nixos/isolate: init module
This commit is contained in:
parent
6eb807eef0
commit
4ca92fb6ec
@ -191,6 +191,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
|
||||
|
||||
- [prometheus-nats-exporter](https://github.com/nats-io/prometheus-nats-exporter), a Prometheus exporter for NATS. Available as [services.prometheus.exporters.nats](#opt-services.prometheus.exporters.nats.enable).
|
||||
|
||||
- [isolate](https://github.com/ioi/isolate), a sandbox for securely executing untrusted programs. Available as [security.isolate](#opt-security.isolate.enable).
|
||||
|
||||
## Backward Incompatibilities {#sec-release-24.05-incompatibilities}
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
|
@ -325,6 +325,7 @@
|
||||
./security/duosec.nix
|
||||
./security/google_oslogin.nix
|
||||
./security/ipa.nix
|
||||
./security/isolate.nix
|
||||
./security/krb5
|
||||
./security/lock-kernel-modules.nix
|
||||
./security/misc.nix
|
||||
|
133
nixos/modules/security/isolate.nix
Normal file
133
nixos/modules/security/isolate.nix
Normal file
@ -0,0 +1,133 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mkEnableOption mkPackageOption mkOption types mkIf maintainers;
|
||||
|
||||
cfg = config.security.isolate;
|
||||
configFile = pkgs.writeText "isolate-config.cf" ''
|
||||
box_root=${cfg.boxRoot}
|
||||
lock_root=${cfg.lockRoot}
|
||||
cg_root=${cfg.cgRoot}
|
||||
first_uid=${toString cfg.firstUid}
|
||||
first_gid=${toString cfg.firstGid}
|
||||
num_boxes=${toString cfg.numBoxes}
|
||||
restricted_init=${if cfg.restrictedInit then "1" else "0"}
|
||||
${cfg.extraConfig}
|
||||
'';
|
||||
isolate = pkgs.symlinkJoin {
|
||||
name = "isolate-wrapped-${pkgs.isolate.version}";
|
||||
|
||||
paths = [ pkgs.isolate ];
|
||||
|
||||
nativeBuildInputs = [ pkgs.makeWrapper ];
|
||||
|
||||
postBuild = ''
|
||||
wrapProgram $out/bin/isolate \
|
||||
--set ISOLATE_CONFIG_FILE ${configFile}
|
||||
|
||||
wrapProgram $out/bin/isolate-cg-keeper \
|
||||
--set ISOLATE_CONFIG_FILE ${configFile}
|
||||
'';
|
||||
};
|
||||
in
|
||||
{
|
||||
options.security.isolate = {
|
||||
enable = mkEnableOption ''
|
||||
Sandbox for securely executing untrusted programs
|
||||
'';
|
||||
|
||||
package = mkPackageOption pkgs "isolate-unwrapped" { };
|
||||
|
||||
boxRoot = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/lib/isolate/boxes";
|
||||
description = ''
|
||||
All sandboxes are created under this directory.
|
||||
To avoid symlink attacks, this directory and all its ancestors
|
||||
must be writeable only by root.
|
||||
'';
|
||||
};
|
||||
|
||||
lockRoot = mkOption {
|
||||
type = types.path;
|
||||
default = "/run/isolate/locks";
|
||||
description = ''
|
||||
Directory where lock files are created.
|
||||
'';
|
||||
};
|
||||
|
||||
cgRoot = mkOption {
|
||||
type = types.str;
|
||||
default = "auto:/run/isolate/cgroup";
|
||||
description = ''
|
||||
Control group which subgroups are placed under.
|
||||
Either an explicit path to a subdirectory in cgroupfs, or "auto:file" to read
|
||||
the path from "file", where it is put by `isolate-cg-helper`.
|
||||
'';
|
||||
};
|
||||
|
||||
firstUid = mkOption {
|
||||
type = types.numbers.between 1000 65533;
|
||||
default = 60000;
|
||||
description = ''
|
||||
Start of block of UIDs reserved for sandboxes.
|
||||
'';
|
||||
};
|
||||
|
||||
firstGid = mkOption {
|
||||
type = types.numbers.between 1000 65533;
|
||||
default = 60000;
|
||||
description = ''
|
||||
Start of block of GIDs reserved for sandboxes.
|
||||
'';
|
||||
};
|
||||
|
||||
numBoxes = mkOption {
|
||||
type = types.numbers.between 1000 65533;
|
||||
default = 1000;
|
||||
description = ''
|
||||
Number of UIDs and GIDs to reserve, starting from
|
||||
{option}`firstUid` and {option}`firstGid`.
|
||||
'';
|
||||
};
|
||||
|
||||
restrictedInit = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
If true, only root can create sandboxes.
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = ''
|
||||
Extra configuration to append to the configuration file.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [
|
||||
isolate
|
||||
];
|
||||
|
||||
systemd.services.isolate = {
|
||||
description = "Isolate control group hierarchy daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "notify";
|
||||
ExecStart = "${isolate}/bin/isolate-cg-keeper";
|
||||
Slice = "isolate.slice";
|
||||
Delegate = true;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.slices.isolate = {
|
||||
description = "Isolate sandbox slice";
|
||||
};
|
||||
|
||||
meta.maintainers = with maintainers; [ virchau13 ];
|
||||
};
|
||||
}
|
Loading…
Reference in New Issue
Block a user