networkmanager: run all services as root instead of networkmanager user
i believe this may allow using bwrap instead of landlock
This commit is contained in:
parent
c7eb4b66a5
commit
214f963d89
|
@ -13,10 +13,10 @@ in
|
|||
{
|
||||
sane.programs.networkmanager = {
|
||||
packageUnwrapped = pkgs.networkmanager.overrideAttrs (upstream: {
|
||||
postPatch = (upstream.postPatch or "") + ''
|
||||
substituteInPlace src/{core/org.freedesktop.NetworkManager,nm-dispatcher/nm-dispatcher}.conf --replace-fail \
|
||||
'user="root"' 'user="networkmanager"'
|
||||
'';
|
||||
# postPatch = (upstream.postPatch or "") + ''
|
||||
# substituteInPlace src/{core/org.freedesktop.NetworkManager,nm-dispatcher/nm-dispatcher}.conf --replace-fail \
|
||||
# 'user="root"' 'user="networkmanager"'
|
||||
# '';
|
||||
# remove unused services to prevent any unexpected interactions
|
||||
postFixup = (upstream.postFixup or "") + ''
|
||||
rm $out/etc/systemd/system/{nm-cloud-setup.service,nm-cloud-setup.timer,nm-priv-helper.service}
|
||||
|
@ -66,8 +66,8 @@ in
|
|||
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
|
||||
serviceConfig.RuntimeDirectory = "NetworkManager"; #< tells systemd to create /run/NetworkManager
|
||||
serviceConfig.StateDirectory = "NetworkManager"; #< tells systemd to create /var/lib/NetworkManager
|
||||
serviceConfig.User = "networkmanager";
|
||||
serviceConfig.Group = "networkmanager";
|
||||
# serviceConfig.User = "networkmanager";
|
||||
# serviceConfig.Group = "networkmanager";
|
||||
serviceConfig.AmbientCapabilities = [
|
||||
# "CAP_DAC_OVERRIDE"
|
||||
"CAP_NET_ADMIN"
|
||||
|
@ -82,8 +82,8 @@ in
|
|||
systemd.services.NetworkManager-wait-online = {
|
||||
path = [ "/run/current-system/sw" ]; #< so `nm-online` can find `sanebox`
|
||||
wantedBy = [ "network-online.target" ];
|
||||
serviceConfig.User = "networkmanager";
|
||||
serviceConfig.Group = "networkmanager";
|
||||
# serviceConfig.User = "networkmanager";
|
||||
# serviceConfig.Group = "networkmanager";
|
||||
};
|
||||
|
||||
systemd.services.NetworkManager-dispatcher = {
|
||||
|
@ -97,8 +97,8 @@ in
|
|||
];
|
||||
serviceConfig.Restart = "always";
|
||||
serviceConfig.RestartSec = "1s";
|
||||
serviceConfig.User = "networkmanager";
|
||||
serviceConfig.Group = "networkmanager";
|
||||
# serviceConfig.User = "networkmanager";
|
||||
# serviceConfig.Group = "networkmanager";
|
||||
};
|
||||
|
||||
environment.etc = {
|
||||
|
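Review bot: With `serviceConfig.User`/`Group` commented out, the NetworkManager unit now runs as root, so the `serviceConfig.AmbientCapabilities` list immediately below it no longer bounds anything — a root process starts with the full capability set whatever is listed there, and the commented-out `CAP_DAC_OVERRIDE` entry becomes moot for the same reason. If least privilege is still the intent while bwrap is evaluated, mirror that list into a ceiling the process cannot exceed, e.g. `serviceConfig.CapabilityBoundingSet = [ "CAP_NET_ADMIN" ... ];` (the capability list continues past the end of the hunk, so complete it from the file); the wpa_supplicant unit in the second file has the same shape and the same gap. The commented-out `User`/`Group` pairs here and in the `NetworkManager-wait-online` and `NetworkManager-dispatcher` hunks, and the commented-out dbus `postPatch` in the first hunk, read as dead code with no stated reason; either drop them or replace each pair with a one-line comment carrying the rationale from the commit description, e.g. `# runs as root for now: trying bwrap instead of landlock (see commit 214f963d89)`. The `NetworkManager-dispatcher` definition begins before its hunk, so its remaining settings were not reviewed.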
|
|
@ -7,10 +7,10 @@ in
|
|||
{
|
||||
sane.programs.wpa_supplicant = {
|
||||
packageUnwrapped = pkgs.wpa_supplicant.overrideAttrs (upstream: {
|
||||
postPatch = (upstream.postPatch or "") + ''
|
||||
substituteInPlace wpa_supplicant/dbus/dbus-wpa_supplicant.conf --replace-fail \
|
||||
'user="root"' 'user="networkmanager"'
|
||||
'';
|
||||
# postPatch = (upstream.postPatch or "") + ''
|
||||
# substituteInPlace wpa_supplicant/dbus/dbus-wpa_supplicant.conf --replace-fail \
|
||||
# 'user="root"' 'user="networkmanager"'
|
||||
# '';
|
||||
# nixpkgs wpa_supplicant generates a dbus file which has a path like
|
||||
# /nix/store/abc-wpa_supplicant/nix/store/abc-wpa_supplicant/sbin/...
|
||||
# upstreaming status: <https://github.com/NixOS/nixpkgs/pull/315346>
|
||||
|
@ -43,8 +43,8 @@ in
|
|||
systemd.packages = [ cfg.package ]; #< needs to be on systemd.packages so we get its service file
|
||||
systemd.services.wpa_supplicant = {
|
||||
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
|
||||
serviceConfig.User = "networkmanager";
|
||||
serviceConfig.Group = "networkmanager";
|
||||
# serviceConfig.User = "networkmanager";
|
||||
# serviceConfig.Group = "networkmanager";
|
||||
serviceConfig.AmbientCapabilities = [
|
||||
"CAP_NET_ADMIN"
|
||||
"CAP_NET_RAW"
|
||||
|
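Review bot: The commented-out dbus `postPatch` block is placed directly above the existing comment about the nixpkgs-generated dbus path and its upstreaming status, so a reader can no longer tell whether that comment and the PR link describe the dead block or the `postPatch` that follows it. Either remove the commented-out lines or separate them from the live comment with a blank line and a short marker such as `# disabled: service now runs as root, so the dbus policy needs no user rewrite`. The same root-versus-`AmbientCapabilities` concern raised on the NetworkManager unit applies to the `systemd.services.wpa_supplicant` hunk, whose capability list continues outside the hunk.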
|