{ config, lib, ... }:
let
  inherit (lib) mkForce mkIf;
  cfg = config.sane.programs.wireshark;
in
{
  sane.programs.wireshark = {
    sandbox = {
      method = "firejail";
      extraConfig = [
        # Drop the `caps.keep` line (presumably the one from the stock firejail
        # wireshark profile) and re-add the same set with `setpcap` on top.
        # Without `setpcap` no interfaces are listed on the main page; the
        # working guess is that the privileged dumpcap wrapper needs it to pass
        # the kept capabilities on to its target (inheritable/ambient set) --
        # TODO confirm against the wrapper source.
        #
        # NOTE(review): `dac_override` and `dac_read_search` bypass DAC
        # permission checks on files and directories, so inside this sandbox
        # filesystem isolation rests on firejail's namespacing rather than on
        # file permissions; keep the kept-capability list minimal.
        "--sane-sandbox-firejail-arg"
        "--ignore=caps.keep dac_override,dac_read_search,net_admin,net_raw"
        "--sane-sandbox-firejail-arg"
        "--caps.keep=dac_override,dac_read_search,net_admin,net_raw,setpcap"
      ];
    };
    slowToBuild = true;
  };

  # Enables the upstream NixOS module, which installs a SUID wrapper for
  # wireshark's `dumpcap` helper (the part that actually opens interfaces).
  programs.wireshark = mkIf cfg.enabled {
    enable = true;
    inherit (cfg) package;
  };

  # The SUID wrapper can't itself be a firejail launch (reason unknown; possibly
  # the binary is already *too* restricted), so point the wrapper at the
  # sandboxed dumpcap that lives inside the package instead.
  security.wrappers = mkIf cfg.enabled {
    dumpcap.source = mkForce "${cfg.package}/bin/.dumpcap-sandboxed";
  };
}