mirror of
https://github.com/LnL7/nix-darwin.git
synced 2025-03-05 16:27:03 +00:00
141 lines
4.1 KiB
Nix
141 lines
4.1 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.security.sandbox;
|
|
|
|
profile =
|
|
{ config, name, ... }:
|
|
{
|
|
options = {
|
|
profile = mkOption {
|
|
type = types.lines;
|
|
internal = true;
|
|
apply = text: pkgs.runCommand "sandbox.sb" { } ''
|
|
for f in $(< ${config.closure}/store-paths); do
|
|
storePaths+="(subpath \"$f\")"
|
|
done
|
|
|
|
cat <<-EOF > $out
|
|
${text}
|
|
EOF
|
|
'';
|
|
};
|
|
|
|
closure = mkOption {
|
|
type = types.listOf types.package;
|
|
default = [ ];
|
|
apply = paths: pkgs.closureInfo { rootPaths = paths; };
|
|
description = "List of store paths to make accessible.";
|
|
};
|
|
|
|
readablePaths = mkOption {
|
|
type = types.listOf types.path;
|
|
default = [ ];
|
|
description = "List of paths that should be read-only inside the sandbox.";
|
|
};
|
|
|
|
writablePaths = mkOption {
|
|
type = types.listOf types.path;
|
|
default = [ ];
|
|
description = "List of paths that should be read/write inside the sandbox.";
|
|
};
|
|
|
|
allowSystemPaths = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = "Whether to allow read access to FHS paths like /etc and /var.";
|
|
};
|
|
|
|
allowLocalNetworking = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = "Whether to allow localhost network access inside the sandbox.";
|
|
};
|
|
|
|
allowNetworking = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = "Whether to allow network access inside the sandbox.";
|
|
};
|
|
};
|
|
|
|
config = {
|
|
|
|
allowSystemPaths = mkDefault (config.allowLocalNetworking || config.allowNetworking);
|
|
|
|
profile = mkOrder 0 ''
|
|
(version 1)
|
|
(deny default)
|
|
|
|
(allow file-read*
|
|
(subpath "/usr/lib")
|
|
(subpath "/System/Library/Frameworks")
|
|
(subpath "/System/Library/PrivateFrameworks"))
|
|
|
|
(allow file-read-metadata
|
|
(literal "/dev"))
|
|
(allow file*
|
|
(literal "/dev/null")
|
|
(literal "/dev/random")
|
|
(literal "/dev/stdin")
|
|
(literal "/dev/stdout")
|
|
(literal "/dev/tty")
|
|
(literal "/dev/urandom")
|
|
(literal "/dev/zero")
|
|
(subpath "/dev/fd"))
|
|
|
|
(allow process-fork)
|
|
(allow signal (target same-sandbox))
|
|
(allow file-read* process-exec
|
|
$storePaths)
|
|
|
|
${optionalString (config.readablePaths != []) ''
|
|
(allow file-read*
|
|
${concatMapStrings (x: ''(subpath "${x}")'') config.readablePaths})
|
|
''}
|
|
${optionalString (config.writablePaths != []) ''
|
|
(allow file*
|
|
${concatMapStrings (x: ''(subpath "${x}")'') config.writablePaths})
|
|
''}
|
|
${optionalString config.allowSystemPaths ''
|
|
(allow file-read-metadata
|
|
(literal "/")
|
|
(literal "/etc")
|
|
(literal "/run")
|
|
(literal "/tmp")
|
|
(literal "/var"))
|
|
(allow file-read*
|
|
(literal "/private/etc/group")
|
|
(literal "/private/etc/hosts")
|
|
(literal "/private/etc/passwd")
|
|
(literal "/private/var/run/resolv.conf"))
|
|
''}
|
|
${optionalString config.allowLocalNetworking ''
|
|
(allow network* (local ip) (local tcp) (local udp))
|
|
''}
|
|
${optionalString config.allowNetworking ''
|
|
(allow network*
|
|
(local ip)
|
|
(remote ip))
|
|
(allow network-outbound
|
|
(remote unix-socket (path-literal "/private/var/run/mDNSResponder")))
|
|
''}
|
|
'';
|
|
|
|
};
|
|
};
|
|
in
|
|
|
|
{
|
|
options = {
|
|
security.sandbox.profiles = mkOption {
|
|
type = types.attrsOf (types.submodule profile);
|
|
default = { };
|
|
description = "Definition of sandbox profiles.";
|
|
};
|
|
};
|
|
|
|
config = { };
|
|
}
|