wpa_supplicant: get it to run under bwrap

2024-05-31 10:18:39 +00:00
parent 214f963d89
commit 9bb6a903bb


@@ -23,11 +23,13 @@ in
rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
''; '';
}); });
sandbox.method = "landlock"; #< 'bwrap' (likely) can't work, because it needs to manipulate net interfaces in the root namespace sandbox.method = "bwrap"; #< landlock works too, even allows us to be a different user than root if we want (bwrap probably requires root)
sandbox.capabilities = [ sandbox.capabilities = [
# see also: <https://github.com/NixOS/nixpkgs/pull/305722> # see also: <https://github.com/NixOS/nixpkgs/pull/305722>
"net_admin" "net_raw" "net_admin" "net_raw"
]; ];
# sandbox.extraConfig = [ "--sanebox-keep-namespace" "all" ];
sandbox.net = "all";
sandbox.extraPaths = [ sandbox.extraPaths = [
"/dev/net" "/dev/net"
"/dev/rfkill" "/dev/rfkill"
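Review bot: The added `sandbox.net = "all";` is presumably what makes bwrap viable here (the old comment on the `sandbox.method` line said bwrap couldn't work because the daemon needs to manipulate interfaces in the root net namespace), but the new comment no longer states that reason, and the commented-out `sandbox.extraConfig = [ "--sanebox-keep-namespace" "all" ];` line is left without any explanation of why it is kept. I would tie the two together on the new line, e.g. `sandbox.net = "all";  # wpa_supplicant must manage interfaces in the host net namespace (alongside net_admin/net_raw above); landlock was the previous method and still works`, and either drop the dead `extraConfig` line or add a short comment stating what it was tried for. The remark "bwrap probably requires root" is hedged; if it is known, say so, and otherwise it is worth recording that the landlock variant could run as a non-root user, which is the smaller privilege footprint of the two. The enclosing attribute set begins before this hunk.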