iproute2: disable sandbox and fix ip
commands
This commit is contained in:
parent
6a15434cc6
commit
efa1ee6c69
@ -572,16 +572,16 @@ in
iotop.sandbox.capabilities = [ "net_admin" ];
iotop.sandbox.capabilities = [ "net_admin" ];
# provides `ip`, `routel`, `bridge`, others.
# provides `ip`, `routel`, `bridge`, others.
# landlock works fine for most of these, but `ip netns exec` uses namespaces internally,
# landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace
# and that's incompatible with landlock
# and that means we can't use ANY sandboxer for it.
iproute2.sandbox.method = "bwrap";
iproute2.sandbox.enable = false;
iproute2.sandbox.net = "all";
# iproute2.sandbox.net = "all";
iproute2.sandbox.capabilities = [ "net_admin" ];
# iproute2.sandbox.capabilities = [ "net_admin" ];
iproute2.sandbox.extraPaths = [
# iproute2.sandbox.extraPaths = [
"/run/netns" # for `ip netns ...` to work, but maybe not needed anymore?
# "/run/netns" # for `ip netns ...` to work, but maybe not needed anymore?
"/sys/class/net" # for `ip netns ...` to work
# "/sys/class/net" # for `ip netns ...` to work
"/var/run/netns"
# "/var/run/netns"
];
# ];
iptables.sandbox.method = "landlock";
iptables.sandbox.method = "landlock";
iptables.sandbox.net = "all";
iptables.sandbox.net = "all";
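Review bot: Setting `iproute2.sandbox.enable = false` removes confinement from every binary the package ships (`ip`, `bridge`, `routel`, ...) to accommodate one subcommand, even though the new comment itself says landlock works fine for most of them; the previous bwrap/`net_admin` confinement is lost for all the non-netns uses, which are presumably the common ones. If the sandbox option supports a per-binary or wrapper exemption, I would keep `iproute2.sandbox.method = "landlock";` with `net = "all"` and `capabilities = [ "net_admin" ]` and exempt only the `ip netns exec` path; if it does not, that limitation is worth stating in the comment so the blanket disable is not read as a permanent choice. The reason no sandboxer can work is plausibly that `ip netns exec` uses setns(2) into a host-owned network namespace, which needs CAP_SYS_ADMIN in the namespace's owning user namespace and so cannot be done from inside a bwrap user namespace — hedged, since the hunk does not show the failure. The commented-out `net`/`capabilities`/`extraPaths` lines are now dead config; either drop them or prefix them with something like `# retained as the intended confinement once a per-binary exemption for \`ip netns exec\` exists`.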