dhcpcd, nixos/dhcpcd: enable privsep

dhcpcd 9 supports privilege separation with a dedicated user and seccomp
filtering. this has been enabled for a while in other distributions as
well.

if the dhcpcd module is not used and the _dhcpcd user/group isn't
defined otherwise, dhcpcd will fall back to not using privsep.
pennae 2021-11-26 18:44:50 +01:00
parent 5269674a6d
commit 8072ee22f2
2 changed files with 13 additions and 0 deletions


@ -214,6 +214,12 @@ in
};
};
users.users._dhcpcd = {
isSystemUser = true;
group = "_dhcpcd";
};
users.groups._dhcpcd = {};
environment.systemPackages = [ dhcpcd ];
environment.etc."dhcpcd.exit-hook".source = exitHook;
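Review bot: The account name `_dhcpcd` is hard-coded here and again in the package's `"--privsepuser=_dhcpcd"` flag, with nothing visible tying the two together. Per the commit description, dhcpcd falls back to running without privsep when the user is absent, so a rename on either side would remove the privilege separation without any error. A comment above `users.users._dhcpcd` would record the coupling, for example `# must match --privsepuser in the dhcpcd package; without this user dhcpcd runs without privsep`. The enclosing config block starts and ends outside the hunk, so whether the service unit or a test checks that privsep is active cannot be seen from here.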


@ -6,6 +6,7 @@
, runtimeShellPackage
, runtimeShell
, nixosTests
, enablePrivSep ? true
}:
stdenv.mkDerivation rec {
@ -32,6 +33,12 @@ stdenv.mkDerivation rec {
configureFlags = [
"--sysconfdir=/etc"
"--localstatedir=/var"
]
++ lib.optionals enablePrivSep [
"--enable-privsep"
# dhcpcd disables privsep if it can't find the default user,
# so we explicitly specify the default.
"--privsepuser=_dhcpcd"
];
makeFlags = [ "PREFIX=${placeholder "out"}" ];
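Review bot: The comment above `"--privsepuser=_dhcpcd"` does not say whether "can't find the default user" refers to the build environment or to the running system. It reads as a configure-time workaround, but the commit description also describes a runtime fallback, and a maintainer needs to know both. I would reword it along the lines of `# configure disables privsep when the default user is missing at build time, so name it explicitly.` followed by `# at runtime dhcpcd still runs without privsep if the _dhcpcd user does not exist.`, after confirming the configure-time behaviour against the dhcpcd sources. It would also help to note next to `enablePrivSep ? true` in the argument list that setting it to false drops both flags and with them the dedicated user and seccomp filtering.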