nix: improve common usability

Signed-off-by: Ophestra <cat@gensokyo.uk>
Ophestra 2025-05-16 04:38:08 +09:00
parent 008e9e7fc5
commit 027254b253
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
9 changed files with 104 additions and 24 deletions


@ -146,7 +146,6 @@ in
]
++ optionals app.nix [
(mustBind "/nix/var")
(bind "/var/db/nix-channels")
]
++ optionals isGraphical [
(devBind "/dev/dri")
@ -156,6 +155,7 @@ in
(devBind "/dev/nvidia-uvm-tools")
(devBind "/dev/nvidia0")
]
++ optionals app.useCommonPaths cfg.commonPaths
++ app.extraPaths;
auto_etc = true;
cover = [ "/var/run/nscd" ];
@ -225,13 +225,13 @@ in
# aid 0 is reserved
imap1 (aid: app: {
${getsubname fid aid} = mkMerge [
(cfg.home-manager (getsubname fid aid) (getsubuid fid aid))
cfg.extraHomeConfig
app.extraConfig
{ home.packages = app.packages; }
];
}) cfg.apps
))
{ ${getsubname fid 0} = cfg.home-manager (getsubname fid 0) (getsubuid fid 0); }
{ ${getsubname fid 0} = cfg.extraHomeConfig; }
acc
]
) privPackages cfg.users;
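Review bot: The new `++ optionals app.useCommonPaths cfg.commonPaths` line widens every app's mount set by default, because `useCommonPaths` is declared with `default = true` in the options file of this commit, so an app whose author never looked at `commonPaths` still receives whatever the system configuration puts there, including entries carrying `write = true` or `dev = true`. A comment above the line would make that visible, e.g. `# cfg.commonPaths is bound into every app unless it opts out with useCommonPaths = false`. Whether an entry in `commonPaths` and one in `extraPaths` naming the same destination is deduplicated or mounted twice is not visible here; a comment stating which one wins would help. The list expression and the surrounding module start before and continue past the hunk.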


@ -3,6 +3,38 @@ packages:
let
inherit (lib) types mkOption mkEnableOption;
mountPoint =
let
inherit (types)
str
submodule
nullOr
listOf
;
in
listOf (submodule {
options = {
dst = mkOption {
type = nullOr str;
default = null;
description = ''
Mount point in container, same as src if null.
'';
};
src = mkOption {
type = str;
description = ''
Host filesystem path to make available to the container.
'';
};
write = mkEnableOption "mounting path as writable";
dev = mkEnableOption "use of device files";
require = mkEnableOption "start failure if the bind mount cannot be established for any reason";
};
});
in
{
@ -33,14 +65,10 @@ in
'';
};
home-manager = mkOption {
type =
let
inherit (types) functionTo attrsOf anything;
in
functionTo (functionTo (attrsOf anything));
extraHomeConfig = mkOption {
type = types.anything;
description = ''
Target user shared home-manager configuration.
Extra home-manager configuration to merge with all target users.
'';
};
@ -189,11 +217,15 @@ in
'';
};
useCommonPaths = mkEnableOption "common extra paths" // {
default = true;
};
extraPaths = mkOption {
type = listOf anything;
type = mountPoint;
default = [ ];
description = ''
Extra paths to make available to the sandbox.
Extra paths to make available to the container.
'';
};
@ -242,7 +274,17 @@ in
};
});
default = [ ];
description = "Declarative fortify apps.";
description = ''
Declaratively configured fortify apps.
'';
};
commonPaths = mkOption {
type = mountPoint;
default = [ ];
description = ''
Common extra paths to make available to the container.
'';
};
stateDir = mkOption {
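Review bot: `useCommonPaths = mkEnableOption "common extra paths" // { default = true; }` keeps the generated one-line description, which does not tell a reader that every `commonPaths` entry is bound into the app unless the option is explicitly set to false; a description such as `description = "Whether to bind all of commonPaths into this app; disable for apps that should not share the system-wide extra paths.";` would state the opt-out nature directly. The `mountPoint` submodule's `write` and `dev` flags could likewise say what they grant, e.g. `write = mkEnableOption "mounting path as writable (the container may modify the host directory)";`, so that a reader of a `commonPaths` entry sees its effect without opening the module. Separately, `extraHomeConfig` shows no `default` in this hunk while the NixOS module in this commit merges `cfg.extraHomeConfig` unconditionally; if there is none, `default = { };` avoids an evaluation error for configurations that never set it.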


@ -30,13 +30,9 @@
environment = {
systemPackages = with pkgs; [
# For glinfo and wayland-info:
mesa-demos
wayland-utils
# For D-Bus tests:
libnotify
mako
libnotify
];
variables = {
@ -99,14 +95,21 @@
stateDir = "/var/lib/fortify";
users.alice = 0;
home-manager = _: _: { home.stateVersion = "23.05"; };
extraHomeConfig = {
home.stateVersion = "23.05";
};
apps = [
{
name = "ne-foot";
verbose = true;
share = pkgs.foot;
packages = [ pkgs.foot ];
packages = with pkgs; [
foot
# For wayland-info:
wayland-utils
];
command = "foot";
capability = {
dbus = false;
@ -125,7 +128,13 @@
name = "x11-alacritty";
verbose = true;
share = pkgs.alacritty;
packages = [ pkgs.alacritty ];
packages = with pkgs; [
# For X11 terminal emulator:
alacritty
# For glinfo:
mesa-demos
];
command = "alacritty";
capability = {
wayland = false;
@ -139,7 +148,12 @@
verbose = true;
insecureWayland = true;
share = pkgs.foot;
packages = [ pkgs.foot ];
packages = with pkgs; [
foot
# For wayland-info:
wayland-utils
];
command = "foot";
capability = {
dbus = false;


@ -37,7 +37,12 @@ let
{
name = "check-sandbox-${tc.name}";
verbose = true;
inherit (tc) tty device mapRealUid;
inherit (tc)
tty
device
mapRealUid
useCommonPaths
;
share = testProgram;
packages = [ ];
path = "${testProgram}/bin/fortify-test";


@ -8,6 +8,7 @@
tty = false;
device = true;
mapRealUid = false;
useCommonPaths = true;
want = {
env = [
@ -169,6 +170,7 @@
} null;
} null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
cache = fs "800001ed" { private = fs "800001c0" null null; } null;
} null;
} null;
@ -190,6 +192,7 @@
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
(ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000004,gid=1000004")
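Review bot: The expected `/var/cache` entry asserts mount options `rw,nosuid,nodev,relatime` on `/dev/disk/by-label/nixos`, i.e. a writable bind of a host root-filesystem directory without `noexec`, and with `useCommonPaths = true` that same directory is shared by every app of the configuration that keeps the default; the test pins this without saying it is intended. A comment on the `useCommonPaths = true;` line such as `# shares the writable /var/cache commonPath with the other apps of this configuration` would make the expectation self-explaining. Whether `write = true` is meant to imply the absence of `noexec` is not visible here; if the mount helper can set it, asserting it in `want` would document the choice. The same added expectations appear in the two later test cases that also set `useCommonPaths = true`.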


@ -8,6 +8,7 @@
tty = false;
device = false;
mapRealUid = true;
useCommonPaths = true;
want = {
env = [
@ -193,6 +194,7 @@
} null;
} null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
cache = fs "800001ed" { private = fs "800001c0" null null; } null;
} null;
} null;
@ -218,6 +220,7 @@
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
(ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000003,gid=1000003")


@ -8,6 +8,7 @@
tty = false;
device = false;
mapRealUid = false;
useCommonPaths = false;
want = {
env = [


@ -8,6 +8,7 @@
tty = true;
device = false;
mapRealUid = false;
useCommonPaths = true;
want = {
env = [
@ -194,6 +195,7 @@
} null;
} null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
cache = fs "800001ed" { private = fs "800001c0" null null; } null;
} null;
} null;
@ -220,6 +222,7 @@
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
(ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000002,gid=1000002")


@ -65,7 +65,16 @@ in
stateDir = "/var/lib/fortify";
users.alice = 0;
home-manager = _: _: { home.stateVersion = "23.05"; };
extraHomeConfig = {
home.stateVersion = "23.05";
};
commonPaths = [
{
src = "/var/cache";
write = true;
}
];
apps = with testCases; [
preset