networkmanager: fix sandbox to actually work with systemd-resolved

2024-05-29 10:34:24 +00:00 · 2024-05-29 10:34:24 +00:00 · e8dbe0750d
commit e8dbe0750d
parent 1378988f21
2 changed files with 25 additions and 14 deletions
--- a/hosts/common/programs/networkmanager.nix
+++ b/hosts/common/programs/networkmanager.nix
@ -148,20 +148,32 @@ in
      networking.useDHCP = false;
      services.udev.packages = [ cfg.package ];
      security.polkit.enable = lib.mkDefault true;
-      # allow networkmanager unbounded control over modemmanager.
-      # i believe this was sourced from the default nixpkgs config.
-      security.polkit.extraConfig = ''
-        polkit.addRule(function(action, subject) {
-          if (subject.isInGroup("networkmanager")
-            && (
-              action.id.indexOf("org.freedesktop.NetworkManager.") == 0
-              || action.id.indexOf("org.freedesktop.ModemManager")  == 0
-            )
-          ) {
+
+      security.polkit.extraConfig = lib.concatStringsSep "\n" [
+        # allow networkmanager unbounded control over modemmanager.
+        # i believe this was sourced from the default nixpkgs config.
+        ''
+          polkit.addRule(function(action, subject) {
+            if (subject.isInGroup("networkmanager")
+              && (
+                action.id.indexOf("org.freedesktop.NetworkManager.") == 0
+                || action.id.indexOf("org.freedesktop.ModemManager")  == 0
+              )
+            ) {
+                return polkit.Result.YES;
+            }
+          });
+        ''
+        # allow networkmanager to control systemd-resolved,
+        # which it needs to do to apply new DNS settings when using systemd-resolved.
+        ''
+          polkit.addRule(function(action, subject) {
+            if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.resolve1.") == 0) {
              return polkit.Result.YES;
-          }
-        });
-      '';
+            }
+          });
+        ''
+      ];

      users.groups.networkmanager.gid = config.ids.gids.networkmanager;
      users.users.networkmanager = {
--- a/hosts/common/programs/wpa_supplicant.nix
+++ b/hosts/common/programs/wpa_supplicant.nix
@ -23,7 +23,6 @@ in
            rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
          '';
        });
-        # sandbox.enable = false; #< TODO: re-enable
        sandbox.method = "landlock";  #< 'bwrap' (likely) can't work, because it needs to manipulate net interfaces in the root namespace
        sandbox.capabilities = [
          # see also: <https://github.com/NixOS/nixpkgs/pull/305722>