Diffstat (limited to 'nixos/modules/tasks/network-interfaces.nix')
-rw-r--r--nixos/modules/tasks/network-interfaces.nix39
1 files changed, 37 insertions, 2 deletions
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 83d9854d3517..a69435ff5937 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, utils, ... }:
+{ config, lib, pkgs, utils, stdenv, ... }:
 
 with lib;
 with utils;
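Review bot: The new `stdenv` argument added at the module's function signature is not referenced by any added line in this diff, and NixOS module functions only receive the arguments the module system supplies (`config`, `lib`, `pkgs`, `utils`, ... as the old signature used). Unless `stdenv` is exposed through `_module.args` elsewhere, evaluating this module will fail with a missing-argument error, and if it is only needed for a version check the value is already reachable as `pkgs.stdenv`. Suggest reverting to `{ config, lib, pkgs, utils, ... }:` unless a use outside the shown hunks depends on it. The module body continues well past this hunk.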
@@ -896,7 +896,42 @@ in
         (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))
       ));
 
-    security.setuidPrograms = [ "ping" "ping6" ];
+    # Capabilities won't work unless we have at-least a 4.3 Linux
+    # kernel because we need the ambient capability
+    security.permissionsWrappers.setcap = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") (
+      [
+        { program = "ping";
+          source  = "${pkgs.iputils.out}/bin/ping";
+          setcap  = true;
+          capabilities = "cap_net_raw+p";
+        }
+
+        { program = "ping6";
+          source  = "${pkgs.iputils.out}/bin/ping6";
+          setcap  = true;
+          capabilities = "cap_net_raw+p";
+        }
+      ]
+    );
+
+    # If our linux kernel IS older than 4.3, let's setuid ping and ping6
+    security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") (
+      [
+        { program = "ping";
+          source  = "${pkgs.iputils.out}/bin/ping";
+          owner   = "root";
+          group   = "root";
+          setuid  = true;
+        }
+        
+        { program = "ping6";
+          source  = "${pkgs.iputils.out}/bin/ping6";
+          owner   = "root";
+          group   = "root";
+          setuid  = true;
+        }
+      ]
+    );
 
     # Set the host and domain names in the activation script.  Don't
     # clear it if it's not configured in the NixOS configuration,
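Review bot: The four wrapper entries are copies that differ only in the program name, and the `+` line between the two setuid entries carries trailing whitespace; generating the lists with `map` over `[ "ping" "ping6" ]` keeps the two branches in sync (a later change to the source path or capability string otherwise has to be made four times) and preserves the intent of the replaced one-liner. The two `mkIf` conditions (`versionAtLeast` / `versionOlder` on the same version string) are complementary, so exactly one branch applies, which is worth stating in the comment above the setuid branch, e.g. `# Older kernels: fall back to setuid-root wrappers, as before this change.` Whether `cap_net_raw+p` alone is sufficient depends on the wrapper raising the capability into the ambient set, which this file does not show; confirm against the permissions-wrapper implementation. The enclosing attribute set starts and ends outside this hunk.
```nix
    # Capabilities won't work unless we have at-least a 4.3 Linux
    # kernel because we need the ambient capability
    security.permissionsWrappers.setcap = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3")
      (map (program: {
        inherit program;
        source = "${pkgs.iputils.out}/bin/${program}";
        setcap = true;
        capabilities = "cap_net_raw+p";
      }) [ "ping" "ping6" ]);

    # Older kernels: fall back to setuid-root wrappers, as before this change.
    security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3")
      (map (program: {
        inherit program;
        source = "${pkgs.iputils.out}/bin/${program}";
        owner = "root";
        group = "root";
        setuid = true;
      }) [ "ping" "ping6" ]);
```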