dhcpcd, nixos/dhcpcd: enable privsep
dhcpcd 9 supports privilege separation with a dedicated user and seccomp filtering. This has been enabled for a while in other distributions as well. If the dhcpcd module is not used and the _dhcpcd user/group isn't defined otherwise, dhcpcd will fall back to not using privsep.
This commit is contained in:
parent
5269674a6d
commit
8072ee22f2
2 changed files with 13 additions and 0 deletions
|
@ -214,6 +214,12 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
users.users._dhcpcd = {
|
||||
isSystemUser = true;
|
||||
group = "_dhcpcd";
|
||||
};
|
||||
users.groups._dhcpcd = {};
|
||||
|
||||
environment.systemPackages = [ dhcpcd ];
|
||||
|
||||
environment.etc."dhcpcd.exit-hook".source = exitHook;
|
||||
|
|
|
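Review bot: The new `users.users._dhcpcd = {` definition carries no comment tying the user name to the package's `--privsepuser=_dhcpcd` flag, and since dhcpcd falls back to running without privsep when that user is absent (as the package comment states), a rename on either side would silently drop the hardening rather than fail. Suggest a comment above the user definition such as `# Unprivileged user dhcpcd drops to under privsep; the name must match --privsepuser in the dhcpcd package expression.` The enclosing config attribute set starts outside the hunk, so whether this is gated on the module's enable option is not visible here.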
@ -6,6 +6,7 @@
|
|||
, runtimeShellPackage
|
||||
, runtimeShell
|
||||
, nixosTests
|
||||
, enablePrivSep ? true
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
|
@ -32,6 +33,12 @@ stdenv.mkDerivation rec {
|
|||
configureFlags = [
|
||||
"--sysconfdir=/etc"
|
||||
"--localstatedir=/var"
|
||||
]
|
||||
++ lib.optionals enablePrivSep [
|
||||
"--enable-privsep"
|
||||
# dhcpcd disables privsep if it can't find the default user,
|
||||
# so we explicitly specify the default.
|
||||
"--privsepuser=_dhcpcd"
|
||||
];
|
||||
|
||||
makeFlags = [ "PREFIX=${placeholder "out"}" ];
|
||||
|
|
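Review bot: The privsep user name is hard-coded in `"--privsepuser=_dhcpcd"` and must stay in sync with the `_dhcpcd` user the nixos module creates, with drift silently disabling privsep per the comment just above it. A package argument keeps the two in one place: `, privSepUser ? "_dhcpcd"` next to `, enablePrivSep ? true` and `"--privsepuser=${privSepUser}"` in the flag, which the module could then reference instead of repeating the literal. The `stdenv.mkDerivation rec {` body continues outside the hunk, so a `passthru` exposing the name could not be checked here.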