin/fping6";
|
||||
};
|
||||
};
|
||||
environment.systemPackages = [ pkgs.fping ];
|
||||
users.users.${cfg.user} = {
|
||||
|
|
|
@ -93,7 +93,12 @@ in
|
|||
|
||||
{ services.cron.enable = mkDefault (allFiles != []); }
|
||||
(mkIf (config.services.cron.enable) {
|
||||
security.wrappers.crontab.source = "${cronNixosPkg}/bin/crontab";
|
||||
security.wrappers.crontab =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${cronNixosPkg}/bin/crontab";
|
||||
};
|
||||
environment.systemPackages = [ cronNixosPkg ];
|
||||
environment.etc.crontab =
|
||||
{ source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }
|
||||
|
|
|
@ -142,6 +142,7 @@ in
|
|||
source = "${pkgs.fcron}/bin/fcronsighup";
|
||||
owner = "root";
|
||||
group = "fcron";
|
||||
setuid = true;
|
||||
};
|
||||
};
|
||||
systemd.services.fcron = {
|
||||
|
|
|
@ -44,8 +44,10 @@ in
|
|||
|
||||
security.wrappers = mkIf cfg.enableSysAdminCapability {
|
||||
replay-sorcery = {
|
||||
source = "${pkgs.replay-sorcery}/bin/replay-sorcery";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_sys_admin+ep";
|
||||
source = "${pkgs.replay-sorcery}/bin/replay-sorcery";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -65,9 +65,24 @@ in
|
|||
|
||||
# Wrappers for programs installed by enlightenment that should be setuid
|
||||
security.wrappers = {
|
||||
enlightenment_ckpasswd.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";
|
||||
enlightenment_sys.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";
|
||||
enlightenment_system.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";
|
||||
enlightenment_ckpasswd =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";
|
||||
};
|
||||
enlightenment_sys =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";
|
||||
};
|
||||
enlightenment_system =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc."X11/xkb".source = xcfg.xkbDir;
|
||||
|
|
|
@ -197,12 +197,24 @@ in
|
|||
};
|
||||
|
||||
security.wrappers = {
|
||||
kcheckpass.source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";
|
||||
start_kdeinit.source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";
|
||||
kwin_wayland = {
|
||||
source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";
|
||||
capabilities = "cap_sys_nice+ep";
|
||||
};
|
||||
kcheckpass =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";
|
||||
};
|
||||
start_kdeinit =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";
|
||||
};
|
||||
kwin_wayland =
|
||||
{ owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_sys_nice+ep";
|
||||
source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";
|
||||
};
|
||||
};
|
||||
|
||||
# DDC support
|
||||
|
|
|
@ -7,8 +7,18 @@ with lib;
|
|||
config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) {
|
||||
system.fsPackages = [ pkgs.ecryptfs ];
|
||||
security.wrappers = {
|
||||
"mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
|
||||
"umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
|
||||
"mount.ecryptfs_private" =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
|
||||
};
|
||||
"umount.ecryptfs_private" =
|
||||
{ setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1133,11 +1133,16 @@ in
|
|||
# kernel because we need the ambient capability
|
||||
security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then {
|
||||
ping = {
|
||||
source = "${pkgs.iputils.out}/bin/ping";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_raw+p";
|
||||
source = "${pkgs.iputils.out}/bin/ping";
|
||||
};
|
||||
} else {
|
||||
ping.source = "${pkgs.iputils.out}/bin/ping";
|
||||
setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "${pkgs.iputils.out}/bin/ping";
|
||||
};
|
||||
security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
|
||||
/run/wrappers/bin/ping {
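Review bot: The new `else` branch appears to assign `setuid`, `owner`, `group` and `source` directly to `security.wrappers` instead of to `security.wrappers.ping`: the hunk counts (11 old, 16 new lines) leave `ping = {` and its `};` as context of the `then` branch only, and the removed `ping.source = "${pkgs.iputils.out}/bin/ping";` line has no replacement `ping = {` opener — unless the rendering dropped lines, which I cannot rule out. On a kernel older than 4.3 this would hand `setuid = true` to the `attrsOf` submodule type and fail evaluation, or at best produce no ping wrapper at all; the `then` branch is correct. The branch should read:
```nix
} else {
  ping =
    { setuid = true;
      owner = "root";
      group = "root";
      source = "${pkgs.iputils.out}/bin/ping";
    };
};
```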
|
||||
|
|
|
@ -183,6 +183,9 @@ in {
|
|||
};
|
||||
|
||||
security.wrappers.qemu-bridge-helper = {
|
||||
setuid = true;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
source = "/run/${dirName}/nix-helpers/qemu-bridge-helper";
|
||||
};
|
||||
|
||||
|
|
|
@ -14,9 +14,11 @@
|
|||
|
||||
config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable {
|
||||
environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions
|
||||
security.wrappers.spice-client-glib-usb-acl-helper ={
|
||||
source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
|
||||
security.wrappers.spice-client-glib-usb-acl-helper = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_fowner+ep";
|
||||
source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
|
||||
};
|
||||
};
|
||||
|
||||
|
|