security.wrappers: copy source programs instead of wrapping in binaries

Copying the wrapper code from NixOS and hoping that I managed to catch all the relevant dyld environment variables was not particularly confidence-inducing, so this commit removes the wrappers entirely and simply copies the source programs before modifying permissions. This means that the given source programs must safely handle being setuid/setgid binaries and being located in `/run/wrappers/bin`. There's now only `default.nix` in `modules/security/wrappers`, so I could have removed the directory, but I have left it for now in anticipation of other files potentially ending up there.
LnL7 · Jan 20, 2025 · 216f2ce · 216f2ce
1 parent 374c57d
commit 216f2ce
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 170 deletions.
diff --git a/modules/security/wrappers/default.nix b/modules/security/wrappers/default.nix
@@ -52,10 +52,6 @@ let
       (opts: mkWrapper opts)
       (builtins.attrValues cfg.wrappers);
 
-  securityWrapper = sourceProg : pkgs.pkgsStatic.callPackage ./wrapper.nix {
-    inherit sourceProg;
-  };
-
   mkWrapper =
     { program
     , source
@@ -71,10 +67,10 @@ let
       codesigned = if codesign
         then ''
           # codesign ${source} to "$wrapperDir/${program}" INSTEAD OF the next line
-          cp ${securityWrapper source}/bin/security-wrapper "$wrapperDir/${program}"
+          cp ${source} "$wrapperDir/${program}"
         ''
         else ''
-          cp ${securityWrapper source}/bin/security-wrapper "$wrapperDir/${program}"
+          cp ${source} "$wrapperDir/${program}"
         '';
     in
     ''

diff --git a/modules/security/wrappers/wrapper.c b/modules/security/wrappers/wrapper.c
diff --git a/modules/security/wrappers/wrapper.nix b/modules/security/wrappers/wrapper.nix