From d267ea8717977a757b705250205bb8801568dd63 Mon Sep 17 00:00:00 2001
From: Patrick Steinhardt
Date: Thu, 23 Jan 2025 19:56:06 +0100
Subject: [PATCH] nixos/wrappers: add per-wrapper enable option

While it is possible to globally enable or disable security wrappers, it isn't possible to disable only a subset of them. Consequently, users will have to overwrite the security wrappers completely and re-add the desired subset in case they want to disable a subset of those set up by the NixOS modules. Address this usecase by adding a new per-wrapper enable option.
---
 nixos/modules/security/wrappers/default.nix | 9 ++++++++-
 nixos/tests/wrappers.nix | 11 +++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index c885c25c2620..a5afe006266a 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -1,7 +1,9 @@
 { config, lib, pkgs, ... }:
 let
-  inherit (config.security) wrapperDir wrappers;
+  inherit (config.security) wrapperDir;
+
+  wrappers = lib.filterAttrs (name: value: value.enable) config.security.wrappers;
   parentWrapperDir = dirOf wrapperDir;
@@ -41,6 +43,11 @@ let
     // { description = "file mode string"; };
   wrapperType = lib.types.submodule ({ name, config, ... }: {
+    options.enable = lib.mkOption
+      { type = lib.types.bool;
+        default = true;
+        description = "Whether to enable the wrapper.";
+      };
     options.source = lib.mkOption
       { type = lib.types.path;
         description = "The absolute path to the program to be wrapped.";
diff --git a/nixos/tests/wrappers.nix b/nixos/tests/wrappers.nix
index 8feb92b37927..4766051805c7 100644
--- a/nixos/tests/wrappers.nix
+++ b/nixos/tests/wrappers.nix
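Review bot: The filter lambda in the new `wrappers` binding declares a `name` parameter it never uses; nixpkgs convention is to spell an ignored parameter as `_`, e.g. `wrappers = lib.filterAttrs (_: wrapper: wrapper.enable) config.security.wrappers;`. More importantly, the filtering lives only in this local binding, so any other place in the module that still reads `config.security.wrappers` directly rather than the local `wrappers` would keep acting on disabled entries; I cannot see the rest of the file, so this is worth a grep before merging. A comment above the binding such as `# Only enabled wrappers are installed; everything below must use this filtered set, not config.security.wrappers.` would make that invariant explicit. The `let` block continues outside the hunk.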
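Review bot: The description of the new `enable` option does not say what disabling actually does; the other options of a disabled wrapper (`source`, owner, setuid bits) are still declared and type-checked by the submodule, and only the installation is skipped, which users currently have to learn from the implementation. Suggest `description = "Whether to install this wrapper. When disabled, the definition is still evaluated but no wrapper program is placed in the wrapper directory.";`. The submodule definition continues outside the hunk.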
@@ -29,6 +29,14 @@ import ./make-test-python.nix (
       security.apparmor.enable = true;
       security.wrappers = {
+        disabled = {
+          enable = false;
+          owner = "root";
+          group = "root";
+          setuid = true;
+          source = "${busybox pkgs}/bin/busybox";
+          program = "disabled_busybox";
+        };
         suidRoot = {
           owner = "root";
           group = "root";
@@ -112,6 +120,9 @@ import ./make-test-python.nix (
       # actually makes the apparmor policy for ping, but there's no convenient
       # test for that one.
       machine.succeed("ping -c 1 127.0.0.1")
+
+      # Test that the disabled wrapper is not present.
+      machine.fail("test -e /run/wrappers/bin/disabled_busybox")
     '';
   }
 )
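Review bot: The `disabled` fixture deliberately asks for `setuid = true`, but nothing in the hunk records that this is the point of the test, so a later cleanup could drop the flag and reduce the check to a plain file-absence test of an unprivileged wrapper. Suggest a comment above the fixture: `# setuid on purpose: verifies that a disabled privileged wrapper is never installed.` In the second hunk, `machine.fail("test -e /run/wrappers/bin/disabled_busybox")` hardcodes the wrapper directory; since the module derives its paths from `security.wrapperDir`, a short comment noting that the test assumes the default directory would keep the assertion honest if that default ever changes. The enclosing test expression starts and ends outside the hunks.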