networkmanager: fix sandbox to actually work with systemd-resolved

This commit is contained in:
Colin 2024-05-29 10:34:24 +00:00
parent 1378988f21
commit e8dbe0750d
2 changed files with 25 additions and 14 deletions


@ -148,20 +148,32 @@ in
networking.useDHCP = false; networking.useDHCP = false;
services.udev.packages = [ cfg.package ]; services.udev.packages = [ cfg.package ];
security.polkit.enable = lib.mkDefault true; security.polkit.enable = lib.mkDefault true;
# allow networkmanager unbounded control over modemmanager.
# i believe this was sourced from the default nixpkgs config. security.polkit.extraConfig = lib.concatStringsSep "\n" [
security.polkit.extraConfig = '' # allow networkmanager unbounded control over modemmanager.
polkit.addRule(function(action, subject) { # i believe this was sourced from the default nixpkgs config.
if (subject.isInGroup("networkmanager") ''
&& ( polkit.addRule(function(action, subject) {
action.id.indexOf("org.freedesktop.NetworkManager.") == 0 if (subject.isInGroup("networkmanager")
|| action.id.indexOf("org.freedesktop.ModemManager") == 0 && (
) action.id.indexOf("org.freedesktop.NetworkManager.") == 0
) { || action.id.indexOf("org.freedesktop.ModemManager") == 0
)
) {
return polkit.Result.YES;
}
});
''
# allow networkmanager to control systemd-resolved,
# which it needs to do to apply new DNS settings when using systemd-resolved.
''
polkit.addRule(function(action, subject) {
if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.resolve1.") == 0) {
return polkit.Result.YES; return polkit.Result.YES;
} }
}); });
''; ''
];
users.groups.networkmanager.gid = config.ids.gids.networkmanager; users.groups.networkmanager.gid = config.ids.gids.networkmanager;
users.users.networkmanager = { users.users.networkmanager = {
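Review bot: The new resolve1 rule added in the second polkit.addRule block grants every action under the `org.freedesktop.resolve1.` prefix to every member of the networkmanager group, which is broader than the "apply new DNS settings" purpose the comment above it states: prefix matching also covers resolved's revert, DNSSEC/DNS-over-TLS and service-registration actions, and group matching extends the grant from the daemon to any interactive user placed in the group for nmcli, who can then reconfigure resolved on any link via resolvectl. If the sandboxed daemon runs as the dedicated networkmanager user declared on the last line of the hunk, consider keying the rule on `subject.user == "networkmanager"` instead of the group, and/or enumerating the action ids NetworkManager actually needs (e.g. `org.freedesktop.resolve1.set-dns-servers`, `org.freedesktop.resolve1.set-domains`) rather than the whole prefix. Whichever scope is kept, the comment should say that the prefix and group form was chosen deliberately and why, so a later reader does not narrow it and break DNS updates. The enclosing attribute set starts and ends outside the hunk.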


@ -23,7 +23,6 @@ in
rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
''; '';
}); });
# sandbox.enable = false; #< TODO: re-enable
sandbox.method = "landlock"; #< 'bwrap' (likely) can't work, because it needs to manipulate net interfaces in the root namespace sandbox.method = "landlock"; #< 'bwrap' (likely) can't work, because it needs to manipulate net interfaces in the root namespace
sandbox.capabilities = [ sandbox.capabilities = [
# see also: <https://github.com/NixOS/nixpkgs/pull/305722> # see also: <https://github.com/NixOS/nixpkgs/pull/305722>