programs: host/iproute2/iw/nettools/wirelesstools: sandbox

2024-02-17 03:05:58 +00:00 · 2024-02-17 03:05:58 +00:00 · 31fa21bd20
commit 31fa21bd20
parent 9510817604
1 changed files with 37 additions and 1 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@ -22,7 +22,7 @@ in
        "iproute2"
        "iputils"
        "nettools"
-        # if config.networking.wireless.enable:
+        # if config.networking.wireless.enable (TODO: don't ship these on desko/servo!)
        "wirelesstools"
        "iw"
      ];
@ -475,6 +475,10 @@ in
    hdparm.sandbox.wrapperType = "wrappedDerivation";
    hdparm.sandbox.autodetectCliPaths = true;

+    host.sandbox.method = "landlock";
+    host.sandbox.wrapperType = "wrappedDerivation";
+    host.sandbox.net = "all";  #< technically, only needs to contact localhost's DNS server
+
    htop.sandbox.method = "landlock";
    htop.sandbox.wrapperType = "wrappedDerivation";
    htop.sandbox.extraPaths = [
@ -510,11 +514,29 @@ in
    ];
    iotop.sandbox.capabilities = [ "net_admin" ];

+    # provides `ip`, `routel`, others
+    iproute2.sandbox.method = "landlock";
+    iproute2.sandbox.wrapperType = "wrappedDerivation";
+    iproute2.sandbox.net = "all";
+    iproute2.sandbox.capabilities = [ "net_admin" ];
+
    iptables.sandbox.method = "landlock";
    iptables.sandbox.wrapperType = "wrappedDerivation";
    iptables.sandbox.net = "all";
    iptables.sandbox.capabilities = [ "net_admin" ];

+    # iputils provides `ping` (and arping, clockdiff, tracepath)
+    # TODO: still being shadowed by non-sandboxed iputils
+    # iputils.sandbox.method = "landlock";
+    # iputils.sandbox.wrapperType = "wrappedDerivation";
+    # iputils.sandbox.net = "all";
+    # iputils.sandbox.capabilities = [ "net_raw" ];
+
+    iw.sandbox.method = "landlock";
+    iw.sandbox.wrapperType = "wrappedDerivation";
+    iw.sandbox.net = "all";
+    iw.sandbox.capabilities = [ "net_admin" ];
+
    # jq.sandbox.autodetectCliPaths = true;  # liable to over-detect

    killall.sandbox.method = "landlock";
@ -594,6 +616,15 @@ in
    nethogs.sandbox.wrapperType = "wrappedDerivation";
    nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ];

+    # provides `arp`, `hostname`, `route`, `ifconfig`
+    nettools.sandbox.method = "landlock";
+    nettools.sandbox.wrapperType = "wrappedDerivation";
+    nettools.sandbox.net = "all";
+    nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];
+    nettools.sandbox.extraPaths = [
+      "/proc"
+    ];
+
    networkmanagerapplet.sandbox.method = "bwrap";
    networkmanagerapplet.sandbox.wrapperType = "wrappedDerivation";
    networkmanagerapplet.sandbox.whitelistWayland = true;
@ -812,6 +843,11 @@ in

    whalebird.persist.byStore.private = [ ".config/Whalebird" ];

+    # provides `iwconfig`, `iwlist`, `iwpriv`, ...
+    wirelesstools.sandbox.method = "landlock";
+    wirelesstools.sandbox.wrapperType = "wrappedDerivation";
+    wirelesstools.sandbox.capabilities = [ "net_admin" ];
+
    wl-clipboard.sandbox.method = "bwrap";
    wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
    wl-clipboard.sandbox.whitelistWayland = true;