67 lines
2.2 KiB
Nix
67 lines
2.2 KiB
Nix
{ config, lib, ... }:
|
|
let
|
|
cfg = config.sane.programs.wireshark;
|
|
in
|
|
{
|
|
sane.programs.wireshark = {
|
|
sandbox.method = "landlock";
|
|
# sandbox.extraHomePaths = [
|
|
# ".wireshark/config"
|
|
# ];
|
|
sandbox.extraPaths = [
|
|
"/proc/net"
|
|
];
|
|
fs.".config/wireshark".dir = {};
|
|
# sandbox.extraConfig = [
|
|
# # "--sane-sandbox-path" "/"
|
|
# # "--sane-sandbox-cap" "dac_override"
|
|
# # "--sane-sandbox-cap" "dac_read_search"
|
|
# "--sane-sandbox-cap" "net_admin"
|
|
# "--sane-sandbox-cap" "net_raw"
|
|
# # "--sane-sandbox-cap" "setpcap"
|
|
# ];
|
|
# sandbox.extraPaths = [ "/" ];
|
|
# sandbox.method = "firejail";
|
|
# sandbox.extraConfig = [
|
|
# # somehow needs `setpcap` (makes these bounding capabilities also be inherited?)
|
|
# # else no interfaces appear on the main page
|
|
# "--sane-sandbox-firejail-arg"
|
|
# "--ignore=caps.keep dac_override,dac_read_search,net_admin,net_raw"
|
|
# "--sane-sandbox-firejail-arg"
|
|
# "--caps.keep=dac_override,dac_read_search,net_admin,net_raw,setpcap"
|
|
# ];
|
|
slowToBuild = true;
|
|
};
|
|
|
|
# users.groups.wireshark = {};
|
|
|
|
# security.wrappers = lib.mkIf cfg.enabled {
|
|
# wireshark = {
|
|
# source = "${cfg.package}/bin/wireshark";
|
|
# capabilities = "cap_dac_override,cap_dac_read_search,cap_net_raw,cap_net_admin,cap_setpcap+eip"; #< can probably be just `+p`
|
|
# owner = "root";
|
|
# group = "wireshark";
|
|
# permissions = "u+rx,g+x";
|
|
# };
|
|
# dumpcap = {
|
|
# source = "${cfg.package}/bin/.dumpcap-sandboxed";
|
|
# capabilities = "cap_net_raw,cap_net_admin+eip"; #< can probably be just `+p`
|
|
# owner = "root";
|
|
# group = "wireshark";
|
|
# permissions = "u+rx,g+x";
|
|
# };
|
|
# };
|
|
|
|
# programs.wireshark = lib.mkIf cfg.enabled {
|
|
# # adds a SUID* wrapper for wireshark's `dumpcap` program
|
|
# # *actually a setcap wrapper, which sets CAP_NET_ADMIN, CAP_NET_RAW
|
|
# # when executed by a member of the wireshark group.
|
|
# enable = true;
|
|
# package = cfg.package;
|
|
# };
|
|
# # the SUID wrapper can't also be a firejail (idk why? it might be that the binary's already *too* restricted).
|
|
# security.wrappers = lib.mkIf cfg.enabled {
|
|
# dumpcap.source = lib.mkForce "${cfg.package}/bin/.dumpcap-sandboxed";
|
|
# };
|
|
}
|