Merge pull request #253764 from linj-fork/fix-ping-wrapper

nixos/network-interfaces: stop wrapping ping with cap_net_raw

authored by Martin Weinelt and committed by GitHub d042a296 9f27f8b2

+9 -34
+1 -1
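--- a/nixos/doc/manual/development/activation-script.section.md
+++ b/nixos/doc/manual/development/activation-script.section.md
@@ -69,4 +69,4 @@
 `/etc/group` and `/etc/shadow`. This also creates home directories
 - `usrbinenv` creates `/usr/bin/env`
 - `var` creates some directories in `/var` that are not service-specific
-- `wrappers` creates setuid wrappers like `ping` and `sudo`
+- `wrappers` creates setuid wrappers like `sudo`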
-6
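--- a/nixos/modules/security/apparmor/profiles.nix
+++ b/nixos/modules/security/apparmor/profiles.nix
@@ -2,10 +2,4 @@
 let apparmor = config.security.apparmor; in
 {
 config.security.apparmor.packages = [ pkgs.apparmor-profiles ];
-config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''
-include "${pkgs.iputils.apparmor}/bin.ping"
-include "${pkgs.inetutils.apparmor}/bin.ping"
-# Note that including those two profiles in the same profile
-# would not work if the second one were to re-include <tunables/global>.
-'';
 }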
+2 -1
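--- a/nixos/modules/services/home-automation/home-assistant.nix
+++ b/nixos/modules/services/home-automation/home-assistant.nix
@@ -588,11 +588,12 @@
 "~@privileged"
 ] ++ optionals (any useComponent componentsUsingPing) [
 "capset"
+"setuid"
 ];
 UMask = "0077";
 };
 path = [
-"/run/wrappers" # needed for ping
+pkgs.unixtools.ping # needed for ping
 ];
 };
 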
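Review bot: The new `"setuid"` entry next to `"capset"` re-allows a syscall inside a filter that otherwise excludes `~@privileged`, and nothing in the hunk says why ping now needs it; the only comment is the `# needed for ping` on the `path` line. A why-comment on the entry, e.g. `"setuid" # presumably called by the unwrapped pkgs.unixtools.ping; confirm against that binary`, would keep the next reader from widening the list further or dropping it as unused. It is also worth stating in the same comment that the allowance is gated on `componentsUsingPing`, so units without those components keep the tighter filter. Without the `cap_net_raw` wrapper this ping presumably depends on unprivileged ICMP sockets (`net.ipv4.ping_group_range`), and this hunk cannot show that the sysctl covers the unit's group. The enclosing `serviceConfig` block starts and ends outside the hunk.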
-22
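--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1406,28 +1406,6 @@
 val = tempaddrValues.${opt}.sysctl;
 in nameValuePair "net.ipv6.conf.${replaceStrings ["."] ["/"] i.name}.use_tempaddr" val));
 
-security.wrappers = {
-ping = {
-owner = "root";
-group = "root";
-capabilities = "cap_net_raw+p";
-source = "${pkgs.iputils.out}/bin/ping";
-};
-};
-security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
-/run/wrappers/bin/ping {
-include <abstractions/base>
-include <nixos/security.wrappers/ping>
-rpx /run/wrappers/wrappers.*/ping,
-}
-/run/wrappers/wrappers.*/ping {
-include <abstractions/base>
-include <nixos/security.wrappers/ping>
-capability net_raw,
-capability setpcap,
-}
-'');
-
 # Set the host and domain names in the activation script. Don't
 # clear it if it's not configured in the NixOS configuration,
 # since it may have been set by dhcpcd in the meantime.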
+1 -1
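--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -169,7 +169,7 @@
 
 # Do some IP traffic
 output_ping = machine.succeed(
-"systemd-run --wait -- /run/wrappers/bin/ping -c 1 127.0.0.1 2>&1"
+"systemd-run --wait -- ping -c 1 127.0.0.1 2>&1"
 )
 
 with subtest("systemd reports accounting data on system.slice"):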
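Review bot: The `# Do some IP traffic` comment above line 172 no longer records that the command deliberately uses a bare `ping` instead of the removed `/run/wrappers/bin/ping`, which is the behaviour this change now relies on. Suggest `# Do some IP traffic; deliberately the ping on the unit's PATH, not a setuid wrapper`. Which PATH a `systemd-run` transient unit receives, and therefore whether `ping` resolves there, is not visible in this hunk. The enclosing test script continues outside the hunk.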
+5 -3
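--- a/pkgs/servers/monitoring/plugins/default.nix
+++ b/pkgs/servers/monitoring/plugins/default.nix
@@ -21,6 +21,7 @@
 , openldap
 , procps
 , runtimeShell
+, unixtools
 }:
 
 let
@@ -33,6 +34,7 @@
 lm_sensors
 net-snmp
 procps
+unixtools.ping
 ];
 
 mailq = runCommand "mailq-wrapper" { preferLocalBuild = true; } ''
@@ -58,7 +60,7 @@
 sha256 = "sha256-yLhHOSrPFRjW701aOL8LPe4OnuJxL6f+dTxNqm0evIg=";
 };
 
-# TODO: Awful hack. Grrr... this of course only works on NixOS.
+# TODO: Awful hack. Grrr...
 # Anyway the check that configure performs to figure out the ping
 # syntax is totally impure, because it runs an actual ping to
 # localhost (which won't work for ping6 if IPv6 support isn't
@@ -74,8 +76,8 @@
 -e 's|^DEFAULT_PATH=.*|DEFAULT_PATH=\"${binPath}\"|'
 
 configureFlagsArray+=(
---with-ping-command='/run/wrappers/bin/ping -4 -n -U -w %d -c %d %s'
---with-ping6-command='/run/wrappers/bin/ping -6 -n -U -w %d -c %d %s'
+--with-ping-command='ping -4 -n -U -w %d -c %d %s'
+--with-ping6-command='ping -6 -n -U -w %d -c %d %s'
 )
 
 install -Dm555 ${share} $out/share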
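Review bot: The bare `ping` in the two `--with-ping-command`/`--with-ping6-command` values in the last hunk only resolves because the `sed` just above rewrites the plugins' `DEFAULT_PATH` to `${binPath}` and the second hunk adds `unixtools.ping` to `binPath`, yet none of the three places says so. A comment above `configureFlagsArray+=(` such as `# bare 'ping' resolves via DEFAULT_PATH (= binPath, which now includes unixtools.ping)` would tie the changes together. Using `${unixtools.ping}/bin/ping` instead would pin the binary without depending on the DEFAULT_PATH substitution, assuming that attribute provides `bin/ping`, which this hunk does not show. The phase containing `configureFlagsArray` starts and ends outside the hunk.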