dhcpcd, nixos/dhcpcd: enable privsep

dhdpcd 9 support privilege separation with a dedicated user and seccomp filtering. this has been enabled for a while in other distributions as well. if the dhcpcd module is not used and the _dhcpcd user/group isn't definied otherwise dhcpcd will fall back to not using privsep.
2024-09-21 04:49:01 +02:00 · 2021-11-26 18:44:50 +01:00 · 2021-11-26 18:44:50 +01:00 · 8072ee22f2
parent 5269674a6d
commit 8072ee22f2
2 changed files with 13 additions and 0 deletions
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
@ -214,6 +214,12 @@ in
          };
      };

+    users.users._dhcpcd = {
+      isSystemUser = true;
+      group = "_dhcpcd";
+    };
+    users.groups._dhcpcd = {};
+
    environment.systemPackages = [ dhcpcd ];

    environment.etc."dhcpcd.exit-hook".source = exitHook;
--- a/pkgs/tools/networking/dhcpcd/default.nix
+++ b/pkgs/tools/networking/dhcpcd/default.nix
@ -6,6 +6,7 @@
 , runtimeShellPackage
 , runtimeShell
 , nixosTests
+, enablePrivSep ? true
 }:

 stdenv.mkDerivation rec {
@ -32,6 +33,12 @@ stdenv.mkDerivation rec {
  configureFlags = [
    "--sysconfdir=/etc"
    "--localstatedir=/var"
+  ]
+  ++ lib.optionals enablePrivSep [
+    "--enable-privsep"
+    # dhcpcd disables privsep if it can't find the default user,
+    # so we explicitly specify the default.
+    "--privsepuser=_dhcpcd"
  ];

  makeFlags = [ "PREFIX=${placeholder "out"}" ];