foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-04-24 18:19:11 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

wrapper-manager/sandboxing/bubblewrap: add D-Bus integration

Browse Source 
With xdg-dbus-proxy for filtering.

Also, as of writing, we have no internet so there's basically no testing
done here :)
This commit is contained in:
Gabriel Arazas 2024-07-26 15:56:16 +08:00
parent d633fc2b38
commit 22ecf7726e
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
2 changed files with 174 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

167
modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix Normal file
View File

@ -0,0 +1,167 @@
# The D-Bus integration for Bubblewrap-wrapped wrappers. As noted from the
# Bubblewrap's README, it encourages to use something like xdg-dbus-proxy to
# limit reach to overarching services such as systemd's so we're doing it here.
{ config, lib, options, pkgs, ... }:
let
cfg = config.sandboxing.bubblewrap;
dbusFilterType = { lib, ... }:
let
ruleBasedPoliciesType = with lib.types; listOf str;
in
{
options = {
level = lib.mkOption {
type = with lib.types; nullOr (enum [ "see" "talk" "own" ]);
description = ''
Basic policy action level for a given name.
'';
default = null;
example = "see";
};
call = lib.mkOption {
type = ruleBasedPoliciesType;
description = ''
A list of rules to be specified for calls on the given name.
'';
default = [ ];
example = [ "*@com.example.*" ];
};
broadcast = lib.mkOption {
type = ruleBasedPoliciesType;
description = ''
A list of rules to be specified for broadcasts on the given name;
'';
default = [ ];
example = [ ];
};
};
};
bubblewrapModuleFactory = { isGlobal ? false }: {
dbus = {
enable = lib.mkEnableOption "D-Bus integration" // {
default = if isGlobal then false else cfg.dbus.enable;
};
filter = {
package = lib.mkPackageOption pkgs "xdg-dbus-proxy" { } // lib.optionalAttrs isGlobal {
default = cfg.filter.package;
};
};
};
};
in
{
options.sandboxing.bubblewrap =
lib.recursiveUpdate
(bubblewrapModuleFactory { isGlobal = true; })
{
dbus.filter.policies = lib.mkOption {
type = with lib.types; attrsOf (submodule dbusFilterType);
description = ''
A global set of D-Bus addresses with their policies set with
{program}`xdg-dbus-proxy` for each D-Bus address specified on the
Bubblewrap-enabled wrappers. See {manpage}`xdg-dbus-proxy(1)` for
more details.
'';
default = { };
example = {
"org.systemd.Systemd".level = "talk";
"org.example.*".level = "own";
"org.foo.Bar" = {
call = [ "*" ];
broadcast = [ ];
};
};
};
};
options.wrappers =
let
addressesModule = { config, lib, ... }: {
options = {
path = lib.mkOption {
type = with lib.types; nullOr path;
default = null;
description = ''
Path of the unix socket domain. A value of `null` means
the launcher takes care of it.
'';
};
policies = options.sandboxing.bubblewrap.dbus.filter.policies // {
default = cfg.dbus.filter.policies;
};
extraArgs = lib.mkOption {
type = with lib.types; listOf str;
description = ''
List of proxy-specific arguments to be passed to
{program}`xdg-dbus-proxy`.
'';
default = [ ];
};
};
config.dbus.filter.extraArgs =
let
makePolicyArgs = dbusName: policyMetadata:
lib.optionals (policyMetadata.level != null) [ "--${policyMetadata.level}=${dbusName}" ]
++ builtins.map (rule: "--call=${dbusName}=${rule}") policyMetadata.call
++ builtins.map (rule: "--broadcast=${dbusName}=${rule}") policyMetadata.broadcast;
in
lib.mapAttrsToList makePolicyArgs config.dbus.filter.policies;
};
bubblewrapModule = { config, lib, pkgs, name, ... }:
let
submoduleCfg = config;
in
{
options.sandboxing.bubblewrap =
lib.recursiveUpdate
(bubblewrapModuleFactory { isGlobal = false; })
{
dbus.filter = {
extraArgs = lib.mkOption {
type = with lib.types; listOf str;
description = ''
List of arguments to be passed to {program}`xdg-dbus-proxy`.
'';
default = [ ];
};
addresses = lib.mkOption {
type = with lib.types; attrsOf (submodule addressesModule);
description = ''
A set of addresses to be applied with the filter through
{program}`xdg-dbus-proxy`.
'';
default = { };
example = {
"org.example.Bar" = {
};
};
};
};
config = lib.mkIf (config.sandboxing.variant == "bubblewrap") {
bubblewrap.dbus.filter.extraArgs =
let
makeDbusProxyArgs = address: metadata:
[ address metadata.path ] ++ metadata.extraArgs;
in
lib.lists.flatten (lib.mapAttrsToList makeDbusProxyArgs submoduleCfg.dbus.filter.addresses);
};
};
};
in
lib.mkOption {
type = with lib.types; attrsOf (submodule bubblewrapModule);
};
}

7
modules/wrapper-manager/sandboxing/bubblewrap/default.nix
View File

@ -6,6 +6,9 @@
# #
# Similar to most of them, this is basically a builder for the right arguments # Similar to most of them, this is basically a builder for the right arguments
# to be passed to `bwrap`. # to be passed to `bwrap`.
#
# As already mentioned from the Bubblewrap README, we'll have to be careful for
# handling D-Bus so we'll use xdg-dbus-proxy for that.
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
@ -93,6 +96,10 @@ let
}; };
in in
{ {
imports = [
./dbus-filter.nix
];
options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; }; options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; };
options.wrappers = options.wrappers =