summaryrefslogtreecommitdiffstats
path: root/lass/3modules/xjail.nix
diff options
context:
space:
mode:
authorlassulus <lassulus@lassul.us>2022-01-24 14:34:18 +0100
committerlassulus <lassulus@lassul.us>2022-01-24 14:34:30 +0100
commit39d808829c185db7f3393a86b12cb04a8ba24050 (patch)
tree502259d2c4ea16283bdebca80fd8d7f61ba8631f /lass/3modules/xjail.nix
parenta3e67719b9da74e208c4058c42c0bd555c56b049 (diff)
l xjails: switch from sudo to machinectl
Diffstat (limited to 'lass/3modules/xjail.nix')
-rw-r--r--lass/3modules/xjail.nix32
1 files changed, 15 insertions, 17 deletions
diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix
index f94e7ebbf..08a28b8e3 100644
--- a/lass/3modules/xjail.nix
+++ b/lass/3modules/xjail.nix
@@ -41,10 +41,6 @@ with import <stockholm/lib>;
type = types.path;
default = pkgs.writeScript "echo_lol" "echo lol";
};
- vglrun = mkOption {
- type = types.bool;
- default = false;
- };
wm = mkOption {
#TODO find type
type = types.str;
@@ -122,21 +118,14 @@ with import <stockholm/lib>;
${pkgs.coreutils}/bin/kill $XEPHYR_PID
'';
# TODO fix xephyr which doesn't honor resizes anymore
- sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then ''
- /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@"
- '' else ''
+ sudo_ = pkgs.writeDash "${cfg.name}-sudo" ''
#/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
- /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@"
-
- '');
- vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" ''
- DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@"
+ ${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:0 --uid=${cfg.name} .host ${cfg.script} "$@"
'';
in nameValuePair name {
existing = newOrExisting;
xephyr = xephyr_;
sudo = sudo_;
- vglrun = vglrun_;
}
) config.lass.xjail;
in {
@@ -161,10 +150,19 @@ with import <stockholm/lib>;
}
) config.lass.xjail;
- security.sudo.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg:
- # TODO allow just the right script with sudo
- "${cfg.from} ALL=(${cfg.name}) NOPASSWD: ALL"
- ) config.lass.xjail));
+ security.polkit.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: ''
+ polkit.addRule(function(action, subject) {
+ if (
+ subject.user == "${cfg.from}" &&
+ action.id == "org.freedesktop.machine1.host-shell" &&
+ action.lookup("user") == "${cfg.user}" &&
+ action.lookup("program") == "${cfg.script}" &&
+ true
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ '') config.lass.xjail));
lass.xjail-bins = mapAttrs' (name: cfg:
nameValuePair name (pkgs.writeScriptBin cfg.name ''