mirror of
https://github.com/SebastianWendel/nixpkgs.git
synced 2024-09-20 12:29:02 +02:00
nixos/captive-browser: drop setcap wrapper for captive-browser
Since Linux 5.7 it's possible to set `SO_BINDTODEVICE` via `setsockopt(2)` as unprivileged user if this operation doesn't imply escaping a VRF interface[1]. Dropping the wrapper is actually desirable because `captive-browser` itself doesn't drop capabilities and as a result, the capabilities are passed on to `chromium` itself[2]. For older kernels, this is still necessary, hence the wrapper will only be added nowadays if the kernel is older than 5.7. [1]c427bfec18
[2]08450562e5/bind_device_linux.go (L11-L14)
and because our setcap wrapper makes all capabilities inheritable.
This commit is contained in:
parent
a140137693
commit
183be440fd
|
@ -7,6 +7,8 @@ let
|
||||||
concatStringsSep escapeShellArgs optionalString
|
concatStringsSep escapeShellArgs optionalString
|
||||||
literalExpression mkEnableOption mkIf mkOption mkOptionDefault types;
|
literalExpression mkEnableOption mkIf mkOption mkOptionDefault types;
|
||||||
|
|
||||||
|
requiresSetcapWrapper = config.boot.kernelPackages.kernelOlder "5.7" && cfg.bindInterface;
|
||||||
|
|
||||||
browserDefault = chromium: concatStringsSep " " [
|
browserDefault = chromium: concatStringsSep " " [
|
||||||
''env XDG_CONFIG_HOME="$PREV_CONFIG_HOME"''
|
''env XDG_CONFIG_HOME="$PREV_CONFIG_HOME"''
|
||||||
''${chromium}/bin/chromium''
|
''${chromium}/bin/chromium''
|
||||||
|
@ -23,11 +25,23 @@ let
|
||||||
desktopItem = pkgs.makeDesktopItem {
|
desktopItem = pkgs.makeDesktopItem {
|
||||||
name = "captive-browser";
|
name = "captive-browser";
|
||||||
desktopName = "Captive Portal Browser";
|
desktopName = "Captive Portal Browser";
|
||||||
exec = "/run/wrappers/bin/captive-browser";
|
exec = "captive-browser";
|
||||||
icon = "nix-snowflake";
|
icon = "nix-snowflake";
|
||||||
categories = [ "Network" ];
|
categories = [ "Network" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
captive-browser-configured = pkgs.writeShellScriptBin "captive-browser" ''
|
||||||
|
export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"
|
||||||
|
export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" ''
|
||||||
|
browser = """${cfg.browser}"""
|
||||||
|
dhcp-dns = """${cfg.dhcp-dns}"""
|
||||||
|
socks5-addr = """${cfg.socks5-addr}"""
|
||||||
|
${optionalString cfg.bindInterface ''
|
||||||
|
bind-device = """${cfg.interface}"""
|
||||||
|
''}
|
||||||
|
''}
|
||||||
|
exec ${cfg.package}/bin/captive-browser
|
||||||
|
'';
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
###### interface
|
###### interface
|
||||||
|
@ -101,6 +115,7 @@ in
|
||||||
(pkgs.runCommand "captive-browser-desktop-item" { } ''
|
(pkgs.runCommand "captive-browser-desktop-item" { } ''
|
||||||
install -Dm444 -t $out/share/applications ${desktopItem}/share/applications/*.desktop
|
install -Dm444 -t $out/share/applications ${desktopItem}/share/applications/*.desktop
|
||||||
'')
|
'')
|
||||||
|
captive-browser-configured
|
||||||
];
|
];
|
||||||
|
|
||||||
programs.captive-browser.dhcp-dns =
|
programs.captive-browser.dhcp-dns =
|
||||||
|
@ -131,22 +146,11 @@ in
|
||||||
source = "${pkgs.busybox}/bin/udhcpc";
|
source = "${pkgs.busybox}/bin/udhcpc";
|
||||||
};
|
};
|
||||||
|
|
||||||
security.wrappers.captive-browser = {
|
security.wrappers.captive-browser = mkIf requiresSetcapWrapper {
|
||||||
owner = "root";
|
owner = "root";
|
||||||
group = "root";
|
group = "root";
|
||||||
capabilities = "cap_net_raw+p";
|
capabilities = "cap_net_raw+p";
|
||||||
source = pkgs.writeShellScript "captive-browser" ''
|
source = "${captive-browser-configured}/bin/captive-browser";
|
||||||
export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"
|
|
||||||
export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" ''
|
|
||||||
browser = """${cfg.browser}"""
|
|
||||||
dhcp-dns = """${cfg.dhcp-dns}"""
|
|
||||||
socks5-addr = """${cfg.socks5-addr}"""
|
|
||||||
${optionalString cfg.bindInterface ''
|
|
||||||
bind-device = """${cfg.interface}"""
|
|
||||||
''}
|
|
||||||
''}
|
|
||||||
exec ${cfg.package}/bin/captive-browser
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue