wrapper-manager/sandboxing/bubblewrap: add dbus-proxy-specific bwrap arguments to the launcher

2025-01-31 04:58:01 +00:00 · 2024-08-15 12:15:57 +08:00 · 2024-08-15 12:15:57 +08:00 · 5ffcfc2070
commit 5ffcfc2070
parent 9b2b69483b
4 changed files with 56 additions and 20 deletions
--- a/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix
@ -82,18 +82,27 @@ in

  options.wrappers =
    let
-      addressesModule = { config, lib, ... }: {
+      addressesModule = { config, lib, name, ... }: {
        options = {
          path = lib.mkOption {
-            type = with lib.types; nullOr path;
-            default = null;
+            type = lib.types.str;
+            default = "$XDG_RUNTIME_DIR/wrapper-manager-fds/$(echo $RANDOM | base64)";
            description = ''
              Path of the unix socket domain. A value of `null` means
              the launcher takes care of it.
            '';
          };

-          policies = options.sandboxing.bubblewrap.dbus.filter.policies;
+          policies = lib.mkOption {
+            type = lib.types.submodule dbusFilterType;
+            description = ''
+              Policies to be set to that address.
+            '';
+            default = { };
+            example = {
+              level = "see";
+            };
+          };

          extraArgs = lib.mkOption {
            type = with lib.types; listOf str;
@ -108,12 +117,11 @@ in
        config.policies = cfg.dbus.filter.policies;
        config.extraArgs =
          let
-            makePolicyArgs = dbusName: policyMetadata:
-              lib.optionals (policyMetadata.level != null) [ "--${policyMetadata.level}=${dbusName}" ]
-              ++ builtins.map (rule: "--call=${dbusName}=${rule}") policyMetadata.call
-              ++ builtins.map (rule: "--broadcast=${dbusName}=${rule}") policyMetadata.broadcast;
+            inherit (config) policies;
          in
-            lib.mapAttrsToList makePolicyArgs config.dbus.filter.policies;
+          lib.optionals (policies.level != null) [ "--${policies.level}=${name}" ]
+          ++ builtins.map (rule: "--call=${name}=${rule}") policies.call
+          ++ builtins.map (rule: "--broadcast=${name}=${rule}") policies.broadcast;
      };

      bubblewrapModule = { config, lib, pkgs, name, ... }:
@ -134,6 +142,15 @@ in
                      default = [ ];
                    };

+                    bwrapArgs = lib.mkOption {
+                      type = with lib.types; listOf str;
+                      description = ''
+                        List of arguments to be passed to the Bubblewrap
+                        environment of the D-Bus proxy.
+                      '';
+                      default = [ ];
+                    };
+
                    addresses = lib.mkOption {
                      type = with lib.types; attrsOf (submodule addressesModule);
                      description = ''
@ -142,8 +159,10 @@ in
                      '';
                      default = { };
                      example = {
-                        "org.example.Bar" = {
-                        };
+                        "org.example.Bar".policies.level = "talk";
+                        "org.freedesktop.systemd1".policies.level = "talk";
+                        "org.gtk.vfs.*".policies.level = "talk";
+                        "org.gtk.vfs".policies.level = "talk";
                      };
                    };
                  };
@ -153,9 +172,13 @@ in
                sandboxing.bubblewrap.dbus.filter.extraArgs =
                  let
                    makeDbusProxyArgs = address: metadata:
-                      [ address metadata.path ] ++ metadata.extraArgs;
+                      [ address (builtins.toString metadata.path) ] ++ metadata.extraArgs;
                  in
                  lib.lists.flatten (lib.mapAttrsToList makeDbusProxyArgs submoduleCfg.dbus.filter.addresses);
+
+                sandboxing.bubblewrap.sharedNixPaths = [
+                  submoduleCfg.dbus.filter.package
+                ];
              };
            };
    in
--- a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix
@ -248,6 +248,14 @@ in
              in
                builtins.map (p: "--ro-bind ${p} ${p}") closurePaths;
          })
+
+          (lib.mkIf submoduleCfg.dbus.enable {
+            sandboxing.bubblewrap.dbus.filter.bwrapArgs =
+              let
+                closurePaths = getClosurePaths submoduleCfg.sharedNixPaths;
+              in
+                builtins.map (p: "--ro-bind ${p} ${p}") closurePaths;
+          })
        ]);
      };
    in
--- a/modules/wrapper-manager/sandboxing/bubblewrap/launcher.nix
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/launcher.nix
@ -48,13 +48,14 @@ in
              # We're just unsetting autoconfigure since we're configuring this
              # through the module system anyways and would allow the user to
              # have some more control over what can be enabled.
-              "${envSuffix "AUTOCONFIGURE"}".value = "";
+              "${envSuffix "AUTOCONFIGURE"}".value = "0";
            };
          }

          (lib.mkIf config.sandboxing.bubblewrap.dbus.enable {
            env.${envSuffix "DBUS_PROXY"}.value = lib.getExe' config.sandboxing.bubblewrap.dbus.filter.package "xdg-dbus-proxy";
            env.${envSuffix "DBUS_PROXY_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.extraArgs;
+            env.${envSuffix "DBUS_PROXY_BWRAP_ARGS"}.value = lib.concatStringsSep " " config.sandboxing.bubblewrap.dbus.filter.bwrapArgs;
          })

          (lib.mkIf submoduleCfg.integrations.pulseaudio.enable {
--- a/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh
+++ b/modules/wrapper-manager/sandboxing/bubblewrap/launcher/app.sh
@ -19,10 +19,10 @@
 # launcher. Let the user do it themselves if they want.

 declare -a additional_flags
-: "${XDG_RUNTIME_DIR:="/run/user/$(id -u)"}"
-: "${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP:="bwrap"}"
-: "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY:="xdg-dbus-proxy"}"
-: "${WRAPPER_MANAGER_BWRAP_LAUNCHER_AUTOCONFIGURE:="1"}"
+: "${XDG_RUNTIME_DIR:="/run/user/$(id -u)"}" \
+  "${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP:="bwrap"}" \
+  "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY:="xdg-dbus-proxy"}" \
+  "${WRAPPER_MANAGER_BWRAP_LAUNCHER_AUTOCONFIGURE:="1"}"

 is_autoconfigured_or() {
    local service="$1"
@ -85,10 +85,14 @@ fi

 # Fork the D-Bus proxy in case it is needed. We only need to know if its needed
 # if the *DBUS_PROXY_ARGS envvar is set.
-if [ -n "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS}" ]; then
+if [ -n "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS}" ] && [ -n "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY}" ]; then
    (
-        ${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP} "${additional_flags[@]}" \
-            -- "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY}" "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS[@]}"
+        # shellcheck disable=2068
+        ${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP} \
+            ${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_BWRAP_ARGS[@]} \
+            "${additional_flags[@]}" \
+            -- "${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY}" \
+               ${WRAPPER_MANAGER_BWRAP_LAUNCHER_DBUS_PROXY_ARGS[@]}
    ) &
 fi
 exec ${WRAPPER_MANAGER_BWRAP_LAUNCHER_BWRAP} "${additional_flags[@]}" "$@"