Adding a capability to an executable and using that executable in a flake

I currently have a flake that uses cloud-hypervisor (package: nixpkgs/default.nix at b8ce7fd59dcf28cccabfcf5f6407ea042b30fc1a · NixOS/nixpkgs · GitHub). The package has the possibility to open a network interface (TAP interface), and I want to do that without root. For this I would need the CAP_NET_ADMIN capability. I see there’s the security.wrappers.<name>.capabilities option to wrap an executable with the added capability:
nixpkgs/default.nix at 0152de25d49dc16883b65f3e29cfea8d32f68956 · NixOS/nixpkgs · GitHub

The question is, how would I use this wrapped executable in my flake? For example, I would assume using "${}/bin/cloud-hypervisor" in my flake would still not have that capability as it does not use the wrapped executable.


Flake or not, you can not use that wrapped binary in your builds.

I’m not sure if you can do anything within a derivation that would require CAP_NET_ADMIN.

No, I won’t use the wrapped binary directly in the build.

On this line I would like to use the wrapped binary instead of cloud-hypervisor. The only thing it would do at build time is create a script with:

exec '/nix/store/cpg38s7n7znz239zdxnviv1wb1m5ri4d-cloud-hypervisor-28.0/bin/cloud-hypervisor' '--cpus' 'boot=1'  (..... more options)

however I would like it to use the /nix/store/ path of my wrapped binary instead.

So if you want to generate some string or path that uses the wrapped binary, there is sadly nothing but hardcoding /run/wrappers/bin :frowning:

It is really sad that you cannot properly have this declared in a runtime closure and always need to make sure that the runtime requirements are fulfilled by other means :frowning:

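The approach the thread converges on, written out as an added example (not from any post above or from nixpkgs): a NixOS module that declares the capability wrapper and a launcher script that refers to the wrapper path via `config.security.wrapperDir` rather than a literal `/run/wrappers/bin`. The wrapper name `cloud-hypervisor`, the group `vmusers`, the TAP name `vmtap0` and the script name `launch-vm` are constructed assumptions.

```nix
# Added example; assumes a NixOS host evaluating this module. Nix cannot set
# file capabilities on store paths, so the wrapper only exists on the deployed
# host and is never part of the flake's build-time closure.
{ config, pkgs, ... }:

let
  # Resolve the wrapper path from the module option instead of hardcoding
  # /run/wrappers/bin; the default of security.wrapperDir is that path.
  wrappedCH = "${config.security.wrapperDir}/cloud-hypervisor";

  # Build-time work is only generating this script; the capability is used
  # at runtime when the script execs the wrapper on the host.
  # vmtap0 is a constructed TAP device name.
  launchVm = pkgs.writeShellScript "launch-vm" ''
    exec ${wrappedCH} --cpus boot=1 --net tap=vmtap0 "$@"
  '';
in
{
  # Group of users allowed to run the wrapper (constructed name).
  users.groups.vmusers = { };

  security.wrappers.cloud-hypervisor = {
    source = "${pkgs.cloud-hypervisor}/bin/cloud-hypervisor";
    owner = "root";
    group = "vmusers";
    # Effective + permitted CAP_NET_ADMIN so the binary can create the TAP
    # interface without running as root.
    capabilities = "cap_net_admin+ep";
    # Least privilege: only root and members of vmusers may execute the
    # wrapper, since anyone who can exec it gets CAP_NET_ADMIN.
    permissions = "u+rx,g+rx,o-rwx";
  };

  # Expose the launcher; the wrapper itself is found via security.wrapperDir.
  environment.systemPackages = [ launchVm ];
}
```

Run `getcap $(readlink -f /run/wrappers/bin/cloud-hypervisor)` on the deployed host to confirm the capability is actually set before relying on the script.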

Alright well, thanks for your time!