author | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-12 18:53:48 +0200 |
committer | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-13 13:48:13 +0200 |
commit | fedd7cd6901646cb7e2a94a148d300f7b632d7e0 (patch) | |
tree | 14b7af8318d75536656849335e20c51cdfdf3447 /nixos/modules/tasks/network-interfaces.nix | |
parent | 8f76a6eefcfa0c9904e0749f04b27090527ce09f (diff) | |
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you to think about what the wrapper ownership and permissions will be.
Diffstat (limited to 'nixos/modules/tasks/network-interfaces.nix')
-rw-r--r-- | nixos/modules/tasks/network-interfaces.nix | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 8f9c66b0157..d934e3cf022 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1133,11 +1133,16 @@ in
       # kernel because we need the ambient capability
       security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then {
         ping = {
-          source = "${pkgs.iputils.out}/bin/ping";
+          owner = "root";
+          group = "root";
           capabilities = "cap_net_raw+p";
+          source = "${pkgs.iputils.out}/bin/ping";
         };
       } else {
-        ping.source = "${pkgs.iputils.out}/bin/ping";
+        setuid = true;
+        owner = "root";
+        group = "root";
+        source = "${pkgs.iputils.out}/bin/ping";
       };
       security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
         /run/wrappers/bin/ping { |
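Review bot: The `else` branch loses the wrapper name: the removed `ping.source = …;` line is replaced by `setuid`, `owner`, `group` and `source` placed directly inside the `else { … }` set, so on kernels older than 4.3 `security.wrappers` ends up with four attributes named `setuid`, `owner`, `group` and `source` instead of a `ping` wrapper, which presumably fails option type-checking or silently leaves no setuid ping at all. The four added lines should be nested the same way the `then` branch nests them: `ping = { setuid = true; owner = "root"; group = "root"; source = "${pkgs.iputils.out}/bin/ping"; };`. Since this is the fallback that grants a root setuid bit rather than a single capability, a one-line comment above it such as `# pre-4.3 kernels: no ambient capabilities, so fall back to a root setuid wrapper` would make the privilege difference between the two branches explicit. The enclosing `config` block starts before this hunk.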