nixos/network-interfaces: stop wrapping ping with cap_net_raw
From systemd 243 release note[1]:
This release enables unprivileged programs (i.e. requiring neither
setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
by turning on the "net.ipv4.ping_group_range" sysctl of the Linux
kernel for the whole UNIX group range, i.e. all processes.
So this wrapper is not needed any more.
See also [2] and [3].
This patch also removes:
- apparmor profiles in NixOS for ping itself and the wrapped one
- other references for the wrapped ping
[1]: 8e2d9d40b3/NEWS (L6457-L6464)
[2]: https://github.com/systemd/systemd/pull/13141
[3]: https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
parent
0e69d3ec89
commit
759ec1113d
@ -69,4 +69,4 @@ do:
|
||||
`/etc/group` and `/etc/shadow`. This also creates home directories
|
||||
- `usrbinenv` creates `/usr/bin/env`
|
||||
- `var` creates some directories in `/var` that are not service-specific
|
||||
- `wrappers` creates setuid wrappers like `ping` and `sudo`
|
||||
- `wrappers` creates setuid wrappers like `sudo`
|
||||
|
@ -2,10 +2,4 @@
|
||||
let apparmor = config.security.apparmor; in
|
||||
{
|
||||
config.security.apparmor.packages = [ pkgs.apparmor-profiles ];
|
||||
config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''
|
||||
include "${pkgs.iputils.apparmor}/bin.ping"
|
||||
include "${pkgs.inetutils.apparmor}/bin.ping"
|
||||
# Note that including those two profiles in the same profile
|
||||
# would not work if the second one were to re-include <tunables/global>.
|
||||
'';
|
||||
}
|
||||
|
@ -586,11 +586,12 @@ in {
|
||||
"~@privileged"
|
||||
] ++ optionals (any useComponent componentsUsingPing) [
|
||||
"capset"
|
||||
"setuid"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
path = [
|
||||
"/run/wrappers" # needed for ping
|
||||
pkgs.unixtools.ping # needed for ping
|
||||
];
|
||||
};
|
||||
|
||||
|
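Review bot: The seccomp allowances `"capset"` and `"setuid"` gated on `componentsUsingPing`, and the `"/run/wrappers" # needed for ping` path entry, still appear on the new side (the hunk counts show a single added line, `pkgs.unixtools.ping`, and no removal), even though ping no longer runs through a capability wrapper. With the plain `pkgs.unixtools.ping` binary on the service PATH, neither syscall nor the wrapper directory is needed for ping, so the `optionals (any useComponent componentsUsingPing) [ ... ]` block and the `/run/wrappers` entry could be dropped — or, if some other wrapper is still required by this service, the `# needed for ping` comment should at least be reworded so it does not point readers at a mechanism that no longer exists. The serviceConfig attribute set edited here starts and ends outside the hunk.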
@ -1385,28 +1385,6 @@ in
|
||||
val = tempaddrValues.${opt}.sysctl;
|
||||
in nameValuePair "net.ipv6.conf.${replaceStrings ["."] ["/"] i.name}.use_tempaddr" val));
|
||||
|
||||
security.wrappers = {
|
||||
ping = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
capabilities = "cap_net_raw+p";
|
||||
source = "${pkgs.iputils.out}/bin/ping";
|
||||
};
|
||||
};
|
||||
security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
|
||||
/run/wrappers/bin/ping {
|
||||
include <abstractions/base>
|
||||
include <nixos/security.wrappers/ping>
|
||||
rpx /run/wrappers/wrappers.*/ping,
|
||||
}
|
||||
/run/wrappers/wrappers.*/ping {
|
||||
include <abstractions/base>
|
||||
include <nixos/security.wrappers/ping>
|
||||
capability net_raw,
|
||||
capability setpcap,
|
||||
}
|
||||
'');
|
||||
|
||||
# Set the host and domain names in the activation script. Don't
|
||||
# clear it if it's not configured in the NixOS configuration,
|
||||
# since it may have been set by dhcpcd in the meantime.
|
||||
|
@ -169,7 +169,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
|
||||
|
||||
# Do some IP traffic
|
||||
output_ping = machine.succeed(
|
||||
"systemd-run --wait -- /run/wrappers/bin/ping -c 1 127.0.0.1 2>&1"
|
||||
"systemd-run --wait -- ping -c 1 127.0.0.1 2>&1"
|
||||
)
|
||||
|
||||
with subtest("systemd reports accounting data on system.slice"):
|
||||
|
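Review bot: The updated check `systemd-run --wait -- ping -c 1 127.0.0.1 2>&1` runs, as far as I can tell, as root (machine.succeed issues it as root and a transient unit keeps that identity), and root can send ICMP echo regardless of `net.ipv4.ping_group_range`, so the test no longer exercises the unprivileged-ping path that the removed wrapper used to provide and that this commit now delegates to the systemd sysctl default. Running the probe as a non-root user, e.g. `systemd-run --wait --uid=nobody -- ping -c 1 127.0.0.1 2>&1`, would confirm that the sysctl is actually in effect on a NixOS system rather than only on distributions shipping systemd's sysctl.d defaults. The surrounding test script continues outside the hunk.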
@ -21,6 +21,7 @@
|
||||
, openldap
|
||||
, procps
|
||||
, runtimeShell
|
||||
, unixtools
|
||||
}:
|
||||
|
||||
let
|
||||
@ -33,6 +34,7 @@ let
|
||||
lm_sensors
|
||||
net-snmp
|
||||
procps
|
||||
unixtools.ping
|
||||
];
|
||||
|
||||
mailq = runCommand "mailq-wrapper" { preferLocalBuild = true; } ''
|
||||
@ -58,7 +60,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "sha256-yLhHOSrPFRjW701aOL8LPe4OnuJxL6f+dTxNqm0evIg=";
|
||||
};
|
||||
|
||||
# TODO: Awful hack. Grrr... this of course only works on NixOS.
|
||||
# TODO: Awful hack. Grrr...
|
||||
# Anyway the check that configure performs to figure out the ping
|
||||
# syntax is totally impure, because it runs an actual ping to
|
||||
# localhost (which won't work for ping6 if IPv6 support isn't
|
||||
@ -74,8 +76,8 @@ stdenv.mkDerivation rec {
|
||||
-e 's|^DEFAULT_PATH=.*|DEFAULT_PATH=\"${binPath}\"|'
|
||||
|
||||
configureFlagsArray+=(
|
||||
--with-ping-command='/run/wrappers/bin/ping -4 -n -U -w %d -c %d %s'
|
||||
--with-ping6-command='/run/wrappers/bin/ping -6 -n -U -w %d -c %d %s'
|
||||
--with-ping-command='ping -4 -n -U -w %d -c %d %s'
|
||||
--with-ping6-command='ping -6 -n -U -w %d -c %d %s'
|
||||
)
|
||||
|
||||
install -Dm555 ${share} $out/share
|
||||
|
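Review bot: The new `--with-ping-command='ping -4 -n -U -w %d -c %d %s'` and its ping6 counterpart rely on a bare `ping` being resolved from the runtime PATH; that works only because DEFAULT_PATH is rewritten to `${binPath}` a few lines up and binPath now contains `unixtools.ping`, so any later change to either of those silently breaks host checks. Pinning the store path, `--with-ping-command='${unixtools.ping}/bin/ping -4 -n -U -w %d -c %d %s'` (same for ping6), assuming that derivation exposes `bin/ping` like the other unixtools, keeps the check independent of PATH lookups. The mkDerivation block these hunks edit starts and ends outside the hunks.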