50a34e55b2
This patch is heavily inspired by bd0d8ed807
which added
a setcap wrapper for `mtr` in order to allow running `mtr` without
`sudo`. The need for the capability `cap_net_raw` that can be registered using
`setcap` has been documented in the Arch Wiki: https://wiki.archlinux.org/index.php/Capabilities#iftop
A simple testcase has been added which starts two machines, one with a
setcap wrapper for `iftop`, one without. Both testcases monitor the
bandwidth usage of the machine once, using the options `-t -s 1`. The
machine with the setcap wrapper is expected to succeed, while `iftop` on
the machine without the setcap wrapper is expected to return a non-zero
exit code.
# NixOS module for iftop: installs the package and, when enabled, registers a
# capability wrapper so the tool can be started by a non-root user.
{ config, pkgs, lib, ... }:

let
  # Pull in only the two lib helpers this module uses.
  inherit (lib) mkEnableOption mkIf;

  iftopCfg = config.programs.iftop;
in
{
  options.programs.iftop.enable = mkEnableOption "iftop + setcap wrapper";

  # Nothing below is applied unless programs.iftop.enable is set.
  config = mkIf iftopCfg.enable {
    environment.systemPackages = [ pkgs.iftop ];

    # File-capability wrapper around the packaged binary.
    # "+p" places CAP_NET_RAW in the permitted set only; no other capability
    # is requested. CAP_NET_RAW allows opening raw/packet sockets, so anyone
    # who is allowed to execute this wrapper can observe traffic on the host.
    # NOTE(review): no owner, group or permissions are set here, so the
    # wrapper falls back to the security.wrappers defaults; confirm those
    # match the intended audience before enabling on multi-user systems.
    security.wrappers.iftop = {
      capabilities = "cap_net_raw+p";
      source = "${pkgs.iftop}/bin/iftop";
    };
  };
}