nixos/services.usbguard: remove with lib;

Felix Buehler 2024-12-29 21:50:38 +01:00
parent ee9d6cd0d3
commit 4bcc603cd8


@ -4,14 +4,12 @@
pkgs, pkgs,
... ...
}: }:
with lib;
let let
cfg = config.services.usbguard; cfg = config.services.usbguard;
# valid policy options # valid policy options
policy = ( policy = (
types.enum [ lib.types.enum [
"allow" "allow"
"block" "block"
"reject" "reject"
@ -30,13 +28,13 @@ let
PresentDevicePolicy=${cfg.presentDevicePolicy} PresentDevicePolicy=${cfg.presentDevicePolicy}
PresentControllerPolicy=${cfg.presentControllerPolicy} PresentControllerPolicy=${cfg.presentControllerPolicy}
InsertedDevicePolicy=${cfg.insertedDevicePolicy} InsertedDevicePolicy=${cfg.insertedDevicePolicy}
RestoreControllerDeviceState=${boolToString cfg.restoreControllerDeviceState} RestoreControllerDeviceState=${lib.boolToString cfg.restoreControllerDeviceState}
# this does not seem useful for endusers to change # this does not seem useful for endusers to change
DeviceManagerBackend=uevent DeviceManagerBackend=uevent
IPCAllowedUsers=${concatStringsSep " " cfg.IPCAllowedUsers} IPCAllowedUsers=${lib.concatStringsSep " " cfg.IPCAllowedUsers}
IPCAllowedGroups=${concatStringsSep " " cfg.IPCAllowedGroups} IPCAllowedGroups=${lib.concatStringsSep " " cfg.IPCAllowedGroups}
IPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d/ IPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d/
DeviceRulesWithPort=${boolToString cfg.deviceRulesWithPort} DeviceRulesWithPort=${lib.boolToString cfg.deviceRulesWithPort}
# HACK: that way audit logs still land in the journal # HACK: that way audit logs still land in the journal
AuditFilePath=/dev/null AuditFilePath=/dev/null
''; '';
@ -50,16 +48,16 @@ in
options = { options = {
services.usbguard = { services.usbguard = {
enable = mkEnableOption "USBGuard daemon"; enable = lib.mkEnableOption "USBGuard daemon";
package = mkPackageOption pkgs "usbguard" { package = lib.mkPackageOption pkgs "usbguard" {
extraDescription = '' extraDescription = ''
If you do not need the Qt GUI, use `pkgs.usbguard-nox` to save disk space. If you do not need the Qt GUI, use `pkgs.usbguard-nox` to save disk space.
''; '';
}; };
ruleFile = mkOption { ruleFile = lib.mkOption {
type = types.nullOr types.path; type = lib.types.nullOr lib.types.path;
default = "/var/lib/usbguard/rules.conf"; default = "/var/lib/usbguard/rules.conf";
example = "/run/secrets/usbguard-rules"; example = "/run/secrets/usbguard-rules";
description = '' description = ''
@ -71,8 +69,8 @@ in
''; '';
}; };
rules = mkOption { rules = lib.mkOption {
type = types.nullOr types.lines; type = lib.types.nullOr lib.types.lines;
default = null; default = null;
example = '' example = ''
allow with-interface equals { 08:*:* } allow with-interface equals { 08:*:* }
@ -92,8 +90,8 @@ in
''; '';
}; };
implicitPolicyTarget = mkOption { implicitPolicyTarget = lib.mkOption {
type = types.enum [ type = lib.types.enum [
"allow" "allow"
"block" "block"
"reject" "reject"
@ -106,7 +104,7 @@ in
''; '';
}; };
presentDevicePolicy = mkOption { presentDevicePolicy = lib.mkOption {
type = policy; type = policy;
default = "apply-policy"; default = "apply-policy";
description = '' description = ''
@ -117,7 +115,7 @@ in
''; '';
}; };
presentControllerPolicy = mkOption { presentControllerPolicy = lib.mkOption {
type = policy; type = policy;
default = "keep"; default = "keep";
description = '' description = ''
@ -126,8 +124,8 @@ in
''; '';
}; };
insertedDevicePolicy = mkOption { insertedDevicePolicy = lib.mkOption {
type = types.enum [ type = lib.types.enum [
"block" "block"
"reject" "reject"
"apply-policy" "apply-policy"
@ -139,8 +137,8 @@ in
''; '';
}; };
restoreControllerDeviceState = mkOption { restoreControllerDeviceState = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
The USBGuard daemon modifies some attributes of controller The USBGuard daemon modifies some attributes of controller
@ -151,8 +149,8 @@ in
''; '';
}; };
IPCAllowedUsers = mkOption { IPCAllowedUsers = lib.mkOption {
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = [ "root" ]; default = [ "root" ];
example = [ example = [
"root" "root"
@ -163,8 +161,8 @@ in
''; '';
}; };
IPCAllowedGroups = mkOption { IPCAllowedGroups = lib.mkOption {
type = types.listOf types.str; type = lib.types.listOf lib.types.str;
default = [ ]; default = [ ];
example = [ "wheel" ]; example = [ "wheel" ];
description = '' description = ''
@ -173,21 +171,21 @@ in
''; '';
}; };
deviceRulesWithPort = mkOption { deviceRulesWithPort = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
Generate device specific rules including the "via-port" attribute. Generate device specific rules including the "via-port" attribute.
''; '';
}; };
dbus.enable = mkEnableOption "USBGuard dbus daemon"; dbus.enable = lib.mkEnableOption "USBGuard dbus daemon";
}; };
}; };
###### implementation ###### implementation
config = mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
@ -239,7 +237,7 @@ in
}; };
}; };
usbguard-dbus = mkIf cfg.dbus.enable { usbguard-dbus = lib.mkIf cfg.dbus.enable {
description = "USBGuard D-Bus Service"; description = "USBGuard D-Bus Service";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -261,7 +259,7 @@ in
groupCheck = groupCheck =
(lib.concatStrings (map (g: "subject.isInGroup(\"${g}\") || ") cfg.IPCAllowedGroups)) + "false"; (lib.concatStrings (map (g: "subject.isInGroup(\"${g}\") || ") cfg.IPCAllowedGroups)) + "false";
in in
optionalString cfg.dbus.enable '' lib.optionalString cfg.dbus.enable ''
polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) {
if ((action.id == "org.usbguard.Policy1.listRules" || if ((action.id == "org.usbguard.Policy1.listRules" ||
action.id == "org.usbguard.Policy1.appendRule" || action.id == "org.usbguard.Policy1.appendRule" ||
@ -278,15 +276,15 @@ in
''; '';
}; };
imports = [ imports = [
(mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ] (lib.mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ]
"The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d." "The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d."
) )
(mkRemovedOptionModule [ (lib.mkRemovedOptionModule [
"services" "services"
"usbguard" "usbguard"
"auditFilePath" "auditFilePath"
] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.") ] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.")
(mkRenamedOptionModule (lib.mkRenamedOptionModule
[ "services" "usbguard" "implictPolicyTarget" ] [ "services" "usbguard" "implictPolicyTarget" ]
[ "services" "usbguard" "implicitPolicyTarget" ] [ "services" "usbguard" "implicitPolicyTarget" ]
) )
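Review bot: In the polkit hunk (@ -261,7 +259,7), `groupCheck` splices each entry of `cfg.IPCAllowedGroups` into JavaScript source with plain string interpolation, so a group name containing `"` or `\` would yield a broken or differently-scoped polkit rule, and the option is typed `lib.types.listOf lib.types.str`, which does not restrict the characters. Because the value comes from the system configuration rather than an untrusted source the practical risk is low, but emitting a proper JS string literal is a one-line change: `(lib.concatStrings (map (g: "subject.isInGroup(${builtins.toJSON g}) || ") cfg.IPCAllowedGroups)) + "false";`. The same unvalidated names are also written space-separated into `IPCAllowedUsers`/`IPCAllowedGroups` in the daemon config hunk (@ -30,13 +28,13), where a name containing whitespace would presumably be read by usbguard as two entries. The `let` binding that `groupCheck` belongs to starts before this hunk and the enclosing attribute ends after it.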