nixos/wrappers: add per-wrapper enable option (#376196)

Aleksanaa · web-flow · commit ece0ac9a7fda · 2025-02-12T20:02:52.000+08:00
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
@@ -1,7 +1,9 @@
 { config, lib, pkgs, ... }:
 let
 
-  inherit (config.security) wrapperDir wrappers;
+  inherit (config.security) wrapperDir;
+
+  wrappers = lib.filterAttrs (name: value: value.enable) config.security.wrappers;
 
   parentWrapperDir = dirOf wrapperDir;
 
@@ -41,6 +43,11 @@ let
      // { description = "file mode string"; };
 
   wrapperType = lib.types.submodule ({ name, config, ... }: {
+    options.enable = lib.mkOption
+      { type = lib.types.bool;
+        default = true;
+        description = "Whether to enable the wrapper.";
+      };
     options.source = lib.mkOption
       { type = lib.types.path;
         description = "The absolute path to the program to be wrapped.";
diff --git a/nixos/tests/wrappers.nix b/nixos/tests/wrappers.nix
@@ -29,6 +29,14 @@ import ./make-test-python.nix (
         security.apparmor.enable = true;
 
         security.wrappers = {
+          disabled = {
+            enable = false;
+            owner = "root";
+            group = "root";
+            setuid = true;
+            source = "${busybox pkgs}/bin/busybox";
+            program = "disabled_busybox";
+          };
           suidRoot = {
             owner = "root";
             group = "root";
@@ -112,6 +120,9 @@ import ./make-test-python.nix (
       # actually makes the apparmor policy for ping, but there's no convenient
       # test for that one.
       machine.succeed("ping -c 1 127.0.0.1")
+
+      # Test that the disabled wrapper is not present.
+      machine.fail("test -e /run/wrappers/bin/disabled_busybox")
     '';
   }
 )
