Diffstat (limited to 'nixos/modules/security/wrappers/setuid-wrapper-drv.nix')
-rw-r--r--nixos/modules/security/wrappers/setuid-wrapper-drv.nix35
1 files changed, 35 insertions, 0 deletions
diff --git a/nixos/modules/security/wrappers/setuid-wrapper-drv.nix b/nixos/modules/security/wrappers/setuid-wrapper-drv.nix
new file mode 100644
index 00000000000..e08ae799bf4
--- /dev/null
+++ b/nixos/modules/security/wrappers/setuid-wrapper-drv.nix
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+let  
+     cfg = config.security.wrappers;
+
+     # Produce a shell-code splice intended to be stitched into one of
+     # the build or install phases within the derivation.
+     mkSetuidWrapper = { program, source ? null, ...}: ''
+       if ! source=${if source != null then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then
+           # If we can't find the program, fall back to the
+           # system profile.
+           source=/nix/var/nix/profiles/default/bin/${program}
+       fi
+
+       gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \
+           -lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
+           -I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
+     '';
+in
+
+# This is only useful for Linux platforms and a kernel version of
+# 4.3 or greater
+assert pkgs.stdenv.isLinux;
+
+pkgs.stdenv.mkDerivation {
+  name         = "setuid-wrapper";
+  unpackPhase  = "true";
+  installPhase = ''
+    mkdir -p $out/bin
+
+    # Concat together all of our shell splices to compile
+    # binary wrapper programs for all configured setcap programs.
+    ${lib.concatMapStrings mkSetuidWrapper cfg.setuid}
+  '';
+}
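Review bot: The fallback branch `source=/nix/var/nix/profiles/default/bin/${program}` bakes a mutable, non-store path into a setuid wrapper with no diagnostic, so a typo in `program` or a missing entry in `WRAPPER_PATH` (set outside this hunk, presumably by the caller) yields a wrapper that silently targets whatever is in the system profile at run time. At minimum the branch should announce this, e.g. `echo "warning: ${program} not found in WRAPPER_PATH; setuid wrapper will target $source" >&2`, and it is worth deciding whether a hard build failure is the safer default for a privileged wrapper. Separately, the comment `# binary wrapper programs for all configured setcap programs.` does not match this file, which compiles with `-DWRAPPER_SETUID=1` over `cfg.setuid`, and should read `setuid programs`. The `-lcap-ng -lcap` flags also precede the source file on the gcc line; if the toolchain links with `--as-needed`, those libraries may be dropped, so placing them after `${./permissions-wrapper.c}` is more robust.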