author | Martin Weinelt <mweinelt@users.noreply.github.com> | 2023-10-20 00:57:55 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-10-20 00:57:55 +0200 |
commit | d042a296139c6a111be3e3d5dc9ef6783b5e7c16 (patch) | |
tree | 4ced7f46c1e8fc4b4f6d14208e038c7f1b6f6041 /nixos | |
parent | 9f27f8b28ee45597d113498db0ee0d726f2b74a2 (diff) | |
parent | 759ec1113d0a1d6315b38bd83ec3562dacc08238 (diff) | |
Merge pull request #253764 from linj-fork/fix-ping-wrapper
nixos/network-interfaces: stop wrapping ping with cap_net_raw
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/development/activation-script.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/security/apparmor/profiles.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/home-automation/home-assistant.nix | 3 | ||||
-rw-r--r-- | nixos/modules/tasks/network-interfaces.nix | 22 | ||||
-rw-r--r-- | nixos/tests/systemd.nix | 2 |
5 files changed, 4 insertions, 31 deletions
diff --git a/nixos/doc/manual/development/activation-script.section.md b/nixos/doc/manual/development/activation-script.section.md
index c339258c6dc..cc317a6a01a 100644
--- a/nixos/doc/manual/development/activation-script.section.md
+++ b/nixos/doc/manual/development/activation-script.section.md
@@ -69,4 +69,4 @@ do:
   `/etc/group` and `/etc/shadow`. This also creates home directories
 - `usrbinenv` creates `/usr/bin/env`
 - `var` creates some directories in `/var` that are not service-specific
-- `wrappers` creates setuid wrappers like `ping` and `sudo`
+- `wrappers` creates setuid wrappers like `sudo`
diff --git a/nixos/modules/security/apparmor/profiles.nix b/nixos/modules/security/apparmor/profiles.nix
index 8eb630b5a48..0bf90a00865 100644
--- a/nixos/modules/security/apparmor/profiles.nix
+++ b/nixos/modules/security/apparmor/profiles.nix
@@ -2,10 +2,4 @@
 let apparmor = config.security.apparmor; in
 {
 config.security.apparmor.packages = [ pkgs.apparmor-profiles ];
-config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''
-  include "${pkgs.iputils.apparmor}/bin.ping"
-  include "${pkgs.inetutils.apparmor}/bin.ping"
-  # Note that including those two profiles in the same profile
-  # would not work if the second one were to re-include <tunables/global>.
-'';
 }
diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix
index 7dc08d4356a..99bac86a8e9 100644
--- a/nixos/modules/services/home-automation/home-assistant.nix
+++ b/nixos/modules/services/home-automation/home-assistant.nix
@@ -588,11 +588,12 @@ in {
           "~@privileged"
         ] ++ optionals (any useComponent componentsUsingPing) [
           "capset"
+          "setuid"
         ];
         UMask = "0077";
       };
       path = [
-        "/run/wrappers" # needed for ping
+        pkgs.unixtools.ping # needed for ping
       ];
     };
 
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index cd0de51a6e0..853a2cb3143 100644
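Review bot: The new `"setuid"` entry in the SystemCallFilter allow-list and the `pkgs.unixtools.ping # needed for ping` path line in the home-assistant.nix hunk carry no explanation of why an unwrapped, unprivileged ping now needs setuid permitted, so a later reader cannot tell whether the binary requires it or it is a leftover from the wrapper. Because that filter applies to the whole Home Assistant service rather than only to the ping child, I would document the reason inline, e.g. `"setuid" # ping drops privileges via setuid() even when started unprivileged — TODO confirm against pkgs.unixtools.ping`, and rewrite the path comment as `pkgs.unixtools.ping # unprivileged ping; /run/wrappers is no longer needed`. Presumably the unwrapped ping relies on unprivileged ICMP sockets (net.ipv4.ping_group_range) instead of cap_net_raw; if so, that dependency deserves a comment too, since a tightened sysctl would make the ping-based components fail without an obvious cause. The enclosing serviceConfig attribute set starts outside the hunk.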
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1406,28 +1406,6 @@ in
             val = tempaddrValues.${opt}.sysctl;
           in nameValuePair "net.ipv6.conf.${replaceStrings ["."] ["/"] i.name}.use_tempaddr" val));
 
-    security.wrappers = {
-      ping = {
-        owner = "root";
-        group = "root";
-        capabilities = "cap_net_raw+p";
-        source = "${pkgs.iputils.out}/bin/ping";
-      };
-    };
-    security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
-      /run/wrappers/bin/ping {
-        include <abstractions/base>
-        include <nixos/security.wrappers/ping>
-        rpx /run/wrappers/wrappers.*/ping,
-      }
-      /run/wrappers/wrappers.*/ping {
-        include <abstractions/base>
-        include <nixos/security.wrappers/ping>
-        capability net_raw,
-        capability setpcap,
-      }
-    '');
-
     # Set the host and domain names in the activation script. Don't
     # clear it if it's not configured in the NixOS configuration,
     # since it may have been set by dhcpcd in the meantime.
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
index 3c36291b733..5fb7ba53ad8 100644
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -169,7 +169,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 
       # Do some IP traffic
       output_ping = machine.succeed(
-          "systemd-run --wait -- /run/wrappers/bin/ping -c 1 127.0.0.1 2>&1"
+          "systemd-run --wait -- ping -c 1 127.0.0.1 2>&1"
       )
 
       with subtest("systemd reports accounting data on system.slice"):
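Review bot: The changed `machine.succeed` call in the systemd.nix hunk now resolves `ping` through the PATH of the transient unit that `systemd-run --wait` creates, not the PATH of the test shell, so the test only passes if the unit environment of the test machine exposes a `ping` on its own; that environment is configured outside the hunk and is worth confirming. The test also no longer says anything about the removed wrapper, so the merge could regress silently if something re-creates it: an assertion such as `machine.fail("test -e /run/wrappers/bin/ping")` next to the ping call would lock in the removal this change introduces. The enclosing test script starts and ends outside the hunk.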