From ea20334cd4d9b4691680552c42df2da2ca1103ea Mon Sep 17 00:00:00 2001
From: Tommy
Date: Wed, 25 Dec 2024 05:24:11 -0700
Subject: [PATCH] Fix NetworkManager hardening
---
 etc/systemd/system/NetworkManager.service.d/98-qubes-fix.conf | 3 ---
 fedora-gnome/fedora-gnome.sh | 3 ++-
 2 files changed, 2 insertions(+), 4 deletions(-)
 delete mode 100644 etc/systemd/system/NetworkManager.service.d/98-qubes-fix.conf
diff --git a/etc/systemd/system/NetworkManager.service.d/98-qubes-fix.conf b/etc/systemd/system/NetworkManager.service.d/98-qubes-fix.conf
deleted file mode 100644
index 0259cd7..0000000
--- a/etc/systemd/system/NetworkManager.service.d/98-qubes-fix.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Service]
-ExecStartPre=
-ExecStartPre=+/usr/lib/qubes/network-manager-prepare-conf-dir
\ No newline at end of file
diff --git a/fedora-gnome/fedora-gnome.sh b/fedora-gnome/fedora-gnome.sh
index 7bace3b..99ae1ea 100644
--- a/fedora-gnome/fedora-gnome.sh
+++ b/fedora-gnome/fedora-gnome.sh
@@ -84,8 +84,9 @@ download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc
 # We don't need the usual mac address randomization and stuff here, because this template is not used for sys-net
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
-download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/refs/heads/main/etc/systemd/system/NetworkManager.service.d/98-qubes-fix.conf /etc/systemd/system/NetworkManager.service.d/98-qubes-fix.conf
 download https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo sed -i 's@ReadOnlyPaths=/etc/NetworkManager@#ReadOnlyPaths=/etc/NetworkManager@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo sed -i 's@ReadWritePaths=-/etc/NetworkManager/system-connections@#ReadWritePaths=-/etc/NetworkManager/system-connections@' /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 # Disable GJS and WebkitGTK JIT
 download https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/environment /etc/environment
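Review bot: Both added `sed -i` lines exit 0 when nothing matches, so if `99-brace.conf` on the upstream `master` branch ever rewords these directives, the template silently keeps `ReadOnlyPaths=/etc/NetworkManager` and the script reports no error. Anchor each pattern and check the result, e.g. `sudo sed -i 's@^ReadOnlyPaths=/etc/NetworkManager@#&@' "$conf"` followed by `grep -q '^#ReadOnlyPaths=/etc/NetworkManager' "$conf" || exit 1`, with `conf` holding the drop-in path, and the same pair for the `ReadWritePaths=-/etc/NetworkManager/system-connections` line. The `^` anchor also stops a second run from stacking another `#` on an already commented line. Because these two lines deliberately relax a sandbox restriction shipped by the downloaded hardening file, a comment above them should record the reason, for example `# Qubes writes under /etc/NetworkManager at service start, so brace's read-only restriction is disabled here`. That reason is inferred from the removed `network-manager-prepare-conf-dir` drop-in and should be confirmed.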