nixos/captive-browser: drop setcap wrapper for captive-browser

Since Linux 5.7 it's possible to set `SO_BINDTODEVICE` via `setsockopt(2)`
as unprivileged user if this operation doesn't imply escaping a VRF
interface[1].

Dropping the wrapper is actually desirable because `captive-browser`
itself doesn't drop capabilities and as a result, the capabilities are
passed on to `chromium` itself[2].

For older kernels the wrapper is still necessary, so it is now only
added if the kernel is older than 5.7.

[1] c427bfec18
[2] 08450562e5/bind_device_linux.go (L11-L14)
    and because our setcap wrapper makes all capabilities
    inheritable.
Maximilian Bosch 2023-08-09 13:06:10 +02:00
parent a140137693
commit 183be440fd


@ -7,6 +7,8 @@ let
concatStringsSep escapeShellArgs optionalString
literalExpression mkEnableOption mkIf mkOption mkOptionDefault types;
requiresSetcapWrapper = config.boot.kernelPackages.kernelOlder "5.7" && cfg.bindInterface;
browserDefault = chromium: concatStringsSep " " [
''env XDG_CONFIG_HOME="$PREV_CONFIG_HOME"''
''${chromium}/bin/chromium''
@ -23,11 +25,23 @@ let
desktopItem = pkgs.makeDesktopItem {
name = "captive-browser";
desktopName = "Captive Portal Browser";
exec = "/run/wrappers/bin/captive-browser";
exec = "captive-browser";
icon = "nix-snowflake";
categories = [ "Network" ];
};
captive-browser-configured = pkgs.writeShellScriptBin "captive-browser" ''
export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"
export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" ''
browser = """${cfg.browser}"""
dhcp-dns = """${cfg.dhcp-dns}"""
socks5-addr = """${cfg.socks5-addr}"""
${optionalString cfg.bindInterface ''
bind-device = """${cfg.interface}"""
''}
''}
exec ${cfg.package}/bin/captive-browser
'';
in
{
###### interface
@ -101,6 +115,7 @@ in
(pkgs.runCommand "captive-browser-desktop-item" { } ''
install -Dm444 -t $out/share/applications ${desktopItem}/share/applications/*.desktop
'')
captive-browser-configured
];
programs.captive-browser.dhcp-dns =
@ -131,22 +146,11 @@ in
source = "${pkgs.busybox}/bin/udhcpc";
};
security.wrappers.captive-browser = {
security.wrappers.captive-browser = mkIf requiresSetcapWrapper {
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = pkgs.writeShellScript "captive-browser" ''
export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"
export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" ''
browser = """${cfg.browser}"""
dhcp-dns = """${cfg.dhcp-dns}"""
socks5-addr = """${cfg.socks5-addr}"""
${optionalString cfg.bindInterface ''
bind-device = """${cfg.interface}"""
''}
''}
exec ${cfg.package}/bin/captive-browser
'';
source = "${captive-browser-configured}/bin/captive-browser";
};
};
}
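Review bot: On kernels older than 5.7 the desktop entry in the second hunk no longer guarantees that the privileged path is taken: `exec = "captive-browser"` is resolved through the launcher's PATH, and both `/run/wrappers/bin` and the new `captive-browser-configured` package now provide a `bin/captive-browser`, so whichever directory comes first wins. If `/run/wrappers/bin` is not first in that environment the unwrapped script runs and the `SO_BINDTODEVICE` call presumably fails for lack of `CAP_NET_RAW`; tying the entry to the same predicate as the wrapper removes the dependence on PATH order: `exec = if requiresSetcapWrapper then "/run/wrappers/bin/captive-browser" else "captive-browser";`. Separately, `requiresSetcapWrapper` in the first hunk tests the configured `config.boot.kernelPackages`, not the kernel that is actually booted, so after a kernel switch without reboot the decision may not match the running system; a comment on that binding such as `# evaluated against the configured kernel, not the one currently booted` would make the limitation visible. The `let` block these bindings belong to starts before the first hunk.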