From 881ccdb19dcc2475aa4cffadb6119a32ae17909b Mon Sep 17 00:00:00 2001 From: Rutherther Date: Sat, 15 Feb 2025 13:57:33 +0100 Subject: [PATCH] feat: add Wireshark, root-less privileges --- config.scm | 48 +++++++++++++++++++++++++++++++++++++++-- patches/wireshark.patch | 34 +++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+), 2 deletions(-) create mode 100644 patches/wireshark.patch diff --git a/config.scm b/config.scm index 1b635a2..a1b5138 100644 --- a/config.scm +++ b/config.scm @@ -13,9 +13,31 @@ (gnu system nss) (guix utils) (guix packages) + (guix build-system gnu) (ruther bootloader grub)) (use-service-modules desktop sddm xorg base nix pm virtualization vpn sound dbus cups docker) -(use-package-modules gnome package-management shells networking wm vim wget curl bash compression glib linux embedded finance python-xyz freedesktop python-build haskell-apps) +(use-package-modules gnome package-management shells networking wm + vim wget curl bash compression glib + linux embedded finance python-xyz freedesktop + python-build haskell-apps commencement) + +(define wireshark-patched + (package/inherit wireshark + (source (origin + (inherit (package-source wireshark)) + (patches (cons* + (local-file "patches/wireshark.patch") + (origin-patches (package-source wireshark)))))) + (arguments + (substitute-keyword-arguments (package-arguments wireshark) + ((#:phases original-phases) + #~(modify-phases #$original-phases + (add-after 'qt-wrap 'unwrap-dumpcap + (lambda _ + (delete-file (string-append #$output "/bin/dumpcap")) + (copy-file + (string-append #$output "/bin/.dumpcap-real") + (string-append #$output "/bin/dumpcap")))))))))) (operating-system (kernel linux-6.12) 
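Review bot: The `unwrap-dumpcap` phase carries no comment saying why the `qt-wrap` wrapper at `bin/dumpcap` is replaced by the real binary, and the reason cannot be read off the phase itself. Presumably the `privileged-programs` entry added later in this file needs an ELF there, since file capabilities set on a wrapper script would not reach the program it executes; a comment such as `;; privileged-programs needs the real ELF here: capabilities on the qt-wrap script wrapper would not apply` would record that. The swap could also be done in one step with `(rename-file (string-append #$output "/bin/.dumpcap-real") (string-append #$output "/bin/dumpcap"))`, which replaces the wrapper and leaves no second copy in `bin`. The added `(guix build-system gnu)` and `commencement` modules are not used by anything visible in this diff.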
@@ -73,6 +95,27 @@ ;; Add the `students' group (groups %base-groups) + (privileged-programs + (cons* + (privileged-program + (program + (file-append wireshark-patched "/bin/dumpcap")) + ;; (program + ;; (file-append + ;; (computed-file + ;; "dumpcap" + ;; (with-imported-modules '((guix build utils)) + ;; #~(begin + ;; (use-modules (guix build utils)) + ;; (mkdir-p (string-append #$output "/bin")) + ;; (copy-file + ;; #$(file-append wireshark-patched "/bin/.dumpcap-real") + ;; (string-append #$output "/bin/dumpcap"))))) + ;; "/bin/dumpcap")) + ;; (setuid? #t) + (capabilities "cap_net_raw,cap_net_admin=eip")) + %default-privileged-programs)) + ;; This is where we specify system-wide packages. (packages (append (list ;; for user mounts @@ -80,7 +123,8 @@ zip unzip wget curl vim - nix) + nix + wireshark-patched) %base-packages)) (services diff --git a/patches/wireshark.patch b/patches/wireshark.patch new file mode 100644 index 0000000..2422958 --- /dev/null +++ b/patches/wireshark.patch @@ -0,0 +1,34 @@ +From cb326bf97c99ff73a0a8689304e3ad47aa59139f Mon Sep 17 00:00:00 2001 +From: Rutherther +Date: Sat, 15 Feb 2025 11:39:38 +0100 +Subject: [PATCH] Point dumpcap to privileged bin + +--- + capture/capture_sync.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/capture/capture_sync.c b/capture/capture_sync.c +index 946dc810db..2cc3d6f705 100644 +--- a/capture/capture_sync.c ++++ b/capture/capture_sync.c +@@ -244,7 +244,7 @@ init_pipe_args(int *argc) { + char **argv; + + /* Find the absolute path of the dumpcap executable. */ +- exename = get_executable_path("dumpcap"); ++ exename = "/run/privileged/bin/dumpcap"; + if (exename == NULL) { + return NULL; + } +@@ -270,10 +270,6 @@ init_pipe_args(int *argc) { + } + } + +- /* sync_pipe_add_arg strdupes exename, so we should free our copy */ +- g_free(exename); +- + return argv; + } + +-- +2.48.1 -- 2.48.1
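Review bot: The `privileged-program` entry sets only `program` and `capabilities`, so nothing visible here limits which accounts may run the capability-bearing `dumpcap`. As far as I know Guix installs these copies world-executable, which would let every local user capture traffic on any interface. If that is the intent for this machine, a comment should say so, e.g. `;; any local user may capture: dumpcap carries cap_net_raw and cap_net_admin`; if not, execution needs restricting to a capture group, which the fields used here do not do. The commented-out `computed-file` alternative and `;; (setuid? #t)` are dead code, better removed or reduced to one line saying why capabilities were chosen over setuid.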
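Review bot: In the first inner hunk of `patches/wireshark.patch`, the new `exename = "/run/privileged/bin/dumpcap";` makes the following `if (exename == NULL)` check unreachable and removes any fallback, so this build presumably works only where system activation has populated that path. Keeping the lookup as a fallback avoids that and makes the second inner hunk's `g_free` removal unnecessary: `exename = g_file_test("/run/privileged/bin/dumpcap", G_FILE_TEST_IS_EXECUTABLE) ? g_strdup("/run/privileged/bin/dumpcap") : get_executable_path("dumpcap");`. The declaration of `exename` and the rest of `init_pipe_args` lie outside the hunks, so the pointer's type is not visible here. The second inner hunk is headed `-270,10` but shows nine old-side lines (six context, three removed), so the patch is worth regenerating in case the applier is strict about counts.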