Merge pull request #253764 from linj-fork/fix-ping-wrapper

nixos/network-interfaces: stop wrapping ping with cap_net_raw

nixos/doc/manual/development/activation-script.section.md

@@ -69,4 +69,4 @@ do:
   `/etc/group` and `/etc/shadow`. This also creates home directories
 - `usrbinenv` creates `/usr/bin/env`
 - `var` creates some directories in `/var` that are not service-specific
-- `wrappers` creates setuid wrappers like `ping` and `sudo`
+- `wrappers` creates setuid wrappers like `sudo`

nixos/modules/security/apparmor/profiles.nix

@@ -2,10 +2,4 @@
 let apparmor = config.security.apparmor; in
 {
 config.security.apparmor.packages = [ pkgs.apparmor-profiles ];
-config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''
-  include "${pkgs.iputils.apparmor}/bin.ping"
-  include "${pkgs.inetutils.apparmor}/bin.ping"
-  # Note that including those two profiles in the same profile
-  # would not work if the second one were to re-include <tunables/global>.
-'';
 }

nixos/modules/services/home-automation/home-assistant.nix

@@ -588,11 +588,12 @@ in {
           "~@privileged"
         ] ++ optionals (any useComponent componentsUsingPing) [
           "capset"
+          "setuid"
         ];
         UMask = "0077";
       };
       path = [
-        "/run/wrappers" # needed for ping
+        pkgs.unixtools.ping # needed for ping
       ];
     };
 

nixos/modules/tasks/network-interfaces.nix

@@ -1406,28 +1406,6 @@ in
           val = tempaddrValues.${opt}.sysctl;
          in nameValuePair "net.ipv6.conf.${replaceStrings ["."] ["/"] i.name}.use_tempaddr" val));
 
-    security.wrappers = {
-      ping = {
-        owner = "root";
-        group = "root";
-        capabilities = "cap_net_raw+p";
-        source = "${pkgs.iputils.out}/bin/ping";
-      };
-    };
-    security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
-      /run/wrappers/bin/ping {
-        include <abstractions/base>
-        include <nixos/security.wrappers/ping>
-        rpx /run/wrappers/wrappers.*/ping,
-      }
-      /run/wrappers/wrappers.*/ping {
-        include <abstractions/base>
-        include <nixos/security.wrappers/ping>
-        capability net_raw,
-        capability setpcap,
-      }
-    '');
-
     # Set the host and domain names in the activation script.  Don't
     # clear it if it's not configured in the NixOS configuration,
     # since it may have been set by dhcpcd in the meantime.

nixos/tests/systemd.nix

@@ -169,7 +169,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 
     # Do some IP traffic
     output_ping = machine.succeed(
-        "systemd-run --wait -- /run/wrappers/bin/ping -c 1 127.0.0.1 2>&1"
+        "systemd-run --wait -- ping -c 1 127.0.0.1 2>&1"
     )
 
     with subtest("systemd reports accounting data on system.slice"):

pkgs/servers/monitoring/plugins/default.nix

@@ -21,6 +21,7 @@
 , openldap
 , procps
 , runtimeShell
+, unixtools
 }:
 
 let
@@ -33,6 +34,7 @@ let
     lm_sensors
     net-snmp
     procps
+    unixtools.ping
   ];
 
   mailq = runCommand "mailq-wrapper" { preferLocalBuild = true; } ''
@@ -58,7 +60,7 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-yLhHOSrPFRjW701aOL8LPe4OnuJxL6f+dTxNqm0evIg=";
   };
 
-  # TODO: Awful hack. Grrr... this of course only works on NixOS.
+  # TODO: Awful hack. Grrr...
   # Anyway the check that configure performs to figure out the ping
   # syntax is totally impure, because it runs an actual ping to
   # localhost (which won't work for ping6 if IPv6 support isn't
@@ -74,8 +76,8 @@ stdenv.mkDerivation rec {
       -e 's|^DEFAULT_PATH=.*|DEFAULT_PATH=\"${binPath}\"|'
 
     configureFlagsArray+=(
-      --with-ping-command='/run/wrappers/bin/ping -4 -n -U -w %d -c %d %s'
+      --with-ping-command='ping -4 -n -U -w %d -c %d %s'
-      --with-ping6-command='/run/wrappers/bin/ping -6 -n -U -w %d -c %d %s'
+      --with-ping6-command='ping -6 -n -U -w %d -c %d %s'
     )
 
     install -Dm555 ${share} $out/share