nix: provide options for capability flags

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
Ophestra Umiker 2024-09-08 02:45:00 +09:00
parent 1906853382
commit 60e4846542
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
2 changed files with 48 additions and 11 deletions


@ -75,7 +75,7 @@ This adds the `environment.fortify` option:
chronos = { chronos = {
launchers = { launchers = {
weechat.method = "sudo"; weechat.method = "sudo";
claws-mail.pulse = false; claws-mail.capability.pulse = false;
discord = { discord = {
command = "vesktop --ozone-platform-hint=wayland"; command = "vesktop --ozone-platform-hint=wayland";
share = pkgs.vesktop; share = pkgs.vesktop;
@ -125,7 +125,13 @@ This adds the `environment.fortify` option:
* `command`, the command to run as the target user. Defaults to launcher name. * `command`, the command to run as the target user. Defaults to launcher name.
* `pulse`, whether to share the PulseAudio socket and cookie. * `capability.wayland`, whether to share the Wayland socket.
* `capability.x11`, whether to share the X11 socket and allow connection.
* `capability.dbus`, whether to proxy D-Bus. NOTE: this option is subject to change and should not be used
* `capability.pulse`, whether to share the PulseAudio socket and cookie.
* `share`, package containing desktop/icon files. Defaults to launcher name. * `share`, package containing desktop/icon files. Defaults to launcher name.


@ -63,6 +63,31 @@ in
''; '';
}; };
capability = {
wayland = mkOption {
type = bool;
default = true;
description = ''
Whether to share the Wayland socket.
'';
};
x11 = mkOption {
type = bool;
default = false;
description = ''
Whether to share the X11 socket and allow connection.
'';
};
dbus = mkOption {
type = bool;
default = false;
description = ''
Whether to proxy D-Bus.
'';
};
pulse = mkOption { pulse = mkOption {
type = bool; type = bool;
default = true; default = true;
@ -70,6 +95,7 @@ in
Whether to share the PulseAudio socket and cookie. Whether to share the PulseAudio socket and cookie.
''; '';
}; };
};
share = mkOption { share = mkOption {
type = nullOr package; type = nullOr package;
@ -164,8 +190,15 @@ in
user: launchers: user: launchers:
mapAttrsToList ( mapAttrsToList (
name: launcher: name: launcher:
with launcher.capability;
let let
command = if launcher.command == null then name else launcher.command; command = if launcher.command == null then name else launcher.command;
capArgs =
(if wayland then " -wayland" else "")
+ (if x11 then " -X" else "")
+ (if dbus then " -dbus" else "")
+ (if pulse then " -pulse" else "")
+ (if launcher.method == "fortify-sudo" then " -sudo" else "");
in in
pkgs.writeShellScriptBin name ( pkgs.writeShellScriptBin name (
if launcher.method == "sudo" then if launcher.method == "sudo" then
@ -174,9 +207,7 @@ in
'' ''
else else
'' ''
exec fortify${if launcher.pulse then " -pulse" else ""} -u ${user}${ exec fortify${capArgs} -u ${user} ${cfg.shell} -c "exec ${command} $@"
if launcher.method == "fortify-sudo" then " -sudo" else ""
} ${cfg.shell} -c "exec ${command} $@"
'' ''
) )
) launchers; ) launchers;
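Review bot: The rewritten exec line in the last hunk still expands the wrapper's `$@` inside a double-quoted string and hands the result to `${cfg.shell} -c`, so the target-user shell re-parses it and any launcher argument containing whitespace or shell metacharacters is split or interpreted rather than passed through verbatim. Since this wrapper is the privilege boundary into the target user, argument boundaries should survive: something like `${cfg.shell} -c 'exec ${command} "$@"' -- "$@"` keeps each argument intact, assuming fortify forwards the trailing arguments to the shell it spawns (not visible in this hunk) and that `command` never contains a single quote. In the previous hunk, `with launcher.capability;` resolves `wayland`/`x11`/`dbus`/`pulse` with lower priority than any lexical binding of those names in the enclosing scope, so a same-named `let` or function argument further out would silently win; `inherit (launcher.capability) wayland x11 dbus pulse;` inside the existing `let`, or writing `launcher.capability.x11` explicitly, avoids that. The enclosing `mapAttrsToList` expression begins before these hunks.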