nixos/usbguard: create package and module #28363
@tnias, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @bjornfor and @offlinehacker to be potential reviewers.
meta = { | ||
description = "The USBGuard software framework helps to protect your computer against BadUSB."; | ||
homepage = "https://dkopecek.github.io/usbguard/"; | ||
license = licenses.gpl2; |
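Review bot: the description in meta is written as a full sentence with the package name and a trailing period; nixpkgs convention is a short phrase without either. Something like description = "Software framework that helps to protect your computer against BadUSB"; would fit that style.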
Do you want to maintain this package?
Sure, why not.
Can you add yourself as a maintainer then to maintainers.nix and add a reference here?
done.
void ConfigFilePrivate::open(const std::string& path) | ||
{ | ||
- _stream.open(path, std::ios::in|std::ios::out); | ||
+ _stream.open(path, std::ios::in); |
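Review bot: in ConfigFilePrivate::open, dropping std::ios::out makes _stream read-only for every installation, not only where the config file sits on a read-only store, so any code that later writes through _stream will fail. Consider trying std::ios::in|std::ios::out first and falling back to std::ios::in when that open fails, recording the read-only state so a write attempt can return a clear error. The hunk as shown also carries no comment explaining why the mode changed.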
Does the daemon ever attempt to write to this file? Otherwise it seems like upstream could apply this patch as well.
It does attempt to write the file when the user tries to save daemon settings from the applet. In order to be able to maintain the config inside the nixstore I did not see a better way. (If this tries to open rw, the daemon just exits.)
Does the daemon continue (i.e. no crash) if the applet attempts to save settings?
Neither the daemon nor the applet crashes when you try to save rules. The applet writes "edit: editing failed" to stdout.
pkgs/top-level/all-packages.nix
usbguard = usbguard_libgcrypt; | ||
|
||
usbguard_libgcrypt = libsForQt5.callPackage ../os-specific/linux/usbguard { | ||
libsodium = null; |
What is the advantage of having both versions in nixpkgs? Do both variants provide the same features?
The only advantage I saw was to be able to choose. One of them can be removed without losing any functionality. IIRC they are only used for hashing.
xor = a: b: (a || b) && (!(a && b)); | ||
in | ||
|
||
assert xor (libgcrypt != null) (libsodium != null); |
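Review bot: the assert at the end of this hunk requires exactly one of libgcrypt and libsodium to be non-null, and the hand-written xor helper is the only thing expressing that. An implication such as libgcrypt != null -> libsodium == null is weaker, since it also passes when both are null, so keep an exclusive-or check (or add a second assertion that at least one is set) and add a comment naming the two crypto backends as alternatives.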
We have the -> operator for that:
assert libgcrypt != null -> libsodium == null;
No usbguard module or package existed for NixOS previously. USBGuard will protect you from BadUSB attacks. (assuming configuration is done correctly)
Users can override this by themselves.
Thanks!
Motivation for this change
No usbguard module or package existed for NixOS previously. USBGuard
will protect you from BadUSB attacks. (assuming configuration is done
correctly)
Things done
I built and tested the libsodium and libgcrypt variants on my nixos-unstable system. Specifying rules for devices works.
Using the qt-applet did not work for my normal user due to the "Cannot mix incompatible Qt library ...", but running usbguard-applet-qt as root works fine. (Found out about this by accident, can someone explain why?)
As noted in the description fields of the nixos-module options, editing the rules or daemon configuration is not possible via GUI since they are inside the nixstore. (I did not see a better way to solve this. Please let me know if I missed something.)
(nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)