author | Lin Jian <me@linj.tech> | 2023-09-07 10:27:20 +0800 |
committer | Lin Jian <me@linj.tech> | 2023-09-21 16:52:16 +0800 |
commit | 759ec1113d0a1d6315b38bd83ec3562dacc08238 (patch) | |
tree | da272287f8b12355ff4ffe6e1f2bd944ae2f5543 /nixos | |
parent | 0e69d3ec89f55e5ef6b3684b71815d57d8a5a98b (diff) | |
nixos/network-interfaces: stop wrapping ping with cap_net_raw
From systemd 243 release note[1]: This release enables unprivileged programs (i.e. requiring neither setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests by turning on the "net.ipv4.ping_group_range" sysctl of the Linux kernel for the whole UNIX group range, i.e. all processes. So this wrapper is not needed any more. See also [2] and [3]. This patch also removes: - apparmor profiles in NixOS for ping itself and the wrapped one - other references for the wrapped ping [1]: https://github.com/systemd/systemd/blob/8e2d9d40b33bc8e8f5d3479fb075d3fab32a4184/NEWS#L6457-L6464 [2]: https://github.com/systemd/systemd/pull/13141 [3]: https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/development/activation-script.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/security/apparmor/profiles.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/home-automation/home-assistant.nix | 3 | ||||
-rw-r--r-- | nixos/modules/tasks/network-interfaces.nix | 22 | ||||
-rw-r--r-- | nixos/tests/systemd.nix | 2 |
5 files changed, 4 insertions, 31 deletions
diff --git a/nixos/doc/manual/development/activation-script.section.md b/nixos/doc/manual/development/activation-script.section.md
index c339258c6dc..cc317a6a01a 100644
--- a/nixos/doc/manual/development/activation-script.section.md
+++ b/nixos/doc/manual/development/activation-script.section.md
@@ -69,4 +69,4 @@ do:
   `/etc/group` and `/etc/shadow`. This also creates home directories
 - `usrbinenv` creates `/usr/bin/env`
 - `var` creates some directories in `/var` that are not service-specific
-- `wrappers` creates setuid wrappers like `ping` and `sudo`
+- `wrappers` creates setuid wrappers like `sudo`
diff --git a/nixos/modules/security/apparmor/profiles.nix b/nixos/modules/security/apparmor/profiles.nix
index 8eb630b5a48..0bf90a00865 100644
--- a/nixos/modules/security/apparmor/profiles.nix
+++ b/nixos/modules/security/apparmor/profiles.nix
@@ -2,10 +2,4 @@
 let apparmor = config.security.apparmor; in
 {
 config.security.apparmor.packages = [ pkgs.apparmor-profiles ];
-config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''
-  include "${pkgs.iputils.apparmor}/bin.ping"
-  include "${pkgs.inetutils.apparmor}/bin.ping"
-  # Note that including those two profiles in the same profile
-  # would not work if the second one were to re-include <tunables/global>.
-'';
 }
diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix
index 0b8b1d71941..bf32382652d 100644
--- a/nixos/modules/services/home-automation/home-assistant.nix
+++ b/nixos/modules/services/home-automation/home-assistant.nix
@@ -586,11 +586,12 @@ in {
           "~@privileged"
         ] ++ optionals (any useComponent componentsUsingPing) [
           "capset"
+          "setuid"
         ];
         UMask = "0077";
       };
       path = [
-        "/run/wrappers" # needed for ping
+        pkgs.unixtools.ping # needed for ping
       ];
     };
 
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 0d4033ca943..e11fd3aaec3 100644
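Review bot: The new `"setuid"` entry in the SystemCallFilter allowlist for ping-using components has no comment saying why it is needed, whereas the `path` line it sits next to does, and a seccomp relaxation deserves a recorded reason. Presumably the unwrapped ping calls setuid() to drop privileges after opening its socket, something the capability wrapper handled differently; that is worth confirming against the ping binary and recording as `"setuid" # ping drops privileges with setuid() once run unwrapped`. Note also that ping in this unit now depends on the net.ipv4.ping_group_range sysctl covering the service's user rather than on a file capability, a dependency not visible from this module, so a short comment on the `pkgs.unixtools.ping` entry pointing to it would save the next reader a hunt. The enclosing serviceConfig block starts outside the hunk.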
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1385,28 +1385,6 @@ in
           val = tempaddrValues.${opt}.sysctl;
         in nameValuePair "net.ipv6.conf.${replaceStrings ["."] ["/"] i.name}.use_tempaddr" val));
 
-    security.wrappers = {
-      ping = {
-        owner = "root";
-        group = "root";
-        capabilities = "cap_net_raw+p";
-        source = "${pkgs.iputils.out}/bin/ping";
-      };
-    };
-    security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
-      /run/wrappers/bin/ping {
-        include <abstractions/base>
-        include <nixos/security.wrappers/ping>
-        rpx /run/wrappers/wrappers.*/ping,
-      }
-      /run/wrappers/wrappers.*/ping {
-        include <abstractions/base>
-        include <nixos/security.wrappers/ping>
-        capability net_raw,
-        capability setpcap,
-      }
-    '');
-
     # Set the host and domain names in the activation script. Don't
     # clear it if it's not configured in the NixOS configuration,
     # since it may have been set by dhcpcd in the meantime.
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
index 3c36291b733..5fb7ba53ad8 100644
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -169,7 +169,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 
         # Do some IP traffic
         output_ping = machine.succeed(
-            "systemd-run --wait -- /run/wrappers/bin/ping -c 1 127.0.0.1 2>&1"
+            "systemd-run --wait -- ping -c 1 127.0.0.1 2>&1"
         )
 
     with subtest("systemd reports accounting data on system.slice"):
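Review bot: The updated test still runs `ping` as root via `systemd-run`, and root can open raw ICMP sockets regardless of net.ipv4.ping_group_range, so it would pass even if the unprivileged-ping mechanism that the wrapper removal in nixos/modules/tasks/network-interfaces.nix now relies on were not in effect; the test no longer exercises what replaced cap_net_raw. Running the probe as an unprivileged user would cover it, e.g. `"systemd-run --wait --uid=nobody -- ping -c 1 127.0.0.1 2>&1"`, or a separate assertion that `sysctl -n net.ipv4.ping_group_range` spans the full group range. Bare `ping` also assumes the binary is on the unit's PATH, which this test's configuration presumably provides through the default system path; worth confirming. The surrounding test script continues outside the hunk.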