From 759ec1113d0a1d6315b38bd83ec3562dacc08238 Mon Sep 17 00:00:00 2001
From: Lin Jian
Date: Thu, 7 Sep 2023 10:27:20 +0800
Subject: nixos/network-interfaces: stop wrapping ping with cap_net_raw

From systemd 243 release note[1]:

This release enables unprivileged programs (i.e. requiring neither setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests by turning on the "net.ipv4.ping_group_range" sysctl of the Linux kernel for the whole UNIX group range, i.e. all processes.

So this wrapper is not needed any more. See also [2] and [3].

This patch also removes:
- apparmor profiles in NixOS for ping itself and the wrapped one
- other references for the wrapped ping

[1]: https://github.com/systemd/systemd/blob/8e2d9d40b33bc8e8f5d3479fb075d3fab32a4184/NEWS#L6457-L6464
[2]: https://github.com/systemd/systemd/pull/13141
[3]: https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
---
 nixos/modules/security/apparmor/profiles.nix | 6 ------
 1 file changed, 6 deletions(-)
(limited to 'nixos/modules/security')

diff --git a/nixos/modules/security/apparmor/profiles.nix b/nixos/modules/security/apparmor/profiles.nix
index 8eb630b5a48..0bf90a00865 100644
--- a/nixos/modules/security/apparmor/profiles.nix
+++ b/nixos/modules/security/apparmor/profiles.nix
@@ -2,10 +2,4 @@
 let apparmor = config.security.apparmor; in
 {
 config.security.apparmor.packages = [ pkgs.apparmor-profiles ];
-config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''
- include "${pkgs.iputils.apparmor}/bin.ping"
- include "${pkgs.inetutils.apparmor}/bin.ping"
- # Note that including those two profiles in the same profile
- # would not work if the second one were to re-include .
-'';
 }
-- 
cgit 1.4.1