From e8846b2d6b3a0e6b801bc7508d9dbcab87519b22 Mon Sep 17 00:00:00 2001
From: Colin
Date: Tue, 28 May 2024 13:34:35 +0000
Subject: [PATCH] wpa_supplicant: sandbox
---
hosts/common/programs/wpa_supplicant.nix | 50 +++++++++++++++++++++---
1 file changed, 45 insertions(+), 5 deletions(-)
diff --git a/hosts/common/programs/wpa_supplicant.nix b/hosts/common/programs/wpa_supplicant.nix
index 47f2ed7a..60a10a06 100644
--- a/hosts/common/programs/wpa_supplicant.nix
+++ b/hosts/common/programs/wpa_supplicant.nix
@@ -1,10 +1,50 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
 cfg = config.sane.programs.wpa_supplicant;
 in
 {
- sane.programs.wpa_supplicant = {};
- services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ];
- # need to be on systemd.packages so we get its service file
- systemd.packages = lib.mkIf cfg.enabled [ cfg.package ];
+ config = lib.mkMerge [
+ {
+ sane.programs.wpa_supplicant = {
+ packageUnwrapped = pkgs.wpa_supplicant.overrideAttrs (upstream: {
+ # nixpkgs wpa_supplicant generates a dbus file which has a path like
+ # /nix/store/abc-wpa_supplicant/nix/store/abc-wpa_supplicant/sbin/...
+ # upstreaming status:
+ postInstall = upstream.postInstall + ''
+ substituteInPlace $out/share/dbus-1/system-services/* --replace-fail \
+ "$out$out" "$out"
+ '';
+ });
+ sandbox.method = "landlock"; #< 'bwrap' (likely) can't work, because it needs to manipulate net interfaces in the root namespace
+ sandbox.capabilities = [
+ # see also:
+ "net_admin" "net_raw"
+ ];
+ sandbox.extraPaths = [
+ "/dev/net"
+ "/dev/rfkill"
+ "/proc/sys/net"
+ "/sys/class/net"
+ "/sys/devices"
+ ];
+ sandbox.whitelistDbus = [ "system" ];
+ };
+ }
+ (lib.mkIf cfg.enabled {
+ services.udev.packages = [ cfg.package ];
+ systemd.packages = [ cfg.package ]; #< needs to be on systemd.packages so we get its service file
+ systemd.services.wpa_supplicant.path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
+ # systemd.services.wpa_supplicant = {
+ # aliases = [ "dbus-fi.w1.wpa_supplicant1.service" ];
+ # before = [ "network.target" ];
+ # wantedBy = [ "network.target" ];
+ # serviceConfig = {
+ # Type = "dbus";
+ # BusName = "fi.w1.wpa_supplicant1";
+ # ExecStart = "${cfg.package}/bin/wpa_supplicant -u";
+ # Restart = "always";
+ # };
+ # };
+ })
+ ];
 }
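Review bot: `"/sys/devices"` in `sandbox.extraPaths` opens the whole sysfs device tree to the daemon, which is far wider than the network-specific entries around it, and the hunk gives no reason for it. If it is listed only because the `/sys/class/net/*` entries are symlinks into `/sys/devices`, record that beside the entry, e.g. `"/sys/devices"  #< /sys/class/net/* are symlinks into this tree`, so the grant can be narrowed or audited later. In the same spirit, `systemd.services.wpa_supplicant.path = [ "/run/current-system/sw" ]` puts the entire system profile on the PATH of a service that keeps `net_admin` and `net_raw` just so it can resolve `sanebox`; listing only the package that provides `sanebox` would be a narrower grant. Since these two capabilities are what the sandbox leaves in place, a one-line comment stating why each is required would help anyone reviewing the confinement.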