nixos/captive-browser: drop setcap wrapper for captive-browser
Since Linux 5.7 it's possible to set `SO_BINDTODEVICE` via `setsockopt(2)` as an unprivileged user, provided the operation doesn't imply escaping a VRF interface[1]. Dropping the wrapper is actually desirable because `captive-browser` itself doesn't drop capabilities and, as a result, the capabilities are passed on to `chromium` itself[2]. On older kernels the wrapper is still necessary, hence it is now only added if the kernel is older than 5.7.
[1] c427bfec18
[2] 08450562e5/bind_device_linux.go (L11-L14) and because our setcap wrapper makes all capabilities inheritable.
parent
a140137693
commit
183be440fd
|
@ -7,6 +7,8 @@ let
|
|||
concatStringsSep escapeShellArgs optionalString
|
||||
literalExpression mkEnableOption mkIf mkOption mkOptionDefault types;
|
||||
|
||||
requiresSetcapWrapper = config.boot.kernelPackages.kernelOlder "5.7" && cfg.bindInterface;
|
||||
|
||||
browserDefault = chromium: concatStringsSep " " [
|
||||
''env XDG_CONFIG_HOME="$PREV_CONFIG_HOME"''
|
||||
''${chromium}/bin/chromium''
|
||||
|
@ -23,11 +25,23 @@ let
|
|||
desktopItem = pkgs.makeDesktopItem {
|
||||
name = "captive-browser";
|
||||
desktopName = "Captive Portal Browser";
|
||||
exec = "/run/wrappers/bin/captive-browser";
|
||||
exec = "captive-browser";
|
||||
icon = "nix-snowflake";
|
||||
categories = [ "Network" ];
|
||||
};
|
||||
|
||||
captive-browser-configured = pkgs.writeShellScriptBin "captive-browser" ''
|
||||
export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"
|
||||
export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" ''
|
||||
browser = """${cfg.browser}"""
|
||||
dhcp-dns = """${cfg.dhcp-dns}"""
|
||||
socks5-addr = """${cfg.socks5-addr}"""
|
||||
${optionalString cfg.bindInterface ''
|
||||
bind-device = """${cfg.interface}"""
|
||||
''}
|
||||
''}
|
||||
exec ${cfg.package}/bin/captive-browser
|
||||
'';
|
||||
in
|
||||
{
|
||||
###### interface
|
||||
|
@ -101,6 +115,7 @@ in
|
|||
(pkgs.runCommand "captive-browser-desktop-item" { } ''
|
||||
install -Dm444 -t $out/share/applications ${desktopItem}/share/applications/*.desktop
|
||||
'')
|
||||
captive-browser-configured
|
||||
];
|
||||
|
||||
programs.captive-browser.dhcp-dns =
|
||||
|
@ -131,22 +146,11 @@ in
|
|||
source = "${pkgs.busybox}/bin/udhcpc";
|
||||
};
|
||||
|
||||
security.wrappers.captive-browser = {
|
||||
security.wrappers.captive-browser = mkIf requiresSetcapWrapper {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_raw+p";
|
||||
source = pkgs.writeShellScript "captive-browser" ''
|
||||
export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"
|
||||
export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" ''
|
||||
browser = """${cfg.browser}"""
|
||||
dhcp-dns = """${cfg.dhcp-dns}"""
|
||||
socks5-addr = """${cfg.socks5-addr}"""
|
||||
${optionalString cfg.bindInterface ''
|
||||
bind-device = """${cfg.interface}"""
|
||||
''}
|
||||
''}
|
||||
exec ${cfg.package}/bin/captive-browser
|
||||
'';
|
||||
source = "${captive-browser-configured}/bin/captive-browser";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
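Review bot: On kernels older than 5.7 the fallback in the last hunk still grants `cap_net_raw+p` through `security.wrappers.captive-browser`, and by the commit description's own account that capability is inherited by the spawned browser, so the exposure this commit removes remains on those systems with nothing in the code marking it. I would put a comment on the `mkIf requiresSetcapWrapper` block, e.g. `# Kernels < 5.7 only: cap_net_raw is inherited by the launched browser; drop this wrapper once 5.7 is the minimum supported kernel.` `requiresSetcapWrapper` is derived from `config.boot.kernelPackages`, i.e. the configured kernel rather than the running one, which presumably can differ where the kernel is not managed by this configuration (containers, for example), so that is worth confirming. With `exec = "captive-browser"` the desktop entry also depends on `/run/wrappers/bin` preceding the system profile in PATH whenever the wrapper is in use, since both provide a binary of the same name.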