Merge pull request #253764 from linj-fork/fix-ping-wrapper

nixos/network-interfaces: stop wrapping ping with cap_net_raw

authored by Martin Weinelt and committed by GitHub d042a296 9f27f8b2

+9 -34
+1 -1
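--- a/nixos/doc/manual/development/activation-script.section.md
+++ b/nixos/doc/manual/development/activation-script.section.md
@@ -69,4 +69,4 @@
 `/etc/group` and `/etc/shadow`. This also creates home directories
 - `usrbinenv` creates `/usr/bin/env`
 - `var` creates some directories in `/var` that are not service-specific
-- `wrappers` creates setuid wrappers like `ping` and `sudo`
+- `wrappers` creates setuid wrappers like `sudo`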
-6
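--- a/nixos/modules/security/apparmor/profiles.nix
+++ b/nixos/modules/security/apparmor/profiles.nix
@@ -2,10 +2,4 @@
 let apparmor = config.security.apparmor; in
 {
   config.security.apparmor.packages = [ pkgs.apparmor-profiles ];
-  config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''
-    include "${pkgs.iputils.apparmor}/bin.ping"
-    include "${pkgs.inetutils.apparmor}/bin.ping"
-    # Note that including those two profiles in the same profile
-    # would not work if the second one were to re-include <tunables/global>.
-  '';
 }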
+2 -1
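--- a/nixos/modules/services/home-automation/home-assistant.nix
+++ b/nixos/modules/services/home-automation/home-assistant.nix
@@ -588,11 +588,12 @@
           "~@privileged"
         ] ++ optionals (any useComponent componentsUsingPing) [
           "capset"
+          "setuid"
         ];
         UMask = "0077";
       };
       path = [
-        "/run/wrappers" # needed for ping
+        pkgs.unixtools.ping # needed for ping
       ];
     };
 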
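Review bot: With the cap_net_raw wrapper removed, ping inside this hardened unit can only work through an unprivileged ICMP datagram socket, which the kernel grants only to groups within the `net.ipv4.ping_group_range` sysctl; nothing in this diff sets that sysctl, so unless the default NixOS configuration already covers the service's group, the ping-based components will fail at runtime rather than at evaluation time. The new `"setuid"` entry on line 591 also has no comment saying why it is needed, unlike the `# needed for ping` note on the path entry; presumably iputils ping calls setuid() to drop privileges after opening its socket, and that should be recorded so the exception is not removed later, e.g. `"setuid" # ping drops privileges with setuid() after socket setup`. The enclosing serviceConfig starts and ends outside the hunk.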
-22
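--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1406,28 +1406,6 @@
             val = tempaddrValues.${opt}.sysctl;
           in nameValuePair "net.ipv6.conf.${replaceStrings ["."] ["/"] i.name}.use_tempaddr" val));
 
-    security.wrappers = {
-      ping = {
-        owner = "root";
-        group = "root";
-        capabilities = "cap_net_raw+p";
-        source = "${pkgs.iputils.out}/bin/ping";
-      };
-    };
-    security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
-      /run/wrappers/bin/ping {
-        include <abstractions/base>
-        include <nixos/security.wrappers/ping>
-        rpx /run/wrappers/wrappers.*/ping,
-      }
-      /run/wrappers/wrappers.*/ping {
-        include <abstractions/base>
-        include <nixos/security.wrappers/ping>
-        capability net_raw,
-        capability setpcap,
-      }
-    '');
-
     # Set the host and domain names in the activation script. Don't
     # clear it if it's not configured in the NixOS configuration,
     # since it may have been set by dhcpcd in the meantime.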
+1 -1
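--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -169,7 +169,7 @@
 
     # Do some IP traffic
     output_ping = machine.succeed(
-        "systemd-run --wait -- /run/wrappers/bin/ping -c 1 127.0.0.1 2>&1"
+        "systemd-run --wait -- ping -c 1 127.0.0.1 2>&1"
     )
 
     with subtest("systemd reports accounting data on system.slice"):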
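Review bot: The command on line 172 now depends on `ping` being on the PATH that `systemd-run` hands the transient unit, whereas the old absolute wrapper path made that dependency explicit; the test machine's configuration is outside this hunk, so I cannot tell from here whether its system path provides iputils' ping by default. If it does not, the node should add `pkgs.unixtools.ping` to its `environment.systemPackages`, or the command should reference the package explicitly as the other files in this PR do, so the test fails for the reason it is meant to check rather than on command lookup.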
+5 -3
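--- a/pkgs/servers/monitoring/plugins/default.nix
+++ b/pkgs/servers/monitoring/plugins/default.nix
@@ -21,6 +21,7 @@
 , openldap
 , procps
 , runtimeShell
+, unixtools
 }:
 
 let
@@ -33,6 +34,7 @@
     lm_sensors
     net-snmp
     procps
+    unixtools.ping
   ];
 
   mailq = runCommand "mailq-wrapper" { preferLocalBuild = true; } ''
@@ -58,7 +60,7 @@
     sha256 = "sha256-yLhHOSrPFRjW701aOL8LPe4OnuJxL6f+dTxNqm0evIg=";
   };
 
-  # TODO: Awful hack. Grrr... this of course only works on NixOS.
+  # TODO: Awful hack. Grrr...
   # Anyway the check that configure performs to figure out the ping
   # syntax is totally impure, because it runs an actual ping to
   # localhost (which won't work for ping6 if IPv6 support isn't
@@ -74,8 +76,8 @@
       -e 's|^DEFAULT_PATH=.*|DEFAULT_PATH=\"${binPath}\"|'
 
     configureFlagsArray+=(
-      --with-ping-command='ping -4 -n -U -w %d -c %d %s'
-      --with-ping6-command='ping -6 -n -U -w %d -c %d %s'
+      --with-ping-command='ping -4 -n -U -w %d -c %d %s'
+      --with-ping6-command='ping -6 -n -U -w %d -c %d %s'
     )
 
     install -Dm555 ${share} $out/share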
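Review bot: The trimmed comment `# TODO: Awful hack. Grrr...` on line 63 no longer says what the hack is, now that the NixOS-specific clause is gone, while the lines after it still read as its continuation. The bare `ping` in the `--with-ping-command` flags on lines 79-80 only resolves because `DEFAULT_PATH` is rewritten to `binPath` on line 76 and `unixtools.ping` is added to that path in the second hunk, so I would say that explicitly: `# TODO: Hack: hard-code the ping invocation instead of letting configure detect it; the bare "ping" is found via DEFAULT_PATH, which is patched to binPath below.` The remaining sentences about the impure configure check can stay as they are. The shell string holding these lines starts before the hunk.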