This patch is heavily inspired by bd0d8ed807
which added
a setcap wrapper for `mtr` in order to allow running `mtr` without
`sudo`. The need for the capability `cap_net_raw` that can be registered using
`setcap` has been documented in the Arch Wiki: https://wiki.archlinux.org/index.php/Capabilities#iftop
A simple test case has been added which starts two machines, one with a
setcap wrapper for `iftop` and one without. Both test cases monitor the
bandwidth usage of the machine once using the options `-t -s 1`; the
machine with the setcap wrapper is expected to succeed, while `iftop` on the
machine without the setcap wrapper is expected to return a non-zero exit
code.
wip/yesman
parent
f8fe297ff1
commit
50a34e55b2
@ -0,0 +1,18 @@ |
||||
{ config, pkgs, lib, ... }: |
||||
|
||||
with lib; |
||||
|
||||
let |
||||
cfg = config.programs.iftop; |
||||
in { |
||||
options = { |
||||
programs.iftop.enable = mkEnableOption "iftop + setcap wrapper"; |
||||
}; |
||||
config = mkIf cfg.enable { |
||||
environment.systemPackages = [ pkgs.iftop ]; |
||||
security.wrappers.iftop = { |
||||
source = "${pkgs.iftop}/bin/iftop"; |
||||
capabilities = "cap_net_raw+p"; |
||||
}; |
||||
}; |
||||
} |
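Review bot: `security.wrappers.iftop` hands `cap_net_raw` to whoever can execute the wrapper, and since no `owner`, `group` or `permissions` is set here that is presumably every local account, so enabling the module lets any user on the host capture traffic on its interfaces. The option text should say so, e.g. `mkEnableOption "iftop + setcap wrapper (allows all local users to capture network traffic)"`. If that exposure is wider than intended, the wrapper could be limited to a group with `group = "<group>"; permissions = "u+rx,g+x";` (placeholder group name), assuming the wrapper defaults are world-executable.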
@ -0,0 +1,30 @@ |
||||
import ./make-test.nix ({ pkgs, lib, ... }: |
||||
|
||||
with lib; |
||||
|
||||
{ |
||||
name = "iftop"; |
||||
meta.maintainers = with pkgs.stdenv.lib.maintainers; [ ma27 ]; |
||||
|
||||
nodes = { |
||||
withIftop = { |
||||
imports = [ ./common/user-account.nix ]; |
||||
|
||||
programs.iftop.enable = true; |
||||
}; |
||||
withoutIftop = { |
||||
imports = [ ./common/user-account.nix ]; |
||||
}; |
||||
}; |
||||
|
||||
testScript = '' |
||||
subtest "machine with iftop enabled", sub { |
||||
$withIftop->start; |
||||
$withIftop->succeed("su -l alice -c 'iftop -t -s 1'"); |
||||
}; |
||||
subtest "machine without iftop", sub { |
||||
$withoutIftop->start; |
||||
$withoutIftop->mustFail("su -l alice -c 'iftop -t -s 1'"); |
||||
}; |
||||
''; |
||||
}) |
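Review bot: The `mustFail` on `$withoutIftop` does not exercise the missing capability, because that node never installs `iftop`. The module sets `environment.systemPackages = [ pkgs.iftop ]` only under `mkIf cfg.enable`, so the command most likely fails with "command not found" rather than a permission error. Adding `environment.systemPackages = [ pkgs.iftop ];` to the `withoutIftop` node would make the non-zero exit come from the unprivileged capture-socket open, which is the behaviour the wrapper is meant to change. A comment above the second subtest would record that intent, e.g. `# iftop is installed but unwrapped: opening the capture socket must fail`.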