networkmanager: fix sandbox to actually work with systemd-resolved
parent
1378988f21
commit
e8dbe0750d
|
@ -148,20 +148,32 @@ in
|
||||||
networking.useDHCP = false;
|
networking.useDHCP = false;
|
||||||
services.udev.packages = [ cfg.package ];
|
services.udev.packages = [ cfg.package ];
|
||||||
security.polkit.enable = lib.mkDefault true;
|
security.polkit.enable = lib.mkDefault true;
|
||||||
# allow networkmanager unbounded control over modemmanager.
|
|
||||||
# i believe this was sourced from the default nixpkgs config.
|
security.polkit.extraConfig = lib.concatStringsSep "\n" [
|
||||||
security.polkit.extraConfig = ''
|
# allow networkmanager unbounded control over modemmanager.
|
||||||
polkit.addRule(function(action, subject) {
|
# i believe this was sourced from the default nixpkgs config.
|
||||||
if (subject.isInGroup("networkmanager")
|
''
|
||||||
&& (
|
polkit.addRule(function(action, subject) {
|
||||||
action.id.indexOf("org.freedesktop.NetworkManager.") == 0
|
if (subject.isInGroup("networkmanager")
|
||||||
|| action.id.indexOf("org.freedesktop.ModemManager") == 0
|
&& (
|
||||||
)
|
action.id.indexOf("org.freedesktop.NetworkManager.") == 0
|
||||||
) {
|
|| action.id.indexOf("org.freedesktop.ModemManager") == 0
|
||||||
|
)
|
||||||
|
) {
|
||||||
|
return polkit.Result.YES;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
''
|
||||||
|
# allow networkmanager to control systemd-resolved,
|
||||||
|
# which it needs to do to apply new DNS settings when using systemd-resolved.
|
||||||
|
''
|
||||||
|
polkit.addRule(function(action, subject) {
|
||||||
|
if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.resolve1.") == 0) {
|
||||||
return polkit.Result.YES;
|
return polkit.Result.YES;
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
'';
|
''
|
||||||
|
];
|
||||||
|
|
||||||
users.groups.networkmanager.gid = config.ids.gids.networkmanager;
|
users.groups.networkmanager.gid = config.ids.gids.networkmanager;
|
||||||
users.users.networkmanager = {
|
users.users.networkmanager = {
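Review bot: The new resolve1 rule (the `if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.resolve1.") == 0)` line) authorizes every process of every account in the `networkmanager` group, not just the daemon, for the whole `org.freedesktop.resolve1.*` action space, which covers per-link DNS configuration (set-dns-servers and friends) on any interface; that is a wider trust grant than the comment "allow networkmanager to control systemd-resolved" suggests. If the sandboxed daemon presents the `networkmanager` uid to polkit (the hunk defines `users.users.networkmanager` just below, but I can't tell from it what uid the landlock-sandboxed service actually runs as), matching on the subject's user keeps the grant to the service itself: `if (subject.user == "networkmanager" && action.id.indexOf("org.freedesktop.resolve1.") == 0) {`. If interactive users are meant to stay in the group, the alternative is to list only the resolve1 actions NetworkManager needs instead of the whole prefix, and to state in the comment that the rule deliberately extends to group members. The enclosing attribute set starts and ends outside the hunk.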
|
||||||
|
|
|
@ -23,7 +23,6 @@ in
|
||||||
rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
|
rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
|
||||||
'';
|
'';
|
||||||
});
|
});
|
||||||
# sandbox.enable = false; #< TODO: re-enable
|
|
||||||
sandbox.method = "landlock"; #< 'bwrap' (likely) can't work, because it needs to manipulate net interfaces in the root namespace
|
sandbox.method = "landlock"; #< 'bwrap' (likely) can't work, because it needs to manipulate net interfaces in the root namespace
|
||||||
sandbox.capabilities = [
|
sandbox.capabilities = [
|
||||||
# see also: <https://github.com/NixOS/nixpkgs/pull/305722>
|
# see also: <https://github.com/NixOS/nixpkgs/pull/305722>
|
||||||
|
|