Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

nixos/captive-browser: drop setcap wrapper for captive-browser

Since Linux 5.7 it's possible to set `SO_BINDTODEVICE` via `setsockopt(2)`
as an unprivileged user if this operation doesn't imply escaping a VRF
interface[1].

Dropping the wrapper is actually desirable because `captive-browser`
itself doesn't drop capabilities and as a result, the capabilities are
passed on to `chromium` itself[2].

For older kernels, this is still necessary, hence the wrapper will only
be added nowadays if the kernel is older than 5.7.

[1] https://github.com/torvalds/linux/commit/c427bfec18f2190b8f4718785ee8ed2db4f84ee6
[2] https://github.com/FiloSottile/captive-browser/blob/08450562e58bf9564ee98ad64ef7b2800e53338f/bind_device_linux.go#L11-L14
and because our setcap wrapper makes all capabilities
inheritable.

+18 -14
nixos/modules/programs/captive-browser.nix
··· 7 7 concatStringsSep escapeShellArgs optionalString 8 8 literalExpression mkEnableOption mkIf mkOption mkOptionDefault types; 9 9 10 + requiresSetcapWrapper = config.boot.kernelPackages.kernelOlder "5.7" && cfg.bindInterface; 11 + 10 12 browserDefault = chromium: concatStringsSep " " [ 11 13 ''env XDG_CONFIG_HOME="$PREV_CONFIG_HOME"'' 12 14 ''${chromium}/bin/chromium'' ··· 23 25 desktopItem = pkgs.makeDesktopItem { 24 26 name = "captive-browser"; 25 27 desktopName = "Captive Portal Browser"; 26 - exec = "/run/wrappers/bin/captive-browser"; 28 + exec = "captive-browser"; 27 29 icon = "nix-snowflake"; 28 30 categories = [ "Network" ]; 29 31 }; 30 32 33 + captive-browser-configured = pkgs.writeShellScriptBin "captive-browser" '' 34 + export PREV_CONFIG_HOME="$XDG_CONFIG_HOME" 35 + export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" '' 36 + browser = """${cfg.browser}""" 37 + dhcp-dns = """${cfg.dhcp-dns}""" 38 + socks5-addr = """${cfg.socks5-addr}""" 39 + ${optionalString cfg.bindInterface '' 40 + bind-device = """${cfg.interface}""" 41 + ''} 42 + ''} 43 + exec ${cfg.package}/bin/captive-browser 44 + ''; 31 45 in 32 46 { 33 47 ###### interface ··· 101 115 (pkgs.runCommand "captive-browser-desktop-item" { } '' 102 116 install -Dm444 -t $out/share/applications ${desktopItem}/share/applications/*.desktop 103 117 '') 118 + captive-browser-configured 104 119 ]; 105 120 106 121 programs.captive-browser.dhcp-dns = ··· 131 146 source = "${pkgs.busybox}/bin/udhcpc"; 132 147 }; 133 148 134 - security.wrappers.captive-browser = { 149 + security.wrappers.captive-browser = mkIf requiresSetcapWrapper { 135 150 owner = "root"; 136 151 group = "root"; 137 152 capabilities = "cap_net_raw+p"; 138 - source = pkgs.writeShellScript "captive-browser" '' 139 - export PREV_CONFIG_HOME="$XDG_CONFIG_HOME" 140 - export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" '' 141 - browser = """${cfg.browser}""" 142 - dhcp-dns = """${cfg.dhcp-dns}""" 143 - socks5-addr = 
"""${cfg.socks5-addr}""" 144 - ${optionalString cfg.bindInterface '' 145 - bind-device = """${cfg.interface}""" 146 - ''} 147 - ''} 148 - exec ${cfg.package}/bin/captive-browser 149 - ''; 153 + source = "${captive-browser-configured}/bin/captive-browser"; 150 154 }; 151 155 }; 152 156 }