security/fortify
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 36 Wiki Activity

nix: improve common usability
Some checks failed
Test / Fpkg (push) Failing after 16s
Details
Test / Create distribution (push) Successful in 28s
Details
Test / Flake checks (push) Has been cancelled
Details
Test / Fortify (push) Has been cancelled
Details
Test / Fortify (race detector) (push) Has been cancelled
Details
Test / Sandbox (race detector) (push) Has been cancelled
Details
Test / Sandbox (push) Has been cancelled
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-05-16 04:38:08 +09:00
parent 008e9e7fc5
commit 027254b253
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
9 changed files with 104 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
nixos.nix
View File

@ -146,7 +146,6 @@ in
] ]
++ optionals app.nix [ ++ optionals app.nix [
(mustBind "/nix/var") (mustBind "/nix/var")
(bind "/var/db/nix-channels")
] ]
++ optionals isGraphical [ ++ optionals isGraphical [
(devBind "/dev/dri") (devBind "/dev/dri")
@ -156,6 +155,7 @@ in
(devBind "/dev/nvidia-uvm-tools") (devBind "/dev/nvidia-uvm-tools")
(devBind "/dev/nvidia0") (devBind "/dev/nvidia0")
] ]
++ optionals app.useCommonPaths cfg.commonPaths
++ app.extraPaths; ++ app.extraPaths;
auto_etc = true; auto_etc = true;
cover = [ "/var/run/nscd" ]; cover = [ "/var/run/nscd" ];
@ -225,13 +225,13 @@ in
# aid 0 is reserved # aid 0 is reserved
imap1 (aid: app: { imap1 (aid: app: {
${getsubname fid aid} = mkMerge [ ${getsubname fid aid} = mkMerge [
(cfg.home-manager (getsubname fid aid) (getsubuid fid aid)) cfg.extraHomeConfig
app.extraConfig app.extraConfig
{ home.packages = app.packages; } { home.packages = app.packages; }
]; ];
}) cfg.apps }) cfg.apps
)) ))
{ ${getsubname fid 0} = cfg.home-manager (getsubname fid 0) (getsubuid fid 0); } { ${getsubname fid 0} = cfg.extraHomeConfig; }
acc acc
] ]
) privPackages cfg.users; ) privPackages cfg.users;

62
options.nix
View File

@ -3,6 +3,38 @@ packages:
let let
inherit (lib) types mkOption mkEnableOption; inherit (lib) types mkOption mkEnableOption;
mountPoint =
let
inherit (types)
str
submodule
nullOr
listOf
;
in
listOf (submodule {
options = {
dst = mkOption {
type = nullOr str;
default = null;
description = ''
Mount point in container, same as src if null.
'';
};
src = mkOption {
type = str;
description = ''
Host filesystem path to make available to the container.
'';
};
write = mkEnableOption "mounting path as writable";
dev = mkEnableOption "use of device files";
require = mkEnableOption "start failure if the bind mount cannot be established for any reason";
};
});
in in
{ {
@ -33,14 +65,10 @@ in
''; '';
}; };
home-manager = mkOption { extraHomeConfig = mkOption {
type = type = types.anything;
let
inherit (types) functionTo attrsOf anything;
in
functionTo (functionTo (attrsOf anything));
description = '' description = ''
Target user shared home-manager configuration. Extra home-manager configuration to merge with all target users.
''; '';
}; };
@ -189,11 +217,15 @@ in
''; '';
}; };
useCommonPaths = mkEnableOption "common extra paths" // {
default = true;
};
extraPaths = mkOption { extraPaths = mkOption {
type = listOf anything; type = mountPoint;
default = [ ]; default = [ ];
description = '' description = ''
Extra paths to make available to the sandbox. Extra paths to make available to the container.
''; '';
}; };
@ -242,7 +274,17 @@ in
}; };
}); });
default = [ ]; default = [ ];
description = "Declarative fortify apps."; description = ''
Declaratively configured fortify apps.
'';
};
commonPaths = mkOption {
type = mountPoint;
default = [ ];
description = ''
Common extra paths to make available to the container.
'';
}; };
stateDir = mkOption { stateDir = mkOption {

32
test/configuration.nix
View File

@ -30,13 +30,9 @@
environment = { environment = {
systemPackages = with pkgs; [ systemPackages = with pkgs; [
# For glinfo and wayland-info:
mesa-demos
wayland-utils
# For D-Bus tests: # For D-Bus tests:
libnotify
mako mako
libnotify
]; ];
variables = { variables = {
@ -99,14 +95,21 @@
stateDir = "/var/lib/fortify"; stateDir = "/var/lib/fortify";
users.alice = 0; users.alice = 0;
home-manager = _: _: { home.stateVersion = "23.05"; }; extraHomeConfig = {
home.stateVersion = "23.05";
};
apps = [ apps = [
{ {
name = "ne-foot"; name = "ne-foot";
verbose = true; verbose = true;
share = pkgs.foot; share = pkgs.foot;
packages = [ pkgs.foot ]; packages = with pkgs; [
foot
# For wayland-info:
wayland-utils
];
command = "foot"; command = "foot";
capability = { capability = {
dbus = false; dbus = false;
@ -125,7 +128,13 @@
name = "x11-alacritty"; name = "x11-alacritty";
verbose = true; verbose = true;
share = pkgs.alacritty; share = pkgs.alacritty;
packages = [ pkgs.alacritty ]; packages = with pkgs; [
# For X11 terminal emulator:
alacritty
# For glinfo:
mesa-demos
];
command = "alacritty"; command = "alacritty";
capability = { capability = {
wayland = false; wayland = false;
@ -139,7 +148,12 @@
verbose = true; verbose = true;
insecureWayland = true; insecureWayland = true;
share = pkgs.foot; share = pkgs.foot;
packages = [ pkgs.foot ]; packages = with pkgs; [
foot
# For wayland-info:
wayland-utils
];
command = "foot"; command = "foot";
capability = { capability = {
dbus = false; dbus = false;

7
test/sandbox/case/default.nix
View File

@ -37,7 +37,12 @@ let
{ {
name = "check-sandbox-${tc.name}"; name = "check-sandbox-${tc.name}";
verbose = true; verbose = true;
inherit (tc) tty device mapRealUid; inherit (tc)
tty
device
mapRealUid
useCommonPaths
;
share = testProgram; share = testProgram;
packages = [ ]; packages = [ ];
path = "${testProgram}/bin/fortify-test"; path = "${testProgram}/bin/fortify-test";

3
test/sandbox/case/device.nix
View File

@ -8,6 +8,7 @@
tty = false; tty = false;
device = true; device = true;
mapRealUid = false; mapRealUid = false;
useCommonPaths = true;
want = { want = {
env = [ env = [
@ -169,6 +170,7 @@
} null; } null;
} null; } null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null; run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
cache = fs "800001ed" { private = fs "800001c0" null null; } null;
} null; } null;
} null; } null;
@ -190,6 +192,7 @@
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore) (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004") (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000004,gid=1000004")
(ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000004,gid=1000004") (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000004,gid=1000004")

3
test/sandbox/case/mapuid.nix
View File

@ -8,6 +8,7 @@
tty = false; tty = false;
device = false; device = false;
mapRealUid = true; mapRealUid = true;
useCommonPaths = true;
want = { want = {
env = [ env = [
@ -193,6 +194,7 @@
} null; } null;
} null; } null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null; run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
cache = fs "800001ed" { private = fs "800001c0" null null; } null;
} null; } null;
} null; } null;
@ -218,6 +220,7 @@
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore) (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003") (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000003,gid=1000003")
(ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000003,gid=1000003") (ent "/" "/run/user/1000" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000003,gid=1000003")

1
test/sandbox/case/preset.nix
View File

@ -8,6 +8,7 @@
tty = false; tty = false;
device = false; device = false;
mapRealUid = false; mapRealUid = false;
useCommonPaths = false;
want = { want = {
env = [ env = [

3
test/sandbox/case/tty.nix
View File

@ -8,6 +8,7 @@
tty = true; tty = true;
device = false; device = false;
mapRealUid = false; mapRealUid = false;
useCommonPaths = true;
want = { want = {
env = [ env = [
@ -194,6 +195,7 @@
} null; } null;
} null; } null;
run = fs "800001ed" { nscd = fs "800001ed" { } null; } null; run = fs "800001ed" { nscd = fs "800001ed" { } null; } null;
cache = fs "800001ed" { private = fs "800001c0" null null; } null;
} null; } null;
} null; } null;
@ -220,6 +222,7 @@
(ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/dev" "/sys/dev" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw") (ent "/devices" "/sys/devices" "ro,nosuid,nodev,noexec,relatime" "sysfs" "sysfs" "rw")
(ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore) (ent "/dri" "/dev/dri" "rw,nosuid" "devtmpfs" "devtmpfs" ignore)
(ent "/var/cache" "/var/cache" "rw,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw") (ent "/etc" ignore "ro,nosuid,nodev,relatime" "ext4" "/dev/disk/by-label/nixos" "rw")
(ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002") (ent "/" "/run/user" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=4k,mode=755,uid=1000002,gid=1000002")
(ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000002,gid=1000002") (ent "/" "/run/user/65534" "rw,nosuid,nodev,relatime" "tmpfs" "tmpfs" "rw,size=8192k,mode=700,uid=1000002,gid=1000002")

11
test/sandbox/configuration.nix
View File

@ -65,7 +65,16 @@ in
stateDir = "/var/lib/fortify"; stateDir = "/var/lib/fortify";
users.alice = 0; users.alice = 0;
home-manager = _: _: { home.stateVersion = "23.05"; }; extraHomeConfig = {
home.stateVersion = "23.05";
};
commonPaths = [
{
src = "/var/cache";
write = true;
}
];
apps = with testCases; [ apps = with testCases; [
preset preset