networkmanager: sandbox
parent
753b97ffb4
commit
7dedfcebb9
1
TODO.md
1
TODO.md
|
@ -1,4 +1,5 @@
|
|||
## BUGS
|
||||
- moby: landlock sandboxer prints extra garbage when starting (kernel 6.9-specific thing)
|
||||
- `rmDbusServices` may break sandboxing
|
||||
- e.g. if the package ships a systemd unit which references $out, then make-sandboxed won't properly update that unit.
|
||||
- `rmDbusServicesInPlace` is not affected
|
||||
|
|
|
@ -14,6 +14,107 @@ in
|
|||
sane.programs.networkmanager = {
|
||||
suggestedPrograms = [ "wpa_supplicant" ];
|
||||
enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
|
||||
|
||||
# TODO: this contains both the NetworkManager service and the NetworkManager-dispatcher service
|
||||
# the latter of which calls a lot of user code.
|
||||
# as a result, this needs all the perms which my hook in modules/services/trust-dns/trust-dns-nmhook needs
|
||||
sandbox.method = "landlock";
|
||||
sandbox.capabilities = [
|
||||
"dac_override" #< TODO: remove this! it's needed so that trust-dns-nmhook can write to trust-dns's state; instead i should add networkmanager to the trust-dns group.
|
||||
"net_admin"
|
||||
"net_raw"
|
||||
"net_bind_service" #< TODO: is this needed? why? (DNS?)
|
||||
# "setgid"
|
||||
# "setuid"
|
||||
# "sys_module" #< TODO: is this needed?
|
||||
"audit_write" #< allow writing to the audit log
|
||||
# "kill"
|
||||
# "sys_chroot"
|
||||
];
|
||||
sandbox.extraPaths = [
|
||||
# "/proc"
|
||||
# "/run"
|
||||
# "/sys"
|
||||
# "/var/lib"
|
||||
#^ works
|
||||
|
||||
# "/dev"
|
||||
# "/proc"
|
||||
# "/run"
|
||||
# "/sys"
|
||||
# "/var/lib/NetworkManager"
|
||||
# "/var/lib/trust-dns" #< for trust-dns-nmhook
|
||||
#^ works
|
||||
|
||||
# # "/dev/net"
|
||||
# # "/dev/rfkill"
|
||||
# # "/proc/sys/net"
|
||||
# "/dev"
|
||||
# "/proc"
|
||||
# "/run/NetworkManager"
|
||||
# "/run/dbus"
|
||||
# "/run/log"
|
||||
# "/run/resolvconf"
|
||||
# "/run/secrets"
|
||||
# "/run/systemd"
|
||||
# "/run/udev"
|
||||
# "/run/user"
|
||||
# "/run/wg-home.priv"
|
||||
# "/var/run/NetworkManager" #< legacy symlinks, which NM wants to crawl
|
||||
# "/var/run/dbus"
|
||||
# "/var/run/log"
|
||||
# "/var/run/resolvconf"
|
||||
# "/var/run/systemd"
|
||||
# "/var/run/udev"
|
||||
# "/var/run/user"
|
||||
# "/sys"
|
||||
# # "/sys/class/net"
|
||||
# # "/sys/devices"
|
||||
# "/var/lib/NetworkManager"
|
||||
# "/var/lib/trust-dns" #< for trust-dns-nmhook
|
||||
#^ works
|
||||
|
||||
# "/dev/net"
|
||||
# "/dev/rfkill" #< TODO: check if really necessary!
|
||||
# "/proc" #< TODO: specify this more precisely
|
||||
# "/proc/acpi"
|
||||
# "/proc/asound"
|
||||
# "/proc/bus"
|
||||
# "/proc/cpuinfo"
|
||||
# "/proc/crypto"
|
||||
# "/proc/devices"
|
||||
# "/proc/driver"
|
||||
# "/proc/fs"
|
||||
# "/proc/irq"
|
||||
# "/proc/modules"
|
||||
# "/proc/net"
|
||||
# "/proc/pressure"
|
||||
"/proc/net"
|
||||
"/proc/sys/net"
|
||||
# "/proc/sysvipc"
|
||||
# "/proc/tty"
|
||||
"/run/NetworkManager"
|
||||
# "/run/dbus"
|
||||
# "/run/secrets/net"
|
||||
"/run/systemd" # for trust-dns-nmhook
|
||||
"/run/udev"
|
||||
# "/run/wg-home.priv" #< TODO: move this into /run/secrets?
|
||||
"/sys/class" #< TODO: specify this more precisely
|
||||
"/sys/devices"
|
||||
"/var/lib/NetworkManager"
|
||||
# "/var/lib/bluetooth"
|
||||
# "/var/lib/cups"
|
||||
# "/var/lib/etc_secrets"
|
||||
# "/var/lib/machines"
|
||||
# "/var/lib/nixos"
|
||||
# "/var/lib/portables"
|
||||
# "/var/lib/private"
|
||||
# "/var/lib/systemd" #< rfkill?
|
||||
"/var/lib/trust-dns" #< for trust-dns-nmhook
|
||||
# "/var/lib/udisks2"
|
||||
];
|
||||
|
||||
# sandbox.whitelistDbus = [ "system" ];
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -24,7 +125,11 @@ in
|
|||
wantedBy = [ "network.target" ];
|
||||
aliases = [ "dbus-org.freedesktop.NetworkManager.service" ];
|
||||
|
||||
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
|
||||
serviceConfig = {
|
||||
ExecStartPre = [
|
||||
"${pkgs.coreutils}/bin/mkdir -p /run/NetworkManager"
|
||||
];
|
||||
StateDirectory = "NetworkManager";
|
||||
StateDirectoryMode = 755; # not sure if this really needs to be 755
|
||||
};
|
||||
|
@ -34,11 +139,16 @@ in
|
|||
|
||||
systemd.services.NetworkManager-dispatcher = {
|
||||
wantedBy = [ "NetworkManager.service" ];
|
||||
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
|
||||
# to debug, add NM_DISPATCHER_DEBUG_LOG=1
|
||||
serviceConfig.ExecStart = [
|
||||
"" # first blank line is to clear the upstream `ExecStart` field.
|
||||
"${cfg.package}/libexec/nm-dispatcher --persist" # --persist is needed for it to actually run as a daemon
|
||||
];
|
||||
serviceConfig.ExecStartPre = [
|
||||
# TODO: establish the trust-dns dependency more idiomatically than this
|
||||
"${pkgs.coreutils}/bin/mkdir -p /var/lib/trust-dns && chown trust-dns:trust-dns /var/lib/trust-dns"
|
||||
];
|
||||
serviceConfig.Restart = "always";
|
||||
serviceConfig.RestartSec = "1s";
|
||||
};
|
||||
|
|
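Review bot: The `serviceConfig.ExecStartPre` entry in the NetworkManager-dispatcher hunk, `mkdir -p /var/lib/trust-dns && chown trust-dns:trust-dns /var/lib/trust-dns`, will not do what it reads as, because systemd does not run `Exec*=` lines through a shell: `&&`, `chown` and `trust-dns:trust-dns` are handed to mkdir as extra arguments, so the ownership change never happens and stray directories with those names are likely created in the unit's working directory. Split it into two absolute-path entries, `"${pkgs.coreutils}/bin/mkdir -p /var/lib/trust-dns"` and `"${pkgs.coreutils}/bin/chown trust-dns:trust-dns /var/lib/trust-dns"`, or wrap the whole command in `${pkgs.bash}/bin/sh -c '...'`; a `systemd.tmpfiles.rules` entry would express the trust-dns ownership more declaratively, which is what the TODO directly above that line already asks for. The `mkdir -p /run/NetworkManager` in the NetworkManager.service hunk is a single command and is not affected. The file header for this section is not visible on the page, so the enclosing attribute set begins outside what is shown.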