iproute2: disable sandbox and fix ip commands

Colin 2024-05-25 10:49:19 +00:00
parent 6a15434cc6
commit efa1ee6c69


@ -572,16 +572,16 @@ in
iotop.sandbox.capabilities = [ "net_admin" ]; iotop.sandbox.capabilities = [ "net_admin" ];
# provides `ip`, `routel`, `bridge`, others. # provides `ip`, `routel`, `bridge`, others.
# landlock works fine for most of these, but `ip netns exec` uses namespaces internally, # landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace
# and that's incompatible with landlock # and that means we can't use ANY sandboxer for it.
iproute2.sandbox.method = "bwrap"; iproute2.sandbox.enable = false;
iproute2.sandbox.net = "all"; # iproute2.sandbox.net = "all";
iproute2.sandbox.capabilities = [ "net_admin" ]; # iproute2.sandbox.capabilities = [ "net_admin" ];
iproute2.sandbox.extraPaths = [ # iproute2.sandbox.extraPaths = [
"/run/netns" # for `ip netns ...` to work, but maybe not needed anymore? # "/run/netns" # for `ip netns ...` to work, but maybe not needed anymore?
"/sys/class/net" # for `ip netns ...` to work # "/sys/class/net" # for `ip netns ...` to work
"/var/run/netns" # "/var/run/netns"
]; # ];
iptables.sandbox.method = "landlock"; iptables.sandbox.method = "landlock";
iptables.sandbox.net = "all"; iptables.sandbox.net = "all";
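Review bot: `iproute2.sandbox.enable = false;` removes confinement from every binary the package provides (`ip`, `bridge`, `routel`, …) to accommodate a single subcommand, even though the removed comment records that landlock worked for most of them; if the sandbox module offers a per-binary or wrapper-level override, scope the exemption to `ip netns exec` rather than the whole package. With the sandbox off, the commented-out `capabilities = [ "net_admin" ]` presumably no longer bounds anything, so these tools now run with whatever the caller holds — that consequence should be stated rather than left implicit. The new comment "wants to attach to an existing namespace" also understates the mechanism; as I understand it `ip netns exec` must setns(2) into a pre-existing handle under /run/netns and unshare a mount namespace, which is why no confined process can do it. I would replace the two comment lines with `# ip netns exec must setns(2) into an existing /run/netns handle (and unshare a mount ns), which none of our sandboxers permit;` and `# so the WHOLE iproute2 package runs unsandboxed, with no capability bounding -- a deliberate, known regression.` The enclosing attribute set begins and ends outside the hunk.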