pyrox.dev / nixpkgs
lol
fork atom

programs.wireshark: use setcap wrapper

Robin Gloster 7ec5faa8 8f3e6fdd

options
unified split
Changed files
+5 -22
nixos
modules
misc
ids.nix
programs
wireshark.nix
-2
nixos/modules/misc/ids.nix 
···

       
288

       
288

       
 

       
      kresd = 270;


     

       
289

       
289

       
 

       
      rpc = 271;


     

       
290

       
290

       
 

       
      geoip = 272;


     

       
291

       

       
-

       
      #wireshark = 273; # unused


     

       
292

       
291

       
 

       



     

       
293

       
292

       
 

       
      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!


     

       
294

       
293

       
 

       



     
···

       
546

       
545

       
 

       
      kresd = 270;


     

       
547

       
546

       
 

       
      #rpc = 271; # unused


     

       
548

       
547

       
 

       
      #geoip = 272; # unused


     

       
549

       

       
-

       
      wireshark = 273;


     

       
550

       
548

       
 

       



     

       
551

       
549

       
 

       
      # When adding a gid, make sure it doesn't match an existing


     

       
552

       
550

       
 

       
      # uid. Users and groups with the same name should have equal
+5 -20
nixos/modules/programs/wireshark.nix 
···

       
3

       
3

       
 

       
with lib;


     

       
4

       
4

       
 

       



     

       
5

       
5

       
 

       
let


     

       
6

       

       
-

       



     

       
7

       
6

       
 

       
  cfg = config.programs.wireshark;


     

       
8

       
7

       
 

       
  wireshark = cfg.package;


     

       
9

       

       
-

       



     

       
10

       

       
-

       
in


     

       
11

       

       
-

       



     

       
12

       

       
-

       
{


     

       
13

       

       
-

       



     

       

       
8

       
+

       
in {


     

       
14

       
9

       
 

       
  options = {


     

       
15

       

       
-

       



     

       
16

       
10

       
 

       
    programs.wireshark = {


     

       
17

       

       
-

       



     

       
18

       
11

       
 

       
      enable = mkOption {


     

       
19

       
12

       
 

       
        type = types.bool;


     

       
20

       
13

       
 

       
        default = false;


     

       
21

       
14

       
 

       
        description = ''


     

       
22

       
15

       
 

       
          Whether to add Wireshark to the global environment and configure a


     

       
23

       

       
-

       
          setuid wrapper for 'dumpcap' for users in the 'wireshark' group.


     

       

       
16

       
+

       
          setcap wrapper for 'dumpcap' for users in the 'wireshark' group.


     

       
24

       
17

       
 

       
        '';


     

       
25

       
18

       
 

       
      };


     

       
26

       

       
-

       



     

       
27

       
19

       
 

       
      package = mkOption {


     

       
28

       
20

       
 

       
        type = types.package;


     

       
29

       
21

       
 

       
        default = pkgs.wireshark-cli;


     
···

       
32

       
24

       
 

       
          Which Wireshark package to install in the global environment.


     

       
33

       
25

       
 

       
        '';


     

       
34

       
26

       
 

       
      };


     

       
35

       

       
-

       



     

       
36

       
27

       
 

       
    };


     

       
37

       

       
-

       



     

       
38

       
28

       
 

       
  };


     

       
39

       
29

       
 

       



     

       
40

       
30

       
 

       
  config = mkIf cfg.enable {


     

       
41

       

       
-

       



     

       
42

       
31

       
 

       
    environment.systemPackages = [ wireshark ];


     

       
43

       

       
-

       
    


     

       

       
32

       
+

       
    users.extraGroups.wireshark = {};


     

       

       
33

       
+

       



     

       
44

       
34

       
 

       
    security.wrappers.dumpcap = {


     

       
45

       
35

       
 

       
      source = "${wireshark}/bin/dumpcap";


     

       

       
36

       
+

       
      capabilities = "cap_net_raw+p";


     

       
46

       
37

       
 

       
      owner = "root";


     

       
47

       
38

       
 

       
      group = "wireshark";


     

       
48

       

       
-

       
      setuid = true;


     

       
49

       

       
-

       
      setgid = false;


     

       
50

       
39

       
 

       
      permissions = "u+rx,g+x";


     

       
51

       
40

       
 

       
    };


     

       
52

       

       
-

       



     

       
53

       

       
-

       
    users.extraGroups.wireshark.gid = config.ids.gids.wireshark;


     

       
54

       

       
-

       



     

       
55

       
41

       
 

       
  };


     

       
56

       

       
-

       



     

       
57

       
42

       
 

       
}