2 files changed, 80 insertions(+), 2 deletions(-)

M config.scm
A patches/wireshark.patch

@@ 13,9 13,31 @@
  (gnu system nss)
  (guix utils)
  (guix packages)
+ (guix build-system gnu)
  (ruther bootloader grub))
 (use-service-modules desktop sddm xorg base nix pm virtualization vpn sound dbus cups docker)
-(use-package-modules gnome package-management shells networking wm vim wget curl bash compression glib linux embedded finance python-xyz freedesktop python-build haskell-apps)
+(use-package-modules gnome package-management shells networking wm
+                     vim wget curl bash compression glib
+                     linux embedded finance python-xyz freedesktop
+                     python-build haskell-apps commencement)
+
+(define wireshark-patched
+  (package/inherit wireshark
+                  (source (origin
+                            (inherit (package-source wireshark))
+                            (patches (cons*
+                                      (local-file "patches/wireshark.patch")
+                                      (origin-patches (package-source wireshark))))))
+                  (arguments
+                   (substitute-keyword-arguments (package-arguments wireshark)
+                     ((#:phases original-phases)
+                      #~(modify-phases #$original-phases
+                          (add-after 'qt-wrap 'unwrap-dumpcap
+                            (lambda _
+                              (delete-file (string-append #$output "/bin/dumpcap"))
+                              (copy-file
+                               (string-append #$output "/bin/.dumpcap-real")
+                               (string-append #$output "/bin/dumpcap"))))))))))
 
 (operating-system
  (kernel linux-6.12)


@@ 73,6 95,27 @@
  ;; Add the `students' group
  (groups %base-groups)
 
+ (privileged-programs
+  (cons*
+   (privileged-program
+    (program
+     (file-append wireshark-patched "/bin/dumpcap"))
+    ;; (program
+    ;;  (file-append
+    ;;   (computed-file
+    ;;    "dumpcap"
+    ;;    (with-imported-modules '((guix build utils))
+    ;;      #~(begin
+    ;;          (use-modules (guix build utils))
+    ;;          (mkdir-p (string-append #$output "/bin"))
+    ;;          (copy-file
+    ;;           #$(file-append wireshark-patched "/bin/.dumpcap-real")
+    ;;           (string-append #$output "/bin/dumpcap")))))
+    ;;   "/bin/dumpcap"))
+    ;; (setuid? #t)
+    (capabilities "cap_net_raw,cap_net_admin=eip"))
+   %default-privileged-programs))
+
  ;; This is where we specify system-wide packages.
  (packages (append (list
                     ;; for user mounts


@@ 80,7 123,8 @@
                     zip unzip
                     wget curl
                     vim
-                    nix)
+                    nix
+                    wireshark-patched)
                    %base-packages))
 
  (services

@@ 0,0 1,34 @@
+From cb326bf97c99ff73a0a8689304e3ad47aa59139f Mon Sep 17 00:00:00 2001
+From: Rutherther <rutherther@ditigal.xyz>
+Date: Sat, 15 Feb 2025 11:39:38 +0100
+Subject: [PATCH] Point dumpcap to privileged bin
+
+---
+ capture/capture_sync.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/capture/capture_sync.c b/capture/capture_sync.c
+index 946dc810db..2cc3d6f705 100644
+--- a/capture/capture_sync.c
++++ b/capture/capture_sync.c
+@@ -244,7 +244,7 @@ init_pipe_args(int *argc) {
+     char **argv;
+ 
+     /* Find the absolute path of the dumpcap executable. */
+-    exename = get_executable_path("dumpcap");
++    exename = "/run/privileged/bin/dumpcap";
+     if (exename == NULL) {
+         return NULL;
+     }
+@@ -270,10 +270,6 @@ init_pipe_args(int *argc) {
+         }
+     }
+ 
+-    /* sync_pipe_add_arg strdupes exename, so we should free our copy */
+-    g_free(exename);
+-
+     return argv;
+ }
+ 
+--
+2.48.1