From b222541e3178f07c7f6f65646bce3755f6fef9e3 Mon Sep 17 00:00:00 2001
From: wxt <3264117476@qq.com>
Date: Sat, 28 Jun 2025 14:37:53 +0800
Subject: [PATCH] clash-verge-rev: move IPC path to /run/clash-verge-rev/service.sock for better security

---
 ...-to-run-clash-verge-rev-service.sock.patch | 32 +++++++++++++++++++
 pkgs/by-name/cl/clash-verge-rev/service.nix | 7 ++--
 pkgs/by-name/cl/clash-verge-rev/unwrapped.nix | 4 +++
 3 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 pkgs/by-name/cl/clash-verge-rev/0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch

diff --git a/pkgs/by-name/cl/clash-verge-rev/0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch b/pkgs/by-name/cl/clash-verge-rev/0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch
new file mode 100644
index 000000000000..6ea69735448d
--- /dev/null
+++ b/pkgs/by-name/cl/clash-verge-rev/0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch
@@ -0,0 +1,32 @@
+From 75296a3059419b91f638ee45215e56781bfda256 Mon Sep 17 00:00:00 2001
+From: wxt <3264117476@qq.com>
+Date: Sat, 28 Jun 2025 14:30:23 +0800
+Subject: [PATCH] IPC: move path to /run/clash-verge-rev/service.sock
+
+---
+ src/service/ipc.rs | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/service/ipc.rs b/src/service/ipc.rs
+index df39787..f441cd2 100644
+--- a/src/service/ipc.rs
++++ b/src/service/ipc.rs
+@@ -20,7 +20,7 @@ use std::ffi::OsStr;
+ const IPC_SOCKET_NAME: &str = if cfg!(windows) {
+ r"\\.\pipe\clash-verge-service"
+ } else {
+- "/tmp/clash-verge-service.sock"
++ "/run/clash-verge-rev/service.sock"
+ };
+ 
+ /// 消息时间有效期(秒)
+@@ -660,4 +660,4 @@ fn handle_unix_connection_sync(mut stream: std::os::unix::net::UnixStream) -> Re
+ .context("写入响应内容失败")?;
+ 
+ Ok(())
+-}
+\ No newline at end of file
++}
+-- 
+2.49.0
+
diff --git a/pkgs/by-name/cl/clash-verge-rev/service.nix b/pkgs/by-name/cl/clash-verge-rev/service.nix
index 60f2670efbc8..119131205a47 100644
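Review bot: The new `IPC_SOCKET_NAME` value `/run/clash-verge-rev/service.sock` assumes the `/run/clash-verge-rev` directory already exists, is writable by the service at bind time and traversable by the desktop user that connects, and nothing in this patch or the rest of the commit creates it; since service.nix says the goal is `ProtectSystem="strict"` plus `PrivateTmp`, the NixOS unit presumably needs `RuntimeDirectory=clash-verge-rev` (with a deliberate `RuntimeDirectoryMode=`) or the bind will fail on first start — worth confirming in the module. Leaving `/tmp/clash-verge-service.sock` is the right hardening call, because any local user could pre-create or squat that path in the world-writable directory before the privileged service started, but that benefit only holds if the new directory is root-owned and not group- or world-writable, so the mode deserves a comment next to the constant. The second hunk at line 660 (`-}` / `++}`) only adds a trailing newline and makes this patch more likely to conflict on the next upstream bump; consider dropping it. `handle_unix_connection_sync` starts and the `const` block's surrounding module continue outside the hunk.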
--- a/pkgs/by-name/cl/clash-verge-rev/service.nix
+++ b/pkgs/by-name/cl/clash-verge-rev/service.nix
@@ -16,8 +16,7 @@ rustPlatform.buildRustPackage {
 sourceRoot = "${src-service.name}";
 
 patches = [
- # FIXME: remove until upstream fix these
- # https://github.com/clash-verge-rev/clash-verge-rev/issues/3428
+ # I want to keep these patches because it's not harmful.
 
 # Patch: Restrict bin_path in spawn_process to be under the clash-verge-service directory.
 # This prevents arbitrary code execution by ensuring only trusted binaries from the Nix store are allowed to run.
@@ -26,6 +25,10 @@ rustPlatform.buildRustPackage {
 # Patch: Add validation to prevent overwriting existing files.
 # This mitigates arbitrary file overwrite risks by ensuring a file does not already exist before writing.
 ./0002-core-prevent-overwriting-existing-file-by-validating.patch
+
+ # Patch: move IPC directory from /tmp to /run/clash-verge-rev/service.lock
+ # This allows we enable ProtectSystem="strict" and PrivateTmp
+ ./0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch
 ];
 
 nativeBuildInputs = [
diff --git a/pkgs/by-name/cl/clash-verge-rev/unwrapped.nix b/pkgs/by-name/cl/clash-verge-rev/unwrapped.nix
index 97bac8b060f9..5c4f49447278 100644
--- a/pkgs/by-name/cl/clash-verge-rev/unwrapped.nix
+++ b/pkgs/by-name/cl/clash-verge-rev/unwrapped.nix
@@ -49,6 +49,10 @@ rustPlatform.buildRustPackage {
 # If you need a newer version, you can override the mihomo input of the wrapped package
 sed -i -e '/Mihomo Alpha/d' ./src/components/setting/mods/clash-core-viewer.tsx
 
+ # See service.nix for reasons
+ substituteInPlace src-tauri/src/core/service_ipc.rs \
+ --replace-fail "/tmp/clash-verge-service.sock" "/run/clash-verge-rev/service.sock"
+
 substituteInPlace $cargoDepsCopy/libappindicator-sys-*/src/lib.rs \
 --replace-fail "libayatana-appindicator3.so.1" "${libayatana-appindicator}/lib/libayatana-appindicator3.so.1"
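Review bot: The replacement comment `# I want to keep these patches because it's not harmful.` drops the only pointer to the upstream issue and reads as a personal note, so the next maintainer cannot tell whether the hardening patches are still required or merely tolerated. Keep the reference and state the decision, e.g. `# Kept deliberately even if upstream resolves https://github.com/clash-verge-rev/clash-verge-rev/issues/3428: they are harmless defence-in-depth.` The `patches = [` list continues in the next hunk.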
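Review bot: The comment on the new entry says the IPC socket moves to `/run/clash-verge-rev/service.lock`, but the patch it introduces and the substituteInPlace in unwrapped.nix both use `/run/clash-verge-rev/service.sock`; the `.lock` suffix is a typo that will mislead anyone checking the unit's RuntimeDirectory against the code. Suggest `# Patch: move the IPC socket from /tmp to /run/clash-verge-rev/service.sock` and `# This lets the service unit use ProtectSystem = "strict" and PrivateTmp.` The reason worth recording alongside is that a socket in world-writable `/tmp` can be pre-created by any local user, which the `/run` location avoids only when that directory stays root-owned.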