From 5ffcfc2070fd6287dc844ce130d88fadff9ce9fc Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Thu, 15 Aug 2024 12:15:57 +0800
Subject: [PATCH] wrapper-manager/sandboxing/bubblewrap: add dbus-proxy-specific bwrap arguments to the launcher
---
 .../sandboxing/bubblewrap/dbus-filter.nix | 47 ++++++++++++++-----
 .../sandboxing/bubblewrap/filesystem.nix | 8 ++++
 .../sandboxing/bubblewrap/launcher.nix | 3 +-
 .../sandboxing/bubblewrap/launcher/app.sh | 18 ++++---
 4 files changed, 56 insertions(+), 20 deletions(-)
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix b/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
index 8e7295bd..8ca74e60 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
@@ -82,18 +82,27 @@ in options.wrappers = let - addressesModule = { config, lib, ... }: { + addressesModule = { config, lib, name, ... }: { options = { path = lib.mkOption { - type = with lib.types; nullOr path; - default = null; + type = lib.types.str; + default = "$XDG_RUNTIME_DIR/wrapper-manager-fds/$(echo $RANDOM | base64)"; description = '' Path of the unix socket domain. A value of `null` means the launcher takes care of it. ''; }; - policies = options.sandboxing.bubblewrap.dbus.filter.policies; + policies = lib.mkOption { + type = lib.types.submodule dbusFilterType; + description = '' + Policies to be set to that address. + ''; + default = { }; + example = { + level = "see"; + }; + }; extraArgs = lib.mkOption { type = with lib.types; listOf str; 
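Review bot: The new `path` default `$XDG_RUNTIME_DIR/wrapper-manager-fds/$(echo $RANDOM | base64)` is a shell snippet, but nothing in this patch evaluates it: launcher.nix joins the address arguments with spaces into `DBUS_PROXY_ARGS` and app.sh expands that variable unquoted, which only word-splits and globs, so as far as these hunks show xdg-dbus-proxy would receive `$XDG_RUNTIME_DIR/wrapper-manager-fds/$(echo`, `$RANDOM`, `|` and `base64)` as four literal arguments. Deriving the per-run socket path inside the launcher (which can also create the `wrapper-manager-fds` directory first) and keeping `path` a plain string would avoid this, and `$RANDOM` is a weak source for a name in a directory shared with the user's other processes in any case. The description kept below the default still says a `null` value lets the launcher take care of it, which `lib.types.str` no longer admits; suggested wording: `Path of the unix domain socket the proxy binds for this address. Must not contain whitespace, since the launcher re-splits the argument list on it.` `addressesModule` continues past the end of the hunk.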
@@ -108,12 +117,11 @@ in config.policies = cfg.dbus.filter.policies; config.extraArgs = let - makePolicyArgs = dbusName: policyMetadata: - lib.optionals (policyMetadata.level != null) [ "--${policyMetadata.level}=${dbusName}" ] - ++ builtins.map (rule: "--call=${dbusName}=${rule}") policyMetadata.call - ++ builtins.map (rule: "--broadcast=${dbusName}=${rule}") policyMetadata.broadcast; + inherit (config) policies; in - lib.mapAttrsToList makePolicyArgs config.dbus.filter.policies; + lib.optionals (policies.level != null) [ "--${policies.level}=${name}" ] + ++ builtins.map (rule: "--call=${name}=${rule}") policies.call + ++ builtins.map (rule: "--broadcast=${name}=${rule}") policies.broadcast; }; bubblewrapModule = { config, lib, pkgs, name, ... }:
@@ -134,6 +142,15 @@ in default = [ ]; }; + bwrapArgs = lib.mkOption { + type = with lib.types; listOf str; + description = '' + List of arguments to be passed to the Bubblewrap + environment of the D-Bus proxy. + ''; + default = [ ]; + }; + addresses = lib.mkOption { type = with lib.types; attrsOf (submodule addressesModule); description = ''
@@ -142,8 +159,10 @@ in ''; default = { }; example = { - "org.example.Bar" = { - }; + "org.example.Bar".policies.level = "talk"; + "org.freedesktop.systemd1".policies.level = "talk"; + "org.gtk.vfs.*".policies.level = "talk"; + "org.gtk.vfs".policies.level = "talk"; }; }; };
@@ -153,9 +172,13 @@ in sandboxing.bubblewrap.dbus.filter.extraArgs = let makeDbusProxyArgs = address: metadata: - [ address metadata.path ] ++ metadata.extraArgs; + [ address (builtins.toString metadata.path) ] ++ metadata.extraArgs; in lib.lists.flatten (lib.mapAttrsToList makeDbusProxyArgs submoduleCfg.dbus.filter.addresses); + + sandboxing.bubblewrap.sharedNixPaths = [ + submoduleCfg.dbus.filter.package + ]; }; }; in
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
index 11a3f1ec..190a37ab 100644 
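Review bot: `config.policies = cfg.dbus.filter.policies;` at the top of this hunk now feeds the wrapper-wide policy value into a fresh `policies` submodule for every address, and if `cfg.dbus.filter.policies` is the merged option value (with `level = null`, `call = [ ]` and so on) that defines every policy field at normal priority, which appears to conflict with per-address settings such as the `"org.example.Bar".policies.level = "talk"` example in the `@@ -142` hunk below, since `nullOr` rejects a null and a non-null definition together. `config.policies = lib.mkDefault cfg.dbus.filter.policies;` would let the per-address value win while keeping the wrapper-wide policies as the fallback. The `--${policies.level}=${name}`, `--call` and `--broadcast` arguments themselves look correct for a per-address module keyed by the D-Bus name.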
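Review bot: The `bwrapArgs` description should say how the list reaches bwrap, because that constrains what callers may put in it: launcher.nix joins the elements with single spaces into `DBUS_PROXY_BWRAP_ARGS` and app.sh re-splits that string on whitespace without any quoting, so an element may hold several words (filesystem.nix relies on this with `--ro-bind ${p} ${p}`) but a path containing whitespace cannot be expressed. Suggested addition to the description: `Elements are joined with spaces and re-split by the launcher without quoting, so paths containing whitespace are not supported.` An `example` in the same shape as the filesystem.nix usage, for instance `[ "--ro-bind /nix/store /nix/store" ]` (constructed), would make the multi-word convention visible to users.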
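Review bot: `builtins.toString metadata.path` is redundant now that `path` is declared as `lib.types.str` in `addressesModule`; `[ address metadata.path ] ++ metadata.extraArgs` is enough. Adding `submoduleCfg.dbus.filter.package` to `sharedNixPaths` also appears to make the proxy's closure visible inside the application sandbox rather than only in the proxy's own bwrap, if the first `closurePaths` in filesystem.nix is derived from `sharedNixPaths` the way the new block there is; if the intent is only to let the proxy find its own binary, binding that package's closure directly in the `bwrapArgs` block keeps the application sandbox smaller. A one-line comment on the `sharedNixPaths` assignment stating which sandbox needs the package would settle the question for the next reader.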
--- a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
@@ -248,6 +248,14 @@ in in builtins.map (p: "--ro-bind ${p} ${p}") closurePaths; }) + + (lib.mkIf submoduleCfg.dbus.enable { sandboxing.bubblewrap.dbus.filter.bwrapArgs = let closurePaths = getClosurePaths submoduleCfg.sharedNixPaths; in builtins.map (p: "--ro-bind ${p} ${p}") closurePaths; + }) ]); }; in
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/launcher.nix b/modules/wrapper-manager/sandboxing/bubblewrap/launcher.nix
index 108dadaf..7345d3c7 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/launcher.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/launcher.nix
@@ -48,13 +48,14 @@ in # We're just unsetting autoconfigure since we're configuring this # through the module system anyways and would allow the user to # have some more control over what can be enabled. - "${envSuffix "AUTOCONFIGURE"}".value = ""; + "${envSuffix "AUTOCONFIGURE"}".value = "0"; }; } (lib.mkIf config.sandboxing.bubblewrap.dbus.enable { env.${envSuffix "DBUS_PROXY"}.value = lib.getExe' config.sandboxing.bubblewrap.dbus.filter.package "xdg-dbus-proxy"; env.${envSuffix "DBUS_PROXY_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.extraArgs; + env.${envSuffix "DBUS_PROXY_BWRAP_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.bwrapArgs; }) (lib.mkIf submoduleCfg.integrations.pulseaudio.enable {
diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh b/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh
index 9e1fd222..d14ab32c 100644
--- a/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh 
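Review bot: The new `lib.mkIf submoduleCfg.dbus.enable` block repeats the `getClosurePaths` plus `builtins.map (p: "--ro-bind ${p} ${p}")` pipeline that the context line just above uses for the main sandbox; a helper in the enclosing `let` (which starts outside this hunk), e.g. `roBindClosure = paths: builtins.map (p: "--ro-bind ${p} ${p}") (getClosurePaths paths);`, would let both places read `roBindClosure submoduleCfg.sharedNixPaths` and keep the two bind lists from drifting apart. The proxy's bwrap only gets the store closure of `sharedNixPaths`, and it is the dbus-filter.nix change in this same patch that adds the proxy package to that list; a short comment here naming that dependency, such as `# dbus-filter.nix adds the proxy package to sharedNixPaths`, would make the cross-file coupling visible.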
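Review bot: The comment above the changed line still says autoconfigure is being "unset", but the value is now `"0"`, and the reason is visible in app.sh: `: "${WRAPPER_MANAGER_BWRAP_LAUNCHER_AUTOCONFIGURE:="1"}"` re-defaults an empty value to `"1"`, so the old empty string silently turned autoconfiguration back on. Rewrite the comment to record this, e.g. `# Disable autoconfigure explicitly with "0"; app.sh applies a ${VAR:="1"} default, so an empty value would re-enable it.` The added `DBUS_PROXY_BWRAP_ARGS` line follows the existing `concatStringsSep " "` convention and needs no change beyond the documentation noted for the option itself.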
@@ -19,10 +19,10 @@ # launcher. Let the user do it themselves if they want. declare -a additional_flags -: "${XDG_RUNTIME_DIR:="/run/user/$(id -u)"}" -: "${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP:="bwrap"}" -: "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY:="xdg-dbus-proxy"}" -: "${WRAPPER_MANAGER_BWRAP_LAUNCHER_AUTOCONFIGURE:="1"}" +: "${XDG_RUNTIME_DIR:="/run/user/$(id -u)"}" \ "${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP:="bwrap"}" \ "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY:="xdg-dbus-proxy"}" \ "${WRAPPER_MANAGER_BWRAP_LAUNCHER_AUTOCONFIGURE:="1"}" is_autoconfigured_or() { local service="$1"
@@ -85,10 +85,14 @@ fi # Fork the D-Bus proxy in case it is needed. We only need to know if its needed # if the *DBUS_PROXY_ARGS envvar is set. -if [ -n "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS}" ]; then +if [ -n "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS}" ] && [ -n "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY}" ]; then ( - ${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP} "${additional_flags[@]}" \ - -- "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY}" "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS[@]}" + # shellcheck disable=2068 + ${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP} \ + ${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_BWRAP_ARGS[@]} \ + "${additional_flags[@]}" \ + -- "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY}" \ + ${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS[@]} ) & fi exec ${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP} "${additional_flags[@]}" "$@"
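Review bot: Folding the four defaults into one `:` command is fine, but `WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS` and the new `WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_BWRAP_ARGS` get no default here even though the second hunk expands both as `${VAR[@]}`; if the script runs under `set -u` (not visible in these hunks) an unset variable expanded that way aborts on bash releases before 4.4. Appending `"${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS:=}" \` and `"${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_BWRAP_ARGS:=}"` to the same `:` list gives them a defined, empty value and documents in one place every environment variable the launcher reads.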
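Review bot: The added `&& [ -n "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY}" ]` can never be false, because the first hunk's `: "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY:="xdg-dbus-proxy"}"` assigns the default when the variable is unset or empty, so unless something between the two hunks clears it the test is dead; either drop it or drop that default so an empty value can disable the proxy. The unquoted `${…_DBUS_PROXY_BWRAP_ARGS[@]}` and `${…_DBUS_PROXY_ARGS[@]}` expansions (scalar strings joined with spaces in launcher.nix) undergo pathname expansion as well as word splitting, and the dbus-filter.nix example now contains `org.gtk.vfs.*`, so a `--talk=org.gtk.vfs.*` argument would be globbed against the current directory; making `set -f` the first statement of the subshell, i.e. `( set -f`, confines the expansion to splitting. The proxy is also backgrounded with `&` while the application is `exec`ed immediately, so the application can start before the proxy has bound its socket; if the proxy offers a readiness signal, waiting on it before the final `exec` would remove that race.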