networkmanager/wpa_supplicant: switch user back to "networkmanager"
root gives too much power, even with bwrap/namespaces
parent
a1181a10ea
commit
326bf045b0
@ -73,8 +73,8 @@ in
|
|||
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
|
||||
serviceConfig.RuntimeDirectory = "NetworkManager"; #< tells systemd to create /run/NetworkManager
|
||||
serviceConfig.StateDirectory = "NetworkManager"; #< tells systemd to create /var/lib/NetworkManager
|
||||
# serviceConfig.User = "networkmanager";
|
||||
# serviceConfig.Group = "networkmanager";
|
||||
serviceConfig.User = "networkmanager";
|
||||
serviceConfig.Group = "networkmanager";
|
||||
serviceConfig.AmbientCapabilities = [
|
||||
# "CAP_DAC_OVERRIDE"
|
||||
"CAP_NET_ADMIN"
|
||||
|
@ -89,8 +89,8 @@ in
|
|||
systemd.services.NetworkManager-wait-online = {
|
||||
path = [ "/run/current-system/sw" ]; #< so `nm-online` can find `sanebox`
|
||||
wantedBy = [ "network-online.target" ];
|
||||
# serviceConfig.User = "networkmanager";
|
||||
# serviceConfig.Group = "networkmanager";
|
||||
serviceConfig.User = "networkmanager";
|
||||
serviceConfig.Group = "networkmanager";
|
||||
};
|
||||
|
||||
systemd.services.NetworkManager-dispatcher = {
|
||||
|
@ -104,8 +104,8 @@ in
|
|||
];
|
||||
serviceConfig.Restart = "always";
|
||||
serviceConfig.RestartSec = "1s";
|
||||
# serviceConfig.User = "networkmanager";
|
||||
# serviceConfig.Group = "networkmanager";
|
||||
serviceConfig.User = "networkmanager";
|
||||
serviceConfig.Group = "networkmanager";
|
||||
};
|
||||
|
||||
environment.etc = {
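Review bot: The `AmbientCapabilities` list in the first hunk (`@ -73,8 +73,8`) hands CAP_NET_ADMIN not only to the daemon but to every process it execs, because the ambient set survives execve for an unprivileged uid — any helper NetworkManager spawns runs with it as well. Pairing it with `serviceConfig.CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];` bounds what the daemon or any descendant can ever hold, which is the guarantee the move off root is after; CAP_NET_ADMIN alone still controls the whole host network stack, so a one-line comment saying that is the accepted residual would help the next reader. The commented-out `"CAP_DAC_OVERRIDE"` should stay out: it would let the networkmanager uid read any root-owned file and undo most of the benefit of `User=networkmanager`. With the daemon no longer root, the connection profiles and the contents of /var/lib/NetworkManager now have to be readable by that uid — confirm they end up owned by networkmanager with mode 0600 rather than being loosened for everyone (how they are provisioned is not visible in this diff). The NetworkManager-dispatcher unit also drops to networkmanager with no capabilities, so any dispatcher script that relied on root will now fail rather than being sandboxed; that is presumably intended but is worth a comment on that hunk.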
|
||||
|
|
|
@ -27,7 +27,11 @@ in
|
|||
rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
|
||||
'';
|
||||
});
|
||||
sandbox.method = "bwrap"; #< landlock works too, even allows us to be a different user than root if we want (bwrap probably requires root)
|
||||
# bwrap sandboxing works, but requires the real user to be root.
|
||||
# landlock sandboxing works, and allows the real user to be someone else (like `networkmanager`).
|
||||
# non-root is very important, because of how many things in e.g. /dev are r/w based on uid=0.
|
||||
# sandbox.method = "bwrap";
|
||||
sandbox.method = "landlock";
|
||||
sandbox.capabilities = [
|
||||
# see also: <https://github.com/NixOS/nixpkgs/pull/305722>
|
||||
"net_admin" "net_raw"
|
||||
|
@ -49,8 +53,8 @@ in
|
|||
systemd.packages = [ cfg.package ]; #< needs to be on systemd.packages so we get its service file
|
||||
systemd.services.wpa_supplicant = {
|
||||
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
|
||||
# serviceConfig.User = "networkmanager";
|
||||
# serviceConfig.Group = "networkmanager";
|
||||
serviceConfig.User = "networkmanager";
|
||||
serviceConfig.Group = "networkmanager";
|
||||
serviceConfig.AmbientCapabilities = [
|
||||
"CAP_NET_ADMIN"
|
||||
"CAP_NET_RAW"
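Review bot: With `serviceConfig.User = "networkmanager"` on the wpa_supplicant unit, the daemon still has to own `fi.w1.wpa_supplicant1` on the system bus, and wpa_supplicant's stock D-Bus policy grants `own` of that name to root only — unless the sandbox tooling or the nixpkgs PR cited at `# see also: <https://github.com/NixOS/nixpkgs/pull/305722>` ships a policy for the networkmanager user, the service will start but NetworkManager will not be able to reach it (the D-Bus config is not visible from this diff, and the same check applies to `org.freedesktop.NetworkManager` for the NetworkManager unit). The `sandbox.capabilities` list and the `AmbientCapabilities` list must agree (`net_admin`/`net_raw` vs `CAP_NET_ADMIN`/`CAP_NET_RAW`); they do here, but a comment such as `# must match sandbox.capabilities above` on the AmbientCapabilities line would keep them from drifting. The new comment block explaining bwrap vs landlock is useful; it is worth adding that landlock is largely a filesystem sandbox, so the network-facing surface of wpa_supplicant is bounded only by these two capabilities, and `CapabilityBoundingSet` should be set to the same pair so the ambient grant is also the ceiling. The `systemd.services.wpa_supplicant` attrset continues past the end of the hunk.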
|
||||
|
|