2024-09-04 17:03:21 +09:00
|
|
|
{
|
|
|
|
|
lib,
|
|
|
|
|
pkgs,
|
|
|
|
|
config,
|
|
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
|
|
|
|
|
let
|
|
|
|
|
inherit (lib)
|
|
|
|
|
types
|
|
|
|
|
mkOption
|
|
|
|
|
mkEnableOption
|
|
|
|
|
mkIf
|
|
|
|
|
mapAttrs
|
|
|
|
|
mapAttrsToList
|
|
|
|
|
foldlAttrs
|
|
|
|
|
optional
|
2024-11-06 04:25:15 +09:00
|
|
|
optionals
|
2024-09-04 17:03:21 +09:00
|
|
|
;
|
|
|
|
|
|
|
|
|
|
cfg = config.environment.fortify;
|
|
|
|
|
in
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
options = {
|
|
|
|
|
environment.fortify = {
|
|
|
|
|
enable = mkEnableOption "fortify";
|
|
|
|
|
|
|
|
|
|
target = mkOption {
|
|
|
|
|
default = { };
|
|
|
|
|
type =
|
|
|
|
|
let
|
|
|
|
|
inherit (types)
|
|
|
|
|
str
|
|
|
|
|
enum
|
|
|
|
|
bool
|
|
|
|
|
package
|
|
|
|
|
anything
|
|
|
|
|
submodule
|
|
|
|
|
listOf
|
|
|
|
|
attrsOf
|
|
|
|
|
nullOr
|
2024-11-06 04:25:15 +09:00
|
|
|
functionTo
|
2024-09-04 17:03:21 +09:00
|
|
|
;
|
|
|
|
|
in
|
|
|
|
|
attrsOf (submodule {
|
|
|
|
|
options = {
|
|
|
|
|
packages = mkOption {
|
|
|
|
|
type = listOf package;
|
|
|
|
|
default = [ ];
|
|
|
|
|
description = ''
|
|
|
|
|
List of extra packages to install via home-manager.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
launchers = mkOption {
|
|
|
|
|
type = attrsOf (submodule {
|
|
|
|
|
options = {
|
2024-11-06 04:25:15 +09:00
|
|
|
id = mkOption {
|
|
|
|
|
type = nullOr str;
|
|
|
|
|
default = null;
|
|
|
|
|
description = ''
|
|
|
|
|
Freedesktop application ID.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2024-09-04 17:03:21 +09:00
|
|
|
command = mkOption {
|
|
|
|
|
type = nullOr str;
|
|
|
|
|
default = null;
|
|
|
|
|
description = ''
|
|
|
|
|
Command to run as the target user.
|
|
|
|
|
Setting this to null will default command to wrapper name.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2024-11-06 04:25:15 +09:00
|
|
|
method = mkOption {
|
|
|
|
|
type = enum [
|
|
|
|
|
"simple"
|
|
|
|
|
"sudo"
|
|
|
|
|
"systemd"
|
|
|
|
|
];
|
|
|
|
|
default = "systemd";
|
|
|
|
|
description = ''
|
|
|
|
|
Launch method for the sandboxed program.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2024-09-09 04:37:42 +09:00
|
|
|
dbus = {
|
2024-11-06 04:25:15 +09:00
|
|
|
session = mkOption {
|
|
|
|
|
type = nullOr (functionTo anything);
|
2024-09-09 04:37:42 +09:00
|
|
|
default = null;
|
|
|
|
|
description = ''
|
2024-11-06 04:25:15 +09:00
|
|
|
D-Bus session bus custom configuration.
|
2024-09-09 04:37:42 +09:00
|
|
|
Setting this to null will enable built-in defaults.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2024-11-06 04:25:15 +09:00
|
|
|
system = mkOption {
|
2024-09-09 21:26:14 +09:00
|
|
|
type = nullOr anything;
|
|
|
|
|
default = null;
|
|
|
|
|
description = ''
|
|
|
|
|
D-Bus system bus custom configuration.
|
|
|
|
|
Setting this to null will disable the system bus proxy.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2024-11-06 04:25:15 +09:00
|
|
|
};
|
2024-09-09 21:26:14 +09:00
|
|
|
|
2024-11-06 04:25:15 +09:00
|
|
|
env = mkOption {
|
|
|
|
|
type = nullOr (attrsOf str);
|
|
|
|
|
default = null;
|
|
|
|
|
description = ''
|
|
|
|
|
Environment variables to set for the initial process in the sandbox.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2024-09-09 04:37:42 +09:00
|
|
|
|
2024-11-06 04:25:15 +09:00
|
|
|
nix = mkEnableOption ''
|
|
|
|
|
Whether to allow nix daemon connections from within sandbox.
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
userns = mkEnableOption ''
|
|
|
|
|
Whether to allow userns within sandbox.
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
useRealUid = mkEnableOption ''
|
|
|
|
|
Whether to map to fortify's real UID within the sandbox.
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
net =
|
|
|
|
|
mkEnableOption ''
|
|
|
|
|
Whether to allow network access within sandbox.
|
|
|
|
|
''
|
|
|
|
|
// {
|
|
|
|
|
default = true;
|
2024-09-09 04:37:42 +09:00
|
|
|
};
|
2024-11-06 04:25:15 +09:00
|
|
|
|
|
|
|
|
gpu = mkOption {
|
|
|
|
|
type = nullOr bool;
|
|
|
|
|
default = null;
|
|
|
|
|
description = ''
|
|
|
|
|
Target process GPU and driver access.
|
|
|
|
|
Setting this to null will enable GPU whenever X or Wayland is enabled.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
dev = mkEnableOption ''
|
|
|
|
|
Whether to allow access to all devices within sandbox.
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
extraPaths = mkOption {
|
|
|
|
|
type = listOf anything;
|
|
|
|
|
default = [ ];
|
|
|
|
|
description = ''
|
|
|
|
|
Extra paths to make available inside the sandbox.
|
|
|
|
|
'';
|
2024-09-09 04:37:42 +09:00
|
|
|
};
|
|
|
|
|
|
2024-09-08 02:45:00 +09:00
|
|
|
capability = {
|
|
|
|
|
wayland = mkOption {
|
|
|
|
|
type = bool;
|
|
|
|
|
default = true;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether to share the Wayland socket.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
x11 = mkOption {
|
|
|
|
|
type = bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether to share the X11 socket and allow connection.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
dbus = mkOption {
|
|
|
|
|
type = bool;
|
2024-09-09 04:37:42 +09:00
|
|
|
default = true;
|
2024-09-08 02:45:00 +09:00
|
|
|
description = ''
|
|
|
|
|
Whether to proxy D-Bus.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
pulse = mkOption {
|
|
|
|
|
type = bool;
|
|
|
|
|
default = true;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether to share the PulseAudio socket and cookie.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2024-09-04 17:03:21 +09:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
share = mkOption {
|
|
|
|
|
type = nullOr package;
|
|
|
|
|
default = null;
|
|
|
|
|
description = ''
|
|
|
|
|
Package containing share files.
|
|
|
|
|
Setting this to null will default package name to wrapper name.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
default = { };
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
persistence = mkOption {
|
|
|
|
|
type = submodule {
|
|
|
|
|
options = {
|
|
|
|
|
directories = mkOption {
|
|
|
|
|
type = listOf anything;
|
|
|
|
|
default = [ ];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
files = mkOption {
|
|
|
|
|
type = listOf anything;
|
|
|
|
|
default = [ ];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
description = ''
|
|
|
|
|
Per-user state passed to github:nix-community/impermanence.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
extraConfig = mkOption {
|
|
|
|
|
type = anything;
|
|
|
|
|
default = { };
|
|
|
|
|
description = "Extra home-manager configuration.";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
package = mkOption {
|
|
|
|
|
type = types.package;
|
|
|
|
|
default = pkgs.callPackage ./package.nix { };
|
|
|
|
|
description = "Package providing fortify.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
user = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
description = "Privileged user account.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
stateDir = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
description = ''
|
|
|
|
|
The path to persistent storage where per-user state should be stored.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
|
environment.persistence.${cfg.stateDir}.users = mapAttrs (_: target: target.persistence) cfg.target;
|
|
|
|
|
|
|
|
|
|
home-manager.users =
|
|
|
|
|
mapAttrs (_: target: target.extraConfig // { home.packages = target.packages; }) cfg.target
|
|
|
|
|
// {
|
|
|
|
|
${cfg.user}.home.packages =
|
|
|
|
|
let
|
|
|
|
|
wrap =
|
|
|
|
|
user: launchers:
|
|
|
|
|
mapAttrsToList (
|
|
|
|
|
name: launcher:
|
2024-09-08 02:45:00 +09:00
|
|
|
with launcher.capability;
|
2024-09-04 17:03:21 +09:00
|
|
|
let
|
2024-11-06 04:25:15 +09:00
|
|
|
extendDBusDefault = id: ext: {
|
|
|
|
|
filter = true;
|
|
|
|
|
|
|
|
|
|
talk = [ "org.freedesktop.Notifications" ] ++ ext.talk;
|
|
|
|
|
own =
|
|
|
|
|
(optionals (launcher.id != null) [
|
|
|
|
|
"${id}.*"
|
|
|
|
|
"org.mpris.MediaPlayer2.${id}.*"
|
|
|
|
|
])
|
|
|
|
|
++ ext.own;
|
|
|
|
|
call = {
|
|
|
|
|
"org.freedesktop.portal.*" = "*";
|
|
|
|
|
} // ext.call;
|
|
|
|
|
broadcast = {
|
|
|
|
|
"org.freedesktop.portal.*" = "@/org/freedesktop/portal/*";
|
|
|
|
|
} // ext.broadcast;
|
|
|
|
|
};
|
2024-09-09 04:37:42 +09:00
|
|
|
dbusConfig =
|
2024-11-06 04:25:15 +09:00
|
|
|
let
|
|
|
|
|
default = {
|
|
|
|
|
talk = [ ];
|
|
|
|
|
own = [ ];
|
|
|
|
|
call = { };
|
|
|
|
|
broadcast = { };
|
|
|
|
|
};
|
|
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
session_bus =
|
|
|
|
|
if launcher.dbus.session != null then
|
|
|
|
|
(launcher.dbus.session (extendDBusDefault launcher.id))
|
|
|
|
|
else
|
|
|
|
|
(extendDBusDefault launcher.id default);
|
|
|
|
|
system_bus = launcher.dbus.system;
|
|
|
|
|
};
|
|
|
|
|
command = if launcher.command == null then name else launcher.command;
|
|
|
|
|
enablements =
|
|
|
|
|
(if wayland then 1 else 0)
|
|
|
|
|
+ (if x11 then 2 else 0)
|
|
|
|
|
+ (if dbus then 4 else 0)
|
|
|
|
|
+ (if pulse then 8 else 0);
|
|
|
|
|
conf = {
|
|
|
|
|
inherit (launcher) id method;
|
|
|
|
|
inherit user;
|
|
|
|
|
command = [
|
|
|
|
|
"/run/current-system/sw/bin/zsh"
|
|
|
|
|
(pkgs.writeShellScript "${name}-start" ("exec " + command + " $@"))
|
|
|
|
|
];
|
|
|
|
|
confinement = {
|
|
|
|
|
sandbox = {
|
|
|
|
|
inherit (launcher)
|
|
|
|
|
userns
|
|
|
|
|
net
|
|
|
|
|
dev
|
|
|
|
|
env
|
|
|
|
|
;
|
|
|
|
|
use_real_uid = launcher.useRealUid;
|
|
|
|
|
filesystem =
|
|
|
|
|
[
|
|
|
|
|
{ src = "/bin"; }
|
|
|
|
|
{ src = "/usr/bin"; }
|
|
|
|
|
{ src = "/nix/store"; }
|
|
|
|
|
{ src = "/run/current-system"; }
|
|
|
|
|
{
|
|
|
|
|
src = "/sys/block";
|
|
|
|
|
require = false;
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
src = "/sys/bus";
|
|
|
|
|
require = false;
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
src = "/sys/class";
|
|
|
|
|
require = false;
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
src = "/sys/dev";
|
|
|
|
|
require = false;
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
src = "/sys/devices";
|
|
|
|
|
require = false;
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
src = "/home/${user}";
|
|
|
|
|
write = true;
|
|
|
|
|
require = true;
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
++ optionals launcher.nix [
|
|
|
|
|
{ src = "/nix/var"; }
|
|
|
|
|
{ src = "/var/db/nix-channels"; }
|
|
|
|
|
]
|
|
|
|
|
++ optionals (if launcher.gpu != null then launcher.gpu else wayland || x11) [
|
|
|
|
|
{ src = "/run/opengl-driver"; }
|
|
|
|
|
{
|
|
|
|
|
src = "/dev/dri";
|
|
|
|
|
dev = true;
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
++ launcher.extraPaths;
|
|
|
|
|
auto_etc = true;
|
|
|
|
|
override = [ "/var/run/nscd" ];
|
|
|
|
|
};
|
|
|
|
|
inherit enablements;
|
|
|
|
|
inherit (dbusConfig) session_bus system_bus;
|
|
|
|
|
};
|
|
|
|
|
};
|
2024-09-04 17:03:21 +09:00
|
|
|
in
|
|
|
|
|
pkgs.writeShellScriptBin name (
|
2024-09-13 11:54:23 +09:00
|
|
|
if launcher.method == "simple" then
|
2024-09-04 17:03:21 +09:00
|
|
|
''
|
|
|
|
|
exec sudo -u ${user} -i ${command} $@
|
|
|
|
|
''
|
|
|
|
|
else
|
|
|
|
|
''
|
2024-11-06 04:25:15 +09:00
|
|
|
exec fortify app ${pkgs.writeText "fortify-${name}.json" (builtins.toJSON conf)} $@
|
2024-09-04 17:03:21 +09:00
|
|
|
''
|
|
|
|
|
)
|
|
|
|
|
) launchers;
|
|
|
|
|
in
|
|
|
|
|
foldlAttrs (
|
|
|
|
|
acc: user: target:
|
|
|
|
|
acc
|
|
|
|
|
++ (foldlAttrs (
|
|
|
|
|
shares: name: launcher:
|
|
|
|
|
let
|
|
|
|
|
pkg = if launcher.share != null then launcher.share else pkgs.${name};
|
|
|
|
|
link = source: "[ -d '${source}' ] && ln -sv '${source}' $out/share || true";
|
|
|
|
|
in
|
|
|
|
|
shares
|
2024-09-17 23:15:33 +09:00
|
|
|
++
|
|
|
|
|
optional (launcher.method != "simple" && (launcher.capability.wayland || launcher.capability.x11))
|
|
|
|
|
(
|
|
|
|
|
pkgs.runCommand "${name}-share" { } ''
|
|
|
|
|
mkdir -p $out/share
|
|
|
|
|
${link "${pkg}/share/applications"}
|
|
|
|
|
${link "${pkg}/share/icons"}
|
|
|
|
|
${link "${pkg}/share/man"}
|
|
|
|
|
''
|
|
|
|
|
)
|
2024-09-04 17:03:21 +09:00
|
|
|
) (wrap user target.launchers) target.launchers)
|
|
|
|
|
) [ cfg.package ] cfg.target;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
security.polkit.extraConfig =
|
|
|
|
|
let
|
|
|
|
|
allowList = builtins.toJSON (mapAttrsToList (name: _: name) cfg.target);
|
|
|
|
|
in
|
|
|
|
|
''
|
|
|
|
|
polkit.addRule(function(action, subject) {
|
|
|
|
|
if (action.id == "org.freedesktop.machine1.host-shell" &&
|
|
|
|
|
${allowList}.indexOf(action.lookup("user")) > -1 &&
|
|
|
|
|
subject.user == "${cfg.user}") {
|
|
|
|
|
return polkit.Result.YES;
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
}
|
