BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

dhcpcd, nixos/dhcpcd: enable privsep

Browse source 
dhdpcd 9 support privilege separation with a dedicated user and seccomp
filtering. this has been enabled for a while in other distributions as
well.

if the dhcpcd module is not used and the _dhcpcd user/group isn't
definied otherwise dhcpcd will fall back to not using privsep.
This commit is contained in:
pennae 2021-11-26 18:44:50 +01:00
parent 5269674a6d
commit 8072ee22f2
2 changed files with 13 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
nixos/modules/services/networking/dhcpcd.nix
View file

@ -214,6 +214,12 @@ in
}; };
}; };
users.users._dhcpcd = {
isSystemUser = true;
group = "_dhcpcd";
};
users.groups._dhcpcd = {};
environment.systemPackages = [ dhcpcd ]; environment.systemPackages = [ dhcpcd ];
environment.etc."dhcpcd.exit-hook".source = exitHook; environment.etc."dhcpcd.exit-hook".source = exitHook;

7
pkgs/tools/networking/dhcpcd/default.nix
View file

@ -6,6 +6,7 @@
, runtimeShellPackage , runtimeShellPackage
, runtimeShell , runtimeShell
, nixosTests , nixosTests
, enablePrivSep ? true
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
@ -32,6 +33,12 @@ stdenv.mkDerivation rec {
configureFlags = [ configureFlags = [
"--sysconfdir=/etc" "--sysconfdir=/etc"
"--localstatedir=/var" "--localstatedir=/var"
]
++ lib.optionals enablePrivSep [
"--enable-privsep"
# dhcpcd disables privsep if it can't find the default user,
# so we explicitly specify the default.
"--privsepuser=_dhcpcd"
]; ];
makeFlags = [ "PREFIX=${placeholder "out"}" ]; makeFlags = [ "PREFIX=${placeholder "out"}" ];