Unverified Commit d042a296 authored by Martin Weinelt's avatar Martin Weinelt Committed by GitHub

Merge pull request #253764 from linj-fork/fix-ping-wrapper

nixos/network-interfaces: stop wrapping ping with cap_net_raw
parents 9f27f8b2 759ec111
+1 −1
@@ -69,4 +69,4 @@ do:
  `/etc/group` and `/etc/shadow`. This also creates home directories
- `usrbinenv` creates `/usr/bin/env`
- `var` creates some directories in `/var` that are not service-specific
- `wrappers` creates setuid wrappers like `ping` and `sudo`
- `wrappers` creates setuid wrappers like `sudo`
+0 −6
@@ -2,10 +2,4 @@
let apparmor = config.security.apparmor; in
{
config.security.apparmor.packages = [ pkgs.apparmor-profiles ];
config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''
  include "${pkgs.iputils.apparmor}/bin.ping"
  include "${pkgs.inetutils.apparmor}/bin.ping"
  # Note that including those two profiles in the same profile
  # would not work if the second one were to re-include <tunables/global>.
'';
}
+2 −1
@@ -588,11 +588,12 @@ in {
          "~@privileged"
        ] ++ optionals (any useComponent componentsUsingPing) [
          "capset"
          "setuid"
        ];
        UMask = "0077";
      };
      path = [
        "/run/wrappers" # needed for ping
        pkgs.unixtools.ping # needed for ping
      ];
    };
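Review bot: The `"setuid"` entry added to the `optionals (any useComponent componentsUsingPing)` allowlist has no comment saying why a ping that no longer runs through a capability wrapper still needs it; presumably iputils ping calls setuid(getuid()) to drop privileges it never had, and without that written down the next hardening pass will remove the entry and break ping again. Suggest `"setuid" # ping calls setuid(getuid()) even when run unprivileged` and, now that the wrapper is gone, re-checking whether `"capset"` is still required at all rather than carrying both syscalls past `"~@privileged"`. The `pkgs.unixtools.ping` added to `path` now depends on unprivileged ICMP sockets, i.e. on the service's group falling inside `net.ipv4.ping_group_range`, so a comment such as `# unprivileged ping; needs net.ipv4.ping_group_range to cover the service gid` says more than the current `# needed for ping`. The service definition this hunk edits starts outside the hunk.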

+0 −22
@@ -1406,28 +1406,6 @@ in
          val = tempaddrValues.${opt}.sysctl;
         in nameValuePair "net.ipv6.conf.${replaceStrings ["."] ["/"] i.name}.use_tempaddr" val));

    security.wrappers = {
      ping = {
        owner = "root";
        group = "root";
        capabilities = "cap_net_raw+p";
        source = "${pkgs.iputils.out}/bin/ping";
      };
    };
    security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
      /run/wrappers/bin/ping {
        include <abstractions/base>
        include <nixos/security.wrappers/ping>
        rpx /run/wrappers/wrappers.*/ping,
      }
      /run/wrappers/wrappers.*/ping {
        include <abstractions/base>
        include <nixos/security.wrappers/ping>
        capability net_raw,
        capability setpcap,
      }
    '');

    # Set the host and domain names in the activation script.  Don't
    # clear it if it's not configured in the NixOS configuration,
    # since it may have been set by dhcpcd in the meantime.
+1 −1
@@ -169,7 +169,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {

    # Do some IP traffic
    output_ping = machine.succeed(
        "systemd-run --wait -- /run/wrappers/bin/ping -c 1 127.0.0.1 2>&1"
        "systemd-run --wait -- ping -c 1 127.0.0.1 2>&1"
    )

    with subtest("systemd reports accounting data on system.slice"):
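Review bot: The bare `ping` on the new `systemd-run --wait -- ping -c 1 127.0.0.1 2>&1` line leaves it implicit that this call now exercises an unprivileged ping instead of the former `/run/wrappers/bin/ping`, so a reader cannot tell why a failure here might point at the ICMP socket setup rather than at accounting. A one-line comment above the call, `# plain ping (no setuid/capability wrapper any more), so this also relies on unprivileged ICMP working`, would keep that visible. Which binary `systemd-run` resolves `ping` to presumably depends on the caller's search path; if the test means a specific package, an absolute store path would pin it. The enclosing test script starts and ends outside the hunk.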