modemmanager: minimal (working) sandbox

2024-05-30 18:27:34 +00:00 · 2024-05-30 18:27:34 +00:00 · 820fdecfd5
commit 820fdecfd5
parent 8d43565f31
1 changed files with 28 additions and 17 deletions
--- a/hosts/common/programs/modemmanager.nix
+++ b/hosts/common/programs/modemmanager.nix
@ -6,6 +6,16 @@ in
  sane.programs.modemmanager = {
    # mmcli needs /run/current-system/sw/share/dbus-1 files to function
    enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
+
+    sandbox.method = "landlock";
+    sandbox.wrapperType = "inplace";  #< .pc files, GIR files with absolute paths,
+    sandbox.capabilities = [
+      "net_admin"
+      "net_raw"
+    ];
+    sandbox.extraPaths = lib.warn "TODO: modemmanager: sandbox more aggressively" [
+      "/"
+    ];
  };

  systemd.services.ModemManager = lib.mkIf cfg.enabled {
@ -13,24 +23,25 @@ in
    after = [ "polkit.service" ];
    requires = [ "polkit.service" ];
    wantedBy = [ "network.target" ];
-    serviceConfig = {
-      Type = "dbus";
-      BusName = "org.freedesktop.ModemManager1";
-      # only if started with `--debug` does mmcli let us issue AT commands like
-      # `mmcli --modem any --command=<AT_CMD>`
-      ExecStart = "${cfg.package}/bin/ModemManager --debug";
-      # --debug sets DEBUG level logging: so reset
-      ExecStartPost = "${cfg.package}/bin/mmcli --set-logging=INFO";
+    path = [ "/run/current-system/sw" ];  #< so it can find `sanebox`

-      Restart = "on-abort";
-      StandardError = "null";
-      CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_NET_ADMIN";
-      ProtectSystem = true;
-      ProtectHome = true;
-      PrivateTmp = true;
-      RestrictAddressFamilies = "AF_NETLINK AF_UNIX AF_QIPCRTR";
-      NoNewPrivileges = true;
-    };
+    serviceConfig.Type = "dbus";
+    serviceConfig.BusName = "org.freedesktop.ModemManager1";
+
+    # only if started with `--debug` does mmcli let us issue AT commands like
+    # `mmcli --modem any --command=<AT_CMD>`
+    serviceConfig.ExecStart = "${cfg.package}/bin/ModemManager --debug";
+    # --debug sets DEBUG level logging: so reset
+    serviceConfig.ExecStartPost = "${cfg.package}/bin/mmcli --set-logging=INFO";
+
+    serviceConfig.Restart = "on-abort";
+    serviceConfig.StandardError = "null";
+    serviceConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_NET_ADMIN";
+    serviceConfig.ProtectSystem = true;
+    serviceConfig.ProtectHome = true;
+    serviceConfig.PrivateTmp = true;
+    serviceConfig.RestrictAddressFamilies = "AF_NETLINK AF_UNIX AF_QIPCRTR";
+    serviceConfig.NoNewPrivileges = true;
  };

  # so that ModemManager can discover when the modem appears