iproute2: disable sandbox and fix ip
commands
This commit is contained in:
parent
6a15434cc6
commit
efa1ee6c69
|
@ -572,16 +572,16 @@ in
|
|||
iotop.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
# provides `ip`, `routel`, `bridge`, others.
|
||||
# landlock works fine for most of these, but `ip netns exec` uses namespaces internally,
|
||||
# and that's incompatible with landlock
|
||||
iproute2.sandbox.method = "bwrap";
|
||||
iproute2.sandbox.net = "all";
|
||||
iproute2.sandbox.capabilities = [ "net_admin" ];
|
||||
iproute2.sandbox.extraPaths = [
|
||||
"/run/netns" # for `ip netns ...` to work, but maybe not needed anymore?
|
||||
"/sys/class/net" # for `ip netns ...` to work
|
||||
"/var/run/netns"
|
||||
];
|
||||
# landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace
|
||||
# and that means we can't use ANY sandboxer for it.
|
||||
iproute2.sandbox.enable = false;
|
||||
# iproute2.sandbox.net = "all";
|
||||
# iproute2.sandbox.capabilities = [ "net_admin" ];
|
||||
# iproute2.sandbox.extraPaths = [
|
||||
# "/run/netns" # for `ip netns ...` to work, but maybe not needed anymore?
|
||||
# "/sys/class/net" # for `ip netns ...` to work
|
||||
# "/var/run/netns"
|
||||
# ];
|
||||
|
||||
iptables.sandbox.method = "landlock";
|
||||
iptables.sandbox.net = "all";
|
||||
|
|
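Review bot: `iproute2.sandbox.enable = false;` removes confinement from every binary the package provides (`ip`, `routel`, `bridge`, per the context comment kept above it), although the new comment says only `ip netns exec` is incompatible, so the previously working bwrap sandbox with `net = "all"` and `capabilities = [ "net_admin" ]` is now lost for `ip link`, `ip route`, `bridge` and the rest as well. If the sandbox module supports per-binary or per-wrapper settings, keep the old `method`/`net`/`capabilities`/`extraPaths` block for the package and exempt only the `ip` wrapper (or only its netns path); if it does not, the comment should say so explicitly, e.g. `# sandbox disabled for the whole package: ip netns exec must attach to an existing namespace and the module has no per-binary override` so the regression is visible to the next reader. The ten commented-out lines that follow are dead configuration that will drift from the module's schema; a one-line pointer to the parent commit carries the same information without the maintenance cost. The enclosing attribute set (the `in` scope named in the hunk header) starts and ends outside the hunk.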