wrapper-manager/sandboxing/bubblewrap: add dbus-proxy-specific bwrap arguments to the launcher

This commit is contained in:
Gabriel Arazas 2024-08-15 12:15:57 +08:00
parent 9b2b69483b
commit 5ffcfc2070
No known key found for this signature in database
GPG Key ID: 62104B43D00AA360
4 changed files with 56 additions and 20 deletions


@ -82,18 +82,27 @@ in
options.wrappers = options.wrappers =
let let
addressesModule = { config, lib, ... }: { addressesModule = { config, lib, name, ... }: {
options = { options = {
path = lib.mkOption { path = lib.mkOption {
type = with lib.types; nullOr path; type = lib.types.str;
default = null; default = "$XDG_RUNTIME_DIR/wrapper-manager-fds/$(echo $RANDOM | base64)";
description = '' description = ''
Path of the unix socket domain. A value of `null` means Path of the unix socket domain. A value of `null` means
the launcher takes care of it. the launcher takes care of it.
''; '';
}; };
policies = options.sandboxing.bubblewrap.dbus.filter.policies; policies = lib.mkOption {
type = lib.types.submodule dbusFilterType;
description = ''
Policies to be set to that address.
'';
default = { };
example = {
level = "see";
};
};
extraArgs = lib.mkOption { extraArgs = lib.mkOption {
type = with lib.types; listOf str; type = with lib.types; listOf str;
@ -108,12 +117,11 @@ in
config.policies = cfg.dbus.filter.policies; config.policies = cfg.dbus.filter.policies;
config.extraArgs = config.extraArgs =
let let
makePolicyArgs = dbusName: policyMetadata: inherit (config) policies;
lib.optionals (policyMetadata.level != null) [ "--${policyMetadata.level}=${dbusName}" ]
++ builtins.map (rule: "--call=${dbusName}=${rule}") policyMetadata.call
++ builtins.map (rule: "--broadcast=${dbusName}=${rule}") policyMetadata.broadcast;
in in
lib.mapAttrsToList makePolicyArgs config.dbus.filter.policies; lib.optionals (policies.level != null) [ "--${policies.level}=${name}" ]
++ builtins.map (rule: "--call=${name}=${rule}") policies.call
++ builtins.map (rule: "--broadcast=${name}=${rule}") policies.broadcast;
}; };
bubblewrapModule = { config, lib, pkgs, name, ... }: bubblewrapModule = { config, lib, pkgs, name, ... }:
@ -134,6 +142,15 @@ in
default = [ ]; default = [ ];
}; };
bwrapArgs = lib.mkOption {
type = with lib.types; listOf str;
description = ''
List of arguments to be passed to the Bubblewrap
environment of the D-Bus proxy.
'';
default = [ ];
};
addresses = lib.mkOption { addresses = lib.mkOption {
type = with lib.types; attrsOf (submodule addressesModule); type = with lib.types; attrsOf (submodule addressesModule);
description = '' description = ''
@ -142,8 +159,10 @@ in
''; '';
default = { }; default = { };
example = { example = {
"org.example.Bar" = { "org.example.Bar".policies.level = "talk";
}; "org.freedesktop.systemd1".policies.level = "talk";
"org.gtk.vfs.*".policies.level = "talk";
"org.gtk.vfs".policies.level = "talk";
}; };
}; };
}; };
@ -153,9 +172,13 @@ in
sandboxing.bubblewrap.dbus.filter.extraArgs = sandboxing.bubblewrap.dbus.filter.extraArgs =
let let
makeDbusProxyArgs = address: metadata: makeDbusProxyArgs = address: metadata:
[ address metadata.path ] ++ metadata.extraArgs; [ address (builtins.toString metadata.path) ] ++ metadata.extraArgs;
in in
lib.lists.flatten (lib.mapAttrsToList makeDbusProxyArgs submoduleCfg.dbus.filter.addresses); lib.lists.flatten (lib.mapAttrsToList makeDbusProxyArgs submoduleCfg.dbus.filter.addresses);
sandboxing.bubblewrap.sharedNixPaths = [
submoduleCfg.dbus.filter.package
];
}; };
}; };
in in
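Review bot: The `path` option's description in the first hunk still says "A value of `null` means the launcher takes care of it", but the type is now `lib.types.str` with a non-null default, so `null` is no longer accepted and the sentence is wrong; replace it with something like `Path of the unix socket the D-Bus proxy listens on. The default is a shell expression expanded by the launcher at run time.` The default `$XDG_RUNTIME_DIR/wrapper-manager-fds/$(echo $RANDOM | base64)` also deserves a second look: `$RANDOM` yields only 32768 values, so two concurrent launches of the same wrapper can collide on a socket path, and the string only works if the wrapper exports the variable unescaped, because the launcher expands `${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS[@]}` unquoted and plain parameter expansion does not run an embedded command substitution — a literal value would be word-split into `$XDG_RUNTIME_DIR/wrapper-manager-fds/$(echo`, `$RANDOM`, `|`, `base64)`. A fixed per-wrapper name under a directory the launcher creates with `mktemp -d` would avoid both problems. With `path` now a `str`, the `builtins.toString metadata.path` in the last hunk is redundant.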


@ -248,6 +248,14 @@ in
in in
builtins.map (p: "--ro-bind ${p} ${p}") closurePaths; builtins.map (p: "--ro-bind ${p} ${p}") closurePaths;
}) })
(lib.mkIf submoduleCfg.dbus.enable {
sandboxing.bubblewrap.dbus.filter.bwrapArgs =
let
closurePaths = getClosurePaths submoduleCfg.sharedNixPaths;
in
builtins.map (p: "--ro-bind ${p} ${p}") closurePaths;
})
]); ]);
}; };
in in
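Review bot: The new `mkIf submoduleCfg.dbus.enable` block binds the entire application closure (`getClosurePaths submoduleCfg.sharedNixPaths`) into the proxy's Bubblewrap environment, although xdg-dbus-proxy only needs its own package's closure; the companion hunk in the dbus module adds `dbus.filter.package` to `sharedNixPaths`, which in turn exposes the proxy binary to the application sandbox as well. Computing the proxy's closure on its own, `closurePaths = getClosurePaths [ submoduleCfg.dbus.filter.package ];`, keeps each sandbox at least privilege and makes the `sharedNixPaths` addition unnecessary. The two identical `builtins.map (p: "--ro-bind ${p} ${p}")` expressions could then share one small helper. The enclosing `mkMerge` list starts before this hunk.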


@ -48,13 +48,14 @@ in
# We're just unsetting autoconfigure since we're configuring this # We're just unsetting autoconfigure since we're configuring this
# through the module system anyways and would allow the user to # through the module system anyways and would allow the user to
# have some more control over what can be enabled. # have some more control over what can be enabled.
"${envSuffix "AUTOCONFIGURE"}".value = ""; "${envSuffix "AUTOCONFIGURE"}".value = "0";
}; };
} }
(lib.mkIf config.sandboxing.bubblewrap.dbus.enable { (lib.mkIf config.sandboxing.bubblewrap.dbus.enable {
env.${envSuffix "DBUS_PROXY"}.value = lib.getExe' config.sandboxing.bubblewrap.dbus.filter.package "xdg-dbus-proxy"; env.${envSuffix "DBUS_PROXY"}.value = lib.getExe' config.sandboxing.bubblewrap.dbus.filter.package "xdg-dbus-proxy";
env.${envSuffix "DBUS_PROXY_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.extraArgs; env.${envSuffix "DBUS_PROXY_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.extraArgs;
env.${envSuffix "DBUS_PROXY_BWRAP_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.bwrapArgs;
}) })
(lib.mkIf submoduleCfg.integrations.pulseaudio.enable { (lib.mkIf submoduleCfg.integrations.pulseaudio.enable {
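Review bot: The comment above `AUTOCONFIGURE` still says "We're just unsetting autoconfigure", but the value is now `"0"` rather than empty, and the reason deserves to be written down: the launcher initialises the variable with `: "${WRAPPER_MANAGER_BWRAP_LAUNCHER_AUTOCONFIGURE:="1"}"`, and `:=` reassigns the default for an empty string as well as an unset variable, so an empty value silently re-enabled autoconfiguration. Suggest replacing the first comment line with `# Set this to "0" rather than "" — the launcher's ":=" default treats an empty value as unset and would turn autoconfigure back on; we configure everything through the module system instead.` Whether `is_autoconfigured_or` tests for the literal `"1"` or merely for non-emptiness is not visible here and should be confirmed before relying on `"0"`. Note also that `DBUS_PROXY_BWRAP_ARGS` is joined with `lib.concatStringsSep " "` and re-split by the launcher, so argument boundaries are lost for any value containing whitespace.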


@ -19,10 +19,10 @@
# launcher. Let the user do it themselves if they want. # launcher. Let the user do it themselves if they want.
declare -a additional_flags declare -a additional_flags
: "${XDG_RUNTIME_DIR:="/run/user/$(id -u)"}" : "${XDG_RUNTIME_DIR:="/run/user/$(id -u)"}" \
: "${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP:="bwrap"}" "${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP:="bwrap"}" \
: "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY:="xdg-dbus-proxy"}" "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY:="xdg-dbus-proxy"}" \
: "${WRAPPER_MANAGER_BWRAP_LAUNCHER_AUTOCONFIGURE:="1"}" "${WRAPPER_MANAGER_BWRAP_LAUNCHER_AUTOCONFIGURE:="1"}"
is_autoconfigured_or() { is_autoconfigured_or() {
local service="$1" local service="$1"
@ -85,10 +85,14 @@ fi
# Fork the D-Bus proxy in case it is needed. We only need to know if its needed # Fork the D-Bus proxy in case it is needed. We only need to know if its needed
# if the *DBUS_PROXY_ARGS envvar is set. # if the *DBUS_PROXY_ARGS envvar is set.
if [ -n "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS}" ]; then if [ -n "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS}" ] && [ -n "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY}" ]; then
( (
${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP} "${additional_flags[@]}" \ # shellcheck disable=2068
-- "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY}" "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS[@]}" ${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP} \
${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_BWRAP_ARGS[@]} \
"${additional_flags[@]}" \
-- "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY}" \
${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS[@]}
) & ) &
fi fi
exec ${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP} "${additional_flags[@]}" "$@" exec ${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP} "${additional_flags[@]}" "$@"
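Review bot: The proxy is started in the background at `) &` and the application is `exec`ed right after it, so nothing guarantees the proxy socket exists when the application first connects, and nothing terminates the proxy when the application exits — it is left orphaned. xdg-dbus-proxy's `--fd=FD` exists for exactly this: it writes a byte to FD once it is listening and exits when FD is closed, so the launcher should pass the write end of a pipe, block on reading one byte before the `exec`, and leave the read end open in the application so the proxy dies with it, as flatpak does. The `# shellcheck disable=2068` also hides a real hazard: `${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_BWRAP_ARGS[@]}` and `${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS[@]}` are scalars being word-split and glob-expanded, which breaks on any argument containing whitespace or `*`; `read -ra` into a real array from a newline- or NUL-separated encoding is safer. Finally, the added `[ -n "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY}" ]` test is always true, because the `:=` default earlier in the file assigns `xdg-dbus-proxy` whenever the variable is unset or empty.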