networkmanager: fix sandbox to actually work with systemd-resolved
parent
1378988f21
commit
e8dbe0750d
|
@ -148,20 +148,32 @@ in
|
|||
networking.useDHCP = false;
|
||||
services.udev.packages = [ cfg.package ];
|
||||
security.polkit.enable = lib.mkDefault true;
|
||||
# allow networkmanager unbounded control over modemmanager.
|
||||
# i believe this was sourced from the default nixpkgs config.
|
||||
security.polkit.extraConfig = ''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (subject.isInGroup("networkmanager")
|
||||
&& (
|
||||
action.id.indexOf("org.freedesktop.NetworkManager.") == 0
|
||||
|| action.id.indexOf("org.freedesktop.ModemManager") == 0
|
||||
)
|
||||
) {
|
||||
|
||||
security.polkit.extraConfig = lib.concatStringsSep "\n" [
|
||||
# allow networkmanager unbounded control over modemmanager.
|
||||
# i believe this was sourced from the default nixpkgs config.
|
||||
''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (subject.isInGroup("networkmanager")
|
||||
&& (
|
||||
action.id.indexOf("org.freedesktop.NetworkManager.") == 0
|
||||
|| action.id.indexOf("org.freedesktop.ModemManager") == 0
|
||||
)
|
||||
) {
|
||||
return polkit.Result.YES;
|
||||
}
|
||||
});
|
||||
''
|
||||
# allow networkmanager to control systemd-resolved,
|
||||
# which it needs to do to apply new DNS settings when using systemd-resolved.
|
||||
''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (subject.isInGroup("networkmanager") && action.id.indexOf("org.freedesktop.resolve1.") == 0) {
|
||||
return polkit.Result.YES;
|
||||
}
|
||||
});
|
||||
'';
|
||||
}
|
||||
});
|
||||
''
|
||||
];
|
||||
|
||||
users.groups.networkmanager.gid = config.ids.gids.networkmanager;
|
||||
users.users.networkmanager = {
|
||||
|
|
|
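Review bot: The added resolve1 rule (`action.id.indexOf("org.freedesktop.resolve1.") == 0`) returns `polkit.Result.YES` for every action under that prefix to any subject in the `networkmanager` group, which is wider than the comment above it claims ("apply new DNS settings"): it also covers the resolve1 actions that change per-link DNSSEC and DNS-over-TLS modes, revert link settings and register DNS-SD services, and it matches every process of every account in that group, not only the NetworkManager service. Because group membership is what already grants the NetworkManager/ModemManager rule to interactive users, those users can now also rewrite the system resolver configuration, which is a DNS-redirection risk if such an account is compromised. Consider replacing the prefix match with the specific `org.freedesktop.resolve1.set-*` action ids the resolved plugin actually requests (polkit's journal entries for denied actions show which ones are checked), or, if the broad grant is deliberate, state that in the comment, e.g. `# NOTE: prefix match over ALL resolve1 actions (incl. dnssec/dns-over-tls/revert); narrow once the needed set-* ids are known`. The `security.polkit.extraConfig` list is complete within the hunk, but the enclosing module attribute set begins and ends outside it.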
@ -23,7 +23,6 @@ in
|
|||
rm $out/etc/systemd/system/{wpa_supplicant-nl80211@,wpa_supplicant-wired@,wpa_supplicant@}.service
|
||||
'';
|
||||
});
|
||||
# sandbox.enable = false; #< TODO: re-enable
|
||||
sandbox.method = "landlock"; #< 'bwrap' (likely) can't work, because it needs to manipulate net interfaces in the root namespace
|
||||
sandbox.capabilities = [
|
||||
# see also: <https://github.com/NixOS/nixpkgs/pull/305722>
|
||||
|
|