networkmanager/wpa_supplicant: switch user back to "networkmanager"
root gives too much power, even with bwrap/namespaces
This commit is contained in:
parent
a1181a10ea
commit
326bf045b0
|
@ -73,8 +73,8 @@ in
|
||||||
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
|
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
|
||||||
serviceConfig.RuntimeDirectory = "NetworkManager"; #< tells systemd to create /run/NetworkManager
|
serviceConfig.RuntimeDirectory = "NetworkManager"; #< tells systemd to create /run/NetworkManager
|
||||||
serviceConfig.StateDirectory = "NetworkManager"; #< tells systemd to create /var/lib/NetworkManager
|
serviceConfig.StateDirectory = "NetworkManager"; #< tells systemd to create /var/lib/NetworkManager
|
||||||
# serviceConfig.User = "networkmanager";
|
serviceConfig.User = "networkmanager";
|
||||||
# serviceConfig.Group = "networkmanager";
|
serviceConfig.Group = "networkmanager";
|
||||||
serviceConfig.AmbientCapabilities = [
|
serviceConfig.AmbientCapabilities = [
|
||||||
# "CAP_DAC_OVERRIDE"
|
# "CAP_DAC_OVERRIDE"
|
||||||
"CAP_NET_ADMIN"
|
"CAP_NET_ADMIN"
|
||||||
|
@ -89,8 +89,8 @@ in
|
||||||
systemd.services.NetworkManager-wait-online = {
|
systemd.services.NetworkManager-wait-online = {
|
||||||
path = [ "/run/current-system/sw" ]; #< so `nm-online` can find `sanebox`
|
path = [ "/run/current-system/sw" ]; #< so `nm-online` can find `sanebox`
|
||||||
wantedBy = [ "network-online.target" ];
|
wantedBy = [ "network-online.target" ];
|
||||||
# serviceConfig.User = "networkmanager";
|
serviceConfig.User = "networkmanager";
|
||||||
# serviceConfig.Group = "networkmanager";
|
serviceConfig.Group = "networkmanager";
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.NetworkManager-dispatcher = {
|
systemd.services.NetworkManager-dispatcher = {
|
||||||
|
@ -104,8 +104,8 @@ in
|
||||||
];
|
];
|
||||||
serviceConfig.Restart = "always";
|
serviceConfig.Restart = "always";
|
||||||
serviceConfig.RestartSec = "1s";
|
serviceConfig.RestartSec = "1s";
|
||||||
# serviceConfig.User = "networkmanager";
|
serviceConfig.User = "networkmanager";
|
||||||
# serviceConfig.Group = "networkmanager";
|
serviceConfig.Group = "networkmanager";
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.etc = {
|
environment.etc = {
|
||||||
|
|
|
@ -27,7 +27,11 @@ in
|
||||||
rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
|
rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
|
||||||
'';
|
'';
|
||||||
});
|
});
|
||||||
sandbox.method = "bwrap"; #< landlock works too, even allows us to be a different user than root if we want (bwrap probably requires root)
|
# bwrap sandboxing works, but requires the real user to be root.
|
||||||
|
# landlock sandboxing works, and allows the real user to be someone else (like `networkmanager`).
|
||||||
|
# non-root is very important, because of how many things in e.g. /dev are r/w based on uid=0.
|
||||||
|
# sandbox.method = "bwrap";
|
||||||
|
sandbox.method = "landlock";
|
||||||
sandbox.capabilities = [
|
sandbox.capabilities = [
|
||||||
# see also: <https://github.com/NixOS/nixpkgs/pull/305722>
|
# see also: <https://github.com/NixOS/nixpkgs/pull/305722>
|
||||||
"net_admin" "net_raw"
|
"net_admin" "net_raw"
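Review bot: The commented-out `# sandbox.method = "bwrap";` line kept above the new `sandbox.method = "landlock";` is dead configuration that the prose comment above it already covers; folding it into that comment (`# bwrap sandboxing works too, but requires the real user to be root, so landlock is used instead`) keeps the block from carrying a second, inactive value of the same option. The comment block would also be more useful if it stated what the switch does not change: the service still receives `"net_admin" "net_raw"` via `sandbox.capabilities` directly below and CAP_NET_ADMIN/CAP_NET_RAW via AmbientCapabilities in the later hunk, so dropping uid 0 narrows device and file access but leaves those network privileges intact. Whether landlock constrains anything beyond filesystem paths here cannot be told from this hunk, so a one-line note such as `# note: the net_admin/net_raw capabilities below are unaffected by the sandbox method` would make the remaining privilege explicit for the next reader. The enclosing attribute set starts and ends outside the hunk.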
|
||||||
|
@ -49,8 +53,8 @@ in
|
||||||
systemd.packages = [ cfg.package ]; #< needs to be on systemd.packages so we get its service file
|
systemd.packages = [ cfg.package ]; #< needs to be on systemd.packages so we get its service file
|
||||||
systemd.services.wpa_supplicant = {
|
systemd.services.wpa_supplicant = {
|
||||||
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
|
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
|
||||||
# serviceConfig.User = "networkmanager";
|
serviceConfig.User = "networkmanager";
|
||||||
# serviceConfig.Group = "networkmanager";
|
serviceConfig.Group = "networkmanager";
|
||||||
serviceConfig.AmbientCapabilities = [
|
serviceConfig.AmbientCapabilities = [
|
||||||
"CAP_NET_ADMIN"
|
"CAP_NET_ADMIN"
|
||||||
"CAP_NET_RAW"
|
"CAP_NET_RAW"
|
||||||
|
|