
nixos/wrappers: add per-wrapper enable option

While it is possible to globally enable or disable security wrappers, it
isn't possible to disable only a subset of them. Consequently, users
will have to overwrite the security wrappers completely and re-add the
desired subset in case they want to disable a subset of those set up by
the NixOS modules.

Address this use case by adding a new per-wrapper enable option.
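The two approaches the commit message contrasts, shown as a NixOS configuration fragment. This is an added example, not code from the commit or from nixpkgs; the wrapper name `ping` is an assumption (the test in this commit exercises `ping`, but whether a module in your configuration defines that wrapper is not established by this page):

```nix
# Added example, not part of the commit. Assumes a module-provided wrapper
# named "ping" exists in config.security.wrappers (assumption).
{ config, lib, pkgs, ... }:
{
  # Before this change: security.wrappers could only be enabled or disabled as
  # a whole, so dropping one entry meant forcing the entire set and re-declaring
  # every wrapper you still wanted to keep.
  #
  # security.wrappers = lib.mkForce {
  #   sudo = { owner = "root"; group = "root"; setuid = true;
  #            source = "${pkgs.sudo}/bin/sudo"; };
  #   # ... every other wrapper must be repeated here ...
  # };

  # With the per-wrapper option this commit adds: keep the module-provided
  # definitions and switch off only the entry you do not want. The filtered
  # set in the module then simply omits it when populating security.wrapperDir.
  security.wrappers.ping.enable = false;
}
```

After `nixos-rebuild switch`, the disabled wrapper should be absent from the wrapper directory (`test ! -e /run/wrappers/bin/ping`), which is the same check the commit's test performs for its `disabled_busybox` entry, while every other module-provided wrapper stays in place untouched.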

+19 -1
+8 -1
nixos/modules/security/wrappers/default.nix
··· 1 1 { config, lib, pkgs, ... }: 2 2 let 3 3 4 - inherit (config.security) wrapperDir wrappers; 4 + inherit (config.security) wrapperDir; 5 + 6 + wrappers = lib.filterAttrs (name: value: value.enable) config.security.wrappers; 5 7 6 8 parentWrapperDir = dirOf wrapperDir; 7 9 ··· 41 43 // { description = "file mode string"; }; 42 44 43 45 wrapperType = lib.types.submodule ({ name, config, ... }: { 46 + options.enable = lib.mkOption 47 + { type = lib.types.bool; 48 + default = true; 49 + description = "Whether to enable the wrapper."; 50 + }; 44 51 options.source = lib.mkOption 45 52 { type = lib.types.path; 46 53 description = "The absolute path to the program to be wrapped.";
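Review bot: the filtered `wrappers` binding introduced on added line 6 only takes effect for consumers inside this `let`; any code that still reads `config.security.wrappers` directly (elsewhere in this module, or in other modules that inspect the wrapper set, such as whatever generates the apparmor policy the test comments refer to) will continue to see entries with `enable = false`. Please grep for remaining `config.security.wrappers` references and route them through the filtered set, or apply the same `lib.filterAttrs` at each consumption point, so a disabled wrapper is invisible everywhere and not just absent from `wrapperDir`. Two minor points: the `name` argument of the `filterAttrs` lambda is unused (`_: value: value.enable`), and the `enable` option's description could say what disabling actually does, e.g. "Whether to enable the wrapper. When false, no wrapper is created in security.wrapperDir for this entry." so users do not have to read the module to find out.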
+11
nixos/tests/wrappers.nix
··· 29 29 security.apparmor.enable = true; 30 30 31 31 security.wrappers = { 32 + disabled = { 33 + enable = false; 34 + owner = "root"; 35 + group = "root"; 36 + setuid = true; 37 + source = "${busybox pkgs}/bin/busybox"; 38 + program = "disabled_busybox"; 39 + }; 32 40 suidRoot = { 33 41 owner = "root"; 34 42 group = "root"; ··· 112 120 # actually makes the apparmor policy for ping, but there's no convenient 113 121 # test for that one. 114 122 machine.succeed("ping -c 1 127.0.0.1") 123 + 124 + # Test that the disabled wrapper is not present. 125 + machine.fail("test -e /run/wrappers/bin/disabled_busybox") 115 126 ''; 116 127 } 117 128 )
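Review bot: the negative assertion at added line 125 (`machine.fail("test -e /run/wrappers/bin/disabled_busybox")`) also passes when wrapper setup failed entirely and `/run/wrappers/bin` was never populated, so on its own it cannot distinguish "disabled wrapper omitted" from "no wrappers at all". Pair it with a positive check immediately before it, e.g. `machine.succeed("test -d /run/wrappers/bin")` or a `test -e` on one of the enabled wrappers declared in this same attrset (the `suidRoot` entry is right next to it), so the test proves the directory exists and only the disabled entry is missing. Also, since the `disabled` entry is declared `setuid = true` with `owner = "root"`, it is exactly the kind of wrapper a user would want to be sure is gone; an additional `machine.fail("find /run/wrappers -name disabled_busybox | grep .")` would confirm nothing was written anywhere under the wrapper tree. Style-wise, placing the `disabled` case after the positive cases rather than ahead of `suidRoot` would read more naturally.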