nixos/usbguard: create package and module #28363
Conversation
|
@tnias, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @bjornfor and @offlinehacker to be potential reviewers. |
| meta = { | ||
| description = "The USBGuard software framework helps to protect your computer against BadUSB."; | ||
| homepage = "https://dkopecek.github.io/usbguard/"; | ||
| license = licenses.gpl2; |
There was a problem hiding this comment.
Do you want to maintain this package?
There was a problem hiding this comment.
can you add yourself as a maintainer then to maintainers.nix and add a reference here?
| void ConfigFilePrivate::open(const std::string& path) | ||
| { | ||
| - _stream.open(path, std::ios::in|std::ios::out); | ||
| + _stream.open(path, std::ios::in); |
There was a problem hiding this comment.
Does the daemon ever attempt to write to this file? Otherwise it seems like upstream could apply this patch as well.
There was a problem hiding this comment.
It does attempt to write the file, when the user tries to do save daemon settings from the applet. In order to be able to maintain the config inside the nixstore I did not see a better way. (if this tries to open rw the daemon just exists)
There was a problem hiding this comment.
Does the daemon continues (i.e no crash), if the applet attempt to save settings?
There was a problem hiding this comment.
Neither the daemon nor the applet crash when you try to save rules.
applet writes edit: editing failed to stdout
pkgs/top-level/all-packages.nix
Outdated
| usbguard = usbguard_libgcrypt; | ||
|
|
||
| usbguard_libgcrypt = libsForQt5.callPackage ../os-specific/linux/usbguard { | ||
| libsodium = null; |
There was a problem hiding this comment.
What is the advantage for having both versions in nixpkgs? Do both variants provide the same features?
There was a problem hiding this comment.
The only advantage I saw was to be able to choose. One of them can be removed without loosing any functionality. IIRC they are only used for hashing.
| xor = a: b: (a || b) && (!(a && b)); | ||
| in | ||
|
|
||
| assert xor (libgcrypt != null) (libsodium != null); |
There was a problem hiding this comment.
We have the -> operator for that:
assert libgcrypt != null -> libsodium == null;
No usbguard module or package existed for NixOS previously. USBGuard will protect you from BadUSB attacks. (assuming configuration is done correctly)
Users can override this by themselves.
|
Thanks! |
Motivation for this change
No usbguard module or package existed for NixOS previously. USBGuard
will protect you from BadUSB attacks. (assuming configuration is done
correctly)
Things done
I build and tested the libsodium and libgcrypt variants on my nixos-unstable system. Specifying rules for devices works.
Using the qt-applet did not work for my normal user due to the
Cannot mix incompatible Qt library ..., but runningusbguard-applet-qtas root works fine. (found out about by accident, can someone explain why?)As noted in
description-fields of the nixos-module options, editing the rules or daemon configuration is not possible via GUI since they are inside the nixstore. (I did not see a better way to solve this. Please let me know if I missed something)(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)