iproute2: fix sandboxing (hopefully)
This commit is contained in:
parent
d25fb31767
commit
844a128d60
1
TODO.md
1
TODO.md
|
@ -5,7 +5,6 @@
|
|||
- or try dnsmasq?
|
||||
- trust-dns: can't recursively resolve api.mangadex.org
|
||||
- and *sometimes* apple.com fails
|
||||
- sandbox: `ip netns exec ovpns bash`: doesn't work
|
||||
- wg-ovpnd-* interfaces don't work, because i use the same keys across all hosts...
|
||||
- and if i had them differ and simultaneously online, then i'd exceed the OVPN machine count.
|
||||
- i should at least have them be up'd only on-demand.
|
||||
|
|
|
@ -569,12 +569,15 @@ in
|
|||
];
|
||||
iotop.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
# provides `ip`, `routel`, others
|
||||
iproute2.sandbox.method = "landlock";
|
||||
# provides `ip`, `routel`, `bridge`, others.
|
||||
# landlock works fine for most of these, but `ip netns exec` uses namespaces internally,
|
||||
# and that's incompatible with landlock
|
||||
iproute2.sandbox.method = "bwrap";
|
||||
iproute2.sandbox.net = "all";
|
||||
iproute2.sandbox.capabilities = [ "net_admin" ];
|
||||
iproute2.sandbox.extraPaths = [
|
||||
"/run/netns" # for `ip netns ...` to work
|
||||
"/run/netns" # for `ip netns ...` to work, but maybe not needed anymore?
|
||||
"/sys/class/net" # for `ip netns ...` to work
|
||||
"/var/run/netns"
|
||||
];
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user