networkmanager/wpa_supplicant: switch user back to "networkmanager"

root gives too much power, even with bwrap/namespaces
This commit is contained in:
Colin 2024-05-31 20:48:20 +00:00
parent a1181a10ea
commit 326bf045b0
2 changed files with 13 additions and 9 deletions


@ -73,8 +73,8 @@ in
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
serviceConfig.RuntimeDirectory = "NetworkManager"; #< tells systemd to create /run/NetworkManager
serviceConfig.StateDirectory = "NetworkManager"; #< tells systemd to create /var/lib/NetworkManager
# serviceConfig.User = "networkmanager";
# serviceConfig.Group = "networkmanager";
serviceConfig.User = "networkmanager";
serviceConfig.Group = "networkmanager";
serviceConfig.AmbientCapabilities = [
# "CAP_DAC_OVERRIDE"
"CAP_NET_ADMIN"
@ -89,8 +89,8 @@ in
systemd.services.NetworkManager-wait-online = {
path = [ "/run/current-system/sw" ]; #< so `nm-online` can find `sanebox`
wantedBy = [ "network-online.target" ];
# serviceConfig.User = "networkmanager";
# serviceConfig.Group = "networkmanager";
serviceConfig.User = "networkmanager";
serviceConfig.Group = "networkmanager";
};
systemd.services.NetworkManager-dispatcher = {
@ -104,8 +104,8 @@ in
];
serviceConfig.Restart = "always";
serviceConfig.RestartSec = "1s";
# serviceConfig.User = "networkmanager";
# serviceConfig.Group = "networkmanager";
serviceConfig.User = "networkmanager";
serviceConfig.Group = "networkmanager";
};
environment.etc = {
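Review bot: The three `serviceConfig.User = "networkmanager"` lines (first hunk at the AmbientCapabilities block, and the `-wait-online` and `-dispatcher` hunks) carry no comment saying why the services are unprivileged, unlike the wpa_supplicant module which documents its non-root rationale; a reader without the commit message will see a commented-out `CAP_DAC_OVERRIDE` next to a live `CAP_NET_ADMIN` and not know whether the omission is deliberate. I'd annotate the first one as `serviceConfig.User = "networkmanager"; #< unprivileged: everything NetworkManager may do beyond uid-networkmanager must be listed in AmbientCapabilities below` and give the `# "CAP_DAC_OVERRIDE"` line a one-phrase reason for being disabled. The `-wait-online` and `-dispatcher` hunks show no AmbientCapabilities at all, so those units presumably run with none; if any dispatcher script expects root (e.g. writes to files owned by uid 0), that would now fail silently inside the dispatcher, which is worth a note on that unit. The enclosing `systemd.services.NetworkManager` attribute set starts outside the first hunk, and `NetworkManager-dispatcher` runs past the third.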


@ -27,7 +27,11 @@ in
rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
'';
});
sandbox.method = "bwrap"; #< landlock works too, even allows us to be a different user than root if we want (bwrap probably requires root)
# bwrap sandboxing works, but requires the real user to be root.
# landlock sandboxing works, and allows the real user to be someone else (like `networkmanager`).
# non-root is very important, because of how many things in e.g. /dev are r/w based on uid=0.
# sandbox.method = "bwrap";
sandbox.method = "landlock";
sandbox.capabilities = [
# see also: <https://github.com/NixOS/nixpkgs/pull/305722>
"net_admin" "net_raw"
@ -49,8 +53,8 @@ in
systemd.packages = [ cfg.package ]; #< needs to be on systemd.packages so we get its service file
systemd.services.wpa_supplicant = {
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
# serviceConfig.User = "networkmanager";
# serviceConfig.Group = "networkmanager";
serviceConfig.User = "networkmanager";
serviceConfig.Group = "networkmanager";
serviceConfig.AmbientCapabilities = [
"CAP_NET_ADMIN"
"CAP_NET_RAW"
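Review bot: The capability set is now declared twice with no cross-reference: `sandbox.capabilities = [ "net_admin" "net_raw" ]` in the first hunk and `serviceConfig.AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" ]` in the second, and with `User = "networkmanager"` the ambient list is the only source of those privileges, so a future edit to one list but not the other would presumably leave the sandboxed process either unable to configure the interface or holding a capability the sandbox declaration no longer mentions. I'd mark the dependency on the systemd side, `serviceConfig.AmbientCapabilities = [ #< keep in sync with sandbox.capabilities above; as a non-root user the service has no other way to obtain these`. Also, the commented-out `# sandbox.method = "bwrap";` line restates what the two comment lines directly above it already explain and is dead config; dropping it would make the remaining comment the single place that records the trade-off. The `sandbox.*` attributes belong to a definition that begins outside the first hunk, and the AmbientCapabilities list continues past the end of the second.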