krebs.setuid: init

This commit is contained in:
tv 2016-02-14 13:26:37 +01:00
parent c1a9a89c9a
commit e890eb244a
3 changed files with 90 additions and 30 deletions


@ -27,6 +27,7 @@ let
./retiolum-bootstrap.nix ./retiolum-bootstrap.nix
./realwallpaper.nix ./realwallpaper.nix
./retiolum.nix ./retiolum.nix
./setuid.nix
./tinc_graphs.nix ./tinc_graphs.nix
./urlwatch.nix ./urlwatch.nix
]; ];

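--- /dev/null
+++ b/krebs/3modules/setuid.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+cfg = config.krebs.setuid;
+out = {
+options.krebs.setuid = api;
+config = imp;
+};
+api = mkOption {
+default = {};
+type = let
+# TODO make wrapperDir configurable
+inherit (config.security) wrapperDir;
+inherit (config.users) groups users;
+in types.attrsOf (types.submodule ({ config, ... }: {
+options = {
+name = mkOption {
+type = types.filename;
+default = config._module.args.name;
+};
+filename = mkOption {
+type = mkOptionType {
+# TODO unyuck string and merge with toC
+name = "derivation or string";
+check = x:
+isDerivation x ||
+isString x;
+};
+apply = toString;
+};
+owner = mkOption {
+default = "root";
+type = types.enum (attrNames users);
+};
+group = mkOption {
+default = "root";
+type = types.enum (attrNames groups);
+};
+mode = mkOption {
+default = "4710";
+type = mkOptionType {
+# TODO admit symbolic mode
+name = "octal mode";
+check = x:
+isString x &&
+match "[0-7][0-7][0-7][0-7]" x != null;
+};
+};
+activate = mkOption {
+type = types.str;
+visible = false;
+readOnly = true;
+};
+};
+config.activate = let
+src = pkgs.execve config.name {
+inherit (config) filename;
+};
+dst = "${wrapperDir}/${config.name}";
+in ''
+cp ${src} ${dst}
+chown ${config.owner}.${config.group} ${dst}
+chmod ${config.mode} ${dst}
+'';
+}));
+};
+imp = {
+system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ]
+(concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
+};
+in out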
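Review bot: The `config.activate` script copies the wrapper with `cp` straight onto `${wrapperDir}/${config.name}` and only afterwards runs `chown`/`chmod`, so when the destination already exists it is truncated and rewritten in place while it still carries the previous owner and setuid bit, and an interrupted copy leaves a partially written setuid file behind. That is only harmless if the NixOS `setuid` activation step this hook is ordered after (`stringAfter [ "setuid" ]`) empties `wrapperDir` first, which the hunk does not show; staging the file under a temporary name and renaming it over the target removes that dependency. `chown ${config.owner}.${config.group}` also uses the deprecated dot separator, which misparses any user name containing a dot, so prefer `${config.owner}:${config.group}`. The `mode` check only constrains four octal digits, so an entry can set e.g. `6777`; a doc comment on the option such as `# raw octal mode; default 4710 = setuid, owner rwx, group x only — keep group-restricted` would make the intended privilege boundary explicit.
```nix
# … unchanged: src/dst bindings in the let …
in ''
  # stage under a private name so the target only ever holds a complete,
  # correctly owned and moded wrapper; mv over it is an atomic rename
  cp ${src} ${dst}.tmp
  chown ${config.owner}:${config.group} ${dst}.tmp
  chmod ${config.mode} ${dst}.tmp
  mv -f ${dst}.tmp ${dst}
'';
```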


@ -79,7 +79,7 @@ with lib;
${pkgs.kvm}/bin/qemu-img create "$img" 10G ${pkgs.kvm}/bin/qemu-img create "$img" 10G
fi fi
exec ${pkgs.kvm}/bin/qemu-kvm \ exec ${pkgs.kvm}/bin/qemu-kvm \
-monitor unix:$HOME/tmp/xu-qemu0.sock,server,nowait \ -monitor unix:$HOME/tmp/xu-qemu0-monitor.sock,server,nowait \
-boot order=cd \ -boot order=cd \
-cdrom ${pkgs.fetchurl { -cdrom ${pkgs.fetchurl {
url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso; url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso;
@ -95,36 +95,20 @@ with lib;
}; };
}; };
system.activationScripts."krebs.setuid.xu-qemu0-monitor" = stringAfter [ "setuid" ] '' krebs.setuid.xu-qemu0-monitor = {
src=${pkgs.execve "xu-qemu0-monitor" { filename = pkgs.writeDash "xu-qemu0-monitor" ''
# TODO toC should handle derivation, then we don't have to "${...}" here exec ${pkgs.socat}/bin/socat \
filename = "${pkgs.writeDash "xu-qemu0-monitor" '' stdio \
exec ${pkgs.socat}/bin/socat \ UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0-monitor.sock \
stdio \ '';
UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0.sock \ owner = "xu-qemu0";
''}"; group = "tv";
}} };
dst=${config.security.wrapperDir}/xu-qemu0-monitor
cp "$src" "$dst"
chown xu-qemu0.tv "$dst"
chmod 4710 "$dst"
'';
#TODO krebs.setuid.qemu-bridge-helper = { krebs.setuid.qemu-bridge-helper = {
# filename = "${pkgs.qemu}/libexec/qemu-bridge-helper"; filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
# owner = "root"; group = "qemu-users";
# group = "qemu-users"; };
# mode = "4710";
#};
system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ] ''
src=${pkgs.execve "qemu-bridge-helper" {
filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
}}
dst=${config.security.wrapperDir}/qemu-bridge-helper
cp "$src" "$dst"
chown root.qemu-users "$dst"
chmod 4710 "$dst"
'';
users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq"; users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq";