iproute2: fix sandboxing (hopefully)

2024-05-24 06:41:01 +00:00 · 2024-05-24 06:41:01 +00:00 · 844a128d60
commit 844a128d60
parent d25fb31767
2 changed files with 6 additions and 4 deletions
--- a/TODO.md
+++ b/TODO.md
@ -5,7 +5,6 @@
  - or try dnsmasq?
 - trust-dns: can't recursively resolve api.mangadex.org
  - and *sometimes* apple.com fails
- sandbox: `ip netns exec ovpns bash`: doesn't work
 - wg-ovpnd-* interfaces don't work, because i use the same keys across all hosts...
  - and if i had them differ and simultaneously online, then i'd exceed the OVPN machine count.
  - i should at least have them be up'd only on-demand.
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@ -569,12 +569,15 @@ in
    ];
    iotop.sandbox.capabilities = [ "net_admin" ];

-    # provides `ip`, `routel`, others
-    iproute2.sandbox.method = "landlock";
+    # provides `ip`, `routel`, `bridge`, others.
+    # landlock works fine for most of these, but `ip netns exec` uses namespaces internally,
+    # and that's incompatible with landlock
+    iproute2.sandbox.method = "bwrap";
    iproute2.sandbox.net = "all";
    iproute2.sandbox.capabilities = [ "net_admin" ];
    iproute2.sandbox.extraPaths = [
-      "/run/netns"  # for `ip netns ...` to work
+      "/run/netns"  # for `ip netns ...` to work, but maybe not needed anymore?
+      "/sys/class/net"  # for `ip netns ...` to work
      "/var/run/netns"
    ];