More fixes and improvements

nixos/doc/manual/release-notes/rl-1609.xml

@@ -202,7 +202,7 @@ following incompatible changes:</para>
 
   <listitem>
     <para>The directory container setuid wrapper programs,
-    <filename>/var/setuid-wrappers</filename>, <link
+    <filename>/var/permissions-wrappers</filename>, <link
     xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
     updated atomically to prevent failures if the switch to a new
     configuration is interrupted.</link></para>

nixos/modules/installer/tools/nixos-install.sh

@@ -260,7 +260,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
 
 
 # Ask the user to set a root password.
-if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/setuid-wrappers/passwd ] && [ -t 0 ]; then
+if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/permissions-wrappers/passwd ] && [ -t 0 ]; then
     echo "setting root password..."
     chroot $mountPoint /var/permissions-wrappers/passwd
 fi

nixos/modules/security/permissions-wrappers/default.nix

@@ -154,6 +154,10 @@ in
     export PATH="${config.security.permissionsWrapperDir}:$PATH"
     '';
 
+    system.activationScripts.wrapper-dir = ''
+      mkdir -p "${config.security.permissionsWrapperDir}"
+    '';
+
     ###### setcap activation script
     system.activationScripts.setcap =
       lib.stringAfter [ "users" ]

nixos/modules/security/permissions-wrappers/setcap-wrapper-drv.nix

@@ -5,17 +5,17 @@ let
 
      # Produce a shell-code splice intended to be stitched into one of
      # the build or install phases within the derivation.
-     mkSetcapWrapper = { program, source ? null, ...}:
-       ''
-         if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
-             # If we can't find the program, fall back to the
-             # system profile.
-             source=/nix/var/nix/profiles/default/bin/${program}
-         fi
+     mkSetcapWrapper = { program, source ? null, ...}: ''
+       if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
+         # If we can't find the program, fall back to the
+         # system profile.
+         source=/nix/var/nix/profiles/default/bin/${program}
+       fi
 
-         gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
-             -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper
-       '';
+       gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
+           -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
+           -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
+     '';
 in
 
 # This is only useful for Linux platforms and a kernel version of
@@ -26,7 +26,7 @@ assert lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.
 pkgs.stdenv.mkDerivation {
   name         = "setcap-wrapper";
   unpackPhase  = "true";
-  buildInputs  = [ pkgs.linuxHeaders pkgs.libcap pkgs.libcap_ng ];
+  buildInputs  = [ pkgs.linuxHeaders ];
   installPhase = ''
     mkdir -p $out/bin
 

nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix

@@ -13,8 +13,9 @@ let
              source=/nix/var/nix/profiles/default/bin/${program}
          fi
 
-         gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
-             -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper
+         gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.permissionsWrapperDir}\" \
+             -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
+             -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
        '';
 in
 

nixos/modules/services/networking/smokeping.nix

@@ -219,14 +219,14 @@ in
         type = types.string;
         default = ''
           + FPing
-          binary = ${config.security.wrapperDir}/fping
+          binary = ${config.security.permissionsWrapperDir}/fping
         '';
         description = "Probe configuration";
       };
       sendmail = mkOption {
         type = types.nullOr types.path;
         default = null;
-        example = "/var/setuid-wrappers/sendmail";
+        example = "/var/permissions-wrappers/sendmail";
         description = "Use this sendmail compatible script to deliver alerts";
       };
       smokeMailTemplate = mkOption {
@@ -273,7 +273,14 @@ in
         message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";
       }
     ];
-    security.setuidPrograms = [ "fping" ];
+    security.permissionsWrappers.setuid = [
+      { program = "fping";
+        source  = "${e.enlightenment.out}/bin/fping";
+        owner   = "root";
+        group   = "root";
+        setuid  = true;
+      }
+    ];
     environment.systemPackages = [ pkgs.fping ];
     users.extraUsers = singleton {
       name = cfg.user;

nixos/tests/smokeping.nix

@@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : {
           mailHost = "127.0.0.2";
           probeConfig = ''
             + FPing
-            binary = /var/setuid-wrappers/fping
+            binary = /var/permissions-wrappers/fping
             offset = 0%
           '';
         };

pkgs/applications/networking/browsers/chromium/default.nix

@@ -83,9 +83,9 @@ in stdenv.mkDerivation {
     ed -v -s "$out/bin/chromium" << EOF
     2i
 
-    if [ -x "/var/setuid-wrappers/${sandboxExecutableName}" ]
+    if [ -x "/var/permissions-wrappers/${sandboxExecutableName}" ]
     then
-      export CHROME_DEVEL_SANDBOX="/var/setuid-wrappers/${sandboxExecutableName}"
+      export CHROME_DEVEL_SANDBOX="/var/permissions-wrappers/${sandboxExecutableName}"
     else
       export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}"
     fi

pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch

@@ -7,7 +7,7 @@ Index: kinit-5.24.0/src/start_kdeinit/start_kdeinit_wrapper.c
  #include <unistd.h>
  
 -#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit"
-+#define EXECUTE "/var/setuid-wrappers/start_kdeinit"
++#define EXECUTE "/var/permissions-wrappers/start_kdeinit"
  
  #if KDEINIT_OOM_PROTECT
  

pkgs/os-specific/linux/mdadm/4.nix

@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
   preConfigure = ''
     sed -e 's@/lib/udev@''${out}/lib/udev@' \
         -e 's@ -Werror @ @' \
-        -e 's@/usr/sbin/sendmail@/var/setuid-wrappers/sendmail@' -i Makefile
+        -e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile
   '';
 
   meta = {

pkgs/tools/security/ecryptfs/helper.nix

@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ makeWrapper ];
 
-  # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/setuid-wrappers
+  # Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/permissions-wrappers
   installPhase = ''
     mkdir -p $out/bin $out/libexec
     cp $src $out/libexec/ecryptfs-helper.py

pkgs/tools/system/cron/default.nix

@@ -23,7 +23,7 @@ stdenv.mkDerivation {
     #define _PATH_SENDMAIL "${sendmailPath}"
 
     #undef _PATH_DEFPATH
-    #define _PATH_DEFPATH "/var/setuid-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
+    #define _PATH_DEFPATH "/var/permissions-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
     __EOT__
 
     # Implicit saved uids do not work here due to way NixOS uses setuid wrappers