clash-verge-rev: move IPC path to /run/clash-verge-rev/service.sock for better security

2025-06-28 14:37:53 +08:00 · 2025-06-28 14:37:53 +08:00 · b222541e31
commit b222541e31
parent 6f7fdf8e4b
3 changed files with 41 additions and 2 deletions
--- a/pkgs/by-name/cl/clash-verge-rev/0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch
+++ b/pkgs/by-name/cl/clash-verge-rev/0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch
@ -0,0 +1,32 @@
+From 75296a3059419b91f638ee45215e56781bfda256 Mon Sep 17 00:00:00 2001
+From: wxt <3264117476@qq.com>
+Date: Sat, 28 Jun 2025 14:30:23 +0800
+Subject: [PATCH] IPC: move path to /run/clash-verge-rev/service.sock
+
+---
+ src/service/ipc.rs | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/service/ipc.rs b/src/service/ipc.rs
+index df39787..f441cd2 100644
+--- a/src/service/ipc.rs
+++ b/src/service/ipc.rs
+@@ -20,7 +20,7 @@ use std::ffi::OsStr;
+ const IPC_SOCKET_NAME: &str = if cfg!(windows) {
+     r"\\.\pipe\clash-verge-service"
+ } else {
+-    "/tmp/clash-verge-service.sock"
+    "/run/clash-verge-rev/service.sock"
+ };
+ 
+ /// 消息时间有效期(秒)
+@@ -660,4 +660,4 @@ fn handle_unix_connection_sync(mut stream: std::os::unix::net::UnixStream) -> Re
+         .context("写入响应内容失败")?;
+     
+     Ok(())
+-} 
+\ No newline at end of file
+} 
+-- 
+2.49.0
+
--- a/pkgs/by-name/cl/clash-verge-rev/service.nix
+++ b/pkgs/by-name/cl/clash-verge-rev/service.nix
@ -16,8 +16,7 @@ rustPlatform.buildRustPackage {
  sourceRoot = "${src-service.name}";

  patches = [
-    # FIXME: remove until upstream fix these
-    # https://github.com/clash-verge-rev/clash-verge-rev/issues/3428
+    # I want to keep these patches because it's not harmful.

    # Patch: Restrict bin_path in spawn_process to be under the clash-verge-service directory.
    # This prevents arbitrary code execution by ensuring only trusted binaries from the Nix store are allowed to run.
@ -26,6 +25,10 @@ rustPlatform.buildRustPackage {
    # Patch: Add validation to prevent overwriting existing files.
    # This mitigates arbitrary file overwrite risks by ensuring a file does not already exist before writing.
    ./0002-core-prevent-overwriting-existing-file-by-validating.patch
+
+    # Patch: move IPC directory from /tmp to /run/clash-verge-rev/service.lock
+    # This allows we enable ProtectSystem="strict" and PrivateTmp
+    ./0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch
  ];

  nativeBuildInputs = [
--- a/pkgs/by-name/cl/clash-verge-rev/unwrapped.nix
+++ b/pkgs/by-name/cl/clash-verge-rev/unwrapped.nix
@ -49,6 +49,10 @@ rustPlatform.buildRustPackage {
    # If you need a newer version, you can override the mihomo input of the wrapped package
    sed -i -e '/Mihomo Alpha/d' ./src/components/setting/mods/clash-core-viewer.tsx

+    # See service.nix for reasons
+    substituteInPlace src-tauri/src/core/service_ipc.rs \
+      --replace-fail "/tmp/clash-verge-service.sock" "/run/clash-verge-rev/service.sock"
+
    substituteInPlace $cargoDepsCopy/libappindicator-sys-*/src/lib.rs \
      --replace-fail "libayatana-appindicator3.so.1" "${libayatana-appindicator}/lib/libayatana-appindicator3.so.1"