| author | Lin Jian <me@linj.tech> | 2023-09-07 10:27:20 +0800 |
|---|---|---|
| committer | Lin Jian <me@linj.tech> | 2023-09-21 16:52:16 +0800 |
| commit | 759ec1113d0a1d6315b38bd83ec3562dacc08238 (patch) | |
| tree | da272287f8b12355ff4ffe6e1f2bd944ae2f5543 /nixos/modules/services/home-automation/home-assistant.nix | |
| parent | 0e69d3ec89f55e5ef6b3684b71815d57d8a5a98b (diff) | |
nixos/network-interfaces: stop wrapping ping with cap_net_raw
From systemd 243 release note[1]:

> This release enables unprivileged programs (i.e. requiring neither setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests by turning on the "net.ipv4.ping_group_range" sysctl of the Linux kernel for the whole UNIX group range, i.e. all processes.

So this wrapper is not needed any more. See also [2] and [3].

This patch also removes:

- apparmor profiles in NixOS for ping itself and the wrapped one
- other references for the wrapped ping

[1]: https://github.com/systemd/systemd/blob/8e2d9d40b33bc8e8f5d3479fb075d3fab32a4184/NEWS#L6457-L6464
[2]: https://github.com/systemd/systemd/pull/13141
[3]: https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
Diffstat (limited to 'nixos/modules/services/home-automation/home-assistant.nix')
-rw-r--r-- | nixos/modules/services/home-automation/home-assistant.nix | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix index 0b8b1d7194187..bf32382652d1d 100644 --- a/nixos/modules/services/home-automation/home-assistant.nix +++ b/nixos/modules/services/home-automation/home-assistant.nix @@ -586,11 +586,12 @@ in { "~@privileged" ] ++ optionals (any useComponent componentsUsingPing) [ "capset" + "setuid" ]; UMask = "0077"; }; path = [ - "/run/wrappers" # needed for ping + pkgs.unixtools.ping # needed for ping ]; }; |
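Review bot: the `+ "setuid"` entry added next to `"capset"` in the `componentsUsingPing` syscall list widens the filter for every Home Assistant instance that uses a ping-based component, but neither the hunk nor the commit message says why the unwrapped `pkgs.unixtools.ping` needs `setuid` now that the wrapper is gone; please state the reason in the commit message or as an inline comment on that line, as `"capset"` has no explanation either and a reader of the filter cannot tell which binary each entry exists for. Relatedly, the replacement of `"/run/wrappers" # needed for ping` with `pkgs.unixtools.ping # needed for ping` silently depends on the `net.ipv4.ping_group_range` sysctl being set on the host (the commit message credits systemd for turning it on), so the comment would be more useful as something like `# unprivileged ping; relies on net.ipv4.ping_group_range`, since a system with that sysctl narrowed back will fail here with a permission error that points nowhere near this module.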