nixos/modules/security/wrappers/default.nix +8 −1 Original line number Diff line number Diff line { config, lib, pkgs, ... }: let inherit (config.security) wrapperDir wrappers; inherit (config.security) wrapperDir; wrappers = lib.filterAttrs (name: value: value.enable) config.security.wrappers; parentWrapperDir = dirOf wrapperDir; Loading Loading @@ -41,6 +43,11 @@ let // { description = "file mode string"; }; wrapperType = lib.types.submodule ({ name, config, ... }: { options.enable = lib.mkOption { type = lib.types.bool; default = true; description = "Whether to enable the wrapper."; }; options.source = lib.mkOption { type = lib.types.path; description = "The absolute path to the program to be wrapped."; Loading
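Review bot: The filter on the new line `wrappers = lib.filterAttrs (name: value: value.enable) config.security.wrappers;` binds `name` without using it; the usual Nix form is `lib.filterAttrs (_: w: w.enable) config.security.wrappers`. Since this filtered `wrappers` is only a local `let` binding, any other code in this module (or in another module) that reads `config.security.wrappers` directly would still act on disabled entries — the rest of the `let` block and the module body are outside this hunk, so this is something to check rather than a defect visible here. The new option's description could also state the effect of disabling, as exercised by the accompanying test: `description = "Whether to enable the wrapper. A disabled wrapper is not created in the wrapper directory.";`.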
nixos/tests/wrappers.nix +11 −0 Original line number Diff line number Diff line Loading @@ -29,6 +29,14 @@ import ./make-test-python.nix ( security.apparmor.enable = true; security.wrappers = { disabled = { enable = false; owner = "root"; group = "root"; setuid = true; source = "${busybox pkgs}/bin/busybox"; program = "disabled_busybox"; }; suidRoot = { owner = "root"; group = "root"; Loading Loading @@ -112,6 +120,9 @@ import ./make-test-python.nix ( # actually makes the apparmor policy for ping, but there's no convenient # test for that one. machine.succeed("ping -c 1 127.0.0.1") # Test that the disabled wrapper is not present. machine.fail("test -e /run/wrappers/bin/disabled_busybox") ''; } )
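Review bot: The `disabled` entry added in the first hunk is declared `setuid = true`, but the comment above `machine.fail("test -e /run/wrappers/bin/disabled_busybox")` in the second hunk does not say that the check is specifically about a privileged wrapper being suppressed; `# Test that a disabled wrapper is not created, even though it is declared setuid root.` would make the intent clear. The absence check hardcodes `/run/wrappers/bin`, which is fine as long as the test's other checks use the same path — those lines, and the rest of the test script, are outside the hunk.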