l xjails: switch from sudo to machinectl

2022-01-24 14:34:18 +01:00 · 2022-01-24 14:34:18 +01:00 · 39d808829c
commit 39d808829c
parent a3e67719b9
1 changed files with 15 additions and 17 deletions
--- a/lass/3modules/xjail.nix
+++ b/lass/3modules/xjail.nix
@ -41,10 +41,6 @@ with import <stockholm/lib>;
          type = types.path;
          default = pkgs.writeScript "echo_lol" "echo lol";
        };
-        vglrun = mkOption {
-          type = types.bool;
-          default = false;
-        };
        wm = mkOption {
          #TODO find type
          type = types.str;
@ -122,21 +118,14 @@ with import <stockholm/lib>;
          ${pkgs.coreutils}/bin/kill $XEPHYR_PID
        '';
        # TODO fix xephyr which doesn't honor resizes anymore
-        sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then ''
-          /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@"
-        '' else ''
+        sudo_ = pkgs.writeDash "${cfg.name}-sudo" ''
          #/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
-          /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@"
-
-        '');
-        vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" ''
-          DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@"
+          ${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:0 --uid=${cfg.name} .host ${cfg.script} "$@"
        '';
      in nameValuePair name {
        existing = newOrExisting;
        xephyr = xephyr_;
        sudo = sudo_;
-        vglrun = vglrun_;
      }
    ) config.lass.xjail;
  in {
@ -161,10 +150,19 @@ with import <stockholm/lib>;
      }
    ) config.lass.xjail;

-    security.sudo.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg:
-      # TODO allow just the right script with sudo
-      "${cfg.from} ALL=(${cfg.name}) NOPASSWD: ALL"
-    ) config.lass.xjail));
+    security.polkit.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: ''
+    polkit.addRule(function(action, subject) {
+      if (
+        subject.user == "${cfg.from}" &&
+        action.id == "org.freedesktop.machine1.host-shell" &&
+        action.lookup("user") == "${cfg.user}" &&
+        action.lookup("program") == "${cfg.script}" &&
+        true
+      ) {
+        return polkit.Result.YES;
+      }
+    });
+    '') config.lass.xjail));

    lass.xjail-bins = mapAttrs' (name: cfg:
      nameValuePair name (pkgs.writeScriptBin cfg.name ''