networkmanager: sandbox

TODO.md

@@ -1,4 +1,5 @@
 ## BUGS
+- moby: landlock sandboxer prints extra garbage when starting (kernel 6.9-specific thing)
 - `rmDbusServices` may break sandboxing
   - e.g. if the package ships a systemd unit which references $out, then make-sandboxed won't properly update that unit.
   - `rmDbusServicesInPlace` is not affected

hosts/common/programs/networkmanager.nix

@@ -14,6 +14,107 @@ in
       sane.programs.networkmanager = {
         suggestedPrograms = [ "wpa_supplicant" ];
         enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
+
+        # TODO: this contains both the NetworkManager service and the NetworkManager-dispatcher service
+        # the latter of which calls a lot of user code.
+        # as a result, this needs all the perms which my hook in modules/services/trust-dns/trust-dns-nmhook needs
+        sandbox.method = "landlock";
+        sandbox.capabilities = [
+          "dac_override"  #< TODO: remove this! it's needed so that trust-dns-nmhook can write to trust-dns's state; instead i should add networkmanager to the trust-dns group.
+          "net_admin"
+          "net_raw"
+          "net_bind_service"  #< TODO: is this needed? why? (DNS?)
+          # "setgid"
+          # "setuid"
+          # "sys_module"  #< TODO: is this needed?
+          "audit_write"  #< allow writing to the audit log
+          # "kill"
+          # "sys_chroot"
+        ];
+        sandbox.extraPaths = [
+          # "/proc"
+          # "/run"
+          # "/sys"
+          # "/var/lib"
+          #^ works
+
+          # "/dev"
+          # "/proc"
+          # "/run"
+          # "/sys"
+          # "/var/lib/NetworkManager"
+          # "/var/lib/trust-dns"  #< for trust-dns-nmhook
+          #^ works
+
+          # # "/dev/net"
+          # # "/dev/rfkill"
+          # # "/proc/sys/net"
+          # "/dev"
+          # "/proc"
+          # "/run/NetworkManager"
+          # "/run/dbus"
+          # "/run/log"
+          # "/run/resolvconf"
+          # "/run/secrets"
+          # "/run/systemd"
+          # "/run/udev"
+          # "/run/user"
+          # "/run/wg-home.priv"
+          # "/var/run/NetworkManager"  #< legacy symlinks, which NM wants to crawl
+          # "/var/run/dbus"
+          # "/var/run/log"
+          # "/var/run/resolvconf"
+          # "/var/run/systemd"
+          # "/var/run/udev"
+          # "/var/run/user"
+          # "/sys"
+          # # "/sys/class/net"
+          # # "/sys/devices"
+          # "/var/lib/NetworkManager"
+          # "/var/lib/trust-dns"  #< for trust-dns-nmhook
+          #^ works
+
+          # "/dev/net"
+          # "/dev/rfkill"  #< TODO: check if really necessary!
+          # "/proc"  #< TODO: specify this more precisely
+          # "/proc/acpi"
+          # "/proc/asound"
+          # "/proc/bus"
+          # "/proc/cpuinfo"
+          # "/proc/crypto"
+          # "/proc/devices"
+          # "/proc/driver"
+          # "/proc/fs"
+          # "/proc/irq"
+          # "/proc/modules"
+          # "/proc/net"
+          # "/proc/pressure"
+          "/proc/net"
+          "/proc/sys/net"
+          # "/proc/sysvipc"
+          # "/proc/tty"
+          "/run/NetworkManager"
+          # "/run/dbus"
+          # "/run/secrets/net"
+          "/run/systemd"  # for trust-dns-nmhook
+          "/run/udev"
+          # "/run/wg-home.priv"  #< TODO: move this into /run/secrets?
+          "/sys/class"  #< TODO: specify this more precisely
+          "/sys/devices"
+          "/var/lib/NetworkManager"
+          # "/var/lib/bluetooth"
+          # "/var/lib/cups"
+          # "/var/lib/etc_secrets"
+          # "/var/lib/machines"
+          # "/var/lib/nixos"
+          # "/var/lib/portables"
+          # "/var/lib/private"
+          # "/var/lib/systemd"  #< rfkill?
+          "/var/lib/trust-dns"  #< for trust-dns-nmhook
+          # "/var/lib/udisks2"
+        ];
+
+        # sandbox.whitelistDbus = [ "system" ];
       };
     }
 
@@ -24,7 +125,11 @@ in
         wantedBy = [ "network.target" ];
         aliases = [ "dbus-org.freedesktop.NetworkManager.service" ];
 
+        path = [ "/run/current-system/sw" ];  #< so it can find `sanebox`
         serviceConfig = {
+          ExecStartPre = [
+            "${pkgs.coreutils}/bin/mkdir -p /run/NetworkManager"
+          ];
           StateDirectory = "NetworkManager";
           StateDirectoryMode = 755; # not sure if this really needs to be 755
         };
@@ -34,11 +139,16 @@ in
 
       systemd.services.NetworkManager-dispatcher = {
         wantedBy = [ "NetworkManager.service" ];
+        path = [ "/run/current-system/sw" ];  #< so it can find `sanebox`
         # to debug, add NM_DISPATCHER_DEBUG_LOG=1
         serviceConfig.ExecStart = [
           ""  # first blank line is to clear the upstream `ExecStart` field.
           "${cfg.package}/libexec/nm-dispatcher --persist"  # --persist is needed for it to actually run as a daemon
         ];
+        serviceConfig.ExecStartPre = [
+          # TODO: establish the trust-dns dependency more idiomatically than this
+          "${pkgs.coreutils}/bin/mkdir -p /var/lib/trust-dns && chown trust-dns:trust-dns /var/lib/trust-dns"
+        ];
         serviceConfig.Restart = "always";
         serviceConfig.RestartSec = "1s";
       };