wireshark: sandbox with landlock instead of firejail

and remove the SUID wrapper, yay!
2024-01-27 04:44:21 +00:00
parent a66b257644
commit 3e6278fa21


@@ -4,25 +4,63 @@ let
in in
{ {
sane.programs.wireshark = { sane.programs.wireshark = {
sandbox.method = "firejail"; sandbox.method = "landlock";
sandbox.extraConfig = [ # sandbox.extraHomePaths = [
# somehow needs `setpcap` (makes these bounding capabilities also be inherited?) # ".wireshark/config"
# else no interfaces appear on the main page # ];
"--sane-sandbox-firejail-arg" sandbox.extraPaths = [
"--ignore=caps.keep dac_override,dac_read_search,net_admin,net_raw" "/proc/net"
"--sane-sandbox-firejail-arg"
"--caps.keep=dac_override,dac_read_search,net_admin,net_raw,setpcap"
]; ];
fs.".config/wireshark".dir = {};
# sandbox.extraConfig = [
# # "--sane-sandbox-path" "/"
# # "--sane-sandbox-cap" "dac_override"
# # "--sane-sandbox-cap" "dac_read_search"
# "--sane-sandbox-cap" "net_admin"
# "--sane-sandbox-cap" "net_raw"
# # "--sane-sandbox-cap" "setpcap"
# ];
# sandbox.extraPaths = [ "/" ];
# sandbox.method = "firejail";
# sandbox.extraConfig = [
# # somehow needs `setpcap` (makes these bounding capabilities also be inherited?)
# # else no interfaces appear on the main page
# "--sane-sandbox-firejail-arg"
# "--ignore=caps.keep dac_override,dac_read_search,net_admin,net_raw"
# "--sane-sandbox-firejail-arg"
# "--caps.keep=dac_override,dac_read_search,net_admin,net_raw,setpcap"
# ];
slowToBuild = true; slowToBuild = true;
}; };
programs.wireshark = lib.mkIf cfg.enabled { # users.groups.wireshark = {};
# adds a SUID wrapper for wireshark's `dumpcap` program
enable = true; # security.wrappers = lib.mkIf cfg.enabled {
package = cfg.package; # wireshark = {
}; # source = "${cfg.package}/bin/wireshark";
# the SUID wrapper can't also be a firejail (idk why? it might be that the binary's already *too* restricted). # capabilities = "cap_dac_override,cap_dac_read_search,cap_net_raw,cap_net_admin,cap_setpcap+eip"; #< can probably be just `+p`
security.wrappers = lib.mkIf cfg.enabled { # owner = "root";
dumpcap.source = lib.mkForce "${cfg.package}/bin/.dumpcap-sandboxed"; # group = "wireshark";
}; # permissions = "u+rx,g+x";
# };
# dumpcap = {
# source = "${cfg.package}/bin/.dumpcap-sandboxed";
# capabilities = "cap_net_raw,cap_net_admin+eip"; #< can probably be just `+p`
# owner = "root";
# group = "wireshark";
# permissions = "u+rx,g+x";
# };
# };
# programs.wireshark = lib.mkIf cfg.enabled {
# # adds a SUID* wrapper for wireshark's `dumpcap` program
# # *actually a setcap wrapper, which sets CAP_NET_ADMIN, CAP_NET_RAW
# # when executed by a member of the wireshark group.
# enable = true;
# package = cfg.package;
# };
# # the SUID wrapper can't also be a firejail (idk why? it might be that the binary's already *too* restricted).
# security.wrappers = lib.mkIf cfg.enabled {
# dumpcap.source = lib.mkForce "${cfg.package}/bin/.dumpcap-sandboxed";
# };
} }
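Review bot: Nothing active on the new side grants `net_raw`/`net_admin`, because `programs.wireshark`, both `security.wrappers` entries and the `--sane-sandbox-cap` lines are all commented out, so it is not visible here how live capture is meant to get its privileges. If the answer is starting the whole GUI with elevated privileges, that is broader than the dumpcap-only setcap wrapper being removed, since the dissectors that parse untrusted traffic would then run privileged. I would record the intended model in a comment above `sandbox.method`, e.g. `# capture privileges: none granted by this module; live capture needs <mechanism>`. The commented-out alternatives are better deleted than kept, as history preserves them. That applies most to the draft `wireshark = { ... capabilities = "cap_dac_override,cap_dac_read_search,...+eip"; }` wrapper, which would give file-permission-bypass capabilities to the GUI binary if someone later uncomments it.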