nix-darwin/modules/security/sandbox/default.nix
Emily e65131e69c treewide: convert all option docs to Markdown
This process was automated by [my fork of `nix-doc-munge`]; thanks
to @pennae for writing this tool! It automatically checks that the
resulting documentation doesn't change, although my fork loosens
this a little to ignore some irrelevant whitespace and typographical
differences.

As of this commit there is no DocBook remaining in the options
documentation.

You can play along at home if you want to reproduce this commit:

    $ NIX_PATH=nixpkgs=flake:nixpkgs/c1bca7fe84c646cfd4ebf3482c0e6317a0b13f22 \
      nix shell nixpkgs#coreutils \
      -c find . -name '*.nix' \
      -exec nix run github:emilazy/nix-doc-munge/0a7190f600027bf7baf6cb7139e4d69ac2f51062 \
      {} +

[my fork of `nix-doc-munge`]: https://github.com/emilazy/nix-doc-munge
2023-06-24 10:48:55 +01:00


{ config, lib, pkgs, ... }:
with lib;
let
# Shorthand for this module's own option tree. It is not referenced anywhere
# else in this file as shown here; kept as the conventional `cfg` binding.
cfg = config.security.sandbox;
# Submodule describing one sandbox profile (one entry of
# `security.sandbox.profiles`). The submodule's `config` section below
# generates a macOS sandbox profile (the `(version 1)` / `(deny default)`
# s-expression language) from the declared options; everything not listed
# in an `allow` rule is denied by default.
profile =
{ config, name, ... }:
{
options = {
# The assembled profile text. `apply` turns the merged lines into a
# derivation `sandbox.sb`: it first collects every store path listed in
# the closure's `store-paths` file into the shell variable `$storePaths`
# (as `(subpath "...")` entries), then writes the profile text to `$out`
# through a heredoc. The heredoc delimiter is unquoted, so shell
# expansion applies to the profile text at build time — that is what
# makes the `$storePaths` reference in the base profile below work, and
# it also means any `$`, backquote or backslash in user-supplied profile
# text is interpreted by the shell rather than written literally.
# NOTE(review): the `$(< ...)` loop is word-split on whitespace; fine for
# store paths, which contain none.
profile = mkOption {
type = types.lines;
internal = true;
apply = text: pkgs.runCommand "sandbox.sb" { } ''
for f in $(< ${config.closure}/store-paths); do
storePaths+="(subpath \"$f\")"
done
cat <<-EOF > $out
${text}
EOF
'';
};
# Root store paths whose full runtime closure the sandbox may read and
# execute. `apply` replaces the list with a `closureInfo` derivation, so
# `config.closure` is that derivation (its `store-paths` file is what the
# `profile` builder reads).
closure = mkOption {
type = types.listOf types.package;
default = [ ];
apply = paths: pkgs.closureInfo { rootPaths = paths; };
description = lib.mdDoc "List of store paths to make accessible.";
};
# Extra read-only directories. Each entry is interpolated unescaped into a
# `(subpath "...")` rule in the profile, so a path containing a double
# quote or backslash would break (or alter) the generated profile —
# presumably not a concern for the paths this is meant for, but worth
# confirming if values ever come from untrusted configuration.
readablePaths = mkOption {
type = types.listOf types.path;
default = [ ];
description = lib.mdDoc "List of paths that should be read-only inside the sandbox.";
};
# Extra read/write directories; same unescaped interpolation as
# `readablePaths`, but granted with `file*` (all file operations).
writablePaths = mkOption {
type = types.listOf types.path;
default = [ ];
description = lib.mdDoc "List of paths that should be read/write inside the sandbox.";
};
# Read access to a fixed set of system files (/etc group, hosts, passwd
# and resolv.conf) plus metadata of a few top-level directories. Defaults
# to true whenever either networking option is enabled (see `config`).
allowSystemPaths = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to allow read access to FHS paths like /etc and /var.";
};
# Grants `network*` for local ip/tcp/udp only.
allowLocalNetworking = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to allow localhost network access inside the sandbox.";
};
# Grants `network*` for local and remote ip — the wildcard covers more
# than outbound connections — plus outbound access to the mDNSResponder
# unix socket (presumably so name resolution works; confirm if in doubt).
allowNetworking = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to allow network access inside the sandbox.";
};
};
config = {
# Networking implies the system paths: the resolver and host databases
# allowed under `allowSystemPaths` are what networked programs need.
# `mkDefault` lets a profile still set this explicitly.
allowSystemPaths = mkDefault (config.allowLocalNetworking || config.allowNetworking);
# Base profile. `mkOrder 0` places it before any other contribution to the
# `profile` option (default ordering priority is 1000), so `(version 1)`
# and `(deny default)` come first. Beyond the fixed allowances (system
# frameworks, a few /dev nodes, fork, signals within the same sandbox,
# read/exec of the store closure via `$storePaths`), each remaining rule
# group is emitted only when its corresponding option is set.
profile = mkOrder 0 ''
(version 1)
(deny default)
(allow file-read*
(subpath "/usr/lib")
(subpath "/System/Library/Frameworks")
(subpath "/System/Library/PrivateFrameworks"))
(allow file-read-metadata
(literal "/dev"))
(allow file*
(literal "/dev/null")
(literal "/dev/random")
(literal "/dev/stdin")
(literal "/dev/stdout")
(literal "/dev/tty")
(literal "/dev/urandom")
(literal "/dev/zero")
(subpath "/dev/fd"))
(allow process-fork)
(allow signal (target same-sandbox))
(allow file-read* process-exec
$storePaths)
${optionalString (config.readablePaths != []) ''
(allow file-read*
${concatMapStrings (x: ''(subpath "${x}")'') config.readablePaths})
''}
${optionalString (config.writablePaths != []) ''
(allow file*
${concatMapStrings (x: ''(subpath "${x}")'') config.writablePaths})
''}
${optionalString config.allowSystemPaths ''
(allow file-read-metadata
(literal "/")
(literal "/etc")
(literal "/run")
(literal "/tmp")
(literal "/var"))
(allow file-read*
(literal "/private/etc/group")
(literal "/private/etc/hosts")
(literal "/private/etc/passwd")
(literal "/private/var/run/resolv.conf"))
''}
${optionalString config.allowLocalNetworking ''
(allow network* (local ip) (local tcp) (local udp))
''}
${optionalString config.allowNetworking ''
(allow network*
(local ip)
(remote ip))
(allow network-outbound
(remote unix-socket (path-literal "/private/var/run/mDNSResponder")))
''}
'';
};
};
in
{
  # Each attribute of `security.sandbox.profiles` is one sandbox profile,
  # evaluated with the `profile` submodule declared above. This module only
  # declares the option; it produces no configuration of its own, so
  # consuming the generated profiles is left to other modules.
  options.security.sandbox.profiles = mkOption {
    type = types.attrsOf (types.submodule profile);
    default = { };
    description = lib.mdDoc "Definition of sandbox profiles.";
  };

  config = { };
}