# Sandboxed wireshark profile.
#
# Usage: `sudo -E wireshark` (`-E` to preserve the wayland environment).
#
# NOTE(review): this profile runs the wireshark GUI under sudo with three
# retained capabilities and full network access. Wireshark parses untrusted
# packet data, so the sandbox declared below is the main containment for this
# program; keep the capability list as short as the sandbox backend allows.
{ pkgs, ... }:
{
  sane.programs.wireshark = {
    # Ship *just* the wireshark binary (plus `share`). Otherwise it calls out
    # to helpers from the same package via PATH, which causes sandboxing
    # errors (it won't sandbox recursively).
    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.wireshark [
      "bin/wireshark"
      "share"
    ];

    sandbox = {
      # Existing files named on the command line are made reachable,
      # for loading pcap files on CLI.
      autodetectCliPaths = "existingFile";
      whitelistWayland = true;
      # presumably unrestricted network access inside the sandbox -- confirm
      # against the sandbox module.
      net = "all";
      capabilities = [
        # CAP_DAC_OVERRIDE bypasses file permission checks on whatever paths
        # the sandbox exposes. This wasn't needed with landlock; only bunpen.
        # NOTE(review): re-test dropping it whenever the sandbox backend changes.
        "dac_override"
        # CAP_NET_ADMIN / CAP_NET_RAW: interface configuration and raw packet
        # sockets, i.e. what live capture requires.
        "net_admin"
        "net_raw"
      ];
      # presumably keeps the invoking user (root, under sudo) instead of
      # remapping it -- TODO confirm against the sandbox module.
      tryKeepUsers = true;
      # extraPaths = [
      #   "/proc/net"  #< only needed if using landlock
      # ];
    };

    # Declare the per-user wireshark config directory.
    fs.".config/wireshark" = {
      dir = {};
    };

    buildCost = 2;
  };
}