3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix
rnhmjoj fedd7cd690
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you
to think about what the wrapper ownership and permissions will be.
2021-09-13 13:48:13 +02:00

39 lines
1.1 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.chromiumSuidSandbox;
sandbox = pkgs.chromium.sandbox;
in
{
imports = [
(mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
];
options.security.chromiumSuidSandbox.enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to install the Chromium SUID sandbox which is an executable that
Chromium may use in order to achieve sandboxing.
If you get the error "The SUID sandbox helper binary was found, but is not
configured correctly.", turning this on might help.
Also, if the URL chrome://sandbox tells you that "You are not adequately
sandboxed!", turning this on might resolve the issue.
'';
};
config = mkIf cfg.enable {
environment.systemPackages = [ sandbox ];
security.wrappers.${sandbox.passthru.sandboxExecutableName} =
{ setuid = true;
owner = "root";
group = "root";
source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
};
};
}