modemmanager: minimal (working) sandbox

Colin 2024-05-30 18:27:34 +00:00
parent 8d43565f31
commit 820fdecfd5


@ -6,6 +6,16 @@ in
sane.programs.modemmanager = { sane.programs.modemmanager = {
# mmcli needs /run/current-system/sw/share/dbus-1 files to function # mmcli needs /run/current-system/sw/share/dbus-1 files to function
enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true; enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
sandbox.method = "landlock";
sandbox.wrapperType = "inplace"; #< .pc files, GIR files with absolute paths,
sandbox.capabilities = [
"net_admin"
"net_raw"
];
sandbox.extraPaths = lib.warn "TODO: modemmanager: sandbox more aggressively" [
"/"
];
}; };
systemd.services.ModemManager = lib.mkIf cfg.enabled { systemd.services.ModemManager = lib.mkIf cfg.enabled {
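Review bot: The `sandbox.extraPaths` entry `"/"` hands the landlock sandbox the whole filesystem tree, so the new confinement is nominal on the filesystem side and the commit's real effect is limited to the capability list; the `lib.warn` admits this, but the TODO would be more useful if it named what ModemManager is believed to need (presumably modem device nodes under `/dev`, the D-Bus socket under `/run/dbus`, and udev state under `/sys` — to be confirmed) so the next pass has a concrete allow-list to start from. The `sandbox.capabilities` list requests `net_raw`, yet the unit's `CapabilityBoundingSet` (visible further down in this commit) stays `CAP_SYS_ADMIN CAP_NET_ADMIN`, so the service can never hold CAP_NET_RAW regardless of what the wrapper asks for; either add `CAP_NET_RAW` to the bounding set or drop `net_raw` here, and with `NoNewPrivileges = true` in place the sandbox also cannot regain anything the bounding set removes. While touching that line, `CAP_SYS_ADMIN` is a near-root capability and is worth a comment stating why ModemManager still needs it, e.g. `# CAP_SYS_ADMIN: <reason> — TODO verify and drop if unused`. The trailing comment on `sandbox.wrapperType` ends mid-sentence (`#< .pc files, GIR files with absolute paths,`) and should be completed, e.g. `# ... with absolute paths mean the package cannot be relocated, so wrap in place`.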
@ -13,24 +23,25 @@ in
after = [ "polkit.service" ]; after = [ "polkit.service" ];
requires = [ "polkit.service" ]; requires = [ "polkit.service" ];
wantedBy = [ "network.target" ]; wantedBy = [ "network.target" ];
serviceConfig = { path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
Type = "dbus";
BusName = "org.freedesktop.ModemManager1"; serviceConfig.Type = "dbus";
serviceConfig.BusName = "org.freedesktop.ModemManager1";
# only if started with `--debug` does mmcli let us issue AT commands like # only if started with `--debug` does mmcli let us issue AT commands like
# `mmcli --modem any --command=<AT_CMD>` # `mmcli --modem any --command=<AT_CMD>`
ExecStart = "${cfg.package}/bin/ModemManager --debug"; serviceConfig.ExecStart = "${cfg.package}/bin/ModemManager --debug";
# --debug sets DEBUG level logging: so reset # --debug sets DEBUG level logging: so reset
ExecStartPost = "${cfg.package}/bin/mmcli --set-logging=INFO"; serviceConfig.ExecStartPost = "${cfg.package}/bin/mmcli --set-logging=INFO";
Restart = "on-abort"; serviceConfig.Restart = "on-abort";
StandardError = "null"; serviceConfig.StandardError = "null";
CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_NET_ADMIN"; serviceConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_NET_ADMIN";
ProtectSystem = true; serviceConfig.ProtectSystem = true;
ProtectHome = true; serviceConfig.ProtectHome = true;
PrivateTmp = true; serviceConfig.PrivateTmp = true;
RestrictAddressFamilies = "AF_NETLINK AF_UNIX AF_QIPCRTR"; serviceConfig.RestrictAddressFamilies = "AF_NETLINK AF_UNIX AF_QIPCRTR";
NoNewPrivileges = true; serviceConfig.NoNewPrivileges = true;
};
}; };
# so that ModemManager can discover when the modem appears # so that ModemManager can discover when the modem appears