diff --git a/flake.nix b/flake.nix
index 943e1b3..ded5dfd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -46,11 +46,9 @@
 sys = pkgs.stdenv.hostPlatform.system;
 in
 {
- config = {
- imports = [ ./nix/module.nix ];
- wrapperPkg = self.packages.${sys}.yoke-lite;
- environment.systemPackages = [ self.packages.${sys}.yoke ];
- };
+ imports = [ ./nix/module.nix ];
+ security.wrapperPkg = self.packages.${sys}.yoke-lite;
+ environment.systemPackages = [ self.packages.${sys}.yoke ];
 };
 };
 }
diff --git a/nix/module.nix b/nix/module.nix
index 11bfa6f..205367e 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -32,19 +32,35 @@ let
 type = types.bool;
 default = false;
 };
- additionalPaths = mkOption {
+ pathRules = mkOption {
 type = types.listOf types.str;
 default = [ ];
 };
+ tcpRules = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ };
+ unrestrictTcp = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ unrestrictSockets = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ unrestrictSignals = mkOption {
+ type = types.bool;
+ default = false;
+ };
 };
 };
 in
 {
 options = {
- wrappers = mkOption {
+ security.wrappers = mkOption {
 type = types.attrsOf wrapperType;
 };
- wrapperPkg = mkPackageOption "wrapper" { } { nullable = false; };
+ security.wrapperPkg = mkPackageOption "wrapper" { } { nullable = false; };
 };
 config = let
@@ -54,7 +70,8 @@ in
 envs = lib.concatStringsSep " " (
 lib.mapAttrsToList (n: v: "${n}=${lib.concatStringsSep ":" v}") opts.env
 );
- extra = lib.concatStringsSep " " opts.additionalPaths;
+ extraPaths = lib.concatStringsSep " " opts.pathRules;
+ tcpRules = lib.concatStringsSep " " opts.tcpRules;
 sandboxArgs = pkgs.stdenvNoCC.mkDerivation {
 name = "${name}-opts";
 __structuredAttrs = true;
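Review bot: `security.wrappers` is already declared by NixOS's setuid/setcap wrapper module, so if this module is imported into a NixOS configuration (the flake hunk sets `environment.systemPackages`, which suggests it is) redeclaring it here with `mkOption` and an unrelated type will fail evaluation as a duplicate option declaration; a project-specific namespace such as `security.yoke.wrappers` / `security.yoke.wrapperPkg` avoids the clash. The rename of `additionalPaths` to `pathRules` and the move of the two top-level options also break existing configurations without an alias; adding `lib.mkRenamedOptionModule` entries to `imports` would keep them evaluating. None of the new options (`pathRules`, `tcpRules`, `unrestrictTcp`, `unrestrictSockets`, `unrestrictSignals`) carries a `description`, which matters most for the three `unrestrict*` booleans since each one relaxes the sandbox: the description should say what the flag removes and name the wrapper flag it emits (`unrestrictTcp` is passed as `--no-tcp` later in this diff, which reads as the opposite of the option name), and `pathRules`/`tcpRules` should state the expected rule syntax. The `wrapperType` submodule these options belong to starts before this hunk.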
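Review bot: `extraPaths` and `tcpRules` are space-joined strings that the next hunk (`@@ -68,8 +85,9 @@`) splices verbatim into a single-quoted `echo -n ' ... '` in the builder script, so a rule containing a single quote escapes the shell string and a rule containing whitespace is split into several sandbox arguments, with no error at evaluation time. Since the derivation already sets `__structuredAttrs = true` and reads `$NIX_ATTRS_JSON_FILE` with jq for the closure, the two lists could be passed as attributes (`pathRules = opts.pathRules; tcpRules = opts.tcpRules;`) and emitted with the same pipeline, e.g. `jq -r '.tcpRules | select(length > 0) | " --tcp " + join(" ")' < "$NIX_ATTRS_JSON_FILE" | tr -d '\n' >> $out`, which removes both the shell interpolation and the `lib.length ... != 0` guards. Whether a single rule may itself contain whitespace depends on how `--fd-args` parses the argument file, which is not visible here. The `let` block these bindings live in starts before this hunk.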
@@ -68,8 +85,9 @@ in
 echo -n "--fs rx=" > $out
 jq -r '.closure[].path' < "$NIX_ATTRS_JSON_FILE" \
 | tr '\n' ':' | sed 's/:$//' >> $out
- ${if (lib.length opts.additionalPaths != 0) then "echo -n ' ${extra}' >> $out" else ""}
- ${if (strNotEmpty envs) then "echo -n ' --env ${envs}' >> $out" else ""}
+ ${lib.optionalString (lib.length opts.pathRules != 0) "echo -n ' ${extraPaths}' >> $out"}
+ ${lib.optionalString (lib.length opts.tcpRules != 0) "echo -n ' --tcp ${tcpRules}' >> $out"}
+ ${lib.optionalString (strNotEmpty envs) "echo -n ' --env ${envs}' >> $out"}
 '';
 };
 command = lib.getExe' opts.package (
@@ -78,9 +96,12 @@ in
 wrappedArgs = lib.concatStringsSep " " opts.args;
 script = ''
 #! /usr/bin/env bash
- ${lib.getExe' config.wrapperPkg "yoke"} \
- ${if opts.addPwd then "--fs rwx=$PWD" else ""} \
- ${if opts.retainEnv then "--retain-env" else ""} \
+ ${lib.getExe' config.security.wrapperPkg "yoke"} \
+ ${lib.optionalString opts.addPwd "--fs rwx=$PWD"} \
+ ${lib.optionalString opts.retainEnv "--retain-env"} \
+ ${lib.optionalString opts.unrestrictTcp "--no-tcp"} \
+ ${lib.optionalString opts.unrestrictSockets "--sockets"} \
+ ${lib.optionalString opts.unrestrictSignals "--signals"} \
 --fd-args -- \
 ${command} \
 ${wrappedArgs} $@ \
@@ -90,6 +111,6 @@ in
 pkgs.writeScriptBin "${name}" script;
 in
 {
- environment.systemPackages = lib.mapAttrsToList wrap config.wrappers;
+ environment.systemPackages = lib.mapAttrsToList wrap config.security.wrappers;
 };
 }
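Review bot: In the `@@ -78,9 +96,12 @@` hunk the rewritten line `${lib.optionalString opts.addPwd "--fs rwx=$PWD"}` leaves `$PWD` unquoted in the generated bash script, so a working directory containing whitespace or glob characters is word-split and the `--fs` rule the sandbox receives is silently wrong; quote it inside the Nix string, `${lib.optionalString opts.addPwd "--fs \"rwx=$PWD\""} \`, and the pre-existing `$@` on the context line two below has the same problem and would be `"$@"`. The new `${lib.optionalString opts.unrestrictTcp "--no-tcp"}` line maps an option named "unrestrict" onto a flag named "no", which reads as the opposite; a short comment above it, `# unrestrictTcp: drops the sandbox's TCP restriction (wrapper flag is spelled --no-tcp)`, or whatever the flag actually does, would save the next reader a trip to the wrapper's help, and the `--sockets` and `--signals` lines deserve the same one-liner since each widens what the wrapped program may do. The `script` string belongs to the `wrap` function, which starts before this hunk.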