l xjails: switch from sudo to machinectl

This commit is contained in:
lassulus 2022-01-24 14:34:18 +01:00
parent a3e67719b9
commit 39d808829c


@ -41,10 +41,6 @@ with import <stockholm/lib>;
type = types.path; type = types.path;
default = pkgs.writeScript "echo_lol" "echo lol"; default = pkgs.writeScript "echo_lol" "echo lol";
}; };
vglrun = mkOption {
type = types.bool;
default = false;
};
wm = mkOption { wm = mkOption {
#TODO find type #TODO find type
type = types.str; type = types.str;
@ -122,21 +118,14 @@ with import <stockholm/lib>;
${pkgs.coreutils}/bin/kill $XEPHYR_PID ${pkgs.coreutils}/bin/kill $XEPHYR_PID
''; '';
# TODO fix xephyr which doesn't honor resizes anymore # TODO fix xephyr which doesn't honor resizes anymore
sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then '' sudo_ = pkgs.writeDash "${cfg.name}-sudo" ''
/var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@"
'' else ''
#/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@" #/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
/var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@" ${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:0 --uid=${cfg.name} .host ${cfg.script} "$@"
'');
vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" ''
DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@"
''; '';
in nameValuePair name { in nameValuePair name {
existing = newOrExisting; existing = newOrExisting;
xephyr = xephyr_; xephyr = xephyr_;
sudo = sudo_; sudo = sudo_;
vglrun = vglrun_;
} }
) config.lass.xjail; ) config.lass.xjail;
in { in {
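Review bot: The new machinectl line in this hunk hard-codes `-E DISPLAY=:0`, although the module has a `display` option that the removed vglrun wrapper and the commented-out sudo line kept just above both pass as `DISPLAY=:${cfg.display}`; since this wrapper sits next to the Xephyr that the same section starts and kills, pointing the jailed script at :0 presumably lands it on the host X server instead of the Xephyr display, which would undo the display isolation the jail exists for. Suggest `${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:${cfg.display} --uid=${cfg.name} .host ${cfg.script} "$@"`, or a comment above the line explaining why :0 is intended. The polkit rule in the following hunk (cut off at the end of this excerpt) compares `action.lookup("user")` against `${cfg.user}` while this call passes `--uid=${cfg.name}`; worth confirming both refer to the same option, otherwise the rule never matches and the shell is refused.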
@ -161,10 +150,19 @@ with import <stockholm/lib>;
} }
) config.lass.xjail; ) config.lass.xjail;
security.sudo.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: security.polkit.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: ''
# TODO allow just the right script with sudo polkit.addRule(function(action, subject) {
"${cfg.from} ALL=(${cfg.name}) NOPASSWD: ALL" if (
) config.lass.xjail)); subject.user == "${cfg.from}" &&
action.id == "org.freedesktop.machine1.host-shell" &&
action.lookup("user") == "${cfg.user}" &&
action.lookup("program") == "${cfg.script}" &&
true
) {
return polkit.Result.YES;
}
});
'') config.lass.xjail));
lass.xjail-bins = mapAttrs' (name: cfg: lass.xjail-bins = mapAttrs' (name: cfg:
nameValuePair name (pkgs.writeScriptBin cfg.name '' nameValuePair name (pkgs.writeScriptBin cfg.name ''