2024-01-22 13:12:10 +00:00
|
|
|
{ config, lib, ... }:
|
|
|
|
|
let
|
|
|
|
|
cfg = config.sane.programs.wireshark;
|
|
|
|
|
in
|
2023-05-10 04:52:12 +00:00
|
|
|
{
|
2024-01-22 13:12:10 +00:00
|
|
|
sane.programs.wireshark = {
|
|
|
|
|
sandbox.method = "firejail";
|
2024-01-23 14:30:42 +00:00
|
|
|
sandbox.extraConfig = [
|
2024-01-22 13:12:10 +00:00
|
|
|
# somehow needs `setpcap` (makes these bounding capabilities also be inherited?)
|
|
|
|
|
# else no interfaces appear on the main page
|
2024-01-23 14:30:42 +00:00
|
|
|
"--sane-sandbox-firejail-arg"
|
|
|
|
|
"--ignore=caps.keep dac_override,dac_read_search,net_admin,net_raw"
|
|
|
|
|
"--sane-sandbox-firejail-arg"
|
|
|
|
|
"--caps.keep=dac_override,dac_read_search,net_admin,net_raw,setpcap"
|
|
|
|
|
];
|
2024-01-22 13:12:10 +00:00
|
|
|
slowToBuild = true;
|
|
|
|
|
};
|
2023-11-18 22:06:08 +00:00
|
|
|
|
2024-01-22 13:12:10 +00:00
|
|
|
programs.wireshark = lib.mkIf cfg.enabled {
|
|
|
|
|
# adds a SUID wrapper for wireshark's `dumpcap` program
|
|
|
|
|
enable = true;
|
|
|
|
|
package = cfg.package;
|
|
|
|
|
};
|
|
|
|
|
# the SUID wrapper can't also be a firejail (idk why? it might be that the binary's already *too* restricted).
|
2024-01-22 23:58:04 +00:00
|
|
|
security.wrappers = lib.mkIf cfg.enabled {
|
2024-01-23 14:30:42 +00:00
|
|
|
dumpcap.source = lib.mkForce "${cfg.package}/bin/.dumpcap-sandboxed";
|
2024-01-22 23:58:04 +00:00
|
|
|
};
|
2023-05-10 04:52:12 +00:00
|
|
|
}
|
