iproute2: disable sandbox and fix ip commands

2024-05-25 10:49:19 +00:00 · 2024-05-25 10:49:19 +00:00 · efa1ee6c69
commit efa1ee6c69
parent 6a15434cc6
1 changed files with 10 additions and 10 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@ -572,16 +572,16 @@ in
    iotop.sandbox.capabilities = [ "net_admin" ];

    # provides `ip`, `routel`, `bridge`, others.
-    # landlock works fine for most of these, but `ip netns exec` uses namespaces internally,
-    # and that's incompatible with landlock
-    iproute2.sandbox.method = "bwrap";
-    iproute2.sandbox.net = "all";
-    iproute2.sandbox.capabilities = [ "net_admin" ];
-    iproute2.sandbox.extraPaths = [
-      "/run/netns"  # for `ip netns ...` to work, but maybe not needed anymore?
-      "/sys/class/net"  # for `ip netns ...` to work
-      "/var/run/netns"
-    ];
+    # landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace
+    # and that means we can't use ANY sandboxer for it.
+    iproute2.sandbox.enable = false;
+    # iproute2.sandbox.net = "all";
+    # iproute2.sandbox.capabilities = [ "net_admin" ];
+    # iproute2.sandbox.extraPaths = [
+    #   "/run/netns"  # for `ip netns ...` to work, but maybe not needed anymore?
+    #   "/sys/class/net"  # for `ip netns ...` to work
+    #   "/var/run/netns"
+    # ];

    iptables.sandbox.method = "landlock";
    iptables.sandbox.net = "all";