Luke Granger-Brown
57725ef3ec
git-subtree-dir: third_party/nixpkgs git-subtree-split: 76612b17c0ce71689921ca12d9ffdc9c23ce40b2
351 lines
11 KiB
Nix
351 lines
11 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
|
|
inherit (config.security) wrapperDir wrappers;
|
|
|
|
parentWrapperDir = dirOf wrapperDir;
|
|
|
|
# This is security-sensitive code, and glibc vulns happen from time to time.
|
|
# musl is security-focused and generally more minimal, so it's a better choice here.
|
|
# The dynamic linker is still a fairly complex piece of code, and the wrappers are
|
|
# quite small, so linking it statically is more appropriate.
|
|
securityWrapper = sourceProg : pkgs.pkgsStatic.callPackage ./wrapper.nix {
|
|
inherit sourceProg;
|
|
|
|
# glibc definitions of insecure environment variables
|
|
#
|
|
# We extract the single header file we need into its own derivation,
|
|
# so that we don't have to pull full glibc sources to build wrappers.
|
|
#
|
|
# They're taken from pkgs.glibc so that we don't have to keep as close
|
|
# an eye on glibc changes. Not every relevant variable is in this header,
|
|
# so we maintain a slightly stricter list in wrapper.c itself as well.
|
|
unsecvars = lib.overrideDerivation (pkgs.srcOnly pkgs.glibc)
|
|
({ name, ... }: {
|
|
name = "${name}-unsecvars";
|
|
installPhase = ''
|
|
mkdir $out
|
|
cp sysdeps/generic/unsecvars.h $out
|
|
'';
|
|
});
|
|
};
|
|
|
|
fileModeType =
|
|
let
|
|
# taken from the chmod(1) man page
|
|
symbolic = "[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+";
|
|
numeric = "[-+=]?[0-7]{0,4}";
|
|
mode = "((${symbolic})(,${symbolic})*)|(${numeric})";
|
|
in
|
|
lib.types.strMatching mode
|
|
// { description = "file mode string"; };
|
|
|
|
wrapperType = lib.types.submodule ({ name, config, ... }: {
|
|
options.source = lib.mkOption
|
|
{ type = lib.types.path;
|
|
description = "The absolute path to the program to be wrapped.";
|
|
};
|
|
options.program = lib.mkOption
|
|
{ type = with lib.types; nullOr str;
|
|
default = name;
|
|
description = ''
|
|
The name of the wrapper program. Defaults to the attribute name.
|
|
'';
|
|
};
|
|
options.owner = lib.mkOption
|
|
{ type = lib.types.str;
|
|
description = "The owner of the wrapper program.";
|
|
};
|
|
options.group = lib.mkOption
|
|
{ type = lib.types.str;
|
|
description = "The group of the wrapper program.";
|
|
};
|
|
options.permissions = lib.mkOption
|
|
{ type = fileModeType;
|
|
default = "u+rx,g+x,o+x";
|
|
example = "a+rx";
|
|
description = ''
|
|
The permissions of the wrapper program. The format is that of a
|
|
symbolic or numeric file mode understood by {command}`chmod`.
|
|
'';
|
|
};
|
|
options.capabilities = lib.mkOption
|
|
{ type = lib.types.commas;
|
|
default = "";
|
|
description = ''
|
|
A comma-separated list of capability clauses to be given to the
|
|
wrapper program. The format for capability clauses is described in the
|
|
“TEXTUAL REPRESENTATION” section of the {manpage}`cap_from_text(3)`
|
|
manual page. For a list of capabilities supported by the system, check
|
|
the {manpage}`capabilities(7)` manual page.
|
|
|
|
::: {.note}
|
|
`cap_setpcap`, which is required for the wrapper
|
|
program to be able to raise caps into the Ambient set is NOT raised
|
|
to the Ambient set so that the real program cannot modify its own
|
|
capabilities!! This may be too restrictive for cases in which the
|
|
real program needs cap_setpcap but it at least leans on the side
|
|
security paranoid vs. too relaxed.
|
|
:::
|
|
'';
|
|
};
|
|
options.setuid = lib.mkOption
|
|
{ type = lib.types.bool;
|
|
default = false;
|
|
description = "Whether to add the setuid bit the wrapper program.";
|
|
};
|
|
options.setgid = lib.mkOption
|
|
{ type = lib.types.bool;
|
|
default = false;
|
|
description = "Whether to add the setgid bit the wrapper program.";
|
|
};
|
|
});
|
|
|
|
###### Activation script for the setcap wrappers
|
|
mkSetcapProgram =
|
|
{ program
|
|
, capabilities
|
|
, source
|
|
, owner
|
|
, group
|
|
, permissions
|
|
, ...
|
|
}:
|
|
''
|
|
cp ${securityWrapper source}/bin/security-wrapper "$wrapperDir/${program}"
|
|
|
|
# Prevent races
|
|
chmod 0000 "$wrapperDir/${program}"
|
|
chown ${owner}:${group} "$wrapperDir/${program}"
|
|
|
|
# Set desired capabilities on the file plus cap_setpcap so
|
|
# the wrapper program can elevate the capabilities set on
|
|
# its file into the Ambient set.
|
|
${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" "$wrapperDir/${program}"
|
|
|
|
# Set the executable bit
|
|
chmod ${permissions} "$wrapperDir/${program}"
|
|
'';
|
|
|
|
###### Activation script for the setuid wrappers
|
|
mkSetuidProgram =
|
|
{ program
|
|
, source
|
|
, owner
|
|
, group
|
|
, setuid
|
|
, setgid
|
|
, permissions
|
|
, ...
|
|
}:
|
|
''
|
|
cp ${securityWrapper source}/bin/security-wrapper "$wrapperDir/${program}"
|
|
|
|
# Prevent races
|
|
chmod 0000 "$wrapperDir/${program}"
|
|
chown ${owner}:${group} "$wrapperDir/${program}"
|
|
|
|
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" "$wrapperDir/${program}"
|
|
'';
|
|
|
|
mkWrappedPrograms =
|
|
builtins.map
|
|
(opts:
|
|
if opts.capabilities != ""
|
|
then mkSetcapProgram opts
|
|
else mkSetuidProgram opts
|
|
) (lib.attrValues wrappers);
|
|
in
|
|
{
|
|
imports = [
|
|
(lib.mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
|
|
(lib.mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
|
|
];
|
|
|
|
###### interface
|
|
|
|
options = {
|
|
security.enableWrappers = lib.mkEnableOption "SUID/SGID wrappers" // {
|
|
default = true;
|
|
};
|
|
|
|
security.wrappers = lib.mkOption {
|
|
type = lib.types.attrsOf wrapperType;
|
|
default = {};
|
|
example = lib.literalExpression
|
|
''
|
|
{
|
|
# a setuid root program
|
|
doas =
|
|
{ setuid = true;
|
|
owner = "root";
|
|
group = "root";
|
|
source = "''${pkgs.doas}/bin/doas";
|
|
};
|
|
|
|
# a setgid program
|
|
locate =
|
|
{ setgid = true;
|
|
owner = "root";
|
|
group = "mlocate";
|
|
source = "''${pkgs.locate}/bin/locate";
|
|
};
|
|
|
|
# a program with the CAP_NET_RAW capability
|
|
ping =
|
|
{ owner = "root";
|
|
group = "root";
|
|
capabilities = "cap_net_raw+ep";
|
|
source = "''${pkgs.iputils.out}/bin/ping";
|
|
};
|
|
}
|
|
'';
|
|
description = ''
|
|
This option effectively allows adding setuid/setgid bits, capabilities,
|
|
changing file ownership and permissions of a program without directly
|
|
modifying it. This works by creating a wrapper program under the
|
|
{option}`security.wrapperDir` directory, which is then added to
|
|
the shell `PATH`.
|
|
'';
|
|
};
|
|
|
|
security.wrapperDirSize = lib.mkOption {
|
|
default = "50%";
|
|
example = "10G";
|
|
type = lib.types.str;
|
|
description = ''
|
|
Size limit for the /run/wrappers tmpfs. Look at mount(8), tmpfs size option,
|
|
for the accepted syntax. WARNING: don't set to less than 64MB.
|
|
'';
|
|
};
|
|
|
|
security.wrapperDir = lib.mkOption {
|
|
type = lib.types.path;
|
|
default = "/run/wrappers/bin";
|
|
internal = true;
|
|
description = ''
|
|
This option defines the path to the wrapper programs. It
|
|
should not be overridden.
|
|
'';
|
|
};
|
|
};
|
|
|
|
###### implementation
|
|
config = lib.mkIf config.security.enableWrappers {
|
|
|
|
assertions = lib.mapAttrsToList
|
|
(name: opts:
|
|
{ assertion = opts.setuid || opts.setgid -> opts.capabilities == "";
|
|
message = ''
|
|
The security.wrappers.${name} wrapper is not valid:
|
|
setuid/setgid and capabilities are mutually exclusive.
|
|
'';
|
|
}
|
|
) wrappers;
|
|
|
|
security.wrappers =
|
|
let
|
|
mkSetuidRoot = source:
|
|
{ setuid = true;
|
|
owner = "root";
|
|
group = "root";
|
|
inherit source;
|
|
};
|
|
in
|
|
{ # These are mount related wrappers that require the +s permission.
|
|
fusermount = mkSetuidRoot "${lib.getBin pkgs.fuse}/bin/fusermount";
|
|
fusermount3 = mkSetuidRoot "${lib.getBin pkgs.fuse3}/bin/fusermount3";
|
|
mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
|
|
umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
|
|
};
|
|
|
|
# Make sure our wrapperDir exports to the PATH env variable when
|
|
# initializing the shell
|
|
environment.extraInit = ''
|
|
# Wrappers override other bin directories.
|
|
export PATH="${wrapperDir}:$PATH"
|
|
'';
|
|
|
|
security.apparmor.includes = lib.mapAttrs' (wrapName: wrap: lib.nameValuePair
|
|
"nixos/security.wrappers/${wrapName}" ''
|
|
include "${pkgs.apparmorRulesFromClosure { name="security.wrappers.${wrapName}"; } [
|
|
(securityWrapper wrap.source)
|
|
]}"
|
|
mrpx ${wrap.source},
|
|
'') wrappers;
|
|
|
|
systemd.mounts = [{
|
|
where = parentWrapperDir;
|
|
what = "tmpfs";
|
|
type = "tmpfs";
|
|
options = lib.concatStringsSep "," ([
|
|
"nodev"
|
|
"mode=755"
|
|
"size=${config.security.wrapperDirSize}"
|
|
]);
|
|
}];
|
|
|
|
systemd.services.suid-sgid-wrappers = {
|
|
description = "Create SUID/SGID Wrappers";
|
|
wantedBy = [ "sysinit.target" ];
|
|
before = [ "sysinit.target" "shutdown.target" ];
|
|
conflicts = [ "shutdown.target" ];
|
|
after = [ "systemd-sysusers.service" ];
|
|
unitConfig.DefaultDependencies = false;
|
|
unitConfig.RequiresMountsFor = [ "/nix/store" "/run/wrappers" ];
|
|
serviceConfig.Type = "oneshot";
|
|
script = ''
|
|
chmod 755 "${parentWrapperDir}"
|
|
|
|
# We want to place the tmpdirs for the wrappers to the parent dir.
|
|
wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
|
|
chmod a+rx "$wrapperDir"
|
|
|
|
${lib.concatStringsSep "\n" mkWrappedPrograms}
|
|
|
|
if [ -L ${wrapperDir} ]; then
|
|
# Atomically replace the symlink
|
|
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
|
|
old=$(readlink -f ${wrapperDir})
|
|
if [ -e "${wrapperDir}-tmp" ]; then
|
|
rm --force --recursive "${wrapperDir}-tmp"
|
|
fi
|
|
ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp"
|
|
mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}"
|
|
rm --force --recursive "$old"
|
|
else
|
|
# For initial setup
|
|
ln --symbolic "$wrapperDir" "${wrapperDir}"
|
|
fi
|
|
'';
|
|
};
|
|
|
|
###### wrappers consistency checks
|
|
system.checks = lib.singleton (pkgs.runCommandLocal
|
|
"ensure-all-wrappers-paths-exist" { }
|
|
''
|
|
# make sure we produce output
|
|
mkdir -p $out
|
|
|
|
echo -n "Checking that Nix store paths of all wrapped programs exist... "
|
|
|
|
declare -A wrappers
|
|
${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v:
|
|
"wrappers['${n}']='${v.source}'") wrappers)}
|
|
|
|
for name in "''${!wrappers[@]}"; do
|
|
path="''${wrappers[$name]}"
|
|
if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then
|
|
test -t 1 && echo -ne '\033[1;31m'
|
|
echo "FAIL"
|
|
echo "The path $path does not exist!"
|
|
echo 'Please, check the value of `security.wrappers."'$name'".source`.'
|
|
test -t 1 && echo -ne '\033[0m'
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
echo "OK"
|
|
'');
|
|
};
|
|
}
|