
nixos/captive-browser: drop setcap wrapper for captive-browser

Since Linux 5.7 it's possible to set `SO_BINDTODEVICE` via `setsockopt(2)`
as unprivileged user if this operation doesn't imply escaping a VRF
interface[1].

Dropping the wrapper is actually desirable because `captive-browser`
itself doesn't drop capabilities and as a result, the capabilities are
passed on to `chromium` itself[2].

For older kernels, the wrapper is still necessary, hence it is now only
added if the kernel is older than 5.7.

[1] https://github.com/torvalds/linux/commit/c427bfec18f2190b8f4718785ee8ed2db4f84ee6
[2] https://github.com/FiloSottile/captive-browser/blob/08450562e58bf9564ee98ad64ef7b2800e53338f/bind_device_linux.go#L11-L14
and because our setcap wrapper makes all capabilities
inheritable.

+18 -14
+18 -14
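--- a/nixos/modules/programs/captive-browser.nix
+++ b/nixos/modules/programs/captive-browser.nix
@@ -7,6 +7,8 @@
 concatStringsSep escapeShellArgs optionalString
 literalExpression mkEnableOption mkIf mkOption mkOptionDefault types;
 
+requiresSetcapWrapper = config.boot.kernelPackages.kernelOlder "5.7" && cfg.bindInterface;
+
 browserDefault = chromium: concatStringsSep " " [
 ''env XDG_CONFIG_HOME="$PREV_CONFIG_HOME"''
 ''${chromium}/bin/chromium''
@@ -23,11 +25,23 @@
 desktopItem = pkgs.makeDesktopItem {
 name = "captive-browser";
 desktopName = "Captive Portal Browser";
-exec = "/run/wrappers/bin/captive-browser";
+exec = "captive-browser";
 icon = "nix-snowflake";
 categories = [ "Network" ];
 };
 
+captive-browser-configured = pkgs.writeShellScriptBin "captive-browser" ''
+export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"
+export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" ''
+browser = """${cfg.browser}"""
+dhcp-dns = """${cfg.dhcp-dns}"""
+socks5-addr = """${cfg.socks5-addr}"""
+${optionalString cfg.bindInterface ''
+bind-device = """${cfg.interface}"""
+''}
+''}
+exec ${cfg.package}/bin/captive-browser
+'';
 in
 {
 ###### interface
@@ -101,6 +115,7 @@
 (pkgs.runCommand "captive-browser-desktop-item" { } ''
 install -Dm444 -t $out/share/applications ${desktopItem}/share/applications/*.desktop
 '')
+captive-browser-configured
 ];
 
 programs.captive-browser.dhcp-dns =
@@ -131,22 +146,11 @@
 source = "${pkgs.busybox}/bin/udhcpc";
 };
 
-security.wrappers.captive-browser = {
+security.wrappers.captive-browser = mkIf requiresSetcapWrapper {
 owner = "root";
 group = "root";
 capabilities = "cap_net_raw+p";
-source = pkgs.writeShellScript "captive-browser" ''
-export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"
-export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" ''
-browser = """${cfg.browser}"""
-dhcp-dns = """${cfg.dhcp-dns}"""
-socks5-addr = """${cfg.socks5-addr}"""
-${optionalString cfg.bindInterface ''
-bind-device = """${cfg.interface}"""
-''}
-''}
-exec ${cfg.package}/bin/captive-browser
-'';
+source = "${captive-browser-configured}/bin/captive-browser";
 };
 };
 }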
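Review bot: `requiresSetcapWrapper` carries the whole security rationale of this change but has no comment; I would add above it `# Linux >= 5.7 permits unprivileged SO_BINDTODEVICE; only older kernels still need cap_net_raw, which captive-browser does not drop before starting the browser.` On kernels older than 5.7 the wrapper is still installed with `cap_net_raw+p`, so the browser process presumably still inherits that capability there, and this residual exposure is worth stating in the module's option documentation. The desktop entry's `exec = "captive-browser"` now resolves through PATH, and in the wrapper case both `/run/wrappers/bin` and the system profile provide that name, so which copy is launched appears to depend on PATH order; please confirm the wrapper directory takes precedence in desktop sessions. The check also reads the configured `boot.kernelPackages` rather than the running kernel, which may differ where the host kernel is not managed by this configuration (containers, for example). The module body continues outside the shown hunks.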