Adding a capability to an executable and using that executable in a flake

rbozan · December 16, 2022, 10:26am

I currently have a flake that uses cloud-hypervisor (package: nixpkgs/default.nix at b8ce7fd59dcf28cccabfcf5f6407ea042b30fc1a · NixOS/nixpkgs · GitHub). The package has the possibility to open a network interface (TAP interface), and I want to do that without root. For this I would need the CAP_NET_ADMIN capability. I see there’s the security.wrappers.<name>.capabilities option to wrap an executable with the added capability:
nixpkgs/default.nix at 0152de25d49dc16883b65f3e29cfea8d32f68956 · NixOS/nixpkgs · GitHub

The question is, how would I use this wrapped executable in my flake? For example, I would assume using "${pkgs.cloud-hypervisor}/bin/cloud-hypervisor" in my flake would still not have that capability as it does not use the wrapped executable.

NobbZ · December 16, 2022, 10:37am

Flake or not, you can not use that wrapped binary in your builds.

I’m not sure if you can do anything within a derivation that would require CAP_NET_ADMIN.

rbozan · December 16, 2022, 10:40am

No I won’t use the wrapped binary directly in the build.

github.com

astro/microvm.nix/blob/86dd0b6d05ef349f06906e6e5e7f62e710c1bc26/lib/runners/cloud-hypervisor.nix#L25

    
      
              # stumbling over a preexisting socket
              rm -f '${socket}'
            ''}
          '';
          
          
command =
            if user != null
            then throw "cloud-hypervisor will not change user"
            else lib.escapeShellArgs (
              [
                "${pkgs.cloud-hypervisor}/bin/cloud-hypervisor"
                "--cpus" "boot=${toString vcpu}"
                "--watchdog"
                "--console" "tty"
                "--serial" "pty"
                "--kernel" "${kernel.dev}/vmlinux"
                "--cmdline" "console=hvc0 console=ttyS0 reboot=t panic=-1 ${toString microvmConfig.kernelParams}"
                "--seccomp" "true"
              ]
              ++
              (if balloonMem > 0

On this line I would like to use the wrapped binary instead of cloud-hypervisor. The only thing it would do at build time is create a script with :

exec '/nix/store/cpg38s7n7znz239zdxnviv1wb1m5ri4d-cloud-hypervisor-28.0/bin/cloud-hypervisor' '--cpus' 'boot=1'  (..... more options)

however I would like it to use the /nix/store/ path of my wrapped binary instead.

NobbZ · December 16, 2022, 11:00am

So if you want to generate some string or path that uses the wrapped binary, there is sadly nothing but hardcoding /run/wrappers/bin

It is really sad, that you can not properly have this declared in a runtime closure and always need to make sure that the runtime requirements are fullfilled by other means

rbozan · December 17, 2022, 11:37am

Alright well, thanks for your time!