wpa_supplicant: get it to run under bwrap
@@ -23,11 +23,13 @@ in
|
|||||||
rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
|
rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
|
||||||
'';
|
'';
|
||||||
});
|
});
|
||||||
sandbox.method = "landlock"; #< 'bwrap' (likely) can't work, because it needs to manipulate net interfaces in the root namespace
|
sandbox.method = "bwrap"; #< landlock works too, even allows us to be a different user than root if we want (bwrap probably requires root)
|
||||||
sandbox.capabilities = [
|
sandbox.capabilities = [
|
||||||
# see also: <https://github.com/NixOS/nixpkgs/pull/305722>
|
# see also: <https://github.com/NixOS/nixpkgs/pull/305722>
|
||||||
"net_admin" "net_raw"
|
"net_admin" "net_raw"
|
||||||
];
|
];
|
||||||
|
# sandbox.extraConfig = [ "--sanebox-keep-namespace" "all" ];
|
||||||
|
sandbox.net = "all";
|
||||||
sandbox.extraPaths = [
|
sandbox.extraPaths = [
|
||||||
"/dev/net"
|
"/dev/net"
|
||||||
"/dev/rfkill"
|
"/dev/rfkill"
|
||||||
|
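Review bot: The added `sandbox.net = "all"` has no comment, although with the retained `net_admin` and `net_raw` capabilities it means network isolation is effectively off for this service and the sandbox constrains other resources only; a trailing comment such as `#< needs the host net namespace to manipulate interfaces; no network isolation here` would record that. The rewritten comment on `sandbox.method` says landlock also works and would allow a non-root user, while bwrap "probably requires root", so the change appears to give up the option of dropping root without stating what bwrap gains in return; that reason belongs in the comment. The commented-out `sandbox.extraConfig` line should either be dropped or given a note saying when it is needed. The enclosing attribute set starts and ends outside the hunk.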