l xjails: switch from sudo to machinectl
parent
a3e67719b9
commit
39d808829c
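--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -41,10 +41,6 @@ with import <stockholm/lib>;
 type = types.path;
 default = pkgs.writeScript "echo_lol" "echo lol";
 };
-vglrun = mkOption {
-type = types.bool;
-default = false;
-};
 wm = mkOption {
 #TODO find type
 type = types.str;
@@ -122,21 +118,14 @@ with import <stockholm/lib>;
 ${pkgs.coreutils}/bin/kill $XEPHYR_PID
 '';
 # TODO fix xephyr which doesn't honor resizes anymore
-sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then ''
-/var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@"
-'' else ''
+sudo_ = pkgs.writeDash "${cfg.name}-sudo" ''
 #/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
-/var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@"
-
-'');
-vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" ''
-DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@"
+${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:0 --uid=${cfg.name} .host ${cfg.script} "$@"
 '';
 in nameValuePair name {
 existing = newOrExisting;
 xephyr = xephyr_;
 sudo = sudo_;
-vglrun = vglrun_;
 }
 ) config.lass.xjail;
 in {
@@ -161,10 +150,19 @@ with import <stockholm/lib>;
 }
 ) config.lass.xjail;
 
-security.sudo.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg:
-# TODO allow just the right script with sudo
-"${cfg.from} ALL=(${cfg.name}) NOPASSWD: ALL"
-) config.lass.xjail));
+security.polkit.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: ''
+polkit.addRule(function(action, subject) {
+if (
+subject.user == "${cfg.from}" &&
+action.id == "org.freedesktop.machine1.host-shell" &&
+action.lookup("user") == "${cfg.user}" &&
+action.lookup("program") == "${cfg.script}" &&
+true
+) {
+return polkit.Result.YES;
+}
+});
+'') config.lass.xjail));
 
 lass.xjail-bins = mapAttrs' (name: cfg:
 nameValuePair name (pkgs.writeScriptBin cfg.name ''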
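Review bot: The polkit rule in the third hunk matches `action.lookup("user") == "${cfg.user}"`, while the wrapper in the second hunk runs `machinectl shell ... --uid=${cfg.name}` and the sudoers line it replaces also keyed on `cfg.name`; unless `user` is a separate option of this submodule (the option definitions sit outside these hunks), evaluation fails on the missing attribute, and if it exists but differs from `name` the rule never matches and every shell request falls back to polkit's default answer. Either way both sides should use the same field: `action.lookup("user") == "${cfg.name}" &&`. The trailing `true &&` conjunct only pads the condition and can be dropped. Separately, the new wrapper hard-codes `-E DISPLAY=:0` although the commented-out line directly above it and the removed vglrun wrapper both used `cfg.display`; if that option still exists, `-E DISPLAY=:${cfg.display}` keeps the jail on the configured server instead of :0.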