networkmanager: cleanup

2024-05-29 01:35:38 +00:00 · 2024-05-29 01:35:38 +00:00 · 0013e8305e
commit 0013e8305e
parent 7dedfcebb9
1 changed files with 3 additions and 76 deletions
--- a/hosts/common/programs/networkmanager.nix
+++ b/hosts/common/programs/networkmanager.nix
@ -24,97 +24,24 @@ in
          "net_admin"
          "net_raw"
          "net_bind_service"  #< TODO: is this needed? why? (DNS?)
-          # "setgid"
-          # "setuid"
-          # "sys_module"  #< TODO: is this needed?
+          # "sys_module"
          "audit_write"  #< allow writing to the audit log
          # "kill"
-          # "sys_chroot"
        ];
        sandbox.extraPaths = [
-          # "/proc"
-          # "/run"
-          # "/sys"
-          # "/var/lib"
-          #^ works
-
-          # "/dev"
-          # "/proc"
-          # "/run"
-          # "/sys"
-          # "/var/lib/NetworkManager"
-          # "/var/lib/trust-dns"  #< for trust-dns-nmhook
-          #^ works
-
-          # # "/dev/net"
-          # # "/dev/rfkill"
-          # # "/proc/sys/net"
-          # "/dev"
-          # "/proc"
-          # "/run/NetworkManager"
-          # "/run/dbus"
-          # "/run/log"
-          # "/run/resolvconf"
-          # "/run/secrets"
-          # "/run/systemd"
-          # "/run/udev"
-          # "/run/user"
-          # "/run/wg-home.priv"
-          # "/var/run/NetworkManager"  #< legacy symlinks, which NM wants to crawl
-          # "/var/run/dbus"
-          # "/var/run/log"
-          # "/var/run/resolvconf"
-          # "/var/run/systemd"
-          # "/var/run/udev"
-          # "/var/run/user"
-          # "/sys"
-          # # "/sys/class/net"
-          # # "/sys/devices"
-          # "/var/lib/NetworkManager"
-          # "/var/lib/trust-dns"  #< for trust-dns-nmhook
-          #^ works
-
-          # "/dev/net"
-          # "/dev/rfkill"  #< TODO: check if really necessary!
-          # "/proc"  #< TODO: specify this more precisely
-          # "/proc/acpi"
-          # "/proc/asound"
-          # "/proc/bus"
-          # "/proc/cpuinfo"
-          # "/proc/crypto"
-          # "/proc/devices"
-          # "/proc/driver"
-          # "/proc/fs"
-          # "/proc/irq"
-          # "/proc/modules"
-          # "/proc/net"
-          # "/proc/pressure"
          "/proc/net"
          "/proc/sys/net"
-          # "/proc/sysvipc"
-          # "/proc/tty"
          "/run/NetworkManager"
-          # "/run/dbus"
-          # "/run/secrets/net"
          "/run/systemd"  # for trust-dns-nmhook
          "/run/udev"
-          # "/run/wg-home.priv"  #< TODO: move this into /run/secrets?
+          # "/run/wg-home.priv"
          "/sys/class"  #< TODO: specify this more precisely
          "/sys/devices"
          "/var/lib/NetworkManager"
-          # "/var/lib/bluetooth"
-          # "/var/lib/cups"
-          # "/var/lib/etc_secrets"
-          # "/var/lib/machines"
-          # "/var/lib/nixos"
-          # "/var/lib/portables"
-          # "/var/lib/private"
-          # "/var/lib/systemd"  #< rfkill?
          "/var/lib/trust-dns"  #< for trust-dns-nmhook
-          # "/var/lib/udisks2"
        ];

-        # sandbox.whitelistDbus = [ "system" ];
+        sandbox.whitelistDbus = [ "system" ];  #< apparently not actually needed?
      };
    }