Diffstat (limited to 'nixos/modules/tasks/network-interfaces.nix')
-rw-r--r-- | nixos/modules/tasks/network-interfaces.nix | 39 |
1 files changed, 37 insertions, 2 deletions
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 83d9854d3517..a69435ff5937 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, utils, ... }:
+{ config, lib, pkgs, utils, stdenv, ... }:
 
 with lib;
 with utils;
@@ -896,7 +896,42 @@ in
 (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))
 ));
 
- security.setuidPrograms = [ "ping" "ping6" ];
+ # Capabilities won't work unless we have at-least a 4.3 Linux
+ # kernel because we need the ambient capability
+ security.permissionsWrappers.setcap = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") (
+ [
+ { program = "ping";
+ source = "${pkgs.iputils.out}/bin/ping";
+ setcap = true;
+ capabilities = "cap_net_raw+p";
+ }
+
+ { program = "ping6";
+ source = "${pkgs.iputils.out}/bin/ping6";
+ setcap = true;
+ capabilities = "cap_net_raw+p";
+ }
+ ]
+ );
+
+ # If our linux kernel IS older than 4.3, let's setuid ping and ping6
+ security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") (
+ [
+ { program = "ping";
+ source = "${pkgs.iputils.out}/bin/ping";
+ owner = "root";
+ group = "root";
+ setuid = true;
+ }
+
+ { program = "ping6";
+ source = "${pkgs.iputils.out}/bin/ping6";
+ owner = "root";
+ group = "root";
+ setuid = true;
+ }
+ ]
+ );
 
 # Set the host and domain names in the activation script. Don't
 # clear it if it's not configured in the NixOS configuration, |
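Review bot: `stdenv` is added to the module's argument pattern in the first hunk but nothing in the added code references it; NixOS module functions are called with `config`, `lib`, `pkgs`, `options` and whatever `_module.args` supplies, so unless `stdenv` is provided that way or used further down the file (outside these hunks) the new required argument will break evaluation of the module and the line should stay `{ config, lib, pkgs, utils, ... }:`. In the second hunk the two `setcap` entries and the two `setuid` entries differ only in the program name, so each list could be produced by a single `map`, e.g. `map (p: { program = p; source = "${pkgs.iputils.out}/bin/${p}"; setcap = true; capabilities = "cap_net_raw+p"; }) [ "ping" "ping6" ]`, which keeps the capability string (the security-relevant part) in one place and makes the setuid fallback visibly parallel. The enclosing attribute set starts and ends outside the hunk.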