sanebox: fix missing dependency on iptables/iproute2
@@ -18,8 +18,10 @@ in
|
|||||||
sane.programs.sanebox = {
|
sane.programs.sanebox = {
|
||||||
packageUnwrapped = (pkgs.sanebox.override {
|
packageUnwrapped = (pkgs.sanebox.override {
|
||||||
bubblewrap = cfg.bubblewrap.package;
|
bubblewrap = cfg.bubblewrap.package;
|
||||||
passt = cfg.passt.package;
|
iproute2 = cfg.iproute2.package;
|
||||||
|
iptables = cfg.iptables.package;
|
||||||
libcap = cfg.libcap.package;
|
libcap = cfg.libcap.package;
|
||||||
|
passt = cfg.passt.package;
|
||||||
landlock-sandboxer = pkgs.landlock-sandboxer.override {
|
landlock-sandboxer = pkgs.landlock-sandboxer.override {
|
||||||
# not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version,
|
# not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version,
|
||||||
# the sandboxer may nag about one or the other wanting to be updated.
|
# the sandboxer may nag about one or the other wanting to be updated.
|
||||||
|
@@ -469,9 +469,9 @@ let
|
|||||||
wrapPkg name config config.packageUnwrapped
|
wrapPkg name config config.packageUnwrapped
|
||||||
;
|
;
|
||||||
suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [
|
suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [
|
||||||
"bubblewrap" "passt"
|
"bubblewrap" "passt" "iproute2" "iptables"
|
||||||
] ++ lib.optionals (config.sandbox.method == "pastaonly") [
|
] ++ lib.optionals (config.sandbox.method == "pastaonly") [
|
||||||
"passt"
|
"passt" "iproute2" "iptables"
|
||||||
] ++ lib.optionals (config.sandbox.method == "capshonly") [
|
] ++ lib.optionals (config.sandbox.method == "capshonly") [
|
||||||
"libcap"
|
"libcap"
|
||||||
];
|
];
|
||||||
|
@@ -2,9 +2,11 @@
|
|||||||
, bash
|
, bash
|
||||||
, bubblewrap
|
, bubblewrap
|
||||||
, coreutils
|
, coreutils
|
||||||
, passt
|
, iproute2
|
||||||
|
, iptables
|
||||||
, landlock-sandboxer
|
, landlock-sandboxer
|
||||||
, libcap
|
, libcap
|
||||||
|
, passt
|
||||||
, substituteAll
|
, substituteAll
|
||||||
, profileDir ? "/share/sanebox/profiles"
|
, profileDir ? "/share/sanebox/profiles"
|
||||||
}:
|
}:
|
||||||
@@ -23,10 +25,13 @@ stdenv.mkDerivation {
|
|||||||
runHook preBuild
|
runHook preBuild
|
||||||
substitute $src sanebox \
|
substitute $src sanebox \
|
||||||
--replace-fail '@bwrap@' '${lib.getExe bubblewrap}' \
|
--replace-fail '@bwrap@' '${lib.getExe bubblewrap}' \
|
||||||
--replace-fail '@landlockSandboxer@' '${lib.getExe landlock-sandboxer}' \
|
|
||||||
--replace-fail '@capsh@' '${lib.getExe' libcap "capsh"}' \
|
--replace-fail '@capsh@' '${lib.getExe' libcap "capsh"}' \
|
||||||
|
--replace-fail '@env@' '${lib.getExe' coreutils "env"}' \
|
||||||
|
--replace-fail '@ip@' '${lib.getExe' iproute2 "ip"}' \
|
||||||
|
--replace-fail '@iptables@' '${lib.getExe' iptables "iptables"}' \
|
||||||
|
--replace-fail '@landlockSandboxer@' '${lib.getExe landlock-sandboxer}' \
|
||||||
--replace-fail '@pasta@' '${lib.getExe' passt "pasta"}' \
|
--replace-fail '@pasta@' '${lib.getExe' passt "pasta"}' \
|
||||||
--replace-fail '@env@' '${lib.getExe' coreutils "env"}'
|
|
||||||
runHook postBuild
|
runHook postBuild
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
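Review bot: After the reorder, the last substitution line `--replace-fail '@pasta@' '${lib.getExe' passt "pasta"}' \` still carries a line-continuation backslash, whereas the line it replaces as the final argument (`'@env@'`) had none. The `substitute` command then seems to be terminated only by the empty line that follows it (inferred from the blank new-side row), so removing that blank line later would silently turn `runHook postBuild` into an argument of `substitute`. Drop the trailing backslash on the `@pasta@` line: `--replace-fail '@pasta@' '${lib.getExe' passt "pasta"}'`.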
@@ -3,10 +3,12 @@
|
|||||||
## BUILD-TIME SUBSTITUTIONS
|
## BUILD-TIME SUBSTITUTIONS
|
||||||
### <bin>_FALLBACK: if `<bin>` isn't on PATH, then use this instead
|
### <bin>_FALLBACK: if `<bin>` isn't on PATH, then use this instead
|
||||||
BWRAP_FALLBACK='@bwrap@'
|
BWRAP_FALLBACK='@bwrap@'
|
||||||
LANDLOCK_SANDBOXER_FALLBACK='@landlockSandboxer@'
|
|
||||||
CAPSH_FALLBACK='@capsh@'
|
CAPSH_FALLBACK='@capsh@'
|
||||||
PASTA_FALLBACK='@pasta@'
|
|
||||||
ENV_FALLBACK='@env@'
|
ENV_FALLBACK='@env@'
|
||||||
|
IP_FALLBACK='@ip@'
|
||||||
|
IPTABLES_FALLBACK='@iptables@'
|
||||||
|
LANDLOCK_SANDBOXER_FALLBACK='@landlockSandboxer@'
|
||||||
|
PASTA_FALLBACK='@pasta@'
|
||||||
|
|
||||||
|
|
||||||
## EARLY DEBUG HOOKS
|
## EARLY DEBUG HOOKS
|
||||||
@@ -888,10 +890,12 @@ pastaonlyIngestDns() {
|
|||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
(*)
|
(*)
|
||||||
|
locate _iptables "iptables" "$IPTABLES_FALLBACK"
|
||||||
|
locate _ip "ip" "$IP_FALLBACK"
|
||||||
# NAT DNS requests to localhost to the VPN's DNS resolver
|
# NAT DNS requests to localhost to the VPN's DNS resolver
|
||||||
# claim the whole 127.0.0.x space, because some setups place the DNS on a different address of localhost.
|
# claim the whole 127.0.0.x space, because some setups place the DNS on a different address of localhost.
|
||||||
pastaNetSetup="iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1-127.0.0.255 -j DNAT --to-destination $1:53; $pastaNetSetup"
|
pastaNetSetup="$_iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1-127.0.0.255 -j DNAT --to-destination $1:53; $pastaNetSetup"
|
||||||
pastaNetSetup="ip addr del 127.0.0.1/8 dev lo; $pastaNetSetup"
|
pastaNetSetup="$_ip addr del 127.0.0.1/8 dev lo; $pastaNetSetup"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
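Review bot: The located binaries `$_iptables` and `$_ip` are spliced unquoted into the `pastaNetSetup` string in the two assignments at the end of the `(*)` case, together with the resolver address `$1`, which is not checked before it lands in the `-j DNAT --to-destination $1:53` argument. If that string is later word-split or evaluated by a shell (how `pastaNetSetup` is consumed and how `locate` resolves the fallback are outside the hunk), a path containing whitespace breaks the command, and an unexpected value of `$1` would be interpreted as iptables arguments rather than an address. Consider rejecting anything but a dotted-quad before these lines, e.g. `case "$1" in (''|*[!0-9.]*) return 1 ;; esac`, and quoting the binaries, e.g. `pastaNetSetup="\"$_iptables\" -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1-127.0.0.255 -j DNAT --to-destination $1:53; $pastaNetSetup"`. The enclosing `pastaonlyIngestDns` function starts outside the hunk.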