wpa_supplicant: get it to run under bwrap

2024-05-31 10:18:39 +00:00 · 2024-05-31 10:18:39 +00:00 · 9bb6a903bb
commit 9bb6a903bb
parent 214f963d89
1 changed files with 3 additions and 1 deletions
--- a/hosts/common/programs/wpa_supplicant.nix
+++ b/hosts/common/programs/wpa_supplicant.nix
@ -23,11 +23,13 @@ in
            rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
          '';
        });
-        sandbox.method = "landlock";  #< 'bwrap' (likely) can't work, because it needs to manipulate net interfaces in the root namespace
+        sandbox.method = "bwrap";  #< landlock works too, even allows us to be a different user than root if we want (bwrap probably requires root)
        sandbox.capabilities = [
          # see also: <https://github.com/NixOS/nixpkgs/pull/305722>
          "net_admin" "net_raw"
        ];
+        # sandbox.extraConfig = [ "--sanebox-keep-namespace" "all" ];
+        sandbox.net = "all";
        sandbox.extraPaths = [
          "/dev/net"
          "/dev/rfkill"