diff options
| author | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-12 18:53:48 +0200 |
|---|---|---|
| committer | rnhmjoj <rnhmjoj@inventati.org> | 2021-09-13 13:48:13 +0200 |
| commit | fedd7cd6901646cb7e2a94a148d300f7b632d7e0 (patch) | |
| tree | 14b7af8318d75536656849335e20c51cdfdf3447 /nixos/modules/tasks | |
| parent | 8f76a6eefcfa0c9904e0749f04b27090527ce09f (diff) | |
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you to think about what the wrapper ownership and permissions will be.
Diffstat (limited to 'nixos/modules/tasks')
| -rw-r--r-- | nixos/modules/tasks/filesystems/ecryptfs.nix | 14 | ||||
| -rw-r--r-- | nixos/modules/tasks/network-interfaces.nix | 9 |
2 files changed, 19 insertions, 4 deletions
diff --git a/nixos/modules/tasks/filesystems/ecryptfs.nix b/nixos/modules/tasks/filesystems/ecryptfs.nix index 12a407cabbfb0..8138e65916109 100644 --- a/nixos/modules/tasks/filesystems/ecryptfs.nix +++ b/nixos/modules/tasks/filesystems/ecryptfs.nix @@ -7,8 +7,18 @@ with lib; config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) { system.fsPackages = [ pkgs.ecryptfs ]; security.wrappers = { - "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; - "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; + "mount.ecryptfs_private" = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; + }; + "umount.ecryptfs_private" = + { setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private"; + }; }; }; } diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 8f9c66b01572c..d934e3cf02248 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1133,11 +1133,16 @@ in # kernel because we need the ambient capability security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then { ping = { - source = "${pkgs.iputils.out}/bin/ping"; + owner = "root"; + group = "root"; capabilities = "cap_net_raw+p"; + source = "${pkgs.iputils.out}/bin/ping"; }; } else { - ping.source = "${pkgs.iputils.out}/bin/ping"; + setuid = true; + owner = "root"; + group = "root"; + source = "${pkgs.iputils.out}/bin/ping"; }; security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter '' /run/wrappers/bin/ping { |