security: Update the machinery that creates the wrapper-programs directory under /var, and update ping and ping6 for the changed config interface.

This commit is contained in:
Parnell Springmeyer 2016-07-15 18:15:08 -05:00
parent 79e81aa31b
commit 81b33eb466
3 changed files with 19 additions and 7 deletions


@ -328,8 +328,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
# Skip special filesystems. # Skip special filesystems.
next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs"; next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs";
next if $mountPoint eq "/var/setuid-wrappers"; next if $mountPoint eq "/var/permissions-wrappers";
next if $mountPoint eq "/var/setcap-wrappers";
# Skip the optional fields. # Skip the optional fields.
my $n = 6; $n++ while $fields[$n] ne "-"; $n++; my $n = 6; $n++ while $fields[$n] ne "-"; $n++;


@ -103,8 +103,7 @@
./security/prey.nix ./security/prey.nix
./security/rngd.nix ./security/rngd.nix
./security/rtkit.nix ./security/rtkit.nix
./security/setuid-wrappers.nix ./security/permissions-wrappers
./security/setcap-wrappers.nix
./security/sudo.nix ./security/sudo.nix
./services/amqp/activemq/default.nix ./services/amqp/activemq/default.nix
./services/amqp/rabbitmq.nix ./services/amqp/rabbitmq.nix
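Review bot: The replacement entry `./security/permissions-wrappers` carries no `.nix` suffix, unlike every neighbouring entry, so Nix will resolve it as a directory and import its `default.nix`; evaluation of the whole module list fails if that file is absent. If the new module is a single file like the ones it replaces, the entry should presumably read `./security/permissions-wrappers.nix`; if it really is a directory, a `default.nix` must be part of this commit (it is not visible here). Either way it is worth confirming with `nix-instantiate` that the list still evaluates.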


@ -891,7 +891,7 @@ in
# Capabilities won't work unless we have at-least a 4.3 Linux # Capabilities won't work unless we have at-least a 4.3 Linux
# kernel because we need the ambient capability # kernel because we need the ambient capability
security.setcapCapabilities = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") ( security.permissionsWrappers.setcap = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") (
[ [
{ program = "ping"; { program = "ping";
source = "${pkgs.iputils.out}/bin/ping"; source = "${pkgs.iputils.out}/bin/ping";
@ -908,8 +908,22 @@ in
); );
# If our linux kernel IS older than 4.3, let's setuid ping and ping6 # If our linux kernel IS older than 4.3, let's setuid ping and ping6
security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") ( security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") (
[ "ping" "ping6" ] [
{ program = "ping";
source = "${pkgs.iputils.out}/bin/ping";
owner = "root";
group = "root";
setuid = true;
}
{ program = "ping6";
source = "${pkgs.iputils.out}/bin/ping6";
owner = "root";
group = "root";
setuid = true;
}
]
); );
# Set the host and domain names in the activation script. Don't # Set the host and domain names in the activation script. Don't
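Review bot: The two new setuid entries repeat `owner`, `group`, `setuid` and the `${pkgs.iputils.out}/bin/...` source verbatim, and the same program/source pair is already spelled out in the setcap list above; a small let-bound helper keeps the two wrapper lists from drifting apart as further attributes (a mode, capabilities) are added. The entries set no explicit file mode, so the wrapper will be created with whatever default the new `permissionsWrappers` module applies — I cannot see that module here, so please confirm the default is not broader than the mode the old `setuidPrograms` wrapper received. Also note, hedged since it predates this commit, that the `versionOlder`/`versionAtLeast` split keys off the configured kernel, not the running one, so a switch without reboot onto a ≥4.3 config can leave ping without working capabilities until reboot. The surrounding module and the setcap list start outside this hunk.
```nix
# … unchanged: setcap list above …
security.permissionsWrappers.setuid =
  let
    # One setuid-root wrapper per iputils binary; shared so ping/ping6 stay in sync.
    pingWrapper = program: {
      inherit program;
      source = "${pkgs.iputils.out}/bin/${program}";
      owner = "root";
      group = "root";
      setuid = true;
    };
  in mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3")
    (map pingWrapper [ "ping" "ping6" ]);
```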