users: launch entire systemd --user namespace with cap_net_admin, cap_net_raw
this should make sandboxing wireshark *much* easier, and, in the future, the same for things which require net namespaces
This commit is contained in:
parent
7f002b8718
commit
563a75e9b2
|
@ -53,6 +53,64 @@
|
||||||
|
|
||||||
security.pam.mount.enable = true;
|
security.pam.mount.enable = true;
|
||||||
|
|
||||||
|
# in the future, may add this to sshd/login/sudo
|
||||||
|
# security.pam.services.systemd-user.rules = {
|
||||||
|
# auth.pam_cap = {
|
||||||
|
# order = 11500;
|
||||||
|
# # order = 12500; # before pam_unix but after all the others
|
||||||
|
# control = "required"; # ?
|
||||||
|
# modulePath = "${pkgs.libcap.pam}/lib/security/pam_cap.so";
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
# security.pam.services.greetd.rules = {
|
||||||
|
# auth.pam_cap = {
|
||||||
|
# order = 12500; # before pam_unix but after all the others
|
||||||
|
# control = "required"; # ?
|
||||||
|
# modulePath = "${pkgs.libcap.pam}/lib/security/pam_cap.so";
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
# environment.etc."/security/capability.conf".text = ''
|
||||||
|
# # The pam_cap.so module accepts the following arguments:
|
||||||
|
# #
|
||||||
|
# # debug - be more verbose logging things (unused by pam_cap for now)
|
||||||
|
# # config=<file> - override the default config for the module with file
|
||||||
|
# # keepcaps - workaround for applications that setuid without this
|
||||||
|
# # autoauth - if you want pam_cap.so to always succeed for the auth phase
|
||||||
|
# # default=<iab> - provide a fallback IAB value if there is no '*' rule
|
||||||
|
# #
|
||||||
|
# # format:
|
||||||
|
# # <CAP>[,<CAP>...] USER|@GROUP|*
|
||||||
|
# #
|
||||||
|
# # the part of each line before the delimiter (" \t\n") is parsed with `cap_iab_from_text`.
|
||||||
|
# # so each CAP can be prefixed to indicate which set it applies to:
|
||||||
|
# # [!][^][%]<CAP>
|
||||||
|
# # where ! adds to the NB set
|
||||||
|
# # ^ for AI
|
||||||
|
# # % (or empty) for I
|
||||||
|
|
||||||
|
# ^cap_net_admin,^cap_new_raw colin
|
||||||
|
# # include this `none *` line otherwise non-matching users get maximum inheritable capabilities
|
||||||
|
# none *
|
||||||
|
# '';
|
||||||
|
|
||||||
|
# grant myself extra capabilities so that i can e.g.:
|
||||||
|
# - run wireshark without root/setuid
|
||||||
|
# - (incidentally) create new network devices/routes without root/setuid, which ought to be useful for sandboxing if i deploy that right.
|
||||||
|
# default systemd includes cap_wake_alarm unless we specify our own capabilityAmbientSet; might be helpful for things like rtcwake?
|
||||||
|
#
|
||||||
|
# userName and uid have to be explicitly set here, to pass systemd's sanity checks.
|
||||||
|
# other values like `home`, `shell` can be omitted and systemd will grab those from other sources (/etc/passwd)
|
||||||
|
environment.etc."userdb/colin.user".text = ''
|
||||||
|
{
|
||||||
|
"userName" : "colin",
|
||||||
|
"uid": ${builtins.toString config.users.users.colin.uid},
|
||||||
|
"capabilityAmbientSet": [
|
||||||
|
"cap_net_admin",
|
||||||
|
"cap_net_raw"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
sane.users.colin = {
|
sane.users.colin = {
|
||||||
default = true;
|
default = true;
|
||||||
|
|
||||||
|
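Review bot: The commented-out capability.conf rule `# ^cap_net_admin,^cap_new_raw colin` misspells the second capability; if that block is ever uncommented, libcap's text parser would not recognise `cap_new_raw`, so it should read `# ^cap_net_admin,^cap_net_raw colin`. Separately, the comment above the userdb record only mentions wireshark and sandboxing, but `capabilityAmbientSet` applies to the whole `systemd --user` instance, so every user service and everything it spawns inherits CAP_NET_ADMIN and CAP_NET_RAW; stating that there keeps the blast radius visible to whoever later adds user services, e.g. `# NOTE: these caps reach every systemd --user service for colin, not just wireshark`. Minor style: `"userName" : "colin"` has a space before the colon while `"uid":` does not. The enclosing attribute set starts before the hunk.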
@ -72,6 +130,7 @@
|
||||||
# these are persisted simply to save on RAM.
|
# these are persisted simply to save on RAM.
|
||||||
# ~/.cache/nix can become several GB.
|
# ~/.cache/nix can become several GB.
|
||||||
# fontconfig and mesa_shader_cache are < 10 MB.
|
# fontconfig and mesa_shader_cache are < 10 MB.
|
||||||
|
# TODO: integrate with sane.programs.sandbox?
|
||||||
".cache/fontconfig"
|
".cache/fontconfig"
|
||||||
".cache/mesa_shader_cache"
|
".cache/mesa_shader_cache"
|
||||||
".cache/nix"
|
".cache/nix"
|
||||||
|
|
|
@ -222,7 +222,14 @@ in
|
||||||
sway.gtkgreet = {
|
sway.gtkgreet = {
|
||||||
enable = true;
|
enable = true;
|
||||||
session.name = "sway-on-gtkgreet";
|
session.name = "sway-on-gtkgreet";
|
||||||
session.command = "${cfg.package}/bin/sway";
|
# session.command = "${cfg.package}/bin/sway"; #< works, simplest way to run sway
|
||||||
|
|
||||||
|
# instead, want to run sway as a systemd user service.
|
||||||
|
# this seems silly, but it allows the launched sway to access any linux capabilities which the systemd --user manager is granted.
|
||||||
|
# notably, that means CAP_NET_ADMIN, CAP_NET_RAW; necessary for wireshark.
|
||||||
|
# these capabilities are granted to systemd --user by pam. see the user definition in hosts/common/users/colin.nix for more.
|
||||||
|
# session.command = "${pkgs.systemd}/bin/systemd-run --user --wait --collect --service-type=exec ${cfg.package}/bin/sway"; #< works, but can't launch terminals, etc ("exec: no such file" (sh))
|
||||||
|
session.command = ''${pkgs.systemd}/bin/systemd-run --user --wait --collect --service-type=exec -E "PATH=$PATH" -p AmbientCapabilities="cap_net_admin cap_net_raw" ${cfg.package}/bin/sway'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
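Review bot: The new `session.command` embeds `$PATH` and a double-quoted `AmbientCapabilities` value inside a Nix `''` string, where Nix leaves them untouched, so they only resolve correctly if gtkgreet hands the command to a shell; if it exec()s the argv directly, the service receives the literal `PATH=$PATH` and the quotes become part of the property value — the hunk does not show which applies, so this is worth confirming or documenting next to the line. Also, because `AmbientCapabilities` is set on the unit that runs the entire sway session, every process launched from sway (terminals included) carries CAP_NET_ADMIN and CAP_NET_RAW rather than only wireshark; the comment above hints at this, but a line such as `# NOTE: every child of this sway service inherits these caps; narrow to a per-program unit if that ever matters` would make the trade-off explicit. The surrounding attribute set begins before the hunk.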