M config.scm => config.scm +46 -2
@@ 13,9 13,31 @@
(gnu system nss)
(guix utils)
(guix packages)
+ (guix build-system gnu)
(ruther bootloader grub))
(use-service-modules desktop sddm xorg base nix pm virtualization vpn sound dbus cups docker)
-(use-package-modules gnome package-management shells networking wm vim wget curl bash compression glib linux embedded finance python-xyz freedesktop python-build haskell-apps)
+(use-package-modules gnome package-management shells networking wm
+ vim wget curl bash compression glib
+ linux embedded finance python-xyz freedesktop
+ python-build haskell-apps commencement)
+
+(define wireshark-patched
+ (package/inherit wireshark
+ (source (origin
+ (inherit (package-source wireshark))
+ (patches (cons*
+ (local-file "patches/wireshark.patch")
+ (origin-patches (package-source wireshark))))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments wireshark)
+ ((#:phases original-phases)
+ #~(modify-phases #$original-phases
+ (add-after 'qt-wrap 'unwrap-dumpcap
+ (lambda _
+ (delete-file (string-append #$output "/bin/dumpcap"))
+ (copy-file
+ (string-append #$output "/bin/.dumpcap-real")
+ (string-append #$output "/bin/dumpcap"))))))))))
(operating-system
(kernel linux-6.12)
@@ 73,6 95,27 @@
;; Add the `students' group
(groups %base-groups)
+ (privileged-programs
+ (cons*
+ (privileged-program
+ (program
+ (file-append wireshark-patched "/bin/dumpcap"))
+ ;; (program
+ ;; (file-append
+ ;; (computed-file
+ ;; "dumpcap"
+ ;; (with-imported-modules '((guix build utils))
+ ;; #~(begin
+ ;; (use-modules (guix build utils))
+ ;; (mkdir-p (string-append #$output "/bin"))
+ ;; (copy-file
+ ;; #$(file-append wireshark-patched "/bin/.dumpcap-real")
+ ;; (string-append #$output "/bin/dumpcap")))))
+ ;; "/bin/dumpcap"))
+ ;; (setuid? #t)
+ (capabilities "cap_net_raw,cap_net_admin=eip"))
+ %default-privileged-programs))
+
;; This is where we specify system-wide packages.
(packages (append (list
;; for user mounts
@@ 80,7 123,8 @@
zip unzip
wget curl
vim
- nix)
+ nix
+ wireshark-patched)
%base-packages))
(services
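Review bot: The `privileged-program` entry for dumpcap grants `cap_net_raw,cap_net_admin=eip` without saying who may run it, and as far as I can tell Guix installs these copies under /run/privileged/bin executable by every local account, so any user on the machine could capture traffic on all interfaces. Upstream Wireshark's guidance is to limit dumpcap to a dedicated group; if the record offers no way to narrow execute permission, the exposure should at least be stated next to the entry, e.g. `;; NOTE: any local user can run this dumpcap and capture on all interfaces`. The commented-out `computed-file` alternative and `;; (setuid? #t)` inside the same form read as leftovers and are best deleted, or replaced by one line saying why the `unwrap-dumpcap` phase was chosen instead. That phase also deserves a comment such as `;; file capabilities need the real binary, not the qt-wrap wrapper script`; that rationale is my inference from the phase name, so confirm it before committing the wording.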
A patches/wireshark.patch => patches/wireshark.patch +34 -0
@@ 0,0 1,34 @@
+From cb326bf97c99ff73a0a8689304e3ad47aa59139f Mon Sep 17 00:00:00 2001
+From: Rutherther <rutherther@ditigal.xyz>
+Date: Sat, 15 Feb 2025 11:39:38 +0100
+Subject: [PATCH] Point dumpcap to privileged bin
+
+---
+ capture/capture_sync.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/capture/capture_sync.c b/capture/capture_sync.c
+index 946dc810db..2cc3d6f705 100644
+--- a/capture/capture_sync.c
++++ b/capture/capture_sync.c
+@@ -244,7 +244,7 @@ init_pipe_args(int *argc) {
+ char **argv;
+
+ /* Find the absolute path of the dumpcap executable. */
+- exename = get_executable_path("dumpcap");
++ exename = "/run/privileged/bin/dumpcap";
+ if (exename == NULL) {
+ return NULL;
+ }
+@@ -270,10 +270,6 @@ init_pipe_args(int *argc) {
+ }
+ }
+
+- /* sync_pipe_add_arg strdupes exename, so we should free our copy */
+- g_free(exename);
+-
+ return argv;
+ }
+
+--
+2.48.1
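Review bot: With `exename` now assigned a string literal, the `if (exename == NULL)` guard kept in `init_pipe_args` can never fire, and nothing checks that `/run/privileged/bin/dumpcap` exists. A wireshark-patched build used on a system without the matching privileged-program entry would therefore fail only when the child is spawned. Turning the dead guard into a real check keeps the existing NULL-return path meaningful: `if (!g_file_test(exename, G_FILE_TEST_IS_EXECUTABLE)) return NULL;`. The declaration of `exename` is outside the hunk; if it is a plain `char *`, it should become `const char *` now that it points at a literal and the `g_free` is gone. The embedded patch has only a subject line, so a sentence in its body saying that the fixed path pins capture to the capability-bearing copy would help whoever rebases it onto a newer Wireshark.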