authorParnell Springmeyer <parnell@awakenetworks.com>2016-07-15 18:15:08 -0500
committerParnell Springmeyer <parnell@awakenetworks.com>2016-09-01 19:16:36 -0500
commit81b33eb46645b1bd3ab5029c0ca2012a24902bb0 (patch)
treeadec44051f272b30de06639772b043e4a05acbe5 /nixos/modules/tasks/network-interfaces.nix
parent79e81aa31bc7a0fa88507c06f21b41fbbd1cb863 (diff)
security: Updating the machinery for creating the wrapper programs dir in var and updating ping and ping6 for changed config interface.
Diffstat (limited to 'nixos/modules/tasks/network-interfaces.nix')
-rw-r--r--nixos/modules/tasks/network-interfaces.nix20
1 files changed, 17 insertions, 3 deletions
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 12605c245160..1e0b874297a2 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -891,7 +891,7 @@ in
# Capabilities won't work unless we have at-least a 4.3 Linux
# kernel because we need the ambient capability
- security.setcapCapabilities = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") (
+ security.permissionsWrappers.setcap = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") (
[
{ program = "ping";
source = "${pkgs.iputils.out}/bin/ping";
@@ -908,8 +908,22 @@ in
);
# If our linux kernel IS older than 4.3, let's setuid ping and ping6
- security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") (
- [ "ping" "ping6" ]
+ security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") (
+ [
+ { program = "ping";
+ source = "${pkgs.iputils.out}/bin/ping";
+ owner = "root";
+ group = "root";
+ setuid = true;
+ }
+
+ { program = "ping6";
+ source = "${pkgs.iputils.out}/bin/ping6";
+ owner = "root";
+ group = "root";
+ setuid = true;
+ }
+ ]
);
# Set the host and domain names in the activation script. Don't
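Review bot: The two setuid entries added in this hunk differ only in the program name, so the attributes that grant root (`owner`, `group`, `setuid`) are written twice and can drift apart on a later edit. Generating the list keeps them in one place: `map (p: { program = p; source = "${pkgs.iputils.out}/bin/${p}"; owner = "root"; group = "root"; setuid = true; }) [ "ping" "ping6" ]`. Neither entry states the file mode of the resulting wrapper, so who may execute a setuid-root binary depends on a default in the wrapper module that is not visible here; it should be set explicitly or noted in a comment as intended. The comment above the block could also say that on kernels older than 4.3 these wrappers run with full root rather than the narrower capability set used in the setcap branch, so a reader knows the fallback is the weaker configuration.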