sandbox: add module for sandbox profiles
This could be used outside of nix-darwin, but this is mainly useful for services since all of the inputs are known there.

{
  # $ /usr/bin/sandbox-exec -f $profile $coreutils/bin/ls /
  # ls: cannot access '/': Operation not permitted
  security.sandbox.profiles.example.closure = [ pkgs.coreutils ];
}
This commit is contained in:
parent
10c34f1277
commit
1e67f6a2bc
2 changed files with 132 additions and 0 deletions
|
@ -20,6 +20,7 @@ let
|
||||||
packages
|
packages
|
||||||
./modules/alias.nix
|
./modules/alias.nix
|
||||||
./modules/security/pki
|
./modules/security/pki
|
||||||
|
./modules/security/sandbox
|
||||||
./modules/system
|
./modules/system
|
||||||
./modules/system/checks.nix
|
./modules/system/checks.nix
|
||||||
./modules/system/activation-scripts.nix
|
./modules/system/activation-scripts.nix
|
||||||
|
|
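--- /dev/null
+++ b/modules/security/sandbox/default.nix
@@ -0,0 +1,131 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.security.sandbox;
+
+profile =
+{ config, name, ... }:
+{
+options = {
+profile = mkOption {
+type = types.lines;
+apply = text: pkgs.runCommandNoCC "sandbox.sb" {} ''
+for f in $(< ${config.closure}/store-paths); do
+storePaths+="(subpath \"$f\")"
+done
+
+cat <<-EOF > $out
+${text}
+EOF
+'';
+};
+
+closure = mkOption {
+type = types.listOf types.package;
+default = [];
+apply = paths: pkgs.closureInfo { rootPaths = paths; };
+description = "List of store paths to make accessible.";
+};
+
+readablePaths = mkOption {
+type = types.listOf types.path;
+default = [];
+description = "List of paths that should be read-only inside the sandbox.";
+};
+
+writablePaths = mkOption {
+type = types.listOf types.path;
+default = [];
+description = "List of paths that should be read/write inside the sandbox.";
+};
+
+allowSystemPaths = mkOption {
+type = types.bool;
+default = false;
+};
+
+allowLocalNetworking = mkOption {
+type = types.bool;
+default = false;
+description = "Whether to allow localhost network access inside the sandbox.";
+};
+
+allowNetworking = mkOption {
+type = types.bool;
+default = false;
+description = "Whether to allow network access inside the sandbox.";
+};
+};
+
+config = {
+
+profile = mkOrder 0 ''
+(version 1)
+(deny default)
+
+(allow file-read*
+(subpath "/usr/lib")
+(subpath "/System/Library/Frameworks")
+(subpath "/System/Library/PrivateFrameworks"))
+
+(allow file-read-metadata
+(literal "/dev"))
+(allow file*
+(literal "/dev/null")
+(literal "/dev/random")
+(literal "/dev/stdin")
+(literal "/dev/stdout")
+(literal "/dev/tty")
+(literal "/dev/urandom")
+(literal "/dev/zero")
+(subpath "/dev/fd"))
+
+(allow process-fork)
+(allow signal (target same-sandbox))
+(deny file-write* (subpath "/nix/store"))
+(allow file-read* process-exec
+$storePaths)
+
+${optionalString (config.readablePaths != []) ''
+(allow file-read*
+${concatMapStrings (x: ''(subpath "${x}")'') config.readablePaths})
+''}
+${optionalString (config.writablePaths != []) ''
+(allow file*
+${concatMapStrings (x: ''(subpath "${x}")'') config.writablePaths})
+''}
+${optionalString config.allowSystemPaths ''
+(allow file-read* process-exec
+(subpath "/bin")
+(subpath "/usr/bin"))
+''}
+${optionalString config.allowLocalNetworking ''
+(allow network* (local ip) (local tcp) (local udp))
+''}
+${optionalString config.allowNetworking ''
+(allow network*
+(local ip)
+(remote ip))
+(allow network-outbound
+(remote unix-socket (path-literal "/private/var/run/mDNSResponder")))
+''}
+'';
+
+};
+};
+in
+
+{
+options = {
+security.sandbox.profiles = mkOption {
+type = types.attrsOf (types.submodule profile);
+default = {};
+description = "Definition of sandbox profiles.";
+};
+};
+
+config = {
+};
+}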
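Review bot: The profile text is emitted through an unquoted heredoc (`cat <<-EOF > $out` … `EOF`), so the builder shell expands the whole profile body, not only the `$storePaths` placeholder — any `$`, backtick or backslash in a user-written profile line is interpreted at build time instead of reaching sandbox-exec literally; the `profile` option has no `description`, and it should at least state this, or the non-placeholder text should be escaped before the heredoc. `allowSystemPaths` is the only option without a `description`; suggest `description = "Whether to allow read and exec access to /bin and /usr/bin inside the sandbox.";`. `cfg = config.security.sandbox;` is bound in the `let` but never referenced anywhere in the file. The `allowLocalNetworking` rule uses the bare `(local ip)` filter, which as far as I can tell matches any local endpoint rather than loopback only, so it may grant more than the option's "localhost network access" wording promises; worth confirming against the SBPL semantics and, if so, narrowing the filter to `(local ip "localhost:*")`.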