From 759ec1113d0a1d6315b38bd83ec3562dacc08238 Mon Sep 17 00:00:00 2001
From: Lin Jian
Date: Thu, 7 Sep 2023 10:27:20 +0800
Subject: [PATCH] nixos/network-interfaces: stop wrapping ping with cap_net_raw

From systemd 243 release note[1]: This release enables unprivileged programs (i.e. requiring neither setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests by turning on the "net.ipv4.ping_group_range" sysctl of the Linux kernel for the whole UNIX group range, i.e. all processes. So this wrapper is not needed any more. See also [2] and [3].
This patch also removes:
- apparmor profiles in NixOS for ping itself and the wrapped one
- other references for the wrapped ping
[1]: https://github.com/systemd/systemd/blob/8e2d9d40b33bc8e8f5d3479fb075d3fab32a4184/NEWS#L6457-L6464
[2]: https://github.com/systemd/systemd/pull/13141
[3]: https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
---
 .../development/activation-script.section.md | 2 +-
 nixos/modules/security/apparmor/profiles.nix | 6 -----
 .../home-automation/home-assistant.nix | 3 ++-
 nixos/modules/tasks/network-interfaces.nix | 22 -------------------
 nixos/tests/systemd.nix | 2 +-
 pkgs/servers/monitoring/plugins/default.nix | 8 ++++---
 6 files changed, 9 insertions(+), 34 deletions(-)

diff --git a/nixos/doc/manual/development/activation-script.section.md b/nixos/doc/manual/development/activation-script.section.md
index c339258c6dc4..cc317a6a01aa 100644
--- a/nixos/doc/manual/development/activation-script.section.md
+++ b/nixos/doc/manual/development/activation-script.section.md
@@ -69,4 +69,4 @@ do:
 `/etc/group` and `/etc/shadow`. This also creates home directories
 - `usrbinenv` creates `/usr/bin/env`
 - `var` creates some directories in `/var` that are not service-specific
-- `wrappers` creates setuid wrappers like `ping` and `sudo`
+- `wrappers` creates setuid wrappers like `sudo`
diff --git a/nixos/modules/security/apparmor/profiles.nix b/nixos/modules/security/apparmor/profiles.nix
index 8eb630b5a48a..0bf90a008655 100644
--- a/nixos/modules/security/apparmor/profiles.nix
+++ b/nixos/modules/security/apparmor/profiles.nix
@@ -2,10 +2,4 @@
 let apparmor = config.security.apparmor; in
 {
 config.security.apparmor.packages = [ pkgs.apparmor-profiles ];
-config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''
- include "${pkgs.iputils.apparmor}/bin.ping"
- include "${pkgs.inetutils.apparmor}/bin.ping"
- # Note that including those two profiles in the same profile
- # would not work if the second one were to re-include .
-'';
 }
diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix
index 0b8b1d719418..bf32382652d1 100644
--- a/nixos/modules/services/home-automation/home-assistant.nix
+++ b/nixos/modules/services/home-automation/home-assistant.nix
@@ -586,11 +586,12 @@ in {
 "~@privileged"
 ] ++ optionals (any useComponent componentsUsingPing) [
 "capset"
+ "setuid"
 ];
 UMask = "0077";
 };
 path = [
- "/run/wrappers" # needed for ping
+ pkgs.unixtools.ping # needed for ping
 ];
 };
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 0d4033ca9430..e11fd3aaec37 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
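Review bot: The new `"setuid"` entry punches a hole in the unit's `~@privileged` syscall filter with no comment saying why an unprivileged ping needs it, which is exactly the line someone auditing this hardening will want explained. Presumably iputils ping still calls setuid(getuid()) while dropping privileges even when it was started with none, and the unit would be SIGSYS-killed without the exemption — confirm against the ping source. I would annotate it as `"setuid" # ping calls setuid(getuid()) when dropping privileges, even if it has none` and extend the path comment to `pkgs.unixtools.ping # needed for ping; relies on net.ipv4.ping_group_range covering this unit's group`, since the wrapper this replaces granted cap_net_raw unconditionally while the sysctl can be overridden per host. The serviceConfig attribute set these lines belong to starts before the hunk.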
@@ -1385,28 +1385,6 @@ in
 val = tempaddrValues.${opt}.sysctl;
 in nameValuePair "net.ipv6.conf.${replaceStrings ["."] ["/"] i.name}.use_tempaddr" val));
- security.wrappers = {
- ping = {
- owner = "root";
- group = "root";
- capabilities = "cap_net_raw+p";
- source = "${pkgs.iputils.out}/bin/ping";
- };
- };
- security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
- /run/wrappers/bin/ping {
- include
- include
- rpx /run/wrappers/wrappers.*/ping,
- }
- /run/wrappers/wrappers.*/ping {
- include
- include
- capability net_raw,
- capability setpcap,
- }
- '');
 # Set the host and domain names in the activation script. Don't
 # clear it if it's not configured in the NixOS configuration,
 # since it may have been set by dhcpcd in the meantime.
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
index 3c36291b733d..5fb7ba53ad84 100644
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -169,7 +169,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 # Do some IP traffic
 output_ping = machine.succeed(
- "systemd-run --wait -- /run/wrappers/bin/ping -c 1 127.0.0.1 2>&1"
+ "systemd-run --wait -- ping -c 1 127.0.0.1 2>&1"
 )
 with subtest("systemd reports accounting data on system.slice"):
diff --git a/pkgs/servers/monitoring/plugins/default.nix b/pkgs/servers/monitoring/plugins/default.nix
index c7823789081b..2f6122caa69e 100644
--- a/pkgs/servers/monitoring/plugins/default.nix
+++ b/pkgs/servers/monitoring/plugins/default.nix
@@ -21,6 +21,7 @@
 , openldap
 , procps
 , runtimeShell
+, unixtools
 }:
 let
@@ -33,6 +34,7 @@ let
 lm_sensors
 net-snmp
 procps
+ unixtools.ping
 ];
 mailq = runCommand "mailq-wrapper" { preferLocalBuild = true; } ''
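Review bot: This is the only test the commit touches, and because the systemd-run unit runs as root it never exercises the unprivileged path ping now depends on: root can open raw ICMP sockets regardless of `net.ipv4.ping_group_range`, so this line keeps passing even if that sysctl is never applied. The cap_net_raw wrapper that used to cover non-root callers is removed in this same commit, so a regression check belongs somewhere; a cheap one here is `machine.succeed("systemd-run --wait --uid=nobody -- ping -c 1 127.0.0.1 2>&1")`, assuming the `nobody` account exists on the test VM. The accounting subtest this line sits in continues beyond the hunk.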
@@ -58,7 +60,7 @@ stdenv.mkDerivation rec {
 sha256 = "sha256-yLhHOSrPFRjW701aOL8LPe4OnuJxL6f+dTxNqm0evIg=";
 };
- # TODO: Awful hack. Grrr... this of course only works on NixOS.
+ # TODO: Awful hack. Grrr...
 # Anyway the check that configure performs to figure out the ping
 # syntax is totally impure, because it runs an actual ping to
 # localhost (which won't work for ping6 if IPv6 support isn't
@@ -74,8 +76,8 @@ stdenv.mkDerivation rec {
 -e 's|^DEFAULT_PATH=.*|DEFAULT_PATH=\"${binPath}\"|'
 configureFlagsArray+=(
- --with-ping-command='/run/wrappers/bin/ping -4 -n -U -w %d -c %d %s'
- --with-ping6-command='/run/wrappers/bin/ping -6 -n -U -w %d -c %d %s'
+ --with-ping-command='ping -4 -n -U -w %d -c %d %s'
+ --with-ping6-command='ping -6 -n -U -w %d -c %d %s'
 )
 install -Dm555 ${share} $out/share
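Review bot: The two `--with-ping*-command` strings now name a bare `ping`, so which binary check_ping executes is decided by PATH at runtime rather than fixed at build time; the `DEFAULT_PATH` sed line in the hunk context presumably makes `unixtools.ping` resolvable, but only for code paths that actually honor DEFAULT_PATH — verify that check_ping does. Since `unixtools.ping` is already an input of this derivation, pinning the store path is simpler and removes the PATH-lookup question entirely: `--with-ping-command='${unixtools.ping}/bin/ping -4 -n -U -w %d -c %d %s'` and `--with-ping6-command='${unixtools.ping}/bin/ping -6 -n -U -w %d -c %d %s'`. The `-4`/`-6`/`-U`/`-w` flags are iputils syntax, so with the "only works on NixOS" caveat gone it is worth either confirming that whatever `unixtools.ping` resolves to on other platforms accepts them, or keeping a comment that the flags are iputils-specific. The shell phase these lines belong to starts before the hunk.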