krebs.setuid: add support for capabilities

2022-01-26 12:48:24 +01:00 · 2022-01-26 12:48:24 +01:00 · f4e35a7312
commit f4e35a7312
parent c5c0caa4c1
1 changed files with 7 additions and 0 deletions
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@ -30,6 +30,10 @@ with import <stockholm/lib>;
          };
          apply = toString;
        };
+        capabilities = mkOption {
+          default = [];
+          type = types.listOf types.str;
+        };
        owner = mkOption {
          default = "root";
          type = types.enum (attrNames users);
@ -67,6 +71,9 @@ with import <stockholm/lib>;
        cp ${src} ${dst}
        chown ${cfg.owner}.${cfg.group} ${dst}
        chmod ${cfg.mode} ${dst}
+        ${optionalString (cfg.capabilities != []) /* sh */ ''
+          ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
+        ''}
      '';
    }));
  };